Sage Journals: Discover world-class research

Abstract

Establishing trust and reputation for evaluation of message reliability is key to the vehicular ad hoc networks (VANETs). Most of the previous reputation management systems focus on the effectiveness of the reputation management system in handling the liars who send false service messages. However, these reputation management systems have two drawbacks. One is that they are vulnerable to tactical attacks such as self-promoting attacks and bad-mouthing attacks. The other is that they may violate location privacy because they assume every vehicle communicates with a unique ID. Our research particularly investigates the robustness against these tactical attacks, as well as the preservation of privacy by integrating trust management with the pseudonym technique. To resist the tactical attacks in VANETs, we present a reputation model which builds both service reputation and feedback reputation. Moreover, we apply the information entropy and the majority rule to the reputation accumulation algorithms to counter false feedback. To defend the reputation link attack during pseudonym changes, we propose hidden-zone strategy and k-anonymity strategy. The simulation results show that our scheme is robust to these tactical attacks and preserves privacy against the reputation link attack during the pseudonym changes.

1. Introduction

A vehicular ad hoc network (VANET) typically consists of roadside infrastructure and vehicles that are connected in a self-organized way. It supports safety applications, convenience applications, and commercial applications, such as collision warning, congested road notification, and infotainment. These applications are highly dependent on the liable messages generated by vehicles. Because false messages may lead to failures, injuries, and even deaths, false information should not be transferred by the neighbor node which affects the overall performance of network [1]. Traditional network security approaches such as the use of firewall, access control, and authorized certification are greatly investigated to secure VANETs. These approaches, known as hard security mechanisms [2], are very effective in protecting VANETs from external attackers. However, what if some internal attackers (the vehicles with true legal IDs) intentionally produce false messages to cheat others? For example, a malicious internal vehicle may send a false congestion warning to let other vehicles make unnecessary detours. In such case, the validation of a sender's ID cannot guarantee the truth of the message. A potential way to address such problems is using trust management [3], which are also known as soft security mechanisms [2].

1.1. Motivation

There have already been many reputation systems proposed for other environments, such as peer-to-peer networks [4], ad hoc networks [5], and wireless sensor networks [6]. However, these reputation systems are not feasible for VANETs because they do not concern the characteristics of VANETs, such as high dynamics and privacy concerns. Recently, some trust management systems [7–14] have been proposed for VANETs. However, they have two drawbacks.

First, these trust management systems may be vulnerable to tactical attacks. In the preliminary stage, the trust management systems in VANETs are designed to deal with the basic attack—lying, in which the liars send false service messages individually. However, when realizing the effect of trust management systems incorporated into the VANET, the malicious vehicles are likely to target the trust management system using some more complicated attacks which we call tactical attacks. For example, a couple of vehicles can form a collusion group and quickly promote the reputation of a member by enormous positive feedback; a service provider vehicle can bad-mouth his rival by intentionally giving negative feedback. Therefore, the VANET suffers not only the malicious behaviors of vehicles, but also the trust management system [15]. Unfortunately, these aforementioned trust management systems in VANETs do not consider these tactical attacks in their trust models. Trust model, which is the core of a trust management system, takes the responsibility for profiling the honest and the malicious behaviors. Robust trust model against tactical attacks in VANETs must be taken into account.

Second, current trust management systems [16, 17] proposed for VANETs do not consider the issue of privacy preservation. Most of these previous trust management systems assume every vehicle communicates with a unique ID rather than pseudonyms, which is not practical in VANETs due to privacy issues. The RaBTM [18] (roadside unit and beacon-based trust management system) employs pseudonyms in the reputation system to enhance privacy preservation. We will make comparisons with RaBTM and highlight the feature of our work in Section 6. In fact, an adversary vehicle can easily track a target vehicle by following the target's unique ID in the messages, which greatly violates the target vehicle's location privacy. Unlike other ad hoc networks, every vehicle in VANET is tightly related to a user (driver). Disclosure of the location information of a vehicle is a potential threat to the user's privacy. Location privacy preservation is a significant issue in a VANET because people's concerns about privacy will prevent them from accepting the VANET. An efficient way to address this issue is to use the pseudonym technique [19, 20]. In a pseudonym-enabled VANET, every vehicle has multiple pseudonyms. To preserve their location privacy, vehicles will periodically change their pseudonyms when they are broadcasting messages. When designing a trust and reputation management system in a VANET, it is necessary to employ pseudonyms instead of unique IDs for vehicles.

However, integrating the trust management with the pseudonym technique is not as easy as it seems. As the reputation value becomes the visible information in most messages, we find that there is a reputation link attack that may threaten the location privacy. The reputation link attack refers to the fact that the adversaries can link the pseudonyms by linking reputations involved in the target's messages. The classical mix-zone (a zone designed for pseudonym changes and trying to decrease the probability of linking) [20] can deal with linking of velocity, location, acceleration, and so forth, but it does not work on the reputation link attack. For instance (Figure 1), we assume only pseudonym and velocity are visible. An attacker is tracking the target $V_{A}$ . At time $t_{0}$ , the attacker can get $V_{A}$ 's pseudonym and velocity (Ally, 15 km/h); then the vehicles slow down to 0 km/h at the intersection because of red traffic lights; at time $t_{1}$ (the lights turn green), $V_{A}$ and $V_{B}$ change their pseudonyms simultaneously in a location-based mix-zone (i.e., the intersection), and the attacker gets the new information (Alex, 0 km/h) and (Bob, 0 km/h). Then the attacker can infer that either Alex or Bob was Ally. So the mix-zone decreases the probability of linking to 50%. A location-based mix-zone can adjust information such as velocity, location, and acceleration to be indistinguishable, but it does not work on the reputation because reputation is less flexible. For example (Figure 2), we assume that pseudonym, velocity, and reputation in messages are visible. $V_{A}$ is the target. The mix-zone makes the velocities of $V_{A}$ and $V_{B}$ be the same (0 km/h). So the velocities are indistinguishable at $t_{1}$ and cannot be linked. However, the attacker can link “Alex” to “Ally” by linking the reputations 10. In a word, the classical mix-zones cannot address the reputation link attack because they are not able to adjust the less flexible information—reputation.

Figure 1

An example in which the mix-zone decreases the probability of velocity link to 50%.

Figure 2

An example in which the mix-zone cannot preserve privacy against reputation link attack.

The reputation link attack, which may violate the untraceability of VANETs, is an important issue in designing a trust management system because the reputation link attack makes it easier for an attacker to keep track of a target's location information. Furthermore, with the location information and some additional knowledge, such as home/work location pairs, the attacker may identify the driver with a probability of over 50% [21]. For example, an attacker tracks the competitor and gets his most-visited locations. Then the attacker may identify the driver by correlating these locations with the home/work location pairs obtained from the web, for example, online social networks.

1.2. Contributions

In this paper, we present a reputation management scheme that overcomes these two drawbacks.

First, we propose a reputation model, which is not only effective in dealing with false messages, but also robust to the tactical attacks. We assume false messages are generated by malicious vehicles for their own benefit. We model service reputation for every vehicle, which can be used to identify malicious vehicles that provide low quality services. Most collusion attacks are with false feedback, so we propose feedback reputation to model the quality of feedback. In addition, we propose robust aggregation algorithms, which use the majority rule and information entropy to mitigate the threat of collusion attacks.

Second, we present a hidden-zone strategy and a k-anonymity strategy to preserve location privacy against reputation link attacks. The hidden-zone strategy hides the reputation value in a distance, which is effective in dealing with local active attackers (LAAs) [22]. The k-anonymity strategy generalizes the reputation values to achieve a k-anonymity, which is effective in handling both LAAs and global passive attackers (GPAs) [22].

Third, we model the tradeoff between privacy and utility mathematically for the k-anonymity strategy.

The rest of the paper is organized as follows. Section 2 introduces a pseudonym-enabled VANET model, a reputation management mechanism, and attack models. Section 3 describes the proposed reputation model. Section 4 presents our strategies against the reputation link attack. Section 5 evaluates our scheme via simulations. Section 6 discusses the related work. Section 7 concludes this study.

2. System Overview

In this section, we describe the pseudonym-enabled VANET model and the reputation management mechanism on it. Then we introduce some attack models.

2.1. Network Model

The network involved in our RPRep scheme consists of three entities (Figure 3): vehicles, RSUs, and servers. Every vehicle is equipped with an onboard unit (OBU), which is able to broadcast and receive messages via wireless communication. Applications are running on vehicles and each vehicle can be a service provider. We assume most vehicles are honest, while some of them are malicious and send false service messages or false feedback messages. The RSU is a wireless communication device deployed along the roadside. It is connected with servers and acts as a communication interface between vehicles and servers. We assume that RSU can be trusted. In our scheme, the pseudonym server and the reputation server are also trusted authorities. The pseudonym server issues and verifies pseudonym certificates. The reputation server maintains the reputation of vehicles and issues reputation certificates.

Figure 3

The pseudonym-enabled VANET model.

2.2. Reputation Management Mechanism

We incorporate the reputation management mechanism into the pseudonym-enabled VANET. We describe the reputation management mechanism using an example. The notations used are listed in the List of Notations shown at the end of the paper.

Step 1.

A vehicle $V_{A}$ registers to the pseudonym server PseServ and gets a bunch of pseudonym certificates from it. A pseudonym certificate PCert does not contain any identifiable information and cannot be used to link to a particular user or to another pseudonymous certificate. Basic pseudonym approaches [23] are adopted in this paper because we mainly focus on the combination of “trust” and “pseudonym” rather than the “pseudonym” technique itself. More complicated signature and certificate schemes for realizing pseudonyms are surveyed in [24].

Vehicles are equipped with pseudonyms and their corresponding secret keys. When sending a message, a vehicle signs it with its secret key and attaches the signature and the pseudonym certificate to the message so that receivers can verify the signature.

Step 2.

The $V_{A}$ needs to get reputation certificates from the reputation server RepServ. Every day when $V_{A}$ enters the region of a RSU, $V_{A}$ sends the request message with a set of pseudonyms to the reputation server. The reputation server verifies these pseudonyms and then issues the latest reputation certificates to $V_{A}$ , where the reputation certificate $R C e r t = (P s n y m, d, R e p, σ_{1})$ . Psnym is the pseudonym, d is the current data, the Rep is the reputation value, and $σ_{1}$ is the signature of RepServ. To make Rep more understandable to those applications, we let $R e p = ⌈10 \times S R e p⌉$ , which maps reputation values to the set of ${1,2, \dots, 10}$ . In addition, to preserve location privacy, Rep can also be a generalized value which will be discussed in Section 4.

Step 3.

The $V_{A}$ broadcasts a service message SMsg with a reputation certificate, where $S M s g = (P s n y m, R C e r t, E, σ_{2})$ . $σ_{2}$ is the signature of $V_{A}$ . Every service message is associated with an event E, where $E = (E I D, t, p, E T y p e, C o n t e n t)$ . When any event happens, the vehicle will generate a unique event identity (EID) through a hash function. The time t is when the event happens; p is where the event happens. Additionally, during the broadcasting, $V_{A}$ changes pseudonyms periodically to preserve location privacy.

Step 4.

When $V_{B}$ receives the message SMsg, $V_{B}$ will verify the signatures and then gets the reputation Rep of $V_{A}$ from it. Then $V_{B}$ makes the decision to receive $V_{A}$ 's service or not. If $V_{B}$ consumes $V_{A}$ 's service, $V_{B}$ will be able to generate feedback FMsg and report it to the reputation server RepServ, where $F M s g = (T a r g e t, F e e d b a c k e r, S M s g, R, σ_{3})$ , where $T a r g e t$ is $P s n y m_{V_{A}}$ , $F e e d b a c k e r$ is $P s n y m_{V_{B}}$ , R is a rating to the event, and $σ_{3}$ is the signature of $V_{B}$ .

Step 5.

The reputation server collects the feedback messages, aggregates the reputation values, and updates the records of $V_{A}$ and $V_{B}$ . The reputation server maintains a vehicle record as (VID, SRep, FRep, Roletrust, FMsgRecord, FEventRecord, PsnymRecord, isRevoked), where the VID is the unique ID of every vehicle maintained by the PseServ, SRep is the service reputation, FRep is the feedback reputation, and Roletrust is the trust in vehicle's roles. FMsgRecord, FEventRecord, and PsnymRecord are the caches of FMsg, FEvent, and pseudonyms. isRevoked is an indicator that indicates whether this vehicle is revoked.

2.3. Attack Models

We assume servers and RSUs are protected against fraudulent access by well-established security mechanisms. We also assume the malicious vehicles cannot fake signatures and pseudonym certificates, and the Sybil attack is avoided. Denial-of-service attacks are considered out of the scope of this paper.

Apart from “lying,” on which the aforementioned reputation systems focus, there are a few other potential malicious behaviors in the VANET. We model these attacks in the following.

2.3.1. Self-Promoting Attack

In self-promoting attacks [25], attackers tend to unfairly augment their own reputation. Typically, in the VANET, a group of malicious vehicles stay with a target vehicle in a separate space and collaborate to give numerous positive feedback messages to increase the target's reputation. With the manipulated high reputation, the target is able to convince an increased number of vehicles of the reality of its message even if it is actually false. One feature of the self-promoting attack is that the positive ratings on the attacker are largely from a small crowd of colluding vehicles.

2.3.2. Bad-Mouthing Attack

In some cases, the malicious vehicles collude to give negative feedback on a target in order to corrupt its reputation. This attack often happens among the competitor vehicles that are providing similar services. The attackers can use the bad-mouthing attack [26] to slander their competitors. The bad-mouthing attack differs from the self-promoting attack because the bad-mouthing attackers cannot collaborate with the target vehicle to separate from other honest vehicles. In addition to the ratings provided by the attackers, the reputation server also receives a large number of ratings from other honest vehicles, which is helpful in identifying false feedback messages. Therefore, modeling the feedback reputation may be effective in mitigating bad-mouthing attacks.

2.3.3. Reputation Link Attack

In the process of a pseudonym change, the vector $F = (P s n y m, R e p, T i m e, L o c a t i o n, V e l o c i t y, \dots)$ can represent the factors of a message. We assume a mix-zone can make the factors such as location and velocity indistinguishable. Thereby we focus on the subset (Psnym, Rep) which can be observed and used by an attacker to carry on a reputation link attack.

For example (Table 1), a cluster of vehicles— $V_{A}$ , $V_{B}$ , and $V_{C}$ —change pseudonyms simultaneously. The target vehicle $V_{A}$ changes pseudonym from Ally to Alex. But if an attacker gets the original table (OT) (Table 1(a)) and the changed table (CT) (Table 1(b)), it is easy for the attacker to link Alex to Ally by Rep = 10. One way to address this issue is to block the information of CT; another way is to make Repsk-anonymity like that in GT (Table 1(c)).

Table 1

Original table, changed table, and generalization table. (a) Original table (OT) before pseudonym change; (b) changed table (CT) after pseudonym change; (c) generalization table (GT), where $k = 3$ .

	(a)

Psnym		Rep

Ally		10
Bob		8
Clark		8

	(b)

Psnym		Rep

Alex		10
Brent		8
Carl		8

	(c)

Psnym		Rep

Alex		8–10
Brent		8–10
Carl		8–10

The objective of the attack is to track the vehicles and breach their location privacies. Such an attacker can be abstracted as (i) global passive attacker (GPA) [22] that can eavesdrop all communications of any vehicle in a monitored area and (ii) local active attacker (LAA) [22] that can follow a target and eavesdrop its messages.

3. Reputation Model

In this section, we propose a robust reputation model. Unlike previous trust models in VANETs, our model is meant to deal with both the liars and tactical attackers.

3.1. Basic Concepts

We first introduce some basic concepts involved in our reputation model.

3.1.1. Service Reputation and Feedback Reputation

The concepts of trust and reputation in human society have been extended into the VANETs. Since vehicles in a VANET have various applications which can interact intelligently with each other just as humans do, the introduction of trust and reputation in this kind of network is natural. Basically, reputation is public knowledge and represents the collective opinion of a node in a network. In this paper, we adopt the following definition [27].

Definition 1.

Reputation is the global perception of a vehicle's trustworthiness in a VANET.

Interactions and feedback of vehicles provide information to measure trust among them [28]. There are mainly two types of messages in our scheme, service messages and feedback messages, so we model service reputation and feedback reputation accordingly. The service reputation models the reliability of service messages. We assume false service messages are intentionally sent by the malicious vehicles, so a low service reputation implies the malicious vehicle, thereby allowing the service consumer vehicles to make better decisions. In our scheme, the service reputation will be published in the reputation certificate as Rep, which is discussed in Section 2.2. The feedback reputation evaluates the quality of ratings in the feedback messages. We use it to identify false feedback, which is often exploited by self-promoting and bad-mouthing attackers.

3.1.2. Experience-Based Trust and Role-Based Trust

We consider a vehicle trustworthy if it has a good history of providing service or if it demonstrates a specialized or authority role such as bus, ambulance, and police car. So reputation can be built up by experience-based trust and role-based trust in our reputation model. The experience-based trust refers to the degree to which the feedbacker believes a target vehicle's service message. A role in the reputation model represents a set of vehicles that are of this role. The role-based trust refers to the general belief in a role. The specialized or authority vehicles can be verified by a trustworthy government department and register to the VANET.

In particular, because there is insufficient feedback in the beginning of a VANET, which is also known as the cold start issue [29], the reputation is mainly built up by role-based trust. Then, the vehicles communicate and the reputation server accumulates the feedback. When there is sufficient feedback, we calculate the reputation largely using experience-based trust.

3.2. Rating Generation Module

Recall the example in Section 2.2; $V_{A}$ broadcasts a message and $V_{B}$ need to report feedback $F M s g = (T a r g e t, F e e d b a c k e r, S M s g, R, σ_{3})$ to the reputation server. We will describe how $V_{B}$ generates a rating.

The rating is defined by

\begin{matrix} R = o \times c, \end{matrix}

(1)

where o is the opinion and c is the confidence.

When $V_{B}$ observes the event using its own sensors, $V_{B}$ can give an opinion o on SMsg, where o is defined by

\begin{matrix} o = \{\begin{cases} 1, & if  positive  opinion, \\ - 1, & if  negative  opinion . \end{cases} \end{matrix}

(2)

The confidence c consists of time closeness, location closeness, and sensing condition. The TC is the time closeness between the observation and the event, where $T C = {λ_{T}}^{(T_{1} - T_{0})}$ , $λ_{T} \in (0,1]$ is a constant, and $T_{1}$ and $T_{0}$ measured in seconds are time of the observation and the event, respectively. The LC is the location closeness between the observation and the event, where $L C = {λ_{L}}^{|P_{1} - P_{0}|}$ . $λ_{L} \in (0,1]$ is a constant. $P_{1}$ and $P_{0}$ measured in meters are location vectors of the observation and the event, respectively. We model the sensing condition related to the velocity of the vehicle. When $V_{B}$ is at a low velocity, it has the more confidence in its observation. We define $S C = {λ_{C}}^{V}$ , where $λ_{C} \in (0,1]$ is a constant, measured in kilometers per hour as the velocity of the vehicle $V_{B}$ . Then, the confidence c is defined by

\begin{matrix} c = \sum \frac{ω_{T} \cdot T C + ω_{L} \cdot L C + ω_{S} \cdot S C}{ω_{T} + ω_{L} + ω_{S}}, \end{matrix}

(3)

where

ω_{T}

ω_{L}

, and

ω_{S}

are the weights of time closeness, location closeness, and sensing condition, respectively.

3.3. Reputation Aggregation Module

As Figure 4 shows, when the reputation server receives feedback ${F M s g}_{B} (A)$ from $V_{B}$ , it checks with the new feedback on whether $V_{A}$ is valid and $V_{B}$ 's feedback reputation is positive, whether the number of feedback messages on the event is greater than a threshold $Ф_{F M s g}$ , whether the number of events announced by $V_{A}$ is greater than the size of window, and whether the information entropy H of messages on $V_{A}$ is greater than a threshold $Ψ_{e n t r o p y}$ .

Figure 4

Reputation aggregation procedures.

Then, $S R e p_{A}$ and $R R e p_{B}$ are calculated and updated.

3.4. Service-Reputation Aggregation Algorithm

In our model, feedback messages and events are steadily accumulated by the reputation server. Typically, an event $E_{i}$ is associated with $N_{i}$ feedback messages. We take the latest $Ф_{W i n d o w}$ events within time τ as a window.

In the self-promoting attack, a set of vehicles give enormous positive feedback on a member. In our collusion detection method, we use information entropy to evaluate the feedback in the window. Large information entropy implies that a great many vehicles participate in feedback. In this case, it is difficult for attackers to raise or slander the reputation. On the contrary, a low information entropy probably implies collusion. According to the information theory, probability of a feedbacker vehicle $V_{j}$ is

\begin{matrix} P_{V_{j}} = \frac{1}{\sum_{i = 1}^{Φ_{W i n d o w}} N_{i}} \cdot \sum_{i = 1}^{Φ_{W i n d o w}} \frac{f (V_{j}, E_{i})}{N_{i}}, \end{matrix}

(4)

where f is a function defined by

\begin{matrix} f (v, e) = \{\begin{cases} 1, & if  vehicle v sent  a F M s g on  event e, \\ 0, & otherwise . \end{cases} \end{matrix}

(5)

The information entropy

\begin{matrix} H = - \sum_{j = 1} (P_{V_{j}} \cdot \log_{2} P_{V_{j}}) . \end{matrix}

(6)

H < Ψ_{e n t r o p y}

, it means the new feedback message

{F M s g}_{B} (A)

brings less information, and the feedback should be dropped. Otherwise, we continue to aggregate the service reputation.

Trust in an event is calculated by

\begin{matrix} TRUST (E_{i}) = \frac{\sum_{j = 1}^{N_{i}} (R \cdot F R e p (F e e d b a c k e r))}{N_{i} \cdot \sum_{j = 1}^{N_{i}} F R e p (F e e d b a c k e r)}, \end{matrix}

(7)

where R and

F e e d b a c k e r

are with the feedback

{F M s g}_{j}

Then, the weight of each event is defined by $ω_{i} = [τ - (t_{c} - t_{e})] / τ$ , where $t_{c}$ is the current time and $t_{e}$ is the time of event. For the events in the window, we put more weight on the recent ones.

Lastly, the service reputation of $V_{A}$ is defined by

\begin{matrix} S R e p_{A} = \{\begin{cases} \frac{\sum_{i = 1}^{Φ_{W i n d o w}} (T R U S T (E_{i}) \cdot ω_{i})}{\sum_{i = 1}^{Φ_{W i n d o w}} ω_{i}}, & if  NUM (E) \geq Φ_{W i n d o w}, \\ R o l e t r u s t_{A}, & otherwise . \end{cases} \end{matrix}

(8)

3.5. Feedback Reputation Aggregation Algorithm

We use the majority rule to evaluate the quality of a rating. The function $g (F M s g, E)$ is defined by whether the message FMsg is consistent with the majority of ratings on an event, which is

\begin{matrix} g (F M s g, E) = \{\begin{cases} g_{1}, & if F M s g is consistent with the majority, \\ g_{2}, & otherwise . \end{cases} \end{matrix}

(9)

g_{1}

and

g_{2}

are constants. The feedback reputation of

V_{B}

is updated as

\begin{matrix} F R e p_{B} ⟵ (λ^{t_{c} - t_{l}} \cdot F R e p_{B}) \cdot (1 - γ) + g (F M s g_{B} (A), E) \cdot γ, \end{matrix}

(10)

where E is the event of

F M s g_{B} (A)

t_{c}

is the current time,

t_{l}

is the last update time, and λ is the decay factor; EType is of event E and γ is the increment factor. Additionally, the initial

F R e p_{B}

is assigned by

R o l e t r u s t_{B}

There are probably tactical attacks on feedback reputation as well. Two steps in Figure 4 can also mitigate this type of attacks. First, the number of feedback messages on the event must be greater than a threshold $Ф_{F M s g}$ , which means the attackers need to send a large number of feedback messages to launch an attack. In this way, the cost of attack is raised. Second, the information entropy of feedback messages must be greater than a threshold $Ψ_{e n t r o p y}$ , which implies the feedback messages must come from a large number of different vehicles rather than only a few fixed ones. The attackers need to have a large colluding group to raise feedback reputation. Therefore, this method raises the cost of attackers greatly. And the attack on feedback reputation is mitigated.

3.6. Reputation Update and Vehicle Revocation

The reputation server keeps track of every vehicle with records of (VID, SRep, FRep, Roletrust, FMsgRecord, FEventRecord, isRevoked). In our example, when the reputation aggregations are completed, SRep, FMsgRecord, and FEventRecord of vehicle $V_{A}$ will be updated, and so will be the FRep of vehicle $V_{B}$ .

If $S R e p_{A} < 0$ , the vehicle $V_{A}$ is considered to be malicious and must be revoked from the reputation management system. Consequently, the revocation indicator isRevoked is set to true and the reputation management system will no longer issue new reputation certificates to $V_{A}$ . Consequently, when $V_{A}$ 's reputation certificates expire, $V_{A}$ is thoroughly revoked from the VANET. How to quickly revoke a vehicle is out of the scope of this paper.

4. Location Privacy Preservation

In this section, we present strategies to preserve location privacy against reputation link attack.

In a classical VANET, the attackers can track a target vehicle by linking the information in the messages such as location, velocity, and acceleration. Mix-zone technologies have been studied to address this problem, which are mainly classified into two categories—location-based mix-zone [20] and silent mix-zone [19]. The location-based mix-zone technique suggests pseudonym changes at social spots where many vehicles may gather, for example, road intersections. The basic idea of the silent mix-zone is that vehicles should not transmit messages in a period and they should change pseudonyms during the silent periods.

In a VANET with a reputation management system, the reputation value in most messages is observable. The reputation value can also be exploited by adversaries for tracking. However, the mix-zone techniques mentioned above cannot address the reputation link attack.

We propose two strategies to defend the reputation link attack: one is using hidden-zone to prevent the attacker from getting sufficient knowledge and the other is using k-anonymity to make the reputation values undistinguishable. Specifically, we will describe the strategies in a location-based mix-zone scenario. These strategies can also be adjusted to adapt silent mix-zones.

4.1. Hidden-Zone Strategy

In a reputation link attack, the attacker needs both the original table (OT) and the changed table (CT) to link the target's reputation values. Keeping the attacker from the knowledge of the changed table (CT) helps to defend against the attack. Suppose the attacker is a local active attacker (LAA); if the target and the neighbors hide their reputation values in the transmission range of the attacker's, the attacker can hardly identify the target. To this end, we present the hidden-zone strategy for pseudonym change. The idea of hidden-zone is inspired by the silent mix-zone [19]. But they are quite different. The hidden-zone hides reputation values in a restricted zone, while the silent mix-zone forbids messages for a random period.

Protocol (Hidden-Zone Strategy) (1)

A vehicle $V_{i}$ stops at an intersection when the traffic light is red.

(2)

When the traffic light turns to green, $V_{i}$ changes pseudonym and hides the reputation certificate from messages.

(3)

When $V_{i}$ goes further than a transmission range from the intersection, $V_{i}$ shows a reputation certificate in messages.

For example (Figure 5), a cluster of vehicles $V_{A}$ , $V_{B}$ , and $V_{C}$ change pseudonyms in a mix-zone when traffic light turns to green at time $t_{1}$ . Then they hide their Reps until they are beyond the hidden-zone whose radius is larger than the attacker's transmission range r. Suppose the LAA is tracking the target $V_{A}$ all the way and it is in the intersection at time $t_{2}$ . When $V_{A}$ , $V_{B}$ , and $V_{C}$ drive out of the hidden-zone, LAA cannot receive any messages from $V_{A}$ and $V_{C}$ ; thus LAA cannot carry out a reputation link attack and consequently $V_{A}$ avoids the reputation link attack.

Figure 5

An example of hidden-zone strategy.

The performance of the hidden-zone strategy relates to intersections types. Suppose there are n directions for a vehicle to leave a mix-zone, for example, three directions in a four-way intersection and two directions in a three-way intersection. Let $d_{i}$ be the direction i and let $P (d_{i})$ be the probability that a vehicle turns into direction $d_{i}$ , where $P (d_{i}) = 1 / n$ . Let $k_{0}$ ( $k_{0} \geq 1$ ) be the number of vehicles whose reputation values are the same as the target's. Then the probability P that the target is correctly tracked by an attacker is calculated as follows:

\begin{matrix} P = \sum_{i} [P (d_{i}) \cdot P (t a r g e t ∣ d_{i})] = \frac{1}{n} \cdot \sum_{i} P (t a r g e t ∣ d_{i}) = \frac{1}{(n \cdot k_{0})} . \end{matrix}

(11)

As the probability is inverse to both n and

k_{0}

, increasing n and

k_{0}

seems to be a good way to enhance privacy preservation. However, n is always limited by the real-world intersections and

k_{0}

is not under control.

The hidden-zone strategy has some drawbacks. First, it is ineffective in handling a global passive attacker (GPA) because the GPA's monitored area is large and secret and makes it hard to construct a hidden-zone. As Figure 5 shows, the hidden-zone cannot keep the GPA from the original table (OT) and the changed table (CT). Second, hiding reputation certificates may cause inconsistence for services that depend on reputation values. So the hidden-zone strategy is suitable for the delay-tolerant services and not feasible for the time-critical services. Therefore, we present a k-anonymity strategy that overcomes these drawbacks.

4.2. k-Anonymity Strategy

The k-anonymity concept was presented by Sweeney [30] for a data center to publish private medical records. Inspired by it, we define the k-anonymity of a vehicle.

Definition 2 (k-anonymity of a vehicle).

Let $T (P s n y m, R e p)$ be a table and let Rep be the quasi-identifier. A tuple (vehicle) is said to satisfy k-anonymity if and only if there are at least k occurrences in $T (R e p)$ .

The k-anonymity strategy is to make the changed table's tuples be k-anonymity. Generalization is an approach to implement k-anonymity. For example, with the Value Generalization Hierarchy (VGH) in Figure 6, we generalize the changed table (CT) to a generalized table (GT) (Table 1(c)) where three vehicles $V_{A}$ , $V_{B}$ , and $V_{C}$ have the same Rep. $V_{A}$ is 3-anonymity after generalization, which means that the attacker's chance of linking $V_{A}$ 's pseudonyms is reduced to 1/3. So the generalization effectively mitigates the reputation link attack on $V_{A}$ .

Figure 6

Value Generalization Hierarchy of Rep.

The k-anonymity strategy is as follows.

Protocol (k-Anonymity Strategy) (1)

A vehicle $V_{i}$ stops at an intersection when the traffic light is red.

(2)

$V_{i}$ broadcasts its accurate reputation value (in level 0) and privacy preferences. Meanwhile, it collects the messages from other vehicles.

(3)

When the traffic light turns to green, $V_{i}$ stops broadcasting.

(4)

$V_{i}$ carries on an anonymization algorithm and gets the result for reputation generalization.

(5)

$V_{i}$ changes pseudonym and shows appropriate reputation certificates in messages.

The k-anonymity strategy overcomes the weaknesses of the hidden-zone strategy. This strategy is effective in not only the LAAs but also the GPAs because it works even if the attacker has full knowledge of vehicles in a mix-zone. For example (Figure 7), a cluster of vehicles $V_{A}$ , $V_{B}$ , and $V_{C}$ change pseudonyms in a mix-zone when traffic light turns to green at time $t_{1}$ . Meanwhile, these vehicles generalize their Reps collaboratively to achieve a k-anonymity. Although both the LAA and GPA have all information of $V_{A}$ , $V_{B}$ , and $V_{C}$ before and after $t_{1}$ , they cannot link the Rep values because the vehicles Alex, Brent, and Carl have the same Rep after $t_{1}$ . In addition, the k-anonymity strategy makes a pseudonym change consistent.

Figure 7

An example of k-anonymity strategy.

However, there is still one issue with the k-anonymity strategy, which is how to balance the privacy and utility when generalizing the reputation values.

Given that $R e p_{l e v e l 0}$ is $V_{i}$ 's accurate reputation in VGH and $R e p_{g}$ is the generalized reputation, we have the following.

Definition 3 (generalization degree, GD).

The generalization degree of a reputation value $R e p_{g}$ is

\begin{matrix} G D (R e p_{g}) = \frac{|R e p_{g}|}{|R e p_{l e v e l 0}|}, \end{matrix}

(12)

where

|R e p_{g}|

and

|R e p_{l e v e l 0}|

refer to the domain of

R e p_{g}

and

R e p_{l e v e l 0}

, respectively. Specifically, in our VGH,

|R e p_{l e v e l 0}| = 1

, so

G D (R e p_{g}) = |R e p_{g}|

. For example, if a reputation 9 is generalized to be

[8 – 10]

, then

G D ([8 – 10]) = |[8 – 10]| / |[9]| = 3

Definition 4 (effectiveness of a reputation value Rep).

Consider

\begin{matrix} Eff (R e p) = \frac{|V G H_{l e v e l 0}| - |R e p|}{|V G H_{l e v e l 0}| - 1}, \end{matrix}

(13)

where

|V G H_{l e v e l 0}|

refers to the domain of VGH at level 0. Specifically, for the VGH in Figure 6,

|V G H_{l e v e l 0}| = 10

. For example, if Rep is at level 0, for example, 9, then

|R e p| = 1

and

E f f ([9]) = 1

; if Rep is at level 2, that is,

[1 – 10]

, then

|R e p| = 10

and

E f f ([1 – 10]) = 0

, which means that

R e p [1 – 10]

is ineffective for the trust management system.

The relationship between GD and Eff can be inferred so that

\begin{matrix} Eff (R e p) = \frac{|V G H_{l e v e l 0}| - G D (R e p) \cdot |R e p_{l e v e l 0}|}{|V G H_{l e v e l 0}| - 1} . \end{matrix}

(14)

With the VGH in Figure 6,

|V G H_{l e v e l 0}| = 10

|R e p_{l e v e l 0}| = 1

, so

\begin{matrix} Eff (R e p) = \frac{10}{9} - \frac{1}{9} GD (R e p) . \end{matrix}

(15)

Therefore, in conclusion, Eff and GD have an inverse relationship. This comes to be a tradeoff issue. A large GD may get a high k-anonymity to preserve privacy, but it may lead to a less effective reputation value for reputation management.

To address this issue, we use an Eff threshold M to balance Eff and GD. Every vehicle must not generalize its reputation value when the Eff is lower than the threshold M.

5. Evaluation

In this section, we present the evaluation of our RPRep scheme. We use the Veins [31] simulator which is based on OMNeT++, an event-based network simulator, and SUMO, a road traffic simulator. We use a map of the University of Erlangen-Nuremberg, Germany. Figure 8 shows a snapshot of one of our simulation runs. For the simulations in Sections 5.1 and 5.2, we fix the total number of vehicles to 50.

Figure 8

Map for simulating VANET.

5.1. Effectiveness

In our first simulation, we evaluate the effectiveness of RPRep in countering liars. There it consists of 10% authority vehicles and 90% common vehicles. Some of the common vehicles are liars who broadcast false congestion messages every 90 seconds to cheat others. When a vehicle is deceived by a congestion message, it makes a detour, so it travels a longer way instead of the planned way. We vary the number of liars from 0% to 30% and use the average distance of vehicles in the VANET to measure the change.

The results are presented in Figure 9. When there is no liar in the VANET, the average distance of all vehicles is about 3280 meters. As the number of liars increases, the average distance gets longer because the vehicles are confused by the false congestion messages. When 30% are liars, the average distance of the traditional VANET gets up to 3956 meters, which is much longer than that of the VANET with RPRep. The vehicles in the VANET with RPRep are less disturbed by false messages because the RPRep helps them identify the liars. As expected, our RPRep scheme is effective in countering malicious vehicles that send false service messages.

Figure 9

Average distance of all vehicles when there are different percentages of liars.

5.2. Robustness

5.2.1. Robustness of RPRep under Self-Promoting Attack

This experiment evaluates the robustness of RPRep under a self-promoting attack. We randomly designate a vehicle $V_{A}$ as a malicious one and 6 vehicles as colluders. When $V_{A}$ is moving together with its colluders, $V_{A}$ broadcasts false messages and the colluders report positive feedback messages to the reputation server. By this means, $V_{A}$ promotes its reputation rapidly. Figure 10 shows the results of the self-promoting attack. In the beginning, $V_{A}$ 's reputation decreases. But when the self-promoting attack starts, $V_{A}$ 's reputation increases rapidly to 10 if the RPRep does not have collusion detection. In contrast, our RPRep uses the information entropy of the feedback messages to mitigate the collusion, which prevents $V_{A}$ from manipulating its reputation. In the self-promoting attack, $V_{A}$ avoids the witnesses (honest vehicles) and works only with the colluders. So the feedback messages about $V_{A}$ come largely from these colluders, leading to low information entropy. We use an entropy threshold ( $Ψ_{e n t r o p y} = 3.0$ ) to filter out the false feedback messages and greatly mitigate $V_{A}$ 's self-promoting attack. Using this method our RPRep is robust to the self-promoting attack.

Figure 10

Reputation of the malicious vehicle in the self-promoting attack.

5.2.2. Robustness of RPRep under Bad-Mouthing Attack

This experiment is in a scenario with bad-mouthing attack. The target $V_{A}$ is a new honest vehicle that broadcasts real service messages. A group of attackers (malicious vehicles) try to slander $V_{A}$ by reporting negative feedback messages. In addition to these attackers, other vehicles are honest in reporting feedback messages. We vary the number of attackers from 2 to 4 and evaluate the feedback reputation's (FRep's) effect on defending bad-mouthing attacks. We compare two approaches: RPRep with feedback reputation and RPRep without feedback reputation. The results are shown in Figure 11. When the experiment starts, $V_{A}$ accumulates the reputation gradually. Then after a short while, the attackers start to report negative feedback messages about $V_{A}$ . With feedback reputation in RPRep, the reputation of the target $V_{A}$ is slightly affected by the bad-mouthing attack. However, without feedback reputation in RPRep, the reputation of the target $V_{A}$ is greatly disturbed and gets a lower rate of convergence. Moreover, when the number of attackers increases, in the case of RPRep with feedback reputation, the reputation of $V_{A}$ still keeps a high rate of convergence, while, in the case of RPRep without feedback reputation, the reputation of $V_{A}$ gets a much lower rate of convergence. Therefore, the modeling of feedback reputation enables the RPRep scheme to be robust to the bad-mouthing attacks.

Figure 11

Reputation of the target in the bad-mouthing attack.

5.3. Location Privacy Preservation

We define a metric “tracking rate” for the evaluations of location privacy preservation.

Definition 5 (tracking rate).

Tracking rate $T R a t e (G T)$ denotes the rate that an attacker correctly tracks the target among the vehicles of the generalization table (GT),

\begin{matrix} T R a t e (G T) = \frac{N u m (c o r r e c t t r a c k i n g i n s t a n c e s)}{N u m (t r a c k i n g i n s t a n c e s)} . \end{matrix}

(16)

In this privacy-preservation scenario, first, we evaluate the performances of the strategies under the tracking attack, which are the naïve strategy, the hidden-zone strategy, the k-anonymity strategy, and the

h - k

strategy (hybrid strategy of hidden-zone and k-anonymity). In this simulation, the vehicles will change their pseudonyms in the mix-zones at 4-way intersections. The attacker tracks a target using the reputation link method. When there are multiple linkable vehicles, the attacker randomly follows one. We set

k = 2

for the generalization algorithm. When a LAA attacks (Figure 12(a)), the

h - k

strategy is the best defense. The naïve strategy (traditional location-based mix-zone) cannot resist the reputation link attack unless there are a large number of vehicles. The hidden-zone strategy performs a little better than the k-anonymity strategy. However, when GPAs attack (Figure 12(b)), the hidden-zone strategy is as less useful as the naïve strategy. The k-anonymity strategy performs best, which has a low tracking rate even when there are a small number of vehicles. In conclusion, the hidden-zone strategy can defend reputation link attacks of LAAs rather than those of GPAs, while the k-anonymity strategy can defend attacks of both LAAs and GPAs. This result verifies the analysis in Section 4.1.

Second, we investigate the impact of k in the k-anonymity strategy. In this simulation, the attackers are GPAs. As k increases from 2 to 4, the tracking rate decreases slightly (Figure 13(a)), but the effectiveness of reputation values increases sharply (Figure 13(b)), especially when there are only a few vehicles. Effective reputation values are essential for the trust management system. Therefore, to make a good tradeoff between the tracking rate and the utility of reputation values, we let $k = 2$ in our scheme.

Figure 12

Performance of strategies under tracking attack.

Figure 13

Impact of k.

6. Related Work

The implementation of trustworthy security and privacy mechanisms is still the main challenges in VANETs [32]. Cooperative VANET applications rely on the messages sent by vehicles. An open question [33] is the following: how can one vehicle trust a message received from another? Thus, trust is supposed to be built to allow each vehicle to detect dishonest ones as well as malicious data sent by these dishonest ones and to give incentives for vehicles to behave honestly [34].

A number of research studies have proposed some digital signature and authentication schemes to enable trustworthy communication in VANETs. The work in [35, 36] designed an endorsement mechanism based on threshold signatures to deal with internal attacks. The work in [37] introduced an ID-based proxy signature technique with ECDSA for authentication in VANETs, which combines the properties of an identity-based signature along with the features of a proxy signature. Their scheme is improved by overcoming a private key reveal attack [8]. The work in [38] introduced a conditional privacy-preserving communication protocol for VANETs based on proxy resignature, which is characterized by the trusted authority designating the RSUs to translate signatures computed by the OBUs into ones that are valid with respect to the trusted authority's public key. The work in [39] proposed a decentralized lightweight authentication scheme called the trust-extended authentication mechanism (TEAM) for highly dynamic VANETs. These cryptographic methods ensure integrity and nonrepudiation and increase the vehicles' confidence for communications, but they cannot guarantee the quality or reliability of the message data itself.

Some trust and reputation mechanisms have been designed for VANETs and the main issues studied by them can be categorized as follows.

(A) What should be considered as evidence to build trust and reputation in VANETs? Wei and Chen [18] and Chen and Wei [13] proposed a beacon-based trust management system called RaBTM that aims to thwart internal malicious attackers more precisely in VANETs. In their system, by computing the similarity between the claimed position, velocity, and direction with the estimated values, they determine the trustworthiness of the vehicle that is sending the beacons. Antolino Rivas and Guerrero-Zapata [40] studied chains of trust to share information about points of interest in VANETs. They let users append their signed reviews to the original message and use these reviews to build trust among the users. Minhas et al. [9] developed a framework that models the trustworthiness of the agents of vehicles in order to receive the most effective information. Their multifaceted trust-modeling approach incorporates direct experiences and vehicle roles to build trust. Actually, since every vehicle is highly related to a human driver, both vehicle attributes and drivers' social relationships can be used to build trust for VANETs.

(B) What is specific of the trust management in VANETs? Lo and Tsai [7] consider a false traffic warning message as a message with inaccurate traffic information due to two reasons. First, the status of traffic events such as location and size is dynamically changed over time. Second, vehicles may have different sensing capabilities since they have different sensors. Based on these assumptions, they presented a reputation system which uses a cooperative event observation mechanism. Wang et al. [41] argue that, in a VANET, a source vehicle must rely on other vehicles to forward its packets on multihop routes to the destination. Thus, they highlight the trust propagation in routing. They presented a trust routing method by introducing the concept of attribute similarity. Abumansoor and Boukerche [42] describe a case of non-line of sight caused by obstacles, which interrupts direct communication among vehicles and prevents vehicles from properly monitoring their neighboring nodes. This will lead vehicles to evaluate the trustworthiness of others unfairly. So they proposed a trust evaluation model based on location information and verification to address this issue.

(C) Should the trust management system be decentralized or centralized? Gómez Mármol and Martínez Pérez [10] surveyed the trust management in P2P networks, wireless sensor networks, and ad hoc networks and presented a decentralized scheme TRIP to quickly and accurately distinguish malicious or selfish nodes spreading false messages throughout the VANETs. Zhang et al. [14] presented a trust-modeling framework for message propagation and evaluation in VANETs. Their model allows vehicles to make decisions about whether to follow the message by evaluation in a distributed way while taking into account others' opinions. However, these decentralized trust systems, which rely on large numbers of interactions with neighbors, are not practical in the highly dynamic environment of a VANET. To handle the dynamics of VANETs, Huang et al. [43] presented a situation-aware trust scheme SAT, which includes an attribute based policy control model and a proactive trust model to build trust among vehicles. The weakness is that the users may need rich knowledge to define and adjust a policy. Li et al. [11] designed an efficient announcement scheme that takes advantage of the centralized infrastructure in a highly dynamic environment of VANETs. In their scheme, a trusted reputation server issues reputation certificates to vehicles and later they use these reputation certificates in communication with other vehicles. Because the feedback is collected from all vehicles in the VANET instead of neighbors, the issue of lacking interactions faced by decentralized trust systems is well addressed in this scheme. Our scheme is centralized, which is similar to Li et al.'s. Nevertheless, Li et al.'s scheme only considers the naïve liars and assumes a unique identity for each vehicle rather than pseudonyms. So their scheme is less robust against tactical attacks and less effective in preserving privacy.

(D) How can we model the misbehavior? Minhas et al. [9] model liars in their multifaceted trust model, which may send false traffic information to mislead other vehicles and cause traffic congestion. Gazdar et al. [44] model two different misbehaviors: malicious and selfish. In their trust model, a malicious vehicle can broadcast a message about an unreal event, and a selfish vehicle can reduce its forwarding rate in order to keep its throughput only for its own data transmission. A lot of work considers only the liars; however, when a trust management system is integrated into a VANET, the malicious vehicles may carry out many tactical attacks on it. In our scheme, we address some of the potential tactical attacks, including self-promoting attack and bad-mouthing attack.

(E) How can we preserve privacy? Driving privacy or vehicle anonymity is a critical concern in VANETs [45]. Li and Chigan [12] state that privacy protection and reputation management impose conflicting requirements in VANETs because of the following: privacy protection makes it challenging to maintain the reputation history of any node; reputation management requires real-time reputation manifestation at risk of easier vehicle tracking. They presented a decentralized scheme JPRA, which uses 1-hop neighbors and a partially blind signature technique, to solve these conflicting requirements. This leads to other concerns such as ensuring that the neighbors are trustworthy. In general, most previous trust management systems for VANETs pay more attention to trust issues than privacy preservation.

The RaBTM proposed by Wei and Chen [13, 18] is one of the most related works. They incorporate pseudo identity in their scheme for privacy preservation. However, they do not address the problem of reputation link attack. Thereby in RaBTM, the adversary can trace a vehicle by linking the reputations. Another very related work is IncogniSense which is proposed by Christin et al. [46]. The IncogniSense introduces a concept reputation cloaking to address the reputation link problem in the scenario of participatory sensing. One of the reputation cloaking techniques is to give small disturbance to reputation to make it more generic; for example, reputation 5.1 and reputation 5.2 can be floored to 5. The IncogniSense mainly protects client's privacy from the server, while our scheme preserves vehicle's privacy from other vehicles in the process of message broadcasting. In the scenario of participatory sensing, pseudonym changers are all the clients; but in the scenario of broadcasting in a VANET, the pseudonym changers are usually a small number of vehicles in a mix-zone (e.g., an intersection). So the Floor Function of IncogniSense can probably preserve privacy in the scenario of participatory sensing, but it may not guarantee a k-anonymity in VANET. In our scheme, we combine a reputation management system with the pseudonym technique to enhance privacy preservation in VANETs. We strengthen the trust model to deal with tactical attacks. Our scheme can control the tradeoff between privacy preservation and reputation utility.

7. Conclusion

Trust management is a key technique in handling internal attackers in VANETs. Unlike other networks such as peer-to-peer networks and wireless sensor networks, designing a trust management system in a VANET needs to take pseudonyms into account due to privacy concerns. In this paper, we present a reputation management scheme for pseudonym-enabled VANETs. Our scheme builds service reputations to identify liars who provide false service messages, as well as feedback reputations to deal with tactical attackers. In addition, we propose hidden-zone strategy and k-anonymity strategy to resist the reputation link attack during pseudonym changes, which protects the location privacy of vehicles. Experimental results demonstrate that our scheme works efficiently to deal with lying, self-promoting, and bad-mouthing behaviors, as well as reputation link-based tracking attacks.

Our scheme is designed for the VANET. Nevertheless, it can also be applied to the IoV (Internet of vehicles) [47]. According to recent predictions [48], billions of “things” will be connected to the Internet by 2020 including vehicles. An IoV considers each vehicle as a smart device equipped with powerful sensors, V2V communication technologies, and IP-based connectivity to the Internet. Similarly, the IoV is susceptible to false messages. A centralized trust management system such as our RPRep can be employed to address this issue.

We do not distinguish the reputation between vehicle and driver. For future work, we will consider the social network in which the drivers are involved. The usage of social networks has become pervasive. This leads to a new paradigm in solving “trust” problems. Building a connection among drivers and online social networks may enable cross-domain trust relationships. The trust management system in VANET will benefit from these trust relationships, especially in the early stage of the VANET.

For future work, we also plan to consider the threat of corruption [49] in the k-anonymity strategy. For example (Figure 7), Alex, Brent, and Carl are 3-anonymity. But if Brent and Carl are corrupted and they tell their pseudonyms to the attacker, Alex will be disclosed. As we analyze in Section 5.3, k is usually a low integer, that is, 2, which means the attacker needs to corrupt only a small number of vehicles. Therefore, we would like to cope with the threat of corruption to further improve the robustness of the k-anonymity strategy.

Footnotes

List of Notations

Competing Interests

The authors declare that there are no competing interests regarding the publication of this paper.

Acknowledgments

The support provided by the Third Jiangsu Overseas Research & Training Program for University Prominent Young & Middle-Aged Teachers and Presidents is acknowledged. The partial support from the National Natural Science Foundation of China (no. 61402244) is also acknowledged.

References

Fang

Zhang

Shi

Zhao

Shan

BTRES: Beta-based Trust and Reputation Evaluation System for wireless sensor networks

Journal of Network and Computer Applications 2016 59 88 94

10.1016/j.jnca.2015.06.013

Jøsang

Ismail

Boyd

A survey of trust and reputation systems for online service provision

Decision Support Systems 2007 43 2 618 644

10.1016/j.dss.2005.05.019

2-s2.0-33846834126

Kakkasageri

M. S.

Manvi

S. S.

Information management in vehicular ad hoc networks: a review

Journal of Network and Computer Applications 2014 39 1 334 350

10.1016/j.jnca.2013.05.015

2-s2.0-84893768811

Kamvar

S. D.

Schlosser

M. T.

Garcia-Molina

The EigenTrust algorithm for reputation management in P2P networks

Proceedings of the 12th International Conference on World Wide Web (WWW '03)

May 2003

New York, NY, USA

ACM

640 651

10.1145/775152.775242

2-s2.0-84880467894

Duan

Yang

Zhu

Zhang

Zhao

TSRF: a trust-aware secure routing framework in wireless sensor networks

International Journal of Distributed Sensor Networks 2014 2014 14

209436

10.1155/2014/209436

2-s2.0-84893163837

Cao

Shen

Evolutionary game-based trust strategy adjustment among nodes in wireless sensor networks

International Journal of Distributed Sensor Networks 2015 2015 12

818903

10.1155/2015/818903

N.-W.

Tsai

H.-C.

A reputation system for traffic safety event on vehicular ad hoc networks

EURASIP Journal on Wireless Communications and Networking 2009 2009 10

125348

10.1155/2009/125348

Tsai

J.-L.

An improved cross-layer privacy-preserving authentication in WAVE-enabled VANETs

IEEE Communications Letters 2014 18 11 1931 1934

10.1109/lcomm.2014.2323291

2-s2.0-84910152067

Minhas

U. F.

Zhang

Tran

Cohen

A multifaceted approach to modeling agent trust for effective communication in the application of mobile Ad Hoc vehicular networks

IEEE Transactions on Systems, Man and Cybernetics Part C: Applications and Reviews 2011 41 3 407 420

10.1109/TSMCC.2010.2084571

2-s2.0-79954619208

10.

Gómez Mármol

Martínez Pérez

TRIP, a trust and reputation infrastructure-based proposal for vehicular ad hoc networks

Journal of Network and Computer Applications 2012 35 3 934 941

10.1016/j.jnca.2011.03.028

2-s2.0-84858068452

11.

Malip

Martin

K. M.

S.-L.

Zhang

A reputation-based announcement scheme for VANETs

IEEE Transactions on Vehicular Technology 2012 61 9 4095 4108

10.1109/TVT.2012.2209903

2-s2.0-84869449753

12.

Chigan

Joint privacy and reputation assurance for VANETs

Proceedings of the IEEE International Conference on Communications (ICC '12)

June 2012

Ottawa, Canada

IEEE

560 565

10.1109/icc.2012.6363884

2-s2.0-84871999854

13.

Chen

Y.-M.

Wei

Y.-C.

A beacon-based trust management system for enhancing user centric location privacy in VANETs

Journal of Communications and Networks 2013 15 2 153 163

6512239

10.1109/JCN.2013.000028

2-s2.0-84877291023

14.

Zhang

Chen

Cohen

Trust modeling for message relay control and local action decision making in VANETs

Security and Communication Networks 2013 6 1 1 14

10.1002/sec.519

2-s2.0-84871688141

15.

Ayday

Fekri

Iterative trust and reputation management using belief propagation

IEEE Transactions on Dependable and Secure Computing 2012 9 3 375 386

10.1109/TDSC.2011.64

2-s2.0-84858666726

16.

Rawat

D. B.

Yan

Bista

B. B.

Weigle

M. C.

Trust on the security ofwireless vehicular Ad-hoc networking

Ad-Hoc & Sensor Wireless Networks 2015 24 3-4 283 305

2-s2.0-84923030214

17.

Zhou

Sun

Fan

Lei

Yang

A security authentication method based on trust evaluation in VANETs

EURASIP Journal on Wireless Communications and Networking 2015 2015 1, article 59 8

10.1186/s13638-015-0257-x

18.

Wei

Y.-C.

Chen

Y.-M.

An efficient trust management system for balancing the safety and location privacy in VANETs

Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom '12)

June 2012

Liverpool, UK

393 400

10.1109/trustcom.2012.79

2-s2.0-84868128557

19.

Buttyán

Holczer

Weimerskirch

Whyte

SLOW: a practical pseudonym changing scheme for location privacy in VANETs

Proceedings of the IEEE Vehicular Networking Conference (VNC '09)

October 2009

Tokyo, Japan

IEEE

1 8

10.1109/vnc.2009.5416380

2-s2.0-77951259549

20.

Lin

Luan

T. H.

Liang

Shen

Pseudonym changing at social spots: an effective strategy for location privacy in VANETs

IEEE Transactions on Vehicular Technology 2012 61 1 86 96

10.1109/tvt.2011.2162864

2-s2.0-84856182115

21.

Golle

Partridge

On the anonymity of home/work location Pairs

Proceedings of the 7th International Conference on Pervasive Computing

2009

Berlin, Germany

390 397

10.1007/978-3-642-01516-8_26

22.

Huang

Yamane

Matsuura

Sezaki

Towards modeling wireless location privacy

Proceedings of the 5th International Conference on Privacy Enhancing Technologies (PET '05), Cavtat, Croatia, May-June, 2005 2006

Berlin, Germany

Springer

59 77

10.1007/11767831_5

23.

Schaub

Kargl

Privacy requirements in vehicular communication systems

Proceedings of the IEEE International Conference on Privacy, Security, Risk, and Trust (PASSAT '09)

August 2009

Vancouver, Canada

139 145

10.1109/cse.2009.135

2-s2.0-70849118349

24.

Patel

N. J.

Jhaveri

R. H.

Trust based approaches for secure routing in VANET: a survey

Procedia Computer Science 2015 45 592 601

10.1016/j.procs.2015.03.112

25.

Hoffman

Zage

Nita-Rotaru

A survey of attack and defense techniques for reputation systems

ACM Computing Surveys 2009 42 1, article 1 31

10.1145/1592451.1592452

2-s2.0-71649094416

26.

Noor

T. H.

Sheng

Q. Z.

Alfazi

Reputation attacks detection for effective trust assessment among cloud services

Proceedings of the 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom '13)

July 2013

Melbourne, Australia

IEEE

469 476

10.1109/trustcom.2013.59

2-s2.0-84893448677

27.

Shen

Miao

Leung

Niyato

A survey of trust and reputation management systems in wireless communications

Proceedings of the IEEE 2010 98 10 1755 1772

10.1109/JPROC.2010.2059690

2-s2.0-77956948315

28.

Can

A. B.

Bhargava

SORT: a self-organizing trust model for peer-to-peer systems

IEEE Transactions on Dependable and Secure Computing 2013 10 1 14 27

10.1109/tdsc.2012.74

2-s2.0-84872024957

29.

Wang

Yin

Cai

Dong

A trust-based probabilistic recommendation model for social networks

Journal of Network and Computer Applications 2015 55 59 67

10.1016/j.jnca.2015.04.007

30.

Sweeney

Achieving K-anonymity privacy protection using generalization and suppression

International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 2002 10 5 571 588

10.1142/s021848850200165x

MR1948200

2-s2.0-0036811143

31.

Sommer

German

Dressler

Bidirectionally coupled network and road traffic simulation for improved IVC analysis

IEEE Transactions on Mobile Computing 2011 10 1 3 15

10.1109/tmc.2010.133

2-s2.0-84891005070

32.

Gerlach

Steglich

Arbanowski

Wegdam

Teunissen

Trustworthy applications for vehicular environments

IEEE Vehicular Technology Magazine 2006 1 2 9 15

10.1109/MVT.2006.283581

2-s2.0-33846595682

33.

Wex

Breuer

Held

Leinmüller

Delgrossi

Trust issues for vehicular ad hoc networks

Proceedings of the IEEE 67th Vehicular Technology Conference-Spring (VTC '08)

May 2008

Singapore

2800 2804

10.1109/vetecs.2008.611

2-s2.0-47749147333

34.

Zhang

A survey on trust management for VANETs

Proceedings of the 25th IEEE International Conference on Advanced Information Networking and Applications (AINA '11)

March 2011

Singapore

105 112

10.1109/aina.2011.86

2-s2.0-79957723198

35.

Daza

Domingo-Ferrer

Sebé

Viejo

Trustworthy privacy-preserving car-generated announcements in vehicular Ad Hoc networks

IEEE Transactions on Vehicular Technology 2009 58 4 1876 1886

10.1109/tvt.2008.2002581

2-s2.0-66149136922

36.

Viejo

Sebé

Domingo-Ferrer

Aggregation of trustworthy announcement messages in vehicular ad hoc networks

Proceedings of the IEEE 69th Vehicular Technology Conference (VTC Spring '09)

April 2009

Barcelona, Spain

1 5

10.1109/vetecs.2009.5073371

2-s2.0-70349683022

37.

Biswas

Mišić

ID-based safety message authentication for security and trust in vehicular networks

Proceedings of the 31st International Conference on Distributed Computing Systems Workshops (ICDCSW '11)

June 2011

Minneapolis, Minn, USA

IEEE

323 331

10.1109/icdcsw.2011.38

2-s2.0-80052406758

38.

Xiong

Chen

Efficient privacy-preserving authentication protocol for vehicular communications with trustworthy

Security and Communication Networks 2012 5 12 1441 1451

10.1002/sec.515

39.

Chuang

M.-C.

Lee

J.-F.

TEAM: trust-extended authentication mechanism for vehicular ad Hoc networks

IEEE Systems Journal 2014 8 3 749 758

10.1109/jsyst.2012.2231792

2-s2.0-84907599949

40.

Antolino Rivas

Guerrero-Zapata

Chains of trust in vehicular networks: a secure points of interest dissemination strategy

Ad Hoc Networks 2012 10 6 1115 1133

10.1016/j.adhoc.2012.02.011

2-s2.0-84859742949

41.

Wang

Liu

Zhang

A trust propagation scheme in VANETs

Proceedings of the IEEE Intelligent Vehicles Symposium

June 2009

Xi'an, China

IEEE

1067 1071

10.1109/ivs.2009.5164429

2-s2.0-70449565130

42.

Abumansoor

Boukerche

Towards a secure trust model for vehicular ad hoc networks services

Proceedings of the 54th Annual IEEE Global Telecommunications Conference (GLOBECOM '11)

December 2011

Houston, Tex, USA

IEEE

1 5

10.1109/glocom.2011.6134243

2-s2.0-84857217691

43.

Huang

Hong

Gerla

Situation-Aware Trust architecture for vehicular networks

IEEE Communications Magazine 2010 48 11 128 135

10.1109/mcom.2010.5621979

2-s2.0-78149431890

44.

Gazdar

Rachedi

Benslimane

Belghith

A distributed advanced analytical trust model for VANETs

Proceedings of the IEEE Global Communications Conference (GLOBECOM '12)

December 2012

Anaheim, Calif, USA

201 206

10.1109/glocom.2012.6503113

2-s2.0-84877659560

45.

Domingo-Ferrer

González-Nicolás

Ú.

Balanced trustworthiness, safety, and privacy in vehicle-to-vehicle communications

IEEE Transactions on Vehicular Technology 2010 59 2 559 573

10.1109/TVT.2009.2034669

2-s2.0-77249157951

46.

Christin

Rosskopf

Hollick

Martucci

L. A.

Kanhere

S. S.

IncogniSense: an anonymity-preserving reputation framework for participatory sensing applications

Proceedings of the 10th IEEE International Conference on Pervasive Computing and Communications (PerCom '12)

March 2012

Lugano, Switzerland

135 143

10.1109/percom.2012.6199860

2-s2.0-84861617994

47.

Gerla

Lee

E.-K.

Pau

Lee

Internet of vehicles: from intelligent grid to autonomous cars and vehicular clouds

Proceedings of the IEEE World Forum on Internet of Things (WF-IoT '14)

March 2014

Seoul, The Republic of Korea

IEEE

241 246

10.1109/wf-iot.2014.6803166

2-s2.0-84900414238

48.

Emmerson

M2M: the internet of 50 billion devices

WinWin Magazine 2010 1 19 22

49.

Tao

Xiao

Zhang

On anti-corruption privacy preserving publication

Proceedings of the IEEE 24th International Conference on Data Engineering (ICDE '08)

April 2008

Cancún, Mexico

725 734

10.1109/icde.2008.4497481

2-s2.0-52649134322

RPRep: A Robust and Privacy-Preserving Reputation Management Scheme for Pseudonym-Enabled VANETs

Abstract

1. Introduction

1.1. Motivation

1.2. Contributions

2. System Overview

2.1. Network Model

2.2. Reputation Management Mechanism

Step 1.

Step 2.

Step 3.

Step 4.

Step 5.

2.3. Attack Models

2.3.1. Self-Promoting Attack

2.3.2. Bad-Mouthing Attack

2.3.3. Reputation Link Attack

3. Reputation Model

3.1. Basic Concepts

3.1.1. Service Reputation and Feedback Reputation

Definition 1.

3.1.2. Experience-Based Trust and Role-Based Trust

3.2. Rating Generation Module

3.3. Reputation Aggregation Module

3.4. Service-Reputation Aggregation Algorithm

3.5. Feedback Reputation Aggregation Algorithm

3.6. Reputation Update and Vehicle Revocation

4. Location Privacy Preservation

4.1. Hidden-Zone Strategy

4.2. k-Anonymity Strategy

Definition 2 (k-anonymity of a vehicle).

Definition 3 (generalization degree, GD).

Definition 4 (effectiveness of a reputation value Rep).

5. Evaluation

5.1. Effectiveness

5.2. Robustness

5.2.1. Robustness of RPRep under Self-Promoting Attack

5.2.2. Robustness of RPRep under Bad-Mouthing Attack

5.3. Location Privacy Preservation

Definition 5 (tracking rate).

6. Related Work

7. Conclusion

Footnotes

List of Notations

Competing Interests

Acknowledgments

References