
IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 62, NO. 4, MAY 2013 1505

Graph-Based Metrics for Insider Attack Detection in VANET Multihop Data Dissemination Protocols

Stefan Dietzel, Jonathan Petit, Geert Heijenk, and Frank Kargl

Abstract—Vehicular networks (VANETs) are a growing research area with a large number of use cases. Foreseen applications include safety applications, traffic efficiency enhancements, and infotainment services. To make future deployment successful, it is imperative that all applications are matched with proper security mechanisms. Current proposals mostly focus on entity authorization by establishing a public key infrastructure. Such proactive security efficiently excludes nonauthorized entities from the network. However, in the face of insider attackers possessing valid key material, we need to consider data-centric methods to complement entity-centric trust. A promising approach for consistency checks, particularly in multihop scenarios, is to exploit redundant information dissemination. If information is received from both honest and malicious vehicles, chances are that attacks can be detected. In this paper, we propose three graph-based metrics to gauge the redundancy of dissemination protocols. We apply our metrics to a baseline protocol, a geocast protocol, and an aggregation protocol using extensive simulations. In addition, we point out open issues and applications of the metrics, such as colluding attackers and eviction of attacker nodes based on detected attacks. Results show that Advanced Adaptive Geocast behaves almost optimally from a routing efficiency point of view but fails to offer sufficient redundancy for data consistency mechanisms in many scenarios. The simulated aggregation protocol shows sufficient redundancy to facilitate data consistency checking.

Index Terms—Data consistency, graph theory, protocol analysis, vehicular networks (VANETs).

I. INTRODUCTION

Future applications that make use of vehicular networking span a wide range of use cases. We can distinguish three main groups of applications: 1) safety applications, 2) traffic efficiency applications, and 3) infotainment services. The goal of safety applications is to provide the driver with additional information that can prevent potential accidents. Examples include hard braking warning or a lane-change assistant. The goal of traffic efficiency applications is to optimize travel time beyond the possibilities of current navigation systems. For instance, information about current average speed, which is disseminated to approaching vehicles, can help to better plan alternate routes. Finally, infotainment services include applications like video streaming or map updates while on the road.

Manuscript received June 1, 2012; revised October 12, 2012 and December 17, 2012; accepted December 18, 2012. Date of publication December 21, 2012; date of current version May 8, 2013. This work was supported in part by the European Union’s Seventh Framework Programme project PRESERVE under Grant 269994. The review of this paper was coordinated by Dr. G. Mao.

S. Dietzel is with the Institute of Distributed Systems, Ulm University, 89081 Ulm, Germany (e-mail: [email protected]).

J. Petit and G. Heijenk are with the Centre for Telematics and Information Technology, University of Twente, 7522 NB Enschede, The Netherlands (e-mail: [email protected]; [email protected]).

F. Kargl is with the Institute of Distributed Systems, Ulm University, 89081 Ulm, Germany, and also with the Centre for Telematics and Information Technology, University of Twente, 7522 NB Enschede, The Netherlands (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVT.2012.2236117

For some of the mentioned applications, information from the single-hop broadcast area around a vehicle is sufficient. In particular, safety applications often rely on one-hop broadcasts because of tight real-time constraints. However, other applications, particularly those for traffic efficiency, need to disseminate information in larger areas. In these multihop scenarios, competition for available wireless bandwidth is an issue. Consequently, numerous proposals exist for efficient multihop information dissemination protocols. Two major dissemination patterns that are employed are geocast and aggregation [1].

Geocast disseminates information in a predefined geographical region, for instance, a stretch of road or a city region. Depending on whether the origin of information is within the destination region, information is either first forwarded toward the destination region or disseminated directly. Example use cases for geocast are the dissemination of emergency vehicle warnings to approaching vehicles and disseminating accident warnings. The goal of aggregation mechanisms is to collaboratively create and disseminate an approximate view of the real world. Instead of forwarding information like average speed unmodified, vehicles combine known information and only disseminate summaries in larger regions. In contrast to geocast, information is modified while it is forwarded in the network. Example use cases are traffic information systems and parking spot availability information.

To prevent spreading of malicious information, all proposed protocols need to be properly secured [2]–[4]. Otherwise, attackers could be able to reroute traffic if they insert malicious messages into traffic information systems, for instance. In cases of safety applications, attackers could be able to cause accidents due to false information, in the worst case.

The original approach to protect vehicular communication is based on entity-centric trust, which is established by signing packets with digital signatures and by establishing a public key infrastructure (PKI) that issues certificates to vehicles [5]. Entity-centric trust ensures that the originators of messages are actual vehicles or other infrastructure that is authorized to participate in vehicular networks (VANETs). Attacks using arbitrary commodity devices are effectively thwarted.

However, prohibitive cost and complex management of trusted hardware make it likely that knowledgeable attackers will be able to access key material in vehicles they physically own. Using the obtained keys, attackers can generate wrong information or modify information they process as part of multihop dissemination protocols. Hence, cryptographic signatures cannot guarantee that messages contain correct information. This problem is worse in multihop protocols. If geocast is used to forward messages over large distances, it is likely that the receivers of messages do not have any previous interactions with originators of messages. Hence, messages cannot be judged based on the originators’ previous good or bad behavior. If aggregation is used, the originators can no longer be identified. Forwarding nodes actively modify and combine messages, which invalidates the originators’ signatures.

0018-9545/$31.00 © 2012 IEEE

Therefore, a number of research papers [6], [7], as well as standardization activities [5], propose to complement entity-centric trust with data-centric methods, which detect attacks based on data consistency rather than entity trust. Data-centric methods are well known in intrusion detection systems for closed networks or servers. The central idea is to rely on physical models, local sensors, or data redundancy to detect spurious data.

Various approaches leveraging data-centric methods have been investigated, for instance, to detect spoofed position data [8] or to take majority decisions based on messages received from different sources [9], [10]. However, these mechanisms, as well as the theoretical framework proposed by Golle et al. [7], focus mainly on single-hop applications and corresponding dissemination protocols.

In this paper, we assess different data consistency approaches for VANETs. Among these, we identify redundancy as a promising approach particularly for multihop protocols. Representing a message transfer of a multihop protocol as a directed graph, we derive metrics to assess communication redundancy.

Our goal is to analyze whether redundancy can be exploited to achieve data consistency in multihop dissemination protocols. In previous work [11], we have presented first metrics for data consistency and performed initial simulations. In this paper, we present extensions of the metrics and perform extensive simulations to show that sufficient data redundancy for consistency checking can be achieved at the cost of higher bandwidth usage and smaller information dissemination areas or reduced information utility.

Our contributions can be summarized as follows.

1) We categorize approaches for data consistency and assess their applicability to multihop data dissemination (see Section II).

2) We propose graph-based metrics to gauge data redundancy in data dissemination protocols (see Section III).

3) We perform extensive simulations using existing protocol proposals to validate our metrics and to discuss whether data redundancy is a valid approach for future data-centric integrity protection methods (see Section IV).

Based on the simulation results, we compare our metrics to related work in Section V. We focus on formal approaches that study communication redundancy to validate our simulation results. In Section VI, we give an outlook on open issues, such as colluding attackers and applications for our metrics. Section VII concludes this paper with an outlook on future work to dynamically adjust data redundancy in efficient dissemination protocols.

II. DATA CONSISTENCY

As VANET applications highly depend on communicated data, checking that such data correctly reflect a specific real-world situation is fundamental. Entity-centric trust helps to filter spurious data by excluding nonauthorized devices from the network. However, additional data consistency checks are needed to detect attacks from insiders that possess key material. The central idea of data consistency checking is to rely on multiple independent sources of information to detect inconsistencies between different alleged information items. The detection of inconsistencies can be used as a source for mechanisms that filter wrong information and exclude attacker vehicles from the network. We distinguish three main types of sources for data consistency mechanisms.

Models can be used to compare claimed information against known models, such as the physical behavior of vehicles. For instance, vehicles cannot accelerate arbitrarily fast and cannot move at infinite speed. In [12], particle-hopping models are used to represent statistical physics of vehicular traffic, which define the physical behavior of vehicles. Golle et al. [7] create a model of the VANET, which captures all possible events and uses their statistical properties (e.g., probability of occurrence) to detect spurious information.

Local sensors can be used to verify information received from vehicles in the direct vicinity. In case of conflicts between the perceived environment and information from other vehicles, precedence can be given to local sensor information. Schmidt et al. [13] propose a system that uses sensors to analyze vehicle behavior and check position information.

Dissemination redundancy exploits the fact that messages are often delivered via multiple routes to compensate for packet loss, and that events are often observed by multiple vehicles. As a result, vehicles can detect spoofed information by observing inconsistencies between the different received messages about the same event [9]. Cao et al. [14] present the notion of proof of relevance (PoR), which is accomplished by collecting authentic consensus on the event from witness vehicles in a cooperative way. Event reports from attackers who fail to provide this PoR are disregarded, making the network immune to bogus data.

Fig. 1 shows examples of the three approaches. The target vehicle A is confronted with multiple insider attacks mounted by the vehicles B, C, and D. Vehicle D claims a speed of 500 km/h. Using model-based consistency checking, A can conclude that 500 km/h is an impossible speed for a vehicle and thus might disregard this information. However, the underlying model that determines which speeds are impossible may be known to attackers as well. Within the range of “allowed” speeds, attackers can still claim false events.

Vehicle B shows this type of attack. However, A can use local sensors to detect that vehicle B, which claims to stand still, is actually moving. Such measurements can, for instance, be taken using an onboard radar sensor, if the attacking vehicle is within sight.


Fig. 1. Three main methods of data consistency.

Both checks will fail to detect C’s attack, who claims to be stuck in a more distant traffic jam. Since this is perfectly possible, the model-based checking fails. Because it is far beyond the reach of local sensors, sensor cross checking can also not be applied.

However, redundancy-based consistency checks can be applied to detect C’s attack. If C is reporting a correct speed but an intermediate node forwarding the data modifies it, there might still be redundant paths that allow A to detect the alteration. If C itself is reporting false information, other vehicles surrounding C might report a different consistent picture of the traffic situation. Again, C’s spoofed information can be detected. Such redundancy-based approaches can be used even if the attacking vehicle is far beyond the reach of local sensors and complies with physical models. Once such inconsistencies are detected, we can use information from other sources to filter out incorrect information and possibly evict malicious nodes. For instance, majority decisions can be made if originating nodes sign messages and messages are not modified during dissemination, such as presented in [9]. Another approach is to apply models in addition to redundancy checks. For example, consider a traffic information system. Once an inconsistency is detected due to redundant information, historic information that is already in the world model can be used to predict the more likely current traffic situation among the conflicting views.

We therefore argue that exploiting dissemination redundancy is a promising approach to detect insider attacks on multihop dissemination protocols. We can exploit the fact that all protocols have to introduce a certain amount of redundancy due to the inherently unreliable network. However, existing protocols are often tweaked for minimal redundancy to cope with bandwidth limitations. Therefore, we will design metrics to assess redundancy in existing networks and validate them using extensive simulations.

III. REDUNDANCY METRICS

We define three metrics that characterize communication redundancy. The following gives an overview of the metrics. Afterwards, we introduce our network and attacker model using graphs and explain how to derive the metrics from it.

Metric 1 (Redundant paths): For a message transfer in a multihop dissemination protocol, we analyze the number of fully redundant paths (P) between the source and the destination of the message. A higher number of redundant paths means that a protocol is more resilient against attackers.

Metric 2 (Critical nodes): If there is at least one vehicle that is part of all paths between source and destination, that vehicle is a critical node, because it fully controls the information that the destination receives from the source. The number of critical nodes (C) between source and destination is a measure for the likelihood that an attack on the network remains undetected.

Intuitively, a higher number of redundant paths and fewer critical nodes lead to a higher bandwidth usage. As a result, a resilient protocol is likely to be less efficient in disseminating information to a large number of destination nodes. Therefore, we introduce a third metric to analyze the tradeoff between redundancy and bandwidth usage.

Metric 3 (Distribution of information): The percentage of all vehicles in the network that actually receive a message from the source gives the distribution of information (D).

To formalize the foregoing metrics, we introduce a graph representation for multihop protocols. We will also use this graph representation to explain the exact communication scenario we analyze and to explain our attacker model.

A. Communication Model

Definition 1: We represent the communication network with a directed graph G = (V, E), where vertices represent vehicles, and edges represent that a node is within one-hop communication range of another node.

Information that is observed by a source s ∈ V is forwarded over multiple forwarding nodes f1, …, fm ∈ V to a destination d. To compensate for packet loss, protocols often forward information using multiple paths from s to d, and each path can be characterized by the corresponding n-tuple of forwarding nodes. For the transfer of a single message, we distinguish two subgraphs of G, namely, G(s,∗) and G(s,d), where

$$G \supseteq G_{(s,*)} \supseteq G_{(s,d)}. \qquad (1)$$

Definition 2: We use G(s,∗) = (V(s,∗), E(s,∗)) to represent all transfers of a single message, that is, all forwarding paths starting at s. Hence, (vi, vj) ∈ E(s,∗) if and only if vi forwards the message, which vj then receives. V(s,∗) contains all nodes in V that are connected by an edge in E(s,∗).

Definition 3: G(s,d) = (V(s,d), E(s,d)) represents successful transfers from s to d. Thus, V(s,d) and E(s,d) contain all nodes and edges that are part of a path from s to d in G(s,∗).

Fig. 2 shows an example network. Ideally, d receives the message unmodified via all paths. However, due to the unreliable wireless channel, some packets might be lost, and due to malicious vehicles, some of the received messages might be modified.

Fig. 2. Example communication network G with a source s, destination d, and corresponding transfers G(s,∗) and successful transfers G(s,d).

B. Attacker Model

We assume a single insider attacker a ∈ V \ {s, d} whose goal is to alter the message that is transferred from s to d, who are both honest. Further, a possesses at least one valid certified key pair. While cases of colluding attackers are possible, we consider single attackers to be the most likely, particularly assuming that attackers need to physically own cars to extract key material. Whenever a receives s’s message for forwarding, a will modify it. We assume that we cannot distinguish a from normal vehicles beforehand, because the attacker vehicle creates messages that conform to the communication protocol. In general, we assume a behaves according to the protocol except for modifying message content. Note that this attack scenario cannot be solved with a simple message integrity protection using digital signatures. The reason is that the destination d does not know the identity of s. Therefore, d cannot check whether the message has been signed with s’s private key. Instead, d can only verify that the signer of the message is an authorized participant of the network. However, since we assume a possesses one or more valid key pairs, d cannot distinguish s’s messages from a’s messages only using signatures.

Fig. 3. Example graph showing critical nodes, namely, 2 and 4, on a path between source s and destination d.

We consider a to be successful if a is able to modify all messages that d receives from s. To be successful, a needs to be in V(s,d), and part of all possible paths from s to d in G(s,d), i.e., a needs to be a critical node. Fig. 3 shows an example graph with two critical nodes. A message transfer is called attackable if there exists at least one a ∈ V(s,d) \ {s, d} such that for all paths p from s to d in G(s,d), a is on p.

C. Metrics

We will now derive an efficiently computable metric for redundant paths based on the notion of an attackable message transfer. If a node exists that is part of all paths between s and d, then G(s,d) becomes disconnected after removing this node. Thus, the size of the graph’s minimum vertex cut is 1. Applying Menger’s theorems [15], which state that a graph’s minimum cut is equal to the maximum flow, means that the number of node-disjoint paths between s and d in G(s,d) is equal to 1. We can use maximum flow algorithms to compute the number of node-disjoint paths efficiently.

Fig. 4. Example helper graph G′ corresponding to the graph shown in Fig. 5.

Fig. 5. Example graph showing two node-disjoint paths, namely, (1, 2) and (5, 6), from s to d.

Namely, we use a modified version of the Edmonds–Karp algorithm, as proposed in [16]. Used as is, Edmonds–Karp calculates the number of edge-disjoint paths for a source–destination pair in a weighted directed graph. We introduce a helper graph G′ = (V′, E′) to obtain the number of node-disjoint paths as follows. Each node in V is split into two nodes vi and v′i, and the two nodes are added to V′. Thus

$$V' = \{v_1, v'_1, v_2, v'_2, \ldots, v_n, v'_n\}. \qquad (2)$$

Now, an edge is added between all vi and v′i pairs, all incoming edges of G’s nodes are added to the vi nodes, and all outgoing edges are connected with the v′i nodes, i.e.,

$$E' = \{(v_1, v'_1), \ldots, (v_n, v'_n)\} \cup \{(v'_i, v_j) : (v_i, v_j) \in E\}. \qquad (3)$$

Finally, we need to define edge weights because maximum flow algorithms operate on weighted graphs. We set all edge weights to 1, because each edge represents a single message transfer between two nodes. Fig. 4 shows the corresponding helper graph G′ for the graph shown in Fig. 5. Intuitively, the (vi, v′i) edges “tag” a node as being used. Because all edge weights are 1, all nodes in V can only be used once before the edge (vi, v′i) is at maximum capacity. Therefore

$$P := \mathrm{EdmondsKarp}(G') \qquad (4)$$

gives the number of node-disjoint paths in G, where EdmondsKarp() is the Edmonds–Karp algorithm for calculating the maximum flow in a graph.

If a protocol is not attackable, there are at least two paths from s to d that have no common nodes apart from s and d, as shown in Fig. 5. In general, the number of node-disjoint paths P characterizes how resilient a message transfer is against insider attackers. Given at least two node-disjoint paths from s to d, an attack by a single attacker can be detected, even if, for P = 2, it is still undecidable which node is the attacker. For P ≥ 3, an attacker can be detected given an honest majority and additional information about the forwarding topology. However, detection is not straightforward; we will elaborate more on this issue in Section VI.

TABLE I: METRICS OVERVIEW

In case we have P = 1, there is at least one node in the network that can successfully attack the message transfer from s to d. However, not all nodes on the node-disjoint path between s and d can attack successfully. Therefore, we calculate the number of critical nodes (C) on the path between s and d. A node is critical if its removal would disconnect G(s,d). We define C ⊂ V(s,d) to be the set of all critical nodes. In case P ≥ 2, the number of critical nodes is automatically 0. Hence

$$C = \begin{cases} 0, & P \ge 2 \\ \left|\{v \in V \setminus \{s, d\} : v \in C\}\right|, & \text{otherwise.} \end{cases} \qquad (5)$$

The number of critical nodes C indicates how likely an attacker is successful. The more nodes on the path between s and d are in the set of critical nodes, the more likely it is that an attacker that is randomly positioned in the network is successful. Namely, the chance of success is

$$P(a \in V \setminus \{s, d\} \text{ successful}) = \frac{C}{|V \setminus \{s, d\}|}. \qquad (6)$$

Both P and C measure the suitability of a protocol for redundancy-based data consistency. However, such redundancy might come at the cost of higher bandwidth overhead. Therefore, we introduce distribution of information D as the fraction of all nodes that have received a particular message from the source. That is

$$D := |V_{(s,*)}| / |V|. \qquad (7)$$

Hence, D gives an intuition of a protocol’s success rate in disseminating messages throughout a large area, which is a common goal for multihop communication protocols.

Table I summarizes our metrics. Together, P, C, and D describe the tradeoff between communication efficiency and attack resilience due to redundancy. Here, P and C directly correlate. If there is more than one node-disjoint path, no critical nodes can exist. The distribution of information is orthogonal to that. Depending on specific application requirements, it might be acceptable if a protocol is able to disseminate information in a large area, as indicated by D, but at the cost of a low number of paths P. On the other hand, safety-critical protocols will value high redundancy and a high number of paths over wide dissemination of potentially false information due to a higher number of critical nodes C.
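As an added worked example (not the authors' code or their simulation setup), the following Python computes P, C, and D for a transfer graph: it extracts G(s,d) from G(s,*), builds the node-splitting helper graph of (2) and (3), runs a unit-capacity Edmonds–Karp max flow for (4), finds critical nodes by removal for (5), and evaluates (6) and (7). The two sample transfer graphs are constructed after the descriptions in the captions of Fig. 3 and Fig. 5, and the hypothetical vehicle 7 stands for a node that never receives the message.

```python
from collections import deque

# Constructed sample transfer graphs G(s,*) as {node: set(successors)}, shaped
# after the captions of Fig. 3 and Fig. 5 (not copied from the paper's figures).
FIG5_LIKE = {  # two node-disjoint paths (1, 2) and (5, 6) from s to d
    "s": {1, 5}, 1: {2}, 2: {"d"}, 5: {6}, 6: {"d"}, "d": set(),
}
FIG3_LIKE = {  # every s->d path passes through node 2 and through node 4
    "s": {1, 5}, 1: {2}, 5: {2}, 2: {3, 6}, 3: {4}, 6: {4}, 4: {"d"}, "d": set(),
}
# The whole network V of Definition 1; vehicle 7 never receives the message.
ALL_VEHICLES = {"s", 1, 2, 3, 4, 5, 6, 7, "d"}


def reachable(graph, start, reverse=False):
    """Nodes reachable from start by BFS; reverse=True walks edges backwards."""
    adj = graph
    if reverse:
        adj = {}
        for u, succ in graph.items():
            for v in succ:
                adj.setdefault(v, set()).add(u)
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def successful_transfers(g_s_star, s, d):
    """G(s,d) of Definition 3: nodes and edges lying on some s->d path in G(s,*)."""
    on_path = reachable(g_s_star, s) & reachable(g_s_star, d, reverse=True)
    return {u: {v for v in g_s_star.get(u, ()) if v in on_path} for u in on_path}


def split_helper_graph(g_s_d):
    """G' of (2)/(3): v -> (v,'in')->(v,'out'); (u,v) -> (u,'out')->(v,'in'); all capacities 1."""
    cap = {}
    for u in g_s_d:
        cap[(u, "in")] = {(u, "out"): 1}
        cap[(u, "out")] = {}
    for u, succ in g_s_d.items():
        for v in succ:
            cap[(u, "out")][(v, "in")] = 1
    return cap


def edmonds_karp(cap, source, sink):
    """Max flow by BFS-shortest augmenting paths; unit capacities, so each path adds one unit."""
    residual = {u: dict(nbrs) for u, nbrs in cap.items()}
    for u, nbrs in cap.items():
        for v in nbrs:
            residual.setdefault(v, {}).setdefault(u, 0)  # reverse residual edge
    flow = 0
    while True:
        parent, queue = {source: None}, deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in residual[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        v = sink
        while parent[v] is not None:  # push one unit along the path found
            u = parent[v]
            residual[u][v] -= 1
            residual[v][u] += 1
            v = u
        flow += 1


def redundant_paths(g_s_d, s, d):
    """Metric 1, P of (4); flow runs from (s,'out') to (d,'in') so the endpoints' split edges do not cap it at 1."""
    return edmonds_karp(split_helper_graph(g_s_d), (s, "out"), (d, "in"))


def critical_nodes(g_s_d, s, d):
    """Metric 2: nodes other than s, d whose removal disconnects d from s in G(s,d)."""
    crit = set()
    for v in g_s_d:
        if v in (s, d):
            continue
        pruned = {u: succ - {v} for u, succ in g_s_d.items() if u != v}
        if d not in reachable(pruned, s):
            crit.add(v)
    return crit


def metrics(g_s_star, all_vehicles, s, d):
    """P, C, D of Table I plus the attacker's chance of success from (6)."""
    g_s_d = successful_transfers(g_s_star, s, d)
    p = redundant_paths(g_s_d, s, d)
    crit = set() if p >= 2 else critical_nodes(g_s_d, s, d)  # (5)
    # V(s,*): every node that sends or receives the message (Definition 2).
    touched = {u for u, succ in g_s_star.items() if succ}
    touched |= {v for succ in g_s_star.values() for v in succ}
    return {"P": p, "C": len(crit), "critical": crit,
            "attack_success": len(crit) / (len(all_vehicles) - 2),  # (6)
            "D": len(touched) / len(all_vehicles)}  # (7)
```

For the Fig. 3-like graph this yields P = 1, C = 2 with critical nodes {2, 4}, a 2/7 chance for a randomly placed attacker, and D = 8/9; for the Fig. 5-like graph P = 2 and C = 0.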

IV. ANALYSIS AND DISCUSSION

To validate our metrics, we apply them to widely used multihop data dissemination protocols [1]. The goal is to analyze to what extent these protocols provide enough redundancy to detect attackers in different scenarios. We implemented representatives of the following protocol families.

Baseline: To have a baseline, we create a graph that represents the node connectivity based on the chosen simulation parameters. This graph resembles the result of a naïve flooding with perfect packet delivery even over multiple hops. The baseline gives an estimate of the maximum achievable redundancy in a network.

Geocast: We use an adaptive probabilistic gossiping protocol, namely, Advanced Adaptive Geocast (AAG) [17], as representative for the Geocast protocol family. In AAG, each node determines the message forwarding probability based on the current perceived node density according to two-hop neighborhood information. The protocol performance can be adjusted by configuring an average reception percentage, which states the percentage of nodes that should, on average, receive a message. In high node density scenarios, AAG uses a logistic function to automatically reduce the forwarding probability further. A target region can be specified that determines the area for which an observation is relevant. For our simulations, we set the target region to the whole network, because we assume a traffic information application where all vehicles are interested in the speed of the other vehicles in the network.

Aggregation: We use a basic aggregation scheme similar to [18] as representative for in-network aggregation protocols. The scheme uses fixed-size road segments, for which all atomic observations are averaged. For calculating our metrics, we assume that a message from the source reaches the destination if the destination receives an aggregate that the source message contributed to. All vehicles collect known aggregates in a world model and periodically disseminate a subset of the world model using one-hop link-layer broadcast. For dissemination, a fixed packet size is configured. In case the world model content exceeds the packet size, priority is given to information about the direct vicinity of the disseminating vehicle. Both segment size and dissemination packet size can be adjusted.

For these protocols and for each simulation setting, we calculate the redundant paths and critical nodes, as described in Section III, between 100 randomly chosen source–destination pairs in different randomly selected node placements. All other vehicles, apart from participating in the forwarding process between the source and the destination, create and disseminate messages as well. These messages are regarded as background load. They contribute to the channel load and cause possible collisions on the wireless medium, resulting in fewer paths from the source to the destination. All graphs show the average values and their standard deviations.

TABLE II: OVERVIEW OF SIMULATION PARAMETERS

Our simulations are done using an enhanced version¹ of JiST/SWANS.² Table II summarizes the default simulation parameters (marked in bold) as well as the variations of the parameters. We consider both city and highway scenarios with changing node density, broadcast rates, transmit power settings, packet sizes, as well as different protocol-specific parameter settings. For the city scenario simulations, we place all nodes randomly on a predefined road network. For the highway scenario simulations, nodes are randomly distributed on a single stretch of road.

We do not consider node mobility at this point, because we focus on single message transfers between a source and a destination and can assume that the basic network characteristics, e.g., node density, remain the same during one message transfer. To verify our assumption, we run several test simulations to compare results with and without mobility, which will be discussed in Section IV-A.

We will now discuss the simulation results for common protocol parameters found in the literature. Default parameters are marked bold in Table II.

Fig. 6(a) shows the number of node-disjoint paths on a highway with varying node density. For the baseline and for the aggregation protocol, P grows linearly in the number of nodes. For the baseline, this behavior is expected, because the graph is more connected with higher node density. The aggregation protocol behaves similarly, because in the highway scenario there are only ten road segments. Both protocols show a high standard deviation of P, which is due to the varying distance of the chosen source–destination pairs. Fig. 7 shows the histogram for the number of node-disjoint paths using the aggregation protocol on a highway. For a low node density, only one node-disjoint path is the most likely outcome. However, the histogram shows that more paths do occur. For higher densities, no single source–destination pair resulted in only one or only a few node-disjoint paths. Consequently, Fig. 6(b) shows that the number of critical nodes C = 0 for both the baseline and the aggregation protocol. However, low node densities can be problematic. To some extent, this cannot be changed. If only few nodes are available as source of information, the redundancy is necessarily low. However, the aggregation protocol could be adapted to perform less aggregation in low node density scenarios to maintain a higher redundancy due to more redundant atomic observations. The results for AAG in Fig. 6(a) show a much lower number of node-disjoint paths; the average over all simulation runs is 1.51, and it stays constant with growing numbers of nodes. This is due to the fact that AAG automatically reduces redundancy by lowering the forwarding probability in high node density scenarios. Consequently, Fig. 6(b) shows a higher number of critical nodes for AAG. In addition, a number of critical nodes remain even in high density scenarios. While these results show that AAG reacts well to high node densities from an efficiency point of view, it is problematic from a security point of view. Even when a large number of nodes, and consequently redundant observations, are available, a cleverly positioned insider attacker will still be able to insert wrong information. The distribution of information (see Fig. 8) shows that both the baseline and the aggregation protocols achieve almost 100 percent distribution for more than 100 nodes. For AAG, however, the distribution performance declines with higher number of nodes due to lowered forwarding probabilities according to the logistic function. The high standard deviation in the plot again shows the high variance in the distance between the selected source–destination pairs. At first sight, the decreasing distribution of knowledge seems to be a bad outcome for the AAG protocol. Note, however, that the shown distribution percentage represents the distribution of a particular message and not a number of messages about the same event. Since AAG does not aggregate messages about a single event, like the aggregation protocol, it is likely that at least some messages about an event will still reach the destination, if the source sends enough messages.

¹ Website: http://www.vanet.info/
² Website: http://jist.ece.cornell.edu/

In the city scenario, we see similar results for the baseline and AAG protocols in terms of both node-disjoint paths and number of critical nodes [see Fig. 9(a) and (b)]. However, the aggregation protocol performs significantly worse than in the highway case. Even for high node densities, information exchange can be attacked in some cases. The reason for this is that the aggregation protocol needs to disseminate a much higher number of segments in the city scenario due to the larger road network. The higher number of road segments is also reflected in the distribution of information (see Fig. 10). In contrast to the highway case, the aggregation protocol achieves a distribution of 60%–80% on average with a high standard deviation. These results confirm a lesson learned [19] from early aggregation protocols: Aggregation schemes that use fixed segments do not scale with larger areas, because the number of messages that need to be disseminated still grows linearly. In contrast, schemes that adapt the aggregation areas dynamically can reduce the number of total messages, which would result in higher redundancy. Our results therefore indicate that dynamic aggregation schemes are also favorable from a security point of view.


Fig. 6. Node-disjoint paths and critical nodes for different node densities on a highway. (a) Node-disjoint paths P. (b) Critical nodes C.

Fig. 7. Histogram showing the node-disjoint paths for the aggregation protocol on a highway.

Fig. 8. Distribution of information D for different node densities on a highway.

We observe that for AAG, all metrics are consistent for the city and highway scenarios, as well as for different node densities. In all settings, AAG performs almost optimally in terms of communication efficiency. However, the low redundancy due to efficient communication results in possible attacks. Moreover, AAG performs worse in terms of information distribution with higher node densities. Aggregation shows a high percentage of information distribution as well as a high level of redundancy for all scenarios. However, aggregation only disseminates summarized information. As a result, the utility of the disseminated information may be lower when compared to exact data. Moreover, the aggregation protocol's performance decreases notably in a city scenario. This decrease illustrates the drawbacks of a fixed segment aggregation scheme. With increasing number of segments, information cannot be disseminated efficiently anymore, resulting in a lower distribution of information percentage.

We will now discuss the impact of varying key simulation parameters on the results to show whether AAG can be adapted to achieve higher redundancy and to see how the performance of aggregation in city environments can be improved.

A. Impact of Mobility

We perform all our simulations using static vehicles. To confirm our assumption that mobility does not influence our results, we performed exemplary simulations with mobility on highway scenarios. Mobility is implemented as a car-following model on a multilane highway. Using all available lanes, cars overtake if possible and slow down to avoid collisions with other cars. Fig. 11(a) shows the difference between static vehicles and mobile vehicles for the aggregation protocol. Due to the increased encounters of other nodes in the simulations with mobility, the number of node-disjoint paths is slightly higher. However, the difference is small and within the standard deviation. Similarly, Fig. 11(b) shows that the number of node-disjoint paths for the AAG protocol is independent of node mobility.

B. Impact of Broadcast Interval

Fig. 12 shows the impact of different broadcast frequencies in the city scenario. According to the current standard on vehicular communications [5], we simulate broadcast frequency settings from 10 Hz, which is commonly assumed for one-hop broadcasts, up to 0.5 Hz, i.e., one message every 2 s. The figure shows results for low (100 nodes) and high (750 nodes) vehicle densities. We can see that AAG is unaffected by the change of broadcast frequency. This result is independent of the node density. However, Fig. 13 shows that the distribution of information increases significantly if lower broadcast frequencies are used for AAG, which is due to the reduced number of packet collisions when using lower broadcast frequencies.

Fig. 9. Number of node-disjoint paths and critical nodes for different node densities in a city. (a) Node-disjoint paths P. (b) Critical nodes C.

Fig. 10. Distribution of information D for different node densities in a city. For legend, see Fig. 8.

The aggregation protocol is not affected by the broadcast frequency in the low vehicle density setting. However, in the high density simulation, we see that the number of node-disjoint paths decreases with decreasing broadcast frequency. This decrease is in line with the results for varying node density in the city scenario [see Fig. 9(a)]; due to the increased number of road segments and the increased number of observations from different nodes, a lower broadcast frequency results in fewer node-disjoint paths per observation.

C. Impact of Transmit Power

Next, we analyze the impact of increased transmit power. For all previous simulations, we assume a conservative value of 10.9 dB for the transmit power of nodes. This is well below the maximum value of 40 dB defined in the IEEE 1609.4 draft standard [20], because we assume that strict transmit power control mechanisms will be in place in real-world deployments. Now, we simulate transmit powers of up to 30 dB. Fig. 14(a) shows the impact on the number of node-disjoint paths in the city scenario. AAG again performs equally in all power settings and in all vehicle density settings. Both aggregation and baseline benefit from higher transmit powers and higher vehicle densities. Under low density, aggregation performs close to the baseline. In a higher density setting, the difference between aggregation and baseline is larger, which confirms the results for aggregation in the varying node density scenario [see Fig. 9(a)]. Due to the higher number of road segments, and consequently aggregates, in the city scenario, the difference between aggregation and baseline is significantly larger.

Looking at the distribution of information in the simulations shown in Fig. 14(b), we see why AAG is the only protocol that is unaffected by the higher vehicle density in Fig. 14(a). With increasing transmit power, the distribution of information decreases for AAG. The decrease is due to the logistic function used. It reduces the forwarding probability for messages in high node density scenarios to avoid high bandwidth usage.

D. Impact of Protocol-Specific Parameters

Finally, we assess the impact of protocol-specific parameters on the number of node-disjoint paths. For the aggregation protocol, the two main parameters are the size of the road segments and the maximum size of packets generated for dissemination. Fig. 15(a) shows the impact of different segment sizes in the city and highway scenarios. Under low vehicle density, the segment size does not have an impact on the redundancy. For high vehicle densities, aggregation benefits from larger segments, and consequently, fewer aggregates that need to be disseminated. The impact is again slightly higher in the city scenario. Fig. 15(b) shows the impact of different packet sizes. The results are analogous to the impact of the segment sizes; almost no difference can be seen for low vehicle density, and the city scenario is slightly more influenced than the highway scenario.

For AAG, the main protocol-specific parameter is the average reception percentage. Intuitively, higher average reception percentages result in higher probability of message forwarding in each node. We vary the value between 0.5 and 0.9 and disable the logistic function, which lowers the reception percentage for high node density scenarios. Fig. 16 shows the impact of the reception rate on the number of node-disjoint paths. We observe that, remarkably, the number of node-disjoint paths is unaffected by different reception rate settings in all scenarios.

Fig. 11. Impact of mobility on node-disjoint paths for (a) Aggregation and (b) Geocast.

Fig. 12. Impact of broadcast frequency on the node-disjoint paths in the city scenario.

Fig. 13. Impact of broadcast frequency on the distribution of information of AAG.

To further analyze the impact of different average reception percentages, we reduce the number of nodes that send messages in parallel. In addition, we introduce a simple extension to AAG's duplicate message detection scheme. Instead of dropping each duplicate immediately, each node rebroadcasts an already known duplicate message at most x times before it is dropped. Fig. 17 shows the corresponding simulation results for 300 vehicles in the city scenario. We can see that the unmodified AAG scheme (x = 1) achieves no higher redundancy even under lower message load. However, increased values for x result in higher redundancy in low load (three messages total) and medium load (300 messages total) scenarios. For high message load (more than 10 000 messages total), which is the standard in all other simulations, the simple modification does not result in noticeable benefits. Therefore, more advanced and adaptive dissemination mechanisms will have to be explored.

E. Summary

Throughout all simulations, we observe that the number of node-disjoint paths remains stable for AAG, independent of different parameters. Namely, P varies between 1 and 2. From a routing efficiency viewpoint, these results are almost optimal. In all settings, AAG succeeds in delivering messages (P > 1), but there are few or no redundant paths (P < 2). However, from a data consistency perspective, these results show that the unmodified AAG protocol is susceptible to insider attacks. The main protocol parameter, i.e., the average reception percentage, did not improve P significantly. However, we have shown that even a simple modification of duplicate detection benefits the redundancy of AAG. Further research will have to be done to fine-tune redundancy based on attack probabilities and changing network topologies.

In contrast, the aggregation protocol shows much higher values for P. In the highway scenarios, the aggregation protocol achieves redundancy values close to the results of the baseline simulations. However, we can also see from the city scenarios that the performance of the simple aggregation protocol used is highly dependent on the total number of road segments. These results show that it is advisable to use a more flexible hierarchic aggregation scheme in practice. Existing research by Scheuermann et al. [19] has shown that aggregation protocols that use fixed road segments will not scale to large areas due to bandwidth constraints. Our simulations confirm these results. Due to the high number of aggregates in the high node density city scenarios, both the distribution of information and the number of node-disjoint paths are affected. Thus, a more flexible aggregation scheme is beneficial for both scalability and data consistency.

Fig. 14. Impact of transmit power on the node-disjoint paths and distribution of knowledge in the city scenario. (a) Node-disjoint paths. (b) Distribution of knowledge.

Fig. 15. Impact of protocol-specific parameters for aggregation. (a) Aggregation segment sizes. (b) Dissemination packet sizes.

Fig. 16. Impact of average reception percentage.

Fig. 17. Impact of modified duplicate detection for AAG on the number of node-disjoint paths.

However, we need to point out that we do not consider information utility explicitly in our simulations. That is, for the aggregation protocol, we consider that the selected destination node has received a message from the source if the destination received an aggregate to which the source contributed. In the process, the source's message may have been merged with other messages. For instance, the speeds of all vehicles on the same road segments are averaged, and only the average is disseminated. This loss of precision between the original atomic observations and the resulting aggregate is not considered in our metrics. Hence, including information utility metrics in the simulation results, to better put the results of the aggregation protocol into perspective, remains future work.

For all the simulated protocols, the three proposed metrics show useful results that allow statements to be made about the resilience of the protocols against attackers.

V. RELATED WORK

The existence of short redundant paths between pairs of nodes is a fundamental question in all mobile ad hoc networks. Researchers have applied graph theory to formally derive expected connectivity and other metrics of networks. Focusing on random nonmalicious faults, the central questions are "is a network of randomly distributed nodes connected?" and "how many node and link faults can be tolerated before the network is disconnected?" Although attackers are not explicitly considered in these scenarios, we can apply these results to our setting. We assume that an attacker node modifies all information that is forwarded through it. Therefore, an attacker node in our scenario is equivalent to a failed link, because the attacker does not forward any correct information to downstream nodes.

Rabin exploits efficient replication in messages and path redundancy to achieve additional fault tolerance [21]. In [22], the authors define the radio connectivity between nodes s and d as the minimum number of jammers needed to disrupt all communication between s and d. Networks with high node (edge) connectivity are more robust against node (edge) failures, respectively. However, the attacker model is different, and the result is not directly applicable in our context. For instance, Rabin assumed external attackers that aim at destroying links and can choose their position in the network, whereas we focus on hard-to-detect insider attackers that only modify forwarded information without hindering other communication.

Nikoletseas et al. [23] examine connectivity properties in random graphs. For a random graph Gn,p with n nodes and the probability for any possible edge to occur p, they calculate the minimum value of p that results in at least x vertex disjoint paths between any pair of nodes. Moreover, the given bounds for p guarantee that all x paths are bounded by a maximum length l.

Bettstetter [24] formally derives results for k connectivity in mobile networks with randomly distributed nodes. For a network to be k connected, there needs to be at least k node-disjoint paths between all possible source–destination pairs. In contrast to the work of Nikoletseas et al., Bettstetter directly considers mobile ad hoc networks. Thus, he uses a random geometric graph, where nodes are distributed in space, and edges occur according to a distance metric, instead of the abstract edge probability in a random graph. Bettstetter establishes that the probability of a network to be k connected is, with high certainty, equal to the probability that all nodes in the network have at least k neighbors.

In addition to theoretic results, path redundancy has been exploited practically to design resilient protocols for wireless sensor networks (WSNs). In [25], it is confirmed that routing using node-disjoint paths enhances both survivability and data confidentiality. They present two efficient algorithms for computing a pair of node-disjoint paths. The presented path calculation takes into consideration both lifetime and total energy consumption. Al-Wakeel and Sa [26] propose a path-redundancy-based security algorithm (PRSA) to improve the routing security in WSNs. The algorithm uses alternative routing paths for each data transmission to overcome attacks on the sensor network. The idea behind PRSA is to find multiple secure least-cost routing paths between source and destination. In [27], the authors define the problem of increasing WSN reliability by deploying a number of additional relay nodes to ensure that each sensor node in the initial design has k node-disjoint paths to the sinks. A WSN is robust if at least one route to a sink is available for each remaining sensor node after the failure of up to k − 1 nodes.

However, these existing approaches do not consider VANET protocols. Due to the focus on nonmalicious failure, the presented approaches usually consider the basic network connectivity when calculating the proposed metrics. A main contribution of this paper is to present metrics suitable for VANETs and to apply graph metrics to existing communication protocols, thus measuring the actual redundancy provided. Such measurements are a prerequisite to apply misbehavior detection protocols to VANET communication. Only if the underlying communication protocols exhibit enough communication redundancy and information from different sources can we use these different sources to detect misbehavior.

Therefore, misbehavior detection protocols, such as presented in [28] and [29], can be seen as an application of our metrics. For example, Liu et al. [28] present an insider attacker detection scheme for WSNs, where each node runs a local intrusion detection system to report misbehavior. In the context of VANETs, Bissmeyer et al. [29] propose to detect intrusion by verification of vehicle movement data. The results of such misbehavior detection can be enhanced if nodes locally calculate the expected redundancy given the current node density and adapt the underlying communication protocol to send more or less redundant information accordingly.

VI. APPLICATION OF THE METRICS AND OPEN ISSUES

In our simulations, we focused on scenarios with a single attacker. While a single attacker is the most probable scenario, it might be possible that attackers acquire more than one valid key pair. The reason can either be that an attacker physically owns more than one vehicle and is able to extract keys from all of them or that an attacker is able to acquire more than one valid key pair from a single vehicle. The latter is particularly possible if pseudonyms are used to enhance communication privacy [2]. We can extend our attacker model to cover colluding attackers by saying that n nodes a1, . . . , an are attackers and try to modify messages transferred from s to d. The set of colluding attackers is successful if d does not receive an unmodified copy of the message.

Fig. 18. Nonsuccessful distribution of n ≥ P colluding attackers, namely, a1, a2, and a3.

Fig. 19. Example graph showing the dependency between different node-disjoint paths.

Given a message transfer with P node-disjoint paths, we can detect inconsistencies caused by at least P − 1 attackers. Recall from Section III that P node-disjoint paths mean that the size of a minimum vertex cut of the graph G(s,d) is P. Therefore, P − 1 attackers cannot disconnect the graph, which means that there is at least one path left from s to d that consists of honest nodes only. On the other hand, if there are n ≥ P attackers, they are not necessarily successful. Fig. 18 shows an example; because the attacker nodes are distributed such that they cannot control all paths from s to d, the attack is not successful.

In addition to node-disjoint paths, we defined the number of critical nodes [see Definition 2 and (5)] and used it to derive the success probability for an attacker controlling a randomly selected node in (6). However, calculating the success probability for multiple attackers is an open challenge. To see why, consider the example graph shown in Fig. 19. Clearly, the graph has P = 2 node-disjoint paths from s to d. Thus, two colluding attackers can be successful. However, we cannot compute the number of critical nodes separately per path. If the attacker chooses node 1 on the first path, nodes 4, 5, and 6 are critical on the other path. However, if the attacker chooses node 2 or 3 on the first path, only nodes 5 and 6 are critical because of the edge (1, 5). Hence, we cannot determine the number of critical nodes separately for each path. We are currently developing a method to derive the probability of success for randomly placed colluding attackers that takes into account these interrelations.
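The following Python is an added example (not the paper's code) that reconstructs the Fig. 19 graph from the description above, assuming the edge (1, 5) is a forwarding edge directed from 1 to 5, and checks which nodes on the other path remain critical after an attacker has taken one node on the first path, as well as whether a given colluding set leaves any honest path at all (the Fig. 18 case of n ≥ P attackers that still fail).

```python
# Added example (not code from the paper): colluding attackers against one s -> d
# transfer. The graph is reconstructed from the description of Fig. 19: the two
# node-disjoint paths s-1-2-3-d and s-4-5-6-d plus the edge (1, 5), assumed here to
# be a forwarding edge directed 1 -> 5.
from collections import deque

def reachable(adj, src, removed=frozenset()):
    """Nodes reachable from src (src included) once the nodes in `removed` are deleted."""
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in seen and v not in removed:
                seen.add(v)
                queue.append(v)
    return seen

def attack_succeeds(adj, s, d, attackers):
    """The colluding set succeeds iff d receives no unmodified copy, i.e. every
    s -> d path contains an attacker (an attacker behaves like a failed node)."""
    return d not in reachable(adj, s, frozenset(attackers))

def critical_given_attackers(adj, s, d, attackers):
    """Nodes that are critical once `attackers` are already in place: taking any
    one of them in addition cuts the last honest s -> d path."""
    removed = frozenset(attackers)
    if d not in reachable(adj, s, removed):
        return set()  # the attack already succeeds; no further node matters
    candidates = reachable(adj, s, removed) - removed - {s, d}
    return {v for v in candidates if d not in reachable(adj, s, removed | {v})}

# Reconstructed Fig. 19 graph (constructed input, directed forwarding edges).
FIG19 = {"s": {1, 4}, 1: {2, 5}, 2: {3}, 3: {"d"}, 4: {5}, 5: {6}, 6: {"d"}}

if __name__ == "__main__":
    for first in (1, 2, 3):  # which nodes stay critical depends on the first choice
        print("attacker on", first, "-> critical:",
              sorted(critical_given_attackers(FIG19, "s", "d", {first})))
    # n >= P attackers are not automatically successful (cf. Fig. 18): three on one
    # path fail, while one attacker per path succeeds.
    print(attack_succeeds(FIG19, "s", "d", {1, 2, 3}),
          attack_succeeds(FIG19, "s", "d", {1, 5}))
```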

Another topic of ongoing work is the detection of attackers. We say that we can detect an attack if the destination receives at least one unmodified copy of the message. However, we cannot assume that the version of the message that was received via the majority of incoming edges to the destination is the unmodified message. The reason is that few attackers can control a large share of incoming edges. Consider, for example, the topology shown in Fig. 20. A single attacker a can influence most of the message copies received by d because a is followed by a large number n > 2 of forwarding hops. The honest nodes h1 and h2 only reach d via a single path each. Despite the honest majority and despite the fact that there are three node-disjoint paths in the graph, we cannot decide which information is correct and which information is modified by the attacker without further information about the graph topology. Thus, additional mechanisms are necessary, such as message confidence values, which can be gained using cryptographic mechanisms, such as presented in [9] and [30].

Fig. 20. Example graph where only one attacker can influence a large number of message copies received by the destination.

Finally, we have seen that AAG does not achieve the necessary redundancy for attack detection in many scenarios. Ideally, future protocols will optimize path redundancy and bandwidth consumption at the same time. For instance, ideas from multipath routing [31] could be applied to achieve protocols that maintain P ≥ 2 redundant paths while still keeping the overhead relatively low. In addition, protocols could dynamically adapt to changing network conditions. Once signs for attacks are detected, protocols could deliberately increase redundancy to foster attack detection. Such adaptive protocols can achieve a tradeoff between efficient communication when attacks are unlikely and good resilience against attacks when necessary.

VII. CONCLUSION

Data consistency is an important building block for secure vehicular communication systems. Focusing on entity-based solutions, such as message signing and certification using PKI, data consistency measures have been widely neglected by existing research. We have proposed a categorization of data consistency mechanisms into model-based, sensor-based, and dissemination-redundancy-based approaches and argue that redundant data forwarding paths are the most promising technique to enable consistency checks in multihop data dissemination protocols.

Previous research on such multihop dissemination protocols has focused on aspects like communication efficiency, aiming to remove any dissemination redundancy as a result. We complement this research by analyzing how likely it is for a randomly selected unknown attacker to dominate all information paths from a source to a destination. Our metrics (the number of node-disjoint paths and the derived number of critical nodes) are efficient to compute due to their relation to the well-researched maximum flow problem in graph theory.

We validate our metrics using extensive simulations in different network scenarios. Our results show that AAG, which is an efficient Geocast protocol, reduces communication redundancy to a point that enables single attackers to fully control the information flow between a vehicle pair in certain scenarios. On the other hand, a simple aggregation protocol shows more promising results in terms of redundancy. These results show that existing research on routing protocols, which exclusively focuses on routing efficiency, will not be ideal from a security perspective. More research is necessary on protocols that explore the tradeoff between increased security due to redundancy on the one hand and dissemination efficiency on the other hand.

Given our current results, we are able to detect inconsistencies in received information due to attackers. Moreover, we notice a high standard deviation due to the different network characteristics in all simulation settings. As a result, data consistency mechanisms that build on redundancy are bound to be probabilistic rather than absolute in nature. We are currently assessing scenarios of colluding attackers, as well as protocols that use conflict detection as a baseline to identify the spurious information in conflict situations. A holistic protocol will use both absolute cryptographic security measures and probabilistic approaches together to ensure data consistency and protect future VANETs against outsider and insider attackers.

REFERENCES

[1] E. Schoch, F. Kargl, M. Weber, and T. Leinmuller, "Communication patterns in VANETs," IEEE Commun. Mag., vol. 46, no. 11, pp. 119–125, Nov. 2008.

[2] P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, "Secure vehicular communication systems: Design and architecture," IEEE Commun. Mag., vol. 46, no. 11, pp. 100–109, Nov. 2008.

[3] F. Kargl, P. Papadimitratos, L. Buttyan, M. Müter, E. Schoch, B. Wiedersheim, T.-V. Thong, G. Calandriello, A. Held, A. Kung, and J.-P. Hubaux, "Secure vehicular communication systems: Implementation, performance, and research challenges," IEEE Commun. Mag., vol. 46, no. 11, pp. 110–118, Nov. 2008.

[4] F. Dressler, F. Kargl, J. Ott, O. K. Tonguz, and L. Wischhof, "Executive summary—Inter-vehicular communication," in Proc. Dagstuhl Semin. 10402—Inter-Veh. Commun., Wadern, Germany, Oct. 2010.

[5] IEEE Trial-Use Standard for Wireless Access in Vehicular Environments—Security Services for Applications and Management Messages, IEEE Std. 1609.2-2006.

[6] M. Raya, P. Papadimitratos, V. D. Gligor, and J.-P. Hubaux, "On data-centric trust establishment in ephemeral ad hoc networks," in Proc. 27th Conf. IEEE INFOCOM, 2008, pp. 1238–1246.

[7] P. Golle, D. Greene, and J. Staddon, "Detecting and correcting malicious data in VANETs," in Proc. 1st ACM Int. Workshop VANET, New York, 2004, pp. 29–37.

[8] T. Leinmüller, E. Schoch, F. Kargl, and C. Maihöfer, "Decentralized position verification in geographic ad hoc routing," Security Commun. Netw., vol. 3, no. 4, pp. 289–302, 2010.

[9] J. Petit, M. Feiri, and F. Kargl, "Spoofed data detection in VANETs using dynamic thresholds," in Proc. IEEE VNC, Nov. 2011, pp. 25–32.

[10] J. Petit and Z. Mammeri, "Dynamic consensus for secured vehicular ad hoc networks," in Proc. IEEE 7th Int. Conf. WiMob, Oct. 2011, pp. 1–8.

[11] S. Dietzel, J. Petit, F. Kargl, and G. Heijenk, "Analyzing dissemination redundancy to achieve data consistency in VANETs (short paper)," in Proc. 9th ACM Int. Workshop Veh. Inter-Netw., New York, 2012, pp. 131–134.

[12] D. Chowdhury, L. Santen, and A. Schadschneider, "Statistical physics of vehicular traffic and some related systems," Phys. Rep., vol. 329, no. 4–6, pp. 199–329, May 2000.

[13] R. K. Schmidt, T. Leinmueller, E. Schoch, A. Held, and G. Schaefer, "Vehicle behavior analysis to enhance security in VANETs," in Proc. 4th IEEE V2VCOM, Eindhoven, The Netherlands, 2008.

[14] Z. Cao, J. Kong, U. Lee, M. Gerla, and Z. Chen, "Proof-of-relevance: Filtering false data via authentic consensus in vehicle ad-hoc networks," in Proc. IEEE INFOCOM, 2008, pp. 1–6.

[15] K. Menger, "Zur allgemeinen Kurventheorie," Fund. Math., vol. 10, no. 1, pp. 95–115, 1927.

[16] R. Bhandari, "Optimal physical diversity algorithms and survivable networks," in Proc. 2nd IEEE Symp. Comput. Commun., 1997, pp. 433–441.

[17] B. Bako, F. Kargl, E. Schoch, and M. Weber, "Advanced adaptive gossiping using 2-hop neighborhood information," in Proc. IEEE GLOBECOM, 2008, pp. 1–6.

[18] L. Wischhof, A. Ebner, and H. Rohling, "Information dissemination in self-organizing intervehicle networks," IEEE Trans. Intell. Transp. Syst., vol. 6, no. 1, pp. 90–101, Mar. 2005.

[19] B. Scheuermann, C. Lochert, J. Rybicki, and M. Mauve, "A fundamental scalability criterion for data aggregation in VANETs," in Proc. 15th Annu. Int. Conf. MobiCom, New York, 2009, pp. 285–296.

[20] IEEE Standard for Wireless Access in Vehicular Environments (WAVE)—Multi-Channel Operation, IEEE Std. 1609.4-2010, 2011 (Revision of IEEE Std. 1609.4-2006).

[21] M. O. Rabin, "Efficient dispersal of information for security, load balancing, and fault tolerance," J. ACM, vol. 36, no. 2, pp. 335–348, Apr. 1989.

[22] J. Wang and J. Silvester, "Maximum number of independent paths and radio connectivity," IEEE Trans. Commun., vol. 41, no. 10, pp. 1482–1494, Oct. 1993.

[23] S. Nikoletseas, K. Palem, P. Spirakis, and M. Yung, "Short vertex disjoint paths and multiconnectivity in random graphs: Reliable network computing," in Automata, Languages and Programming, S. Abiteboul and E. Shamir, Eds. Berlin, Germany: Springer-Verlag, 1994, ser. Lecture Notes in Computer Science, pp. 508–519.

[24] C. Bettstetter, "On the minimum node degree and connectivity of a wireless multihop network," in Proc. 3rd ACM Int. Symp. Mobile Ad Hoc Netw. Comput., 2002, pp. 80–91.

[25] J. Tang and G. Xue, "Node-disjoint path routing in wireless networks: Tradeoff between path lifetime and total energy," in Proc. IEEE Int. Conf. Commun., Jun. 2004, vol. 7, pp. 3812–3816.

[26] S. Al-Wakeel and A.-S. Sa, "PRSA: A path redundancy based security algorithm for wireless sensor networks," in Proc. IEEE WCNC, Mar. 2007, pp. 4156–4160.

[27] L. Sitanayah, K. Brown, and C. Sreenan, "Fault-tolerant relay deployment for k node-disjoint paths in wireless sensor networks," in Proc. IFIP WD, Oct. 2011, pp. 1–6.

[28] F. Liu, X. Cheng, and D. Chen, "Insider attacker detection in wireless sensor networks," in Proc. 26th IEEE INFOCOM, May 2007, pp. 1937–1945.

[29] N. Bissmeyer, C. Stresing, and K. Bayarou, "Intrusion detection in VANETs through verification of vehicle movement data," in Proc. IEEE VNC, Dec. 2010, pp. 166–173.

[30] H.-C. Hsiao, A. Studer, R. Dubey, E. Shi, and A. Perrig, "Efficient and secure threshold-based event validation for VANETs," in Proc. 4th ACM Conf. WiSec, New York, 2011, pp. 163–174.

[31] J. Al-Karaki and A. Kamal, "Routing techniques in wireless sensor networks: A survey," IEEE Wireless Commun., vol. 11, no. 6, pp. 6–28, Dec. 2004.

Stefan Dietzel received the Diplom degree in computer science in 2008 from Ulm University, Ulm, Germany, where he is currently working toward the Ph.D. degree.

Between 2010 and 2012, he was with the Distributed and Embedded Systems Security Group, University of Twente, Enschede, The Netherlands. Since 2012, he has been with the Institute of Distributed Systems, Ulm University. His research interests include message dissemination mechanisms in general and in-network data aggregation in particular, as well as security and privacy aspects of vehicular communication.

Jonathan Petit received the Ph.D. degree in networks, systems, and architecture from the University of Toulouse, Toulouse, France, in 2011.

He is currently a Senior Researcher with the Distributed and Embedded Security Group, University of Twente, Enschede, The Netherlands. He is highly involved in the coordination of the European project PRESERVE. His research interests include wireless networks and, more particularly, the security and privacy aspects of vehicular communication.


Geert Heijenk received the M.Sc. degree in computer science and the Ph.D. degree in telecommunications from the University of Twente, Enschede, The Netherlands.

In 1995, he joined Ericsson EuroLab Netherlands, where he worked as a Research Department Manager until 2003. He is a steering committee member of WWIC and IEEE VNC and the vice-chair of COST action "Wireless Networking for Moving Objects." He was a Visiting Researcher with the University of Pennsylvania, Philadelphia, and a Visiting Professor with the University of California, Irvine, and INRIA, Rocquencourt, France. He is currently an Associate Professor with the University of Twente. His area of research is mobile and wireless networking. He is particularly interested in architectures, algorithms, and protocols for cellular, ad hoc, sensor, and vehicular networks.

Frank Kargl received the Diplom and Doctoral degrees in computer science from the University of Ulm, Ulm, Germany. After completing the Habilitation degree with the same University, he joined the Distributed and Embedded Systems Group, the University of Twente, Enschede, the Netherlands.

He is now the Chair of distributed systems with the University of Ulm, as well as a part-time professor with the Distributed and Embedded Security Group, University of Twente. He is currently a Coordinator of the ongoing PRESERVE project that aims to make security and privacy in V2X a reality for upcoming intelligent transportation systems (ITS) deployment. He is the author or coauthor of more than 100 peer-reviewed publications. His research interests include dynamic and cooperative distributed systems and their security and privacy, with a special focus on cooperative intelligent transportation systems. In this area, he has participated in a number of projects, including the Secure Vehicular Communication (SeVeCom) and Privacy Enabled Capability in Cooperative Systems and Safety Applications (PRECIOSA) projects.

Dr. Kargl is actively contributing to the cooperative ITS community through participation in bodies such as the Car-to-Car Communication Consortium, and as a Cochair of events such as the Association for Computing Machinery Conference on Security and Privacy in Wireless and Mobile Networks, IEEE International Symposium on Wireless Vehicular Communications, and IEEE Vehicular Networking Conference.