
SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2013; 6:1–14

Published online 15 February 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.519

RESEARCH ARTICLE

Trust modeling for message relay control and local action decision making in VANETs

Jie Zhang1*, Chen Chen2 and Robin Cohen2

1 School of Computer Engineering, Nanyang Technological University, Singapore, Singapore
2 David R. Cheriton School of Computer Science, University of Waterloo, Waterloo, Canada

ABSTRACT

In this paper, we present a trust-modeling framework for message propagation and evaluation in vehicular ad hoc networks. In the framework, peers share information regarding road condition or safety, and others provide opinions about whether the information can be trusted. More specifically, our trust-based message propagation model collects and propagates peers’ opinions in an efficient, secure, and scalable way by dynamically controlling information dissemination. The trust-based message evaluation model allows peers to derive a local action decision about whether to follow the information by evaluating the information in a distributed and collaborative fashion while taking into account others’ opinions. Experimental results demonstrate that our proposed trust-modeling framework promotes network scalability and system effectiveness, which are the two essentially important factors for the popularization of vehicular ad hoc networks, in information propagation and evaluation under the pervasive presence of false information. In particular, we clarify how our relay control serves to decrease the number of inappropriate actions taken on the basis of malicious information and enables honest peers to produce a greater number of deliveries within the network. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS

trust management; vehicular ad hoc networks; road safety and congestion; message relay control; local action decision making

*Correspondence

Jie Zhang, School of Computer Engineering, Nanyang Technological University, Singapore, Singapore.
E-mail: [email protected]

1. INTRODUCTION

With the advance and wide deployment of wireless communication technologies, vehicle manufacturers and research academia have been heavily engaged in the blueprint of future vehicular ad hoc networks (VANETs). Peers (vehicles) in a VANET communicate with each other by sharing road condition and safety information to enhance passenger and road safety and to effectively route traffic through dense urban areas. Tremendous effort has been spent on the development of life-critical or road condition-related systems, such as traffic view systems [1], safety message sharing [2], cooperative collision avoidance [3], and secure crash reporting [4]. These systems focus mainly on ensuring a reliable delivery of messages among peers. As a result, less focus has been placed on evaluating the quality of information that is sent by peers, to cope with reports from malicious peers that may compromise the network, without the assumption of a pervasively available infrastructure such as an online central authority or road-side units. In addition, little concern has been focused on the design of a control mechanism where, upon detection of false information, it should be immediately controlled to minimize its further negative effect on other peers in the network.

In this paper, we propose a trust-based message propagation and evaluation framework to support the effective evaluation of information sent by peers and the immediate control of false information in a VANET. More specifically, our trust-based message propagation collects peers’ trust opinions about a message sent by a peer (message sender) during the propagation of the message. We improve on an existing cluster-based data-routing mechanism by employing a secure and efficient identity-based aggregation scheme for the aggregation and propagation of the sender’s message and the trust opinions. These trust opinions, weighted by the trustworthiness of the peers (modeled using a combination of role-based and experience-based trust metrics), are used by cluster leaders to compute a majority opinion about the sender’s message to proactively detect false information. Malicious messages are dropped and controlled to a local minimum without further affecting other peers. Our trust-based message evaluation allows each peer to evaluate the trustworthiness of the message by also taking into account other peers’ trust opinions about the message and the peer-to-peer trust of these peers. The result of the evaluation derives an effective local action decision for the peer.

Figure 1. Design of framework.

We evaluate our trust-modeling framework in simulations of real-life traffic scenarios by employing real maps. Vehicle entities involved in the simulations follow traffic rules and road limits. Some entities are possibly malicious and may send false information to mislead others or spread spam messages to jam the network. Experimental results demonstrate that our framework significantly improves network scalability by reducing the utilization of wireless bandwidth caused by a large number of malicious messages. Our system is also demonstrated to be effective in mitigating malicious messages and protecting peers from being affected. Thus, our framework is particularly valuable in the deployment of VANETs by achieving a high level of scalability and effectiveness.

The rest of this paper is organized as follows. First, we give an overview of the data design and major components of our framework in Section 2. We then describe the scalable and secure trust opinion aggregation and propagation in Section 3. We also present peer-to-peer trust modeling in Section 4. We conduct experimental simulations and analysis to evaluate our framework in Section 5. After that, we survey and compare it with some related works in Section 6. Finally, we highlight conclusions and point out future research directions in Section 7.

2. OVERVIEW

The basic idea of our framework is to evaluate and disseminate a message on the basis of its quality. We design our framework in such a way that messages can be evaluated in a distributed and collaborative fashion. At the same time, the dissemination distance of a particular message is largely dependent on its quality, so that our framework ensures that messages of good quality are propagated to the farthest distance while malicious data, such as spam, is controlled to a local minimum. We model the message quality by using a trust-based approach. In other words, the quality of a message is mapped to a trustworthiness value, which can be computed from a collection of distributed feedback from other peers in the network. Specifically, during the message propagation, the peer who receives the message can instantly provide feedback, namely, a trust opinion generated from an equipped analysis module. A set of trust opinions is appended to the message during message propagation. For those who receive the message, their action module may decide to trust or distrust it by computing its trustworthiness from an aggregated list of trust opinions. Apart from the trust modeling on data quality, we further model the behavior of vehicle entities by using a peer-to-peer trust approach. In this section, we describe the data design and main components of our system.

2.1. Data design

Three types of messages are generated in our system: sender message, trust opinion, and aggregate message. A sender peer prepares a sender message: $M = [\mathit{event}, \mathit{confidence}, \mathit{time}, \mathit{location}]$. $\mathit{confidence} \in [0, 1]$ provides flexibility in reporting an event—higher confidence indicates that the sender itself is more confident in the reported event. $\mathit{time} \in \mathbb{N}$ is a positive integer, and $\mathit{location} \in \mathbb{N} \times \mathbb{N}$ is a geographical coordinate, both being available from an equipped global positioning system device. Trust opinion: $O = [\mathit{reaction}, \mathit{confidence}]$, where $\mathit{reaction} \in \{\mathit{trust}, \neg\mathit{trust}\}$ and $\mathit{confidence} \in [0, 1]$, is a message provided by a peer that serves as evaluation of the sender message. Evaluation is conducted by comparing the reported event with the peer’s current knowledge, which may come from a number of equipped car sensors, the local database, or even human interactions. An analysis module in our system provides such an opinion. Aggregate message: $A = [M, O_1, \ldots, O_n]$ is the combination of a sender message and a list of trust opinions from distinct peers.

Let us consider a simple example. A vehicle $V_0$ discovered a car accident and broadcasted a sender message $M$ containing the event description “car accident,” sender confidence, and time and location where $V_0$ spotted the accident. There are another two vehicles near $V_0$, namely $V_1$ and $V_2$. $V_1$ receives the message $M$ and provides a trust opinion with a trust reaction and 0.8 confidence, whereas $V_2$ distrusts the message $M$ and provides a distrust reaction and 0.5 confidence. The trust opinion from $V_1$ is then $O_1 = [\mathit{trust}, 0.8]$, and similarly, the trust opinion from $V_2$ is $O_2 = [\neg\mathit{trust}, 0.5]$. Aggregation on $M$, $O_1$, and $O_2$ can be performed by any third party, and these messages are aggregated into the aggregate message $A = [M, O_1, O_2]$. Note that sender and peer IDs are not included in the messages; instead, they are included in the signed messages. To ensure a secure data dissemination environment, we require all messages to be signed. More details about an identity-based signature scheme will be given in Section 3.1.

2.2. System components

Figure 1 illustrates the modular design of our trust-based framework composed of several major components. Message evaluation contains two modules: analysis module and action module. The analysis module generates trust opinions. It analyzes a sender message’s validity, correctness, and accuracy on the basis of a peer’s local knowledge and attempts to provide a trust opinion of either “trust” or “¬trust.” One important design principle is that the trust opinion should always be generated before any disclosure of the existing trust opinions in the aggregated message. The design of this would involve much consideration from the perspective of hardware design, such as the design of tamper-proof devices, car sensors, and human–computer interactive interfaces. In other words, the generation of the trust opinion is purely based on the peer’s local knowledge, such as direct observations. By doing so, we are capable of coping with gambling peers who give trust opinions by strategically guessing the message trustworthiness from others’ trust opinions so as to quickly and maliciously increase their trust. If a trust opinion can be provided, it is broadcasted and appended to the sender message. The action module is where a local decision is made. It derives a local action by using a trust-based computation model that will be described in Section 3.3.

Message propagation consists of two components: cluster cooperation and the relay control model. On the basis of a cluster-based routing mechanism, the cluster cooperation serves as the foundation for message propagation and trust opinion aggregation. The relay control model works as a filter that controls the relay of messages. The trust opinion aggregation scheme ensures that message evaluation and propagation can be performed with little interference on each other. It provides high flexibility that during message propagation, trust opinions can be aggregated in a secure, scalable, and efficient fashion.

A peer-to-peer trust module manages the trustworthiness of peers. Motivated by the approach of [5], we employ both role-based and experience-based trusts. A minority of vehicles, such as police cars, are assigned a specific role and a specific role trust value. Other vehicles are associated with experience-based trust. Each peer maintains experience-based trust for other peers. The offline central authority assigns roles and updates role-based trust, collects distributed experience-based trust from peers, and praises or punishes peers accordingly. We provide detailed descriptions of these major components in the following sections.

Figure 2. Cluster-based message propagation.

3. TRUST OPINION AGGREGATION AND PROPAGATION

In this section, we describe how trust opinions from peers about a sender message can be effectively aggregated and propagated in the VANET and also demonstrate how the trust opinions help a single peer to derive a local action decision about whether to follow the sender message.

3.1. Cluster-based aggregation

Message relay between each pair of neighboring peers in VANETs often results in wireless channel congestion. To achieve scalable trust opinion aggregation, we rely on a cluster-based data-routing mechanism. A number of cluster-based routing protocols have been proposed to achieve scalability for vehicle-to-vehicle messaging [6–8]. By grouping peers into multiple clusters, the system becomes scalable by having message relay performed between cluster leaders instead of between two neighboring peers. We extend the existing cluster-based routing protocols in two aspects. First, trust opinions from members in the cluster are aggregated and relayed along with the message itself so that the number of messages passed between peers is significantly decreased. Second, we employ the majority opinion computed from trust opinions as the decision of the relay control model, which further increases the scalability of the network by reducing the network bandwidth utilized by malicious messages.

As demonstrated by an example shown in Figure 2, vehicles (peers) are geographically grouped into 10 clusters, that is, from $C_1$ to $C_{10}$. For each cluster $C_i$, a vehicle is randomly chosen from all cluster members (the white nodes) as the cluster leader $L_i$ (the black nodes). Our scheme requires that the cooperation among neighboring cluster leaders is preestablished to help build an intra-cluster link topology (the graph with dashed arrows connecting neighboring black peers) so that messages can be relayed from one cluster to another. Sender $s$ in cluster $C_1$ broadcasts a message $M$ to its members who will provide their trust opinions $O_i$ immediately afterwards. After that, the cluster leader $L_1$ collects $O_i$ and aggregates them into the aggregated message $A$. $L_1$ sends $A$ to the next hop clusters $C_2$, $C_3$, and $C_4$. Upon reception of $A$, the cluster leader (e.g., $L_4$ here) broadcasts $A$ to its cluster members, collects their trust opinions (if any), aggregates them together with the existing $A$ into a new aggregated message $A'$, and computes a relay decision about whether to relay $A'$ to the next hop clusters $C_5$, $C_6$, and $C_7$.

To implement our message aggregation protocol, a secure and efficient aggregation scheme is required. The secure aggregation would require a signature along with each message being sent, which brings two advantages. First, messages cannot be maliciously modified without being detected. Second, once messages are signed, peers cannot deny that the messages are sent by them. Aggregation should also be efficient; otherwise, it would render the system unscalable. We propose an aggregation scheme [9] that extends the identity-based aggregate signature algorithm [10]. Our aggregation scheme introduces two important improvements. It can combine signatures for multiple messages (not just a single message), and it copes with signature redundancy by merging these into the existing signature that remains valid and verifiable. Thus, our proposed scheme is not only secure but also improves both space and time efficiency, with the one merged signature remaining of constant size and messages being aggregated without relying on an aggregation chain. For example, the sender $s$ sends a message $M_0 = [M, ID_0, G_0]$ where $ID_0$ is the sender’s identity and $G_0$ is the signature of $M_0$. Each peer $i$ provides a trust opinion $M_i = [M, O_i, ID_i, G_i]$ for $i \in [1, n]$. An aggregator computes $G' = \sum_{i=0}^{n} G_i$ and generates the aggregated message $A = [M, O_1, \ldots, O_n, ID_0, ID_1, \ldots, ID_n, G']$. The summation of $G_i$ is implemented over bilinear groups constructed by the modified Weil pairing on elliptic curves [11]. A detailed description and the verification of our identity-based aggregation scheme can be found in [9].

3.2. Message relay control

Whereas traditional routing algorithms [12] in vehicular networks use “time-to-live” or “hop-to-live” as a relay decision, our decision is determined by the majority opinion: a message trusted by the majority should be relayed; otherwise, it is to be dropped. Formally, let $P$ be a set of peers whose trust opinions are “trust,” $P = \{i \mid ID_i \in A \text{ and } O_i = [\mathit{trust}, c_i] \in A\}$, and $P'$ be a set of peers whose trust opinions are “¬trust,” $P' = \{i \mid ID_i \in A \text{ and } O_i = [\neg\mathit{trust}, c_i] \in A\}$. A relayer (cluster leader) $L$ computes the weight of “trust” and “¬trust” opinions, respectively, as

$$W_{\mathit{trust}} = \sum_{i \in P} c_i T_i, \qquad W_{\neg\mathit{trust}} = \sum_{i \in P'} c_i T_i \qquad (1)$$

and $T_i \ge t$, where $t$ is a trust threshold set by $L$, $c_i \in [0, 1]$ is the confidence given by peer $i$, and $T_i$ is the peer-to-peer trust of peer $i$. We will introduce the peer-to-peer trust in Section 4. Messages can be relayed only if

$$\frac{W_{\mathit{trust}}}{W_{\mathit{trust}} + W_{\neg\mathit{trust}}} > 1 - e \qquad (2)$$

where $e \in [0, 1]$ is a threshold set by the system to denote the maximum error rate allowed. $e$ is embedded in the protocol and can be adaptive to the current environment, situations, and data types. For example, for more critical messages, such as car accidents, a lower error rate is appreciated; for weather information, a higher error rate can be allowed.

Algorithm 1. Message relay control

    VA ⇐ a cluster leader verifies A upon reception of message A;
    if VA = false then
        return drop;
    else
        broadcasts A to cluster members;
        collects trust opinions Oi from cluster members;
        computes routing decision r using Equation 2;
        if r = relay then
            if Δd > Md or Δt > Mt then
                // out of the maximum propagation distance or the longest time to live
                return drop;
            else
                generates A′ ⇐ A + Oi + ...;
                return relay A′;
            end if
        else
            return drop;
        end if
    end if

Trustworthiness of messages ages with time and distance. The more time elapses and the farther away the event occurred, the less accurate and reliable the data become. We use a mapping function $f_{max} : \Lambda \times Y \to M_t \times M_d$ that maps the sender role $\Lambda$ and the event $Y$ to the maximum time-to-live $M_t$ and the largest propagation distance $M_d$. We define such a mapping function because it is reasonable to set different thresholds for multiple types of messages and for different types of senders. Take the distance $M_d$ for an example. A piece of weather information can have a propagation area of 10 mi$^2$, whereas a life-critical message, for example “sudden brake,” may only be useful within a distance of 200 m. Similarly, the message from an authority role should propagate as far as possible. In short, the relay decision is also based on the following parameters: $M_d$, the maximum propagation distance; $M_t$, the longest time to live; $\Delta d$, the distance between current location and event location; and $\Delta t$, the time that has elapsed since the event occurs. The relayer’s relay control decisions take four steps: (i) verify the aggregated message $A$; in case verification fails, drop $A$; (ii) compute $\Delta d$, $M_d$, $\Delta t$, and $M_t$; if $\Delta d > M_d$ or $\Delta t > M_t$, drop $A$; (iii) compute the weight of opinion; drop $A$ if the majority distrusts $A$ (see Equation 2); and (iv) generate a new aggregated message $A'$ by attaching new trust opinions of cluster members and relay $A'$ to the next hop clusters. A pseudocode summary about how the relay control model works is shown in Algorithm 1.
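The four relay steps and Equations 1 and 2 can be exercised with the Python sketch below. It is an added example, not code from the paper: the function names, the `F_MAX` table values and the sample opinions are constructed, signature verification is reduced to a boolean, and dropping when no usable opinion exists is an assumption of the example.

```python
"""Relay control at a cluster leader: Equations 1-2 and relay steps (i)-(iv)."""
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Opinion:
    trusts: bool       # reaction: True = trust, False = ¬trust
    confidence: float  # c_i in [0, 1]
    peer_trust: float  # T_i in [0, 1], the relayer's trust in the signing peer


# f_max: (sender role, event) -> (M_t in seconds, M_d in metres).
# Role names, event names and limits are constructed sample values.
F_MAX = {
    ("ordinary", "sudden brake"): (30.0, 200.0),
    ("authority", "road closed"): (3600.0, 20000.0),
}

# Constructed opinions; the last peer is below a trust threshold of 0.5.
SAMPLE_OPINIONS = [
    Opinion(True, 0.8, 0.9),
    Opinion(True, 0.6, 0.7),
    Opinion(False, 0.5, 0.6),
    Opinion(False, 1.0, 0.2),
]


def opinion_weights(opinions, threshold):
    """Equation 1, counting only peers whose trust T_i is >= the threshold t."""
    usable = [o for o in opinions if o.peer_trust >= threshold]
    w_trust = sum(o.confidence * o.peer_trust for o in usable if o.trusts)
    w_distrust = sum(o.confidence * o.peer_trust for o in usable if not o.trusts)
    return w_trust, w_distrust


def majority_trusts(opinions, threshold, max_error):
    """Equation 2: W_trust / (W_trust + W_¬trust) > 1 - e."""
    w_trust, w_distrust = opinion_weights(opinions, threshold)
    total = w_trust + w_distrust
    if total == 0.0:
        # Assumption of this example: with no usable opinion the ratio is
        # undefined, so the relayer fails closed and does not relay.
        return False
    return w_trust / total > 1.0 - max_error


def relay_decision(signature_ok, role, event, event_pos, event_time,
                   here, now, opinions, threshold, max_error):
    """Return (decision, reason) in the order of steps (i)-(iv) in the text."""
    if not signature_ok:                         # (i) verify A
        return "drop", "verification failed"
    limits = F_MAX.get((role, event))
    if limits is None:                           # assumption: unknown type is dropped
        return "drop", "no limits for message type"
    max_t, max_d = limits
    delta_d = hypot(here[0] - event_pos[0], here[1] - event_pos[1])
    delta_t = now - event_time
    if delta_d > max_d or delta_t > max_t:       # (ii) distance and time to live
        return "drop", "out of range or expired"
    if not majority_trusts(opinions, threshold, max_error):  # (iii) Equation 2
        return "drop", "majority distrusts"
    # (iv) the leader would now append the new opinions to form A' and relay it.
    return "relay", "majority trusts"


if __name__ == "__main__":
    for t in (0.5, 0.0):
        print(t, relay_decision(True, "ordinary", "sudden brake", (0.0, 0.0), 100.0,
                                (150.0, 0.0), 110.0, SAMPLE_OPINIONS, t, 0.3))
```

With the sample data, lowering the trust threshold from 0.5 to 0 lets the low-trust peer's fully confident distrust opinion count, which is enough to flip the decision from relay to drop.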

Grouping peers into clusters and relaying messages between cluster leaders increase the scalability of the system considerably. Our relay control model further proactively detects malicious messages during information dissemination. Malicious data is therefore dropped and controlled to a local minimum without further affecting other peers. We will demonstrate this important feature of our framework for vehicular networks in Section 5. An aggregated message propagated through our message propagation scheme is then used by the action module to derive an action decision for a peer.

3.3. Local action decision making

The action module derives a local decision for a peer to take an action towards a sender message from trust opinions for the message. Specifically, the aggregated trustworthiness of the message is computed and mapped to an action set $\{\mathit{follow}, \neg\mathit{follow}\}$. Let $A$ denote the aggregated message, $s$ denote the original sender, $P$ denote the peers who contribute trust opinions of “trust,” and $P'$ denote the peers with opinions of “¬trust.” Let $T_A$ denote the aggregated trustworthiness of the message $A$. The action module of peer $p$ computes the following:

$$T_A = \frac{c_s + \sum_{i \in P} c_i - \sum_{i \in P'} c_i}{1 + |P| + |P'|} \qquad (3)$$

where $c_s \in [0, 1]$ is the sender’s confidence in the sender message, $c_i \in [0, 1]$ is the confidence in the trust opinion given by peer $i$, and $T_A \in (-1, 1]$. $T_A$ approaches $-1$ when $P = \emptyset$, $c_i = 1$ for $i \in P'$, and $|P'|$ is large, meaning that the message is fully distrusted. $T_A = 1$ when we have $c_s = c_i = 1$ for $i \in P$ and $P' = \emptyset$, which indicates that the message is fully trusted by the peer.

Considering the sender having a different role from those who provide trust opinions, we employ a sender weight factor $g > 0$ that determines how much weight is placed on the sender. The computation of $T_A$ becomes the following:

$$T_A = \frac{g c_s + \sum_{i \in P} c_i - \sum_{i \in P'} c_i}{g + |P| + |P'|} \qquad (4)$$

The value of $g$ can be customized by each peer in the network. Setting $g$ to a larger value indicates that the peer places more trust on the sender. The case $g = 1$ amounts to Equation 3.

Considering that the peer’s honesty varies, we also employ the peer-to-peer trust module. Each peer $i$ is associated with a trust metric $T_i \in [0, 1]$. We add the trustworthiness of each peer into the computation for the aggregated trustworthiness of the message $A$ as follows:

$$T_A = \frac{g c_s T_s + \sum_{i \in P} c_i T_i - \sum_{i \in P'} c_i T_i}{g T_s + \sum_{i \in P} T_i + \sum_{i \in P'} T_i} \qquad (5)$$

and $T_i \ge t$, where $t \in [0, 1]$ is the trust threshold customized by each peer $p$. The trust threshold helps filter trust opinions from those peers that are not highly trusted. $t$ can be set to a higher value close to 1 so that only trust opinions from highly trusted peers will be used. In practice, the value of $t$ should be determined by the availability of trust opinions. For example, $t$ can be set higher when a larger number of trust opinions are available.

The action module implements a mapping $f_{action} : T_A \to \{\mathit{follow}, \neg\mathit{follow}\}$ that maps the trustworthiness of the message to an action:

$$f_{action} = \begin{cases} \mathit{follow} & \text{if } T_A \ge \varphi; \\ \neg\mathit{follow} & \text{otherwise} \end{cases} \qquad (6)$$

where $\varphi \in [-1, 1]$ is the action threshold. The value of $\varphi$ can be personalized by each peer: a higher action threshold indicates the peer is more “cautious” of following other peers’ advice and vice versa. Under the special situation where the traffic is extremely sparse, both $P$ and $P'$ may be $\emptyset$, and the message only contains the sender’s identity. If we simply compute the aggregated trustworthiness by using Equation 5, which becomes $T_A = \frac{g c_s T_s + 0 + 0}{g T_s + 0 + 0} = c_s$, the trust of the sender is eliminated and thus not considered. Therefore, along with the previous requirement in Equation 6 that $T_A = c_s \ge \varphi$, we further require that a peer follow the message only if $T_s \ge t$. A pseudocode summary about how our action module works is shown in Algorithm 2.

Algorithm 2. Local action decision making

    VA ⇐ a peer verifies A;
    if VA = false then
        return ¬follow;
    else
        computes the value of TA by using Equation 5;
        if TA < φ then
            return ¬follow;
        else
            if P = ∅ and P′ = ∅ then
                // no trust opinion was provided
                if Ts < t then
                    return ¬follow;
                end if
            end if
            return follow;
        end if
    end if
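A runnable version of Equation 5 and Algorithm 2 in Python, added here as an illustration and not taken from the paper. The names and peer-trust values are constructed, the opinion confidences 0.8 and 0.5 are those of the V1/V2 example in Section 2.1, and two choices are assumptions: the empty-opinion check is applied after filtering by the trust threshold, and a zero denominator yields ¬follow.

```python
"""Local action decision: Equation 5, Equation 6 and Algorithm 2."""
from dataclasses import dataclass

FOLLOW = "follow"
NOT_FOLLOW = "¬follow"


@dataclass(frozen=True)
class Opinion:
    trusts: bool       # reaction: True = trust, False = ¬trust
    confidence: float  # c_i in [0, 1]
    peer_trust: float  # T_i in [0, 1], this peer's trust in the signer


# Constructed sample: confidences 0.8 / 0.5 as in the V1 / V2 example, plus
# one low-trust peer that a threshold of 0.5 filters out.
SAMPLE_OPINIONS = [
    Opinion(True, 0.8, 0.9),
    Opinion(False, 0.5, 0.6),
    Opinion(False, 1.0, 0.2),
]


def message_trust(sender_conf, sender_trust, opinions, sender_weight=1.0):
    """Equation 5 over the given opinions.

    sender_conf = c_s, sender_trust = T_s, sender_weight = g.
    Returns None when the denominator is zero (T_s = 0 and no opinions).
    """
    numerator = sender_weight * sender_conf * sender_trust
    denominator = sender_weight * sender_trust
    for o in opinions:
        sign = 1.0 if o.trusts else -1.0
        numerator += sign * o.confidence * o.peer_trust
        denominator += o.peer_trust
    if denominator == 0.0:
        return None
    return numerator / denominator


def local_action(signature_ok, sender_conf, sender_trust, opinions,
                 sender_weight, threshold, action_threshold):
    """Algorithm 2. threshold = t, action_threshold = phi."""
    if not signature_ok:
        return NOT_FOLLOW
    # Equation 5 only uses opinions from peers with T_i >= t.
    usable = [o for o in opinions if o.peer_trust >= threshold]
    t_a = message_trust(sender_conf, sender_trust, usable, sender_weight)
    if t_a is None:
        return NOT_FOLLOW  # assumption: undefined T_A is treated as ¬follow
    if t_a < action_threshold:
        return NOT_FOLLOW
    # With no usable opinion T_A collapses to c_s, so the sender's own trust
    # must pass the threshold. Checking the filtered set is an assumption that
    # also covers the case where every opinion was filtered out.
    if not usable and sender_trust < threshold:
        return NOT_FOLLOW
    return FOLLOW


if __name__ == "__main__":
    print(local_action(True, 0.9, 0.5, SAMPLE_OPINIONS, 1.0, 0.5, 0.3))
    # Sparse traffic: a confident but barely trusted sender and no opinions.
    print(message_trust(0.9, 0.2, []), local_action(True, 0.9, 0.2, [], 1.0, 0.5, 0.3))
```

The sparse-traffic call shows why the extra check exists: a sender with trust 0.2 and confidence 0.9 gets a message trust of about 0.9 from Equation 5 alone, and only the comparison of the sender's trust with the threshold keeps the peer from following it.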

4. PEER-TO-PEER TRUST MODULE

In our system, each peer’s trust is evaluated by a trust metric: either role-based trust or experience-based trust. Let $T_i \in [0, 1]$ denote the peer-to-peer trust of peer $i$, and we have

$$T_i = \begin{cases} T_i^r & \text{if peer } i \text{ has a role;} \\ f(T_{i,p}^e) & \text{otherwise} \end{cases} \qquad (7)$$

where $T_i^r \in [0, 1]$ is the role-based trust of peer $i$ and $T_{i,p}^e \in [-1, 1]$ is the experience-based trust of peer $i$ from peer $p$’s perspective. We map the value of $T^e$ to the same range of $T^r$ by employing a mapping function, for example, $f(x) = (x + 1)/2$.

4.1. Role-based trust

It is known that although most vehicles are for personal purposes, a small number of entities have their specific responsibilities in the traffic system, for example, police cars. Roles are assigned to them, and it is reasonable to assign multiple levels of trust to different roles. The underlying assumption is that vehicles of the same role would behave in a similar way so that any third party can estimate their trust levels before any interaction happens. The roles and role-based trust values in our system are fixed by the offline central authority. To demonstrate the utilization of role-based peer trust, we define three different roles, from the highest to the lowest trust: (i) authority, such as police cars, traffic controllers, and road-side units that serve as part of road infrastructure; (ii) public services, which could be ambulance, fire truck, school bus, public transits, road maintenance cars, and so on; (iii) professional cars, for example, driver-training vehicles, cars whose drivers have more than 10 years of safe driving experience.

5

Page 6: Trust modeling for message relay control and local …trust management; vehicular ad hoc networks; road safety and congestion; message relay control; local action decision making *Correspondence

Figure 3. Map for simulating VANET.

Trust based decision making on message relay and local actions in VANET J. P. Zhang, C. Chen and R. Cohen

We denote the role-based trust of peer $i$ as $T^r_i$, where $T^r : ID \to [0, 1]$; 1 means absolute trust, and 0 represents absolute distrust. The vehicle identity can be mapped to its role and then the role-based trust value. In practice, vehicles periodically download from the offline central authority an up-to-date list of roles, each with a list of vehicle identities.

4.2. Experience-based trust

For most of the peers who do not have a role, we use the experience-based peer trust to dynamically reflect a peer’s trustworthiness in the system. The behavior of a peer is evaluated by other peers, each of whom maintains trustworthiness for a list of peers in the system. The list of trust is preserved in the peer’s local repository.

We denote the peer $i$’s experience-based trust from $p$’s perspective as $T^e_{i,p}$, whose value is in the range of $[-1, 1]$. We simplify the notation of $T^e_{i,p}$ as $T$ in the following formalization. Adapted from [13], if $i$’s trust opinion leads to a correct decision of $p$, peer $p$ increases the trust of $i$ by

$$T \leftarrow \begin{cases} l^{t}(1 - ca)\,T + ca & \text{if } T \geq 0 \\ l^{-t}(1 + ca)\,T + ca & \text{if } T < 0 \end{cases} \tag{8}$$

otherwise, decreases $T$ by

$$T \leftarrow \begin{cases} l^{t}(1 + cb)\,T - cb & \text{if } T \geq 0 \\ l^{-t}(1 - cb)\,T - cb & \text{if } T < 0 \end{cases} \tag{9}$$

where $a, b \in (0, 1)$ are increment and decrement factors, $c \in [0, 1]$ is the confidence value placed by $i$ in the message, $l \in (0, 1)$ is a forgetting factor, and $t \in [0, 1]$ is the time closeness between the current interaction and the previous one. Our calculation of experience-based trust is scalable. It updates a peer’s trustworthiness in a recursive manner. The computation of our experience-based trust is thus linear with respect to the number of times receiving trust opinions from a peer, and only the most recent trust value needs to be stored and used for computation.

The values of $a$ and $b$ should depend on road situations and message types. For example, when traffic is sparse, these values should be set larger, considering the number of trust opinions is small. For emergency-related events, the values should be larger so as to increase or decrease peer trust more rapidly. Besides, it is appreciated that $b > a$ on the basis of the common assumption that peer trust is difficult to build up but easy to tear down.

We add the confidence $c$ as a factor because peers, including the sender, play different roles in the message’s trustworthiness by placing different confidence values. This can be explained by the design of Equation 5, which computes the message’s aggregated trustworthiness from a peer’s trust and confidence. For example, between two peers with the same peer-to-peer trust, the one who has placed a confidence $c = 1$ is making greater impact than the other with a confidence $c = 0.1$. Consequently, those with higher confidence would increase or decrease their trust faster than those with lower confidence. In other words, if a peer provides a correct trust opinion, it should be praised by how much confidence it has placed in the message. The higher confidence value the peer gives, the more she should be praised. This also applies to the other direction, that is, the punishment towards a peer who gives a wrong trust opinion.

We also model the time closeness $t$ as

$$t = \begin{cases} (t_c - t_e)/t_{max} & \text{if } t_c - t_e < t_{max}; \\ 1 & \text{otherwise} \end{cases} \tag{10}$$

where $t_c$ is the current time, $t_e$ is the event time in the message, and $t_{max}$ is the maximum time for a peer to totally forget the experience that happened before time $t_c - t_{max}$. The value of $t_{max}$ is dependent on the frequency of the interactions between two peers in the network, and thus it should be set large under sparse traffic scenarios or small under dense traffic situations.
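The update rules of Equations 7 to 10 can be replayed with the Table I values, as an added example that is not code from the paper or its C++ simulator. The function names, the constructed opinion history (one opinion per 30 s), the clamping of results to [-1, 1], and the comparison of the mapped trust with the 0.10 trust threshold are assumptions of this example.

```python
"""Experience-based trust update (Equations 7-10), added illustration."""

# Parameter values from Table I; the variable names are this example's own.
A_INC = 0.01            # a: experience-trust increment factor
B_DEC = 0.10            # b: experience-trust decrement factor
L_FORGET = 0.95         # l: experience forgetting factor
T_MAX = 100.0           # tmax: maximum time for experience (s)
T_INIT = 0.0            # T0: initial trust value of a vehicle
TRUST_THRESHOLD = 0.10  # trust threshold, assumed to apply to the mapped trust


def time_closeness(t_c, t_e, t_max=T_MAX):
    """Equation 10: (t_c - t_e) / t_max while below t_max, otherwise 1."""
    elapsed = t_c - t_e
    if elapsed < 0:
        raise ValueError("event time lies in the future")
    return elapsed / t_max if elapsed < t_max else 1.0


def update_experience_trust(T, correct, c, t, a=A_INC, b=B_DEC, l=L_FORGET):
    """Apply Equation 8 (correct opinion) or Equation 9 (wrong opinion)."""
    if not (-1.0 <= T <= 1.0 and 0.0 <= c <= 1.0 and 0.0 <= t <= 1.0):
        raise ValueError("T must be in [-1, 1]; c and t must be in [0, 1]")
    forget = l ** t if T >= 0 else l ** (-t)
    if correct:
        scale = (1 - c * a) if T >= 0 else (1 + c * a)
        new_T = forget * scale * T + c * a
    else:
        scale = (1 + c * b) if T >= 0 else (1 - c * b)
        new_T = forget * scale * T - c * b
    # Assumption of this example: for T < 0 and t > 0 the formulas can step
    # outside [-1, 1], so the result is clamped to the range the page states.
    return max(-1.0, min(1.0, new_T))


def peer_trust(T_e, role_trust=None):
    """Equation 7, using f(x) = (x + 1) / 2 for peers without a role."""
    if role_trust is not None:
        return role_trust
    return (T_e + 1.0) / 2.0


def replay(opinions, T=T_INIT):
    """Fold (t_c, t_e, correct, c) opinions into a trust trajectory."""
    trajectory = []
    for t_c, t_e, correct, c in opinions:
        T = update_experience_trust(T, correct, c, time_closeness(t_c, t_e))
        trajectory.append(T)
    return trajectory


def constructed_history(n, correct, start=0.0, gap=30.0, c=1.0):
    """Constructed sample input: n opinions, each on an event 30 s old."""
    return [(start + gap * (k + 1), start + gap * k, correct, c)
            for k in range(n)]


if __name__ == "__main__":
    honest = replay(constructed_history(5, True))
    slipped = replay([(180.0, 150.0, False, 1.0)], T=honest[-1])
    liar = replay(constructed_history(20, False))
    print("after 5 correct opinions:", round(honest[-1], 4))
    print("then 1 wrong opinion    :", round(slipped[-1], 4))
    print("liar, mapped trust      :", round(peer_trust(liar[-1]), 4),
          "below threshold:", peer_trust(liar[-1]) < TRUST_THRESHOLD)
```

With b/a = 10, a single wrong opinion at full confidence more than cancels five correct ones, which is the "hard to build, easy to tear down" property the section describes.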

5. EVALUATION

In this section, we present evaluation results of our trust-based framework through simulations. Implemented in C++, our simulation tool allows us to simulate real-life traffic scenarios by employing real maps with vehicle entities following traffic rules, road limits, and a full list of customizable parameters defined in our trust model. We also simulate a clustering-based routing protocol in our simulation. Compared with other existing vehicular network simulation tools [14–17], our tool is specially designed for trust modeling and cluster-based messaging among potentially thousands of nodes and thus achieves more flexibility and consumes a low amount of computational resources.

We use a map of the East York area of Toronto where a snapshot of its small subarea is shown in Figure 3. Roads are partitioned into multiple road segments, and vehicles are clustered geographically by road segments. We set the length of road segment to 0.5 kilometer, because peers within such a distance can reliably communicate with each other, according to [18]. Vehicles are moving in the map in any possible directions and at different speeds. Entering a new road segment indicates that the peer is switching from one cluster to another. A new leader of a cluster is selected when the current leader moves out of the cluster.

Security Comm. Networks 2013; 6:1–14 © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

We list parameters for our trust modeling in Table I. The purposes and details of these parameters have been introduced in Sections 3 and 4. In our experiments, the sender weight factor g is set to 2 to double the weight of a sender in message evaluation. Assuming that peer dishonesty is well tolerated by the system, we set the peer’s trust threshold t to 0.1 and the maximum error rate e in the relay control model to 0.8. We also set b/a = 10.

Additional parameters for simulating the vehicular network are listed in Table II. We simulate a total number of 1125 vehicle entities. We also set 2% of them as authority roles, such as police cars, road-side units, and traffic controllers. The authority entities are fully reliable and trustworthy and capable of providing other peers with valid observations and trust opinions. We also simulate malicious vehicle entities that always send spam messages. Vehicles in our simulation also have different capability in detecting spam messages. In consequence, they may sometimes provide wrong trust opinions.

Table I. Parameters for trust modeling.

| Parameter | Description | Value |
|---|---|---|
| g | Sender weight factor | 2 |
| t | Trust threshold | 0.10 |
| ’ | Action threshold | 0.20 |
| a | Experience-trust increment factor | 0.01 |
| b | Experience-trust decrement factor | 0.10 |
| l | Experience forgetting factor | 0.95 |
| tmax | Maximum time for experience (s) | 100 |
| e | Error rate allowed for message relay | 0.80 |
| md | Maximum propagation distance (km) | 5.50 |
| mt | Message’s longest time to live (s) | 150 |
| T0 | Initial trust value of a vehicle | 0 |

Table II. Parameters for vehicular network simulation.

| Parameter description | Value |
|---|---|
| Percentage of authority roles | 2% |
| Average number of vehicles per cluster | 5 |
| Probability of turning left/right at cross | 0.2 |
| Road segment length for one cluster | 0.5 km |
| Maximum distance for trust opinion | 1 km |
| Vehicle speed | [15, 30] m/s |

The average number of vehicles per cluster is set to 5 to reflect the road situation during normal hours. The evaluation of the effect of traffic density is left for future work. Vehicle speed is dependent on weather conditions, traffic density, and the speed limit of the road. To simplify our experiment, we assign a unique average speed to each road, where the vehicle’s speed randomly varies ±10% from the average speed. As mentioned in Section 2, the trust opinion is purely based on the peer’s local knowledge. In our experiment, we assume that all messages are observational. From this assumption, we further assume that the analysis module can provide trust opinions only when $\Delta d$, the geographical distance between the event and the peer, is smaller than $d_{max}$, the maximum distance for trust opinions. As a result, we can have the confidence value in the trust opinion determined by the geographical closeness: the closer the event is, the higher confidence value should be provided. In our experiment, confidence $c$ is calculated as follows:

$$c = \begin{cases} (d_{max} - \Delta d)/d_{max} & \text{if } \Delta d < d_{max} \\ 0 & \text{otherwise} \end{cases} \tag{11}$$

5.1. Scalability

Our trust model can improve network scalability by the relay control model, which detects and filters malicious messages during propagation. We evaluate the scalability by introducing the following attack model. Attackers abuse their local vehicular network by frequently sending spam messages, which could be out-of-date information or repeated messages. Spam messages might not be misleading, but they take up a certain portion of wireless resources and lower the utilization rate of available bandwidth. Extra parameters for the evaluation of scalability are listed in Table III. Assuming that spam is easier to detect than misleading messages as the pattern of spams has less variety, we increase the detection rate of analysis module globally by setting it to the uniform distribution from 0.4 to 1.0. We also include fewer attackers by setting the percentage of spammers to 1%, each of whom sends one spam every 5 s, which is much more frequent than misleading messages.

Our evaluation of scalability features four metrics: average propagation distance of spam, average number of received messages per peer, cumulative number of spams received per peer, and global relay effectiveness. Each evaluation metric compares the performance among six predefined scenarios as follows:

• Original: without regard to the trustworthiness of messages, they are simply relayed to the next hop, until the farthest allowed distance is reached.

• Relay control (RC): a relay decision is made on the basis of Equations 1 and 2 but without considering the role-based and experience-based trusts.

• RC+Role: only role-based trust is involved for relay control.

• RC+Exp: only experience-based trust is used for relay control.

• RC+Role+Exp: both role-based trust and experience-based trust are used.

• 100% detection: the ideal case where each peer detects all spam messages.

Table III. Extra parameters for evaluation of scalability.

| Parameter description | Value |
|---|---|
| Percentage of spammers | 1% |
| Spam sending frequency | 1 message/5 s |
| Detection rate of analysis module | Uniform, [0.4, 1.0] |

[Plot omitted. Axes: average number of messages received per peer versus percentage of messages as spam. Curves: original, relay control (rc), rc + role, rc + exp, rc + role + exp, 100% detection.]

Figure 5. Number of messages received.

On the basis of the fact that the number of messages that can be relayed in a fixed time has an upper bound because of limited wireless channel resources, our system becomes more scalable as more normal messages can be relayed, which is achieved by detecting and controlling spam within a shorter distance. The maximum propagation distance without relay control is 5.5 km as defined in our experiment. The relay control reduces the distance of spam by nearly half, as observed in Figure 4. Authority roles further restrict the spam within approximately 2 km away from origin because authority roles have assisted their cluster relayer (leader) to drop the spam at an earlier phase of propagation. From the curves of RC+Exp and RC+Role+Exp, we can conclude that the experience-based trust plays a greater part in spam control as our experiment simulates for a longer time. This also explains why RC+Role achieves better performance at the beginning but is soon overtaken by RC+Exp after 30 min of system time. The curves of RC+Exp and RC+Role+Exp demonstrate the trend of converging to the performance of 100% detection, under which scenario spam is always dropped and never relayed to neighbor clusters, in other words, restricted within 0.5 km (the length of cluster defined in our experiment). As the experience-based trust of spammers is gradually decreased, their messages will not be trusted and not be relayed.

We also measure the number of received messages by adjusting the ratio of spam from 0% to 100%. We track a total number of 14,400 messages during a simulation for 2 h. Experimental results are displayed in Figure 5. The average number of received messages decreases as the percentage of spam increases because of the relay control model. We notice that the RC+Exp curve outperforms the RC+Role curve when the percentage of spam is greater than 23%. This is because peers learn better about spammers during a fixed time as more spam messages are available when the spam ratio is raised.

[Plot omitted. Axes: average propagation distance of spam (km) versus system evolution time (minute). Curves: relay control (rc), rc + role, rc + exp, rc + role + exp, 100% detection.]

Figure 4. Propagation distance of spam.

We then evaluate the cumulative number of spams received per peer as the system evolves. Simulation is conducted for a short duration of 50 min, as well as for a long duration of 230 min. From the simulation of a short time (see Figure 6), we can see that the RC+Exp curve is higher than the RC+Role curve until approximately 33 min later. The explanation for this is that the experience-based trust plays a greater part than role-based trust when enough experience is obtained. After simulating for a longer time (see Figure 7), the RC+Exp and RC+Role+Exp curves grow almost as slowly as the 100% detection curve, which indicates that attackers are well identified with their spam detected and controlled.

We further evaluate system scalability by using the global relay effectiveness, which measures how effectively messages are relayed in the presence of a considerable amount of spam messages. Specifically, we define the global relay effectiveness $R = \frac{1}{N}\sum_{i=1}^{N} R_i$, where $N$ is the total number of clusters and $R_i$ is the relay effectiveness for a single cluster $C_i$, which is computed as $R_i = (1 - S_i/M_i) \times 100\%$, where $S_i$ is the number of relayed spam messages and $M_i$ is the number of all relayed messages by cluster $C_i$. We illustrate the global relay effectiveness in Figure 8. The attack is suspended until 5 min later. From then on, as shown in the original case, the effectiveness drops to around 42% after 120 min. Spams are restricted from dissemination after we apply the relay control model. Role-based trust always improves the effectiveness in that spam messages are further restricted. The global relay effectiveness stops declining and begins to recover after 35 min if the experience-based trust is applied, as can be observed from curves RC+Role+Exp and RC+Exp. As peers become more experienced, the capability of the system to cope with spammers is strengthened.

[Plot omitted. Axes: average number of spams received versus system evolution time (minute), 0 to 50 min. Curves: original, relay control (rc), rc + role, rc + exp, rc + role + exp, 100% detection.]

Figure 6. Average number of spams received per peer (short time).

[Plot omitted. Axes: average number of spams received versus system evolution time (minute), 0 to 200 min. Curves: original, relay control (rc), rc + role, rc + exp, rc + role + exp, 100% detection.]

Figure 7. Average number of spams received per peer (long time).

5.2. Effectiveness

We evaluate the effectiveness of our system in terms of its capability of mitigating against malicious messages and protecting peers from being affected. We define the attack model where attackers jeopardize the network by broadcasting misleading messages on fake events, such as “traffic congestion here”, so as to cheat peers and maximize their own interest. We measure the average number of wrong actions per peer. An instance of “wrong action” indicates that one malicious message is trusted by a certain peer whose action module computes an action decision of “follow” instead of “¬follow”.

[Plot omitted. Axes: relay effectiveness (40% to 100%) versus system evolution time (minute). Curves: 100% detection, rc + role + exp, rc + role, rc + exp, relay control (rc), original.]

Figure 8. Global relay effectiveness.

Extra parameters for evaluating system effectiveness are listed in Table IV. Ten percent of the peers in the system are attackers, each of whom sends a malicious message after every 30 s, which is approximately the time of driving from one cluster to another. Considering that the analysis module generates trust opinions, we define the detection rate $dr$ as follows:

$$dr = \Pr\{D \mid M\} \tag{12}$$

where $D$ is a successful detection given a malicious message $M$. The analysis module generates a trust opinion of “distrust” upon a successful detection and an opinion of “trust” otherwise. To better reflect real situations, we assume that the capability to detect malicious messages varies among peers. In our experiment, the peer’s detection rate follows the uniform distribution of [0.05, 0.95], except for those in authority roles, whose detection rate is the highest and fixed to 1.

We measure the effect of trust opinions under three trust opinion modes:

• No trust opinions: The action module ignores all trust opinions. Specifically, when the peer is within the maximum distance where a trust opinion is available, the action module follows the reaction of the analysis module; otherwise, it simply follows the message.

• Trust opinions + majority voting: The action module computes a local action by using Equation 3 without considering the trustworthiness of peers.

• Trust opinions + experience-based trust: A local action is computed from trust opinions by considering each peer’s trustworthiness by using Equation 5.

We run the simulation for 60 min and sample the data after every 5 min. As shown in Figure 9, each peer makes an average number of approximately 46 wrong actions if trust opinions are excluded. However, this number drastically drops to 19 (i.e., by 65%) if trust opinions are considered. The employment of experience-based trust further decreases the number of wrong actions globally as the system evolves. This is because once a peer obtains its own experience after being cheated by a malicious message, it will update the experience-based trust for those who have provided trust opinions for that message. The malicious peers’ trust is shortly decreased. As a result, the action module improves its accuracy by mitigating against malicious peers.

Table IV. Extra parameters for evaluation of system effectiveness.

| Parameter description | Value |
|---|---|
| Percentage of malicious peers | 10% |
| Frequency of malicious messages | 1 message/30 s |
| Analysis module’s detection rate | Uniform, [0.05, 0.95] |

[Plot omitted. Axes: average number of wrong actions per peer versus system evolution time (minute). Curves: no trust opinion (original), trust opinion + majority voting, trust opinion + experience.]

Figure 9. Effect of trust opinions.

We also evaluate the effect of our peer-to-peer trust model. In our system, the peer-to-peer trust is used in both the action module and relay control model. To demonstrate the effect of peer-to-peer trust on the action module, we evaluate the system effectiveness under two scenarios, namely without and with the relay control model, as shown in Figures 10 and 11. In the absence of the relay control model, both good and bad messages are relayed to the farthest distance without being dropped.

[Plot omitted. Axes: average number of wrong actions per peer versus system evolution time (minute). Curves: original, role, exp, role + exp.]

Figure 10. Effect of P2P trust when relay control model is off.

[Plot omitted. Axes: average number of wrong actions per peer versus system evolution time (minute). Curves: relay control (rc), rc + role, rc + exp, rc + role + exp.]

Figure 11. Effect of P2P trust when relay control model is on.

Two conclusions can be drawn from the two figures. Role-based trust improves the system effectiveness in both scenarios because authority roles are helpful in two ways. First, the trust opinions from authorities are always followed by the action module of peers. Because authority is always trustworthy, the number of wrong actions is decreased. Second, the trust opinions from authorities determine whether a message is to be relayed or dropped. When the relay control model is turned on, the propagation of malicious messages is limited, and thus the negative effect is restricted. This explains why role-based trust decreases the number of wrong actions more in the scenario with relay control than the one without relay control. Experience-based trust improves the system effectiveness as well. As explained earlier, peers accumulate experience and lower the experience-based trust for malicious peers. As a result, the average number of wrong actions is gradually decreased as the system evolves. The performance of both curves (Exp and Role+Exp) is about the same after 60 min, which indicates that the experience-based trust plays a greater part in lowering the wrong decision rate than the role-based trust as the system evolves for a longer time. These results suggest that the role-based trust is especially useful when peers do not have much experience with other peers because of the data sparsity in the VANET environment or because they are new to the system. Experience-based trust is also important because it improves system performance when peers gain more experience in the environment.

Instead of using the average number of wrong actions per peer, we use another evaluation metric “number of deliveries” to demonstrate the system effectiveness from the perspective of social impact. One delivery of the sender is defined as one message reception by some receiver. We study the social impact of peers with different honesty levels. The honesty $h$ of a peer can be defined in possibly many ways, such as the following:

$$h = 1 - \frac{\text{number of malicious messages sent}}{\text{number of messages sent}} \tag{13}$$

We set three honesty levels in our experiment, namely 100%, 50%, and 0% honesty. Figure 12 shows the cumulative number of deliveries as the system evolves. Three peers are randomly chosen from the system, each assigned to a different honesty level. After a simulation for 20 h, it becomes obvious that the peer of 100% honesty has the largest number of deliveries because its messages are trusted and relayed to the longest distance. The cumulative curve for 0% honesty ranks the lowest because most messages from fully dishonest peers are restricted from propagation. It grows even more slowly as the system evolves because peers become more experienced so that the relay control model becomes more accurate in filtering malicious messages. Figure 13 is an alternative graph showing the social impact versus peer honesty. We sample the number of deliveries for each hour and show the trend of each curve as the system evolves for 20 h. Similar to the observations in Figure 12, dishonest peers would have less social impact than honest peers.

[Plot omitted. Axes: accumulative number of deliveries ($10^4$) versus system evolution time (hour). Curves: 100% honesty, 50% honesty, 0% honesty.]

Figure 12. Cumulative number of deliveries.

[Plot omitted. Axes: number of deliveries in each hour ($10^4$) versus system evolution time (hour). Curves: 100% honesty, 50% honesty, 0% honesty.]

Figure 13. Number of deliveries in each hour.

5.3. Discussions on results

We demonstrate the system effectiveness and scalability through an experimental simulation. Throughout the experiment, we emphasize that the system effectiveness and scalability are dependent on two important factors: (i) a peer’s experience with other peers; and (ii) control of malicious messages. With a better understanding and stronger control of malicious messages, system effectiveness is improved as fewer peers are affected. At the same time, the system becomes more scalable as malicious messages are more likely to be detected and dropped.

As the peer accumulates more experience and derives local decisions from a more reliable set of trust opinions, a better local decision can be made. Although the accumulation of experience can be time consuming, the experience-based trust demonstrates a strong effect on system effectiveness and scalability. The existence of authority and role-based trust improves the quality of trust opinions so that fewer wrong action decisions will be derived. The control of malicious messages is implemented by our relay control model. Although it only improves system effectiveness slightly because of the dominating effect of trust opinions, the relay control model greatly improves system scalability as it detects and filters malicious messages.

6. RELATED WORK

Vehicular ad hoc network is one of the most important applications of mobile ad hoc networks (MANETs) [19]. In this section, we first survey some trust models proposed for MANETs and point out their problems when being directly applied to the VANET domain. We then introduce a few existing trust models for VANETs and discuss the advantages of our work compared with them.

Many trust models have been proposed for MANETs [19]. For example, [20] identified several important properties of trust establishment, such as the specification of admissible types of evidences and the generation, distribution, and evaluation of trust evidences in MANETs.

A trust establishment scheme called Hermes is introduced in [21] with the objective of reliable delivery and routing in MANETs. The trust between two neighboring peers is modeled by taking into account confidence information and using a Bayesian approach based on an empirical set of first-hand observations of packet-forwarding behavior of neighboring peers. Choosing the best route between the source and destination amounts to determining the shortest path, where the weight of the path is computed from a set of peer-to-peer trust between the peers within the path. The work in [22] extends [21] in that recommendation trust is introduced to model the trust between two nonneighboring peers. The trust to a remote peer is established by collecting recommendations from a set of other peers.

Similar to [21,22], the work in [23] models the trust evaluation as a path optimization problem on a directed graph where each peer is a vertex and trust between two neighboring peers is an edge. The authors introduced the semiring-based evaluation metric that features two binary operators, + and *. The former operator is used for trust computation over a path of peers, whereas the latter is to compute the optimal aggregated trust among a set of available paths. The two operators can be reloaded via different semiring algorithms so as to adapt to various conditions.

Sun et al. [24,25] presented an information theoretic framework to quantitatively measure and model the trust in ad hoc networks. It first defines three trust axioms: (i) concatenation propagation of trust does not increase trust; (ii) multipath propagation of trust does not reduce trust; (iii) trust based on multiple observations from a single source should not be higher than the multiple observations from multiple independent sources. An entropy-based trust model and a probability-based model are introduced in which the authors showed how to compute trust along a path as well as the overall trust among a set of paths. The trust value between two neighboring nodes is based on observations. Third, the paper discusses how to obtain, evaluate, and update trust when it comes to ad hoc routing. Briefly speaking, each node maintains its trust record about other nodes. The source node finds multiple routes to the destination node when the source node wants to establish a route to the destination node. The source node evaluates the packet-forwarding trustworthiness of each node on a route, either by its own trust record or by requesting recommendations from other nodes. After the best trustworthy route is chosen, data is transmitted. After the transmission, the source node updates the trust records on the basis of its observation of route quality. Compared with their work, our system requires that each peer maintains a list of other peers and derives their trust from messaging and posterior experience.

The methodologies mentioned earlier may not work effectively in vehicular networks because, in practice, the trust cannot be established, maintained, or retrieved unless a reliable route is available, which is difficult to establish in a highly dynamic environment such as vehicular networks. Previous trust-modeling endeavors in MANETs, such as improving routing quality and deriving reliability between arbitrary peers, may become ineffective when it comes to vehicular networks because of their two basic inherent properties. First, peer connection is ephemeral as vehicle entities are moving fast with little time for interaction. Second, interaction between two entities is highly infrequent because of a peer’s mobile nature and the broad real-world environment. As a result, trust establishment is difficult, and even if trust can be established between two vehicle entities, it may be out of date and uncertain. Considering the uncertainty property of trust establishment in MANETs, Balakrishnan et al. [26] expressed the notion of ignorance during the establishment of trust relationships between mobile nodes. A subjective logic-based model is employed to denote the trust as a three-dimensional metric: belief, disbelief, and uncertainty. The uncertainty represents the ignorance between two nodes. Such a representation is useful because an existing peer may not have a record of past evidence towards a newcomer/stranger peer, in which case assigning an arbitrary trust value could bring about problems. Compared with their work, our trust model proposes a different methodology that takes two factors into consideration, namely, a set of fixed roles and the aging factor in experience-based trust. Roles decrease the uncertainty in that their trust is fixed. The aging factor reduces the trust between two entities until new interactions are available.

Only a few trust models have recently been proposed for detecting malicious peers and data in VANETs. For example, the work in [27,28] has focused on the eviction of malicious peers in VANETs via certificate revocation, where malicious peers will be identified and restricted from further hampering the network by the central authority. The mitigation against maliciousness is entity oriented. In their models, the authors assume that the quality of data depends only on the honesty of the sender without considering opinions of other peers about the data. The methodology taken towards the malicious data control is reactive. Specifically, it takes a considerable time for the central authority to distribute an up-to-date revocation list before malicious peers can be identified in a timely manner. Our approach proactively detects malicious data so that the data can be immediately controlled to minimize its further negative effect on other peers.

Golle et al. [29] proposed an approach to detect and correct malicious data in vehicular networks. They assume that each vehicular peer is maintaining a model that consists of all the knowledge that the peer has about the network. Data is trusted if it agrees with the model with a high probability. Otherwise, a heuristic is invoked to restore data consistency by finding the simplest explanation possible. Multiple explanations are ranked, and the peers accept the data if it is consistent with the most highly ranked one(s). However, they assume that each vehicle has the global knowledge of the network and solely evaluates the validity of data, which may not be feasible in practice. Our work also provides high resistance and security against malicious entities by using a fundamentally different way of message evaluation. Instead of relying on an assumed model and seeking explanations, messages in our model are evaluated in a distributed and collaborative fashion by collecting multiple opinions during their propagation.

Raya et al. [30] applied trust to data evaluation in vehicular networks. In contrast to traditional views of entity-oriented trust, they proposed data-centric trust establishment that deals with the evaluation of trustworthiness of messages from other peers instead of vehicle entities themselves. A set of trust metrics is defined to represent the data trust from multiple dimensions, such as a vehicle's security status, peer type, and event type. On the basis of Bayesian inference and Dempster–Shafer theory, they evaluated the decision logic that outputs the trust values of various data regarding a particular event. Their work shares some commonalities with ours, such as the employment of data trust. One of the shortcomings of their work is that trust relationship in entities can never be reliably established. The data-centric trust has to be established again and again for each event, which may not be applicable to situations under the sparse environment where only limited evidence about the event is available. Our framework employs role-based trust to cope with the data sparsity problem. We also incorporate both data trust and peer trust together in our framework to detect malicious data as well as possibly malicious peers.

Possibly the closest to our model, Dotzer [31] suggested building a distributed reputation model that exploits a notion called opinion piggybacking where each forwarding peer (of the message regarding an event) appends its own opinion about the trustworthiness of the data. He provided an algorithm that allows a peer to generate an opinion about the data on the basis of aggregated opinions appended to the message and various other trust metrics including direct trust, indirect trust, sender-based reputation level, and Geo-Situation-oriented reputation level. In our framework, we also introduce the trust-based message propagation to control the spread of malicious messages to increase network scalability.

Security Comm. Networks 2013; 6:1–14 © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

7. CONCLUSION AND FUTURE WORK

We presented a novel message evaluation and propagation framework based on trust modeling for message relay control and local action decision making in VANETs, where a set of trust metrics, including trust opinions, experience-based trust, and role-based trust, are used to model the quality of information shared by peers as well as the trust relationships between peers. Our proposed message evaluation approach is conducted in a distributed and collaborative fashion during message propagation and effectively increases the overall data reliability and system effectiveness by proactively detecting malicious data. We also proposed that message relay control should be trust based, filtering malicious data to promote network scalability. Experimental results demonstrate that our trust-modeling approach works effectively for the domain of vehicular networks.

Our trust aggregation and message propagation model is built on a cluster-based routing scheme where cluster leaders are responsible for judging whether to relay data on the basis of the relay control model. For future work, we will consider the presence of malicious leaders who intentionally drop messages. We will investigate a set of detection and revocation mechanisms to cope with this issue by dynamically selecting trustworthy leaders or introducing backup leaders.

For future work, we will vary different parameters in our simulations to more comprehensively evaluate the performance of our system. For example, in real-life scenarios, it is very likely that only a subset of trust opinions is available for aggregation because of complex road settings. We will evaluate the effectiveness of our system in these cases. More complex scenarios may also be employed. For example, we will simulate the scenario where vehicle density varies to examine the capability of our system in coping with data sparsity. We will also simulate the situation where the aggregation of messages may take a long time and examine the robustness of our system in dealing with this situation. More sophisticated attack models may also be simulated to evaluate the resistance of our system to, for example, peer collusion attacks.

A final direction for future research would be to employ richer models of trust as part of our framework. Minhas et al. have recently introduced two new elements to their trust model: (i) distinguishing direct and indirect reports that are shared; and (ii) employing a penalty for misleading reports to promote honesty [32]. It would be interesting to investigate how these aspects of trust modeling would influence the message propagation within the network. It would also be useful to compare the extended trust model of Minhas et al. with other trust models surveyed in Section 6 to choose the most effective one for our message propagation and evaluation framework.

REFERENCES

1. Nadeem T, Dashtinezhad S, Liao C, Iftode L. Trafficview: traffic data dissemination using car-to-car communication. ACM SIGMOBILE Mobile Computing and Communications Review 2004; 8(3):6–19.

2. Xu Q, Mak T, Ko J, Sengupta R. Vehicle-to-vehicle safety messaging in DSRC. In Proceedings of the ACM International Workshop on Vehicular Ad Hoc Networks, 2004; 19–28.

3. ElBatt T, Goel SK, amd Hariharan Krishnan GH, Parikh J. Cooperative collision warning using dedicated short range wireless communications. In Proceedings of the ACM International Workshop on Vehicular Ad Hoc Networks, 2006; 1–9.

4. Rahman SU, Hengartner U. Secure crash reporting in vehicular ad hoc networks. In Proceedings of the International Conference on Security and Privacy in Communication Networks, 2007; 443–452.

5. Minhas UF, Zhang J, Tran T, Cohen R. A multifaceted approach to modeling agent trust for effective communication in the application of mobile ad hoc vehicular networks. IEEE Transactions on Systems, Man, and Cybernetics–Part C: Applications and Reviews (SMCC) 2011; 41(3):407–420.

6. Wu J. Dominating-set-based routing in ad hoc wireless networks. In Handbook of Wireless Networks and Mobile Computing. John Wiley & Sons, Inc: New York, USA, 2002; 425–450.

7. Blum J, Eskandarian A, Hoffman L. Mobility management in IVC networks. In Proceedings of the IEEE Intelligent Vehicles Symposium, 2003; 150–155.

8. Little TD, Agarwal A. An information propagation scheme for VANETs. In Proceedings of the IEEE Conference on Intelligent Transportation Systems, 2005.

9. Chen C, Zhang J, Cohen R, Ho PH. Secure and efficient trust opinion aggregation for vehicular ad-hoc networks. In Proceedings of the IEEE 72nd Vehicular Technology Conference (VTC), 2010.

10. Gentry C, Ramzan Z. Identity-based aggregate signatures. In Proceedings of the International Conference on Theory and Practice of Public-Key Cryptography, 2006; 257–273.

11. Boneh D, Lynn B, Shacham H. Short signatures from the Weil pairing. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, 2001; 514–532.


12. Li F, Wang Y. Routing in vehicular ad hoc networks: a survey. IEEE Vehicular Technology Magazine 2007; 2(2):12–22.

13. Tran T. Reputation-oriented reinforcement learning strategies for economically-motivated agents in electronic market environments. PhD Thesis, University of Waterloo, Canada, 2004.

14. Lochert C, Barthels A, Cervantes A, Mauve M, Caliskan M. Multiple simulator interlinking environment for IVC. In Proceedings of the 2nd ACM International Workshop on Vehicular Ad Hoc Networks (VANET), 2005; 87–88.

15. Choffnes DR, Bustamante FE. An integrated mobility and traffic model for vehicular wireless networks. In Proceedings of the 2nd ACM International Workshop on Vehicular Ad Hoc Networks (VANET), 2005; 69–78.

16. Mangharam R, Weller DS, Stancil DD, Rajkumar R, Parikh JS. GrooveSim: a topography-accurate simulator for geographic routing in vehicular networks. In Proceedings of the 2nd ACM International Workshop on Vehicular Ad Hoc Networks (VANET), 2005; 59–68.

17. Saha AK, Johnson DB. Modeling mobility for vehicular ad-hoc networks. In Proceedings of the 1st ACM International Workshop on Vehicular Ad Hoc Networks (VANET), 2004; 91–92.

18. Zhu J, Roy S. MAC for dedicated short range communications in intelligent transport system. IEEE Communications Magazine 2003; 41(12):60–67.

19. Zhang J. A survey on trust management for VANETs. In Proceedings of the 25th International Conference on Advanced Information Networking and Applications (AINA), 2011.

20. Eschenauer L, Gligor VD, Baras J. On trust establishment in mobile ad-hoc networks. In Proceedings of the Security Protocols Workshop. Springer-Verlag: Berlin, Heidelberg, 2002; 47–66.

21. Zouridaki C, Mark BL, Hejmo M, Thomas RK. A quantitative trust establishment framework for reliable data packet delivery in MANETs. In Proceedings of the 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), 2005; 1–10.

22. Zouridaki C, Mark BL, Hejmo M, Thomas RK. Robust cooperative trust establishment for MANETs. In Proceedings of the fourth ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), 2006; 23–34.

23. Theodorakopoulos G, Baras J. On trust models and trust evaluation metrics for ad hoc networks. IEEE Journal on Selected Areas in Communications 2006; 24(2):318–328.

24. Sun Y, Yu W, Han Z, Liu K. Trust modeling and evaluation in ad hoc networks. In Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM), 2005.

25. Sun YL, Yu W, Han Z, Liu K. Information theoretic framework of trust modeling and evaluation for ad hoc networks. IEEE Journal on Selected Areas in Communications 2006; 24(2):305–317.

26. Balakrishnan V, Varadharajan V, Tupakula U. Subjective logic based trust model for mobile ad hoc networks. In Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm), 2008; 1–11.

27. Haas JJ, Hu YC, Laberteaux KP. Design and analysis of a lightweight certificate revocation mechanism for VANET. In Proceedings of the sixth ACM International Workshop on VehiculAr InterNETworking, 2009; 89–98.

28. Raya M, Papadimitratos P, Aad I, Jungels D, Hubaux JP. Eviction of misbehaving and faulty nodes in vehicular networks. IEEE Journal on Selected Areas in Communications 2007; 25(8):1557–1568.

29. Golle P, Greene D, Staddon J. Detecting and correcting malicious data in VANETs. In Proceedings of the ACM International Workshop on Vehicular Ad Hoc Networks, 2004; 29–37.

30. Raya M, Papadimitratos P, Gligor VD, Hubaux JP. On data-centric trust establishment in ephemeral ad hoc networks. In Proceedings of the IEEE Conference on Computer Communications, 2008; 1238–1246.

31. Dotzer F. Vars: a vehicle ad-hoc network reputation system. In Proceedings of the IEEE International Symposium on a World of Wireless Mobile and Multimedia Networks, 2005.

32. Minhas UF, Zhang J, Tran T, Cohen R. Intelligent agents in mobile vehicular ad-hoc networks: leveraging trust modeling based on direct experience with incentives for honesty. In Proceedings of the IEEE/WIC/ACM International Conference on Intelligent Agent Technology (IAT), 2010.
