Security privacy and protection Security privacy and protection in different VANET applicationsin different VANET applications

afternoon sessionMario Gerla

Vehicular security toolstechniquesOutline

bull Conventional tools Vehicle-PKI and secure positioning

bull New tools (eg anonymous routing routing attack secure incentives situation awareness community trust ldquotrust cloudrdquo of commuters - from the social net proposal)

bull Wormholes in the urban gridbull Privacy vs security trade offs

Conventional techniques

Tamper-proof deviceV-PKI

Anonymous keys Secure Localization

Tamper-proof device

Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel

Digital signatures

Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)

VPKI (Vehicular PKI)

Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs

Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified

The CA hierarchy two options

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Vehicular security toolstechniquesOutline

bull Conventional tools Vehicle-PKI and secure positioning

bull New tools (eg anonymous routing routing attack secure incentives situation awareness community trust ldquotrust cloudrdquo of commuters - from the social net proposal)

bull Wormholes in the urban gridbull Privacy vs security trade offs

Conventional techniques

Tamper-proof deviceV-PKI

Anonymous keys Secure Localization

Tamper-proof device

Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel

Digital signatures

Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)

VPKI (Vehicular PKI)

Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs

Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified

The CA hierarchy two options

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Conventional techniques

Tamper-proof deviceV-PKI

Anonymous keys Secure Localization

Tamper-proof device

Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel

Digital signatures

Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)

VPKI (Vehicular PKI)

Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs

Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified

The CA hierarchy two options

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Tamper-proof device

Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel

Digital signatures

Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)

VPKI (Vehicular PKI)

Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs

Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified

The CA hierarchy two options

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Digital signatures

Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)

VPKI (Vehicular PKI)

Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs

Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified

The CA hierarchy two options

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

VPKI (Vehicular PKI)

Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs

Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified

The CA hierarchy two options

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

The CA hierarchy two options

The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification

Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Anonymous keys

bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key

bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)

bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed

(say police + court)

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Avoiding Big Brother

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

DoS resilience

Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Data verification by correlation

1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Security analysis

How much can we secure VANETs

bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because

bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

What PK cryptosystem to use

Available options RSA Sign most popular but largest key size

ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip

Signature verification speed matters the most

Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Performance comparison

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Not to scale

Performance evaluation

ns-2 simulations

Two scenarios drawn from DSRC

The effect of message size (including the security material) on delay number of received packets and throughput is evaluated

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

How msg size affects Delay hellip

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

hellipNumber of received packets hellip

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

hellipand Throughput

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

How to securely locate a vehicle

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight

(ToF))

General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab

Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal

Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-

(UWB)-ToF) Multispectral solutions Inc

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Positioning systems (cont)

Ad hoc and sensor nets (no GPS)

bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of

Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed

Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

GPS

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Distance measurement techniques

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Attacks on RF and Ultra Sound ToF-based techniques

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

The challenge of secure positioning

Goalsbull preventing an insider attacker from cheating about

its own positionbull preventing an outsider attacker from spoofing the

position of an honest node

Our proposal Verifiable Multilateration

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Distance bounding

bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning

indoor and up to 2km outdoor

bull US distance boundingndash millisecond precision required1ms ~ 35cm

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack

The Bound = (tr-ts)c2 gt dreal

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Conclusion on secure positioning

bull New research areabull Positioning tout court is not yet completely solved

(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)

bull Time of flight seems to be the most appropriate technique

bull More information available at httpspotepflch

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

New Tools on VANET Security and Privacy

Secure Routing Security Incentives

Situation awareness Trust

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

A Secure Ad-hoc Routing Approach using Localized Self-healing Communities

Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department

University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Problem Statement

bull Threats to on-demand routingndash Active attack disruptive

bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole

wormholendash Passive attack protocol-compliant

bull Eavesdropper traffic analyst anonymous routing needed

bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource

ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit

ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo

bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods

bull Source will keep retrying with repeated RREQ causing massive congestion

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

RUSHING ATTACK

bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here

source dest

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Outline

bull Review of current countermeasures

bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo

bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks

bull Empirical simulation verification

bull Summary

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Other countermeasures (for on-demand routing against active attacks)

bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they

have the keys [TESLA in Ariadne PKI in ARAN]

bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]

bull Long RREQ interval causes non-trivial routing performance degradation

ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]

bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging

ndash Perrig solution to rushing (is it also multi path)

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Our designbull Goal Reduce of allowed RREQ floods (per connection) to

minimumndash Ideally 1 initial on-demand RREQ flood for each e2e

connectionndash In spite of attacks

bull Solution ndash Build multi-node self-healing communities to counter non-

cooperative packet lossndash approach applies to wide range of ad hoc routing protocols

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Community 2-hop scenario

bull Explain two hop path hellip intermediate nodes = community

bull Community leader (to be defined later)

community

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Community multi-hop scenario

bull community is dynamically reconfigured (self healing)

communities

source dest

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Community Based Security (CBS)

bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network

ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS

0 1 2 3 4

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Community formation amp re-configurationbull On demand initial configuration

ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3

consecutive (ACKs of) RREP packets set community membership flag for the connection

bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Self-healing community around Vformed upon hearing RREPRREQ

RREP EV

V EU

Community formation around V

bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo

V1

V2

upstream

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Protocol details

bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

ACK-based configurationRemove self healing - not an essential attribute

communities (if C forwards a correct RREP)

source destC

Crsquo

Crdquo

BD E

communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Community Concept helpsreduce RREQ in mobile networks

bull How does this work

bull Proactive re-configuration bull Each community loses shape due to mobility

End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Reconfig in 2-hop scenario

bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)

bull ldquoUnicast probing + take-overrdquo in use

Old community becomes amorphousdue to random node mobility etc

S D

oldF

newF

Newly re-configured community

Node Ds roaming trace

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Communities help in mobile scenario multi-hop case

bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics

Simple heuristics Slow Increase Fast Decrease

source dest

PROBE PROBE_REP

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

Secure Incentives for Commercial Advertisement Dissemination in

Vehicular Networks

Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla

CS 218 Class ProjectFall 2006

Accepted at Mobihoc 2007

5231

Presentation Outline

bull Ad dissemination in VANETbull Signature-Seeking Drive

ndash Overviewndash One-level advertisingndash Multi-level advertising

bull Evaluationsbull Discussion

5331

Ad Dissemination in VANET

bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios

bull Electronic coupon system FleaNet Digital Billboards

Advertising in VANET

Advertisement Content

Ad providers use VANET for disseminating their ads

Advertising in VANET

Vehicle-Vehicle Communication

Vehicle u keeps forwarding this ad for In-N-Out Burger

u

5631

Ad Dissemination in VANET

bull In the real worldhellipndash Non-cooperative behaviors

bull Selfish users bull Malicious users

ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the

network)

bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the

benefit of the business companies

5731

Vehicular Ad System

bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business

companies are exploiting vehicle usersrsquo resources for their own profit

bull Graceful compromisendash Advertisers pay for the incentives for users

bull Charges for network resources bull Or advertising charges

5831

Our framework

bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

5331

Ad Dissemination in VANET

bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios

bull Electronic coupon system FleaNet Digital Billboards

Advertising in VANET

Advertisement Content

Ad providers use VANET for disseminating their ads

Advertising in VANET

Vehicle-Vehicle Communication

Vehicle u keeps forwarding this ad for In-N-Out Burger

u

5631

Ad Dissemination in VANET

bull In the real worldhellipndash Non-cooperative behaviors

bull Selfish users bull Malicious users

ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the

network)

bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the

benefit of the business companies

5731

Vehicular Ad System

bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business

companies are exploiting vehicle usersrsquo resources for their own profit

bull Graceful compromisendash Advertisers pay for the incentives for users

bull Charges for network resources bull Or advertising charges

5831

Our framework

bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

Advertising in VANET

Advertisement Content

Ad providers use VANET for disseminating their ads

Advertising in VANET

Vehicle-Vehicle Communication

Vehicle u keeps forwarding this ad for In-N-Out Burger

u

5631

Ad Dissemination in VANET

bull In the real worldhellipndash Non-cooperative behaviors

bull Selfish users bull Malicious users

ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the

network)

bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the

benefit of the business companies

5731

Vehicular Ad System

bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business

companies are exploiting vehicle usersrsquo resources for their own profit

bull Graceful compromisendash Advertisers pay for the incentives for users

bull Charges for network resources bull Or advertising charges

5831

Our framework

bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

Advertising in VANET

Vehicle-Vehicle Communication

Vehicle u keeps forwarding this ad for In-N-Out Burger

u

5631

Ad Dissemination in VANET

bull In the real worldhellipndash Non-cooperative behaviors

bull Selfish users bull Malicious users

ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the

network)

bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the

benefit of the business companies

5731

Vehicular Ad System

bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business

companies are exploiting vehicle usersrsquo resources for their own profit

bull Graceful compromisendash Advertisers pay for the incentives for users

bull Charges for network resources bull Or advertising charges

5831

Our framework

bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

5631

Ad Dissemination in VANET

bull In the real worldhellipndash Non-cooperative behaviors

bull Selfish users bull Malicious users

ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the

network)

bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the

benefit of the business companies

5731

Vehicular Ad System

bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business

companies are exploiting vehicle usersrsquo resources for their own profit

bull Graceful compromisendash Advertisers pay for the incentives for users

bull Charges for network resources bull Or advertising charges

5831

Our framework

bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

5731

Vehicular Ad System

bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business

companies are exploiting vehicle usersrsquo resources for their own profit

bull Graceful compromisendash Advertisers pay for the incentives for users

bull Charges for network resources bull Or advertising charges

5831

Our framework

bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

5831

Our framework

bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

SSD overview

ADI

After verifying ADI Vehicle u may agree to disseminate the ad

Vehicular Authority (VA)

Request forAd permission

Certified Ad

u

Ad Distribution Point (ADP)

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

Signature-Seeking Drive Overview

Vehicle-Vehicle Communication

Vehicle u keeps forwarding ADI

u

Rv

ADIADIADI

v

w

Rw

In return receiving vehicles v w provide signed-receipts to u

While driving its way u may collect as many receipts as it forwards ADI

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

Signature-Seeking Drive Overview

Gas Station

Virtual Cashier

RwRv

ADIADIADI

Colleted receipts

Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too

Vehicular Authority (VA)

Transaction Record

VA charges In-N-Out Burger such virtual cash induced by ADIrsquos

Charge

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

6231

Uncooperative Model

bull Selfish nodesndash Seek to maximize their own profit

bull Malicious nodesndash Try to intentionally disrupt the system

bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

6331

Ad Dissemination Models

bull One-level advertisementndash Local advertisingndash Most users receive the ad

with reasonable of forwarding nodes

Fast Food Restaurant I

Ad Distribution Point

Gas Station

Virtual Cashier

u

v

receipts ad

uu u

w y z

x

v

u

w

u

Electronic Company S

Ad Distribution Pointad

u

bull Multi-level advertisementndash Intensive advertising

over the wide area

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

Notations

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

6531

One-level advertisement1 Approval for advertisement (company I Vehicular Authority)

2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit

Voucher

bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

6631

One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)

4 Receipt Redemption (vehicle u Virtual Cashier VC)

Signed receipt

bull Each VC is connected with VA that maintains all the transactions

bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before

Voucher

Collected receipts

Ad permit

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

6731

Multi-level advertisement

bull Level-free advertisement

ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher

ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy

bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

6831

Hash chain based n-level advertising Contacting with Srsquos ADP

of levels S sets Random by S

Advertisement Dissemination (u v)

Advertisement Dissemination (v x)

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

6931

Hash chain based n-level advertising Receipt Redemption (x VC)

bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value

bull Weaknessesndash No coercive measures for nodes to reduce their permissible

levels by 1ndash Malicious users can throw any permissible value open to the

public

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

7031

Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher

Advertisement Dissemination (u v)

Onion voucher for u

Onion voucher for v

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

7131

Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher

bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake

xrsquos Onion voucher

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

7231

Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis

ndash Incentive perspectivendash Security of Signature-Seeking Drive

bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

7531

Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and

all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model

bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms

bull r ms 100 gt 1845 ms interval length gt 1845 sec

ndash Onion voucher based n-level ad model

bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad

processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms

bull r ms 100 gt 2932 ms interval length gt 2932 sec

bull Note each car may have multiple kinds of ads at a time

bull The interval for each kind of ad may be multiple times of the above interval

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

7731

Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios

ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

7831

Unrealistic aspects in our simulation model

bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area

bull No parked cars no newcomers or cars leaving the area

bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

7931

Westwood area (4x4Km) with 1000 cars

Ad Coverage within Initial 30 Minuntes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60 70 80 90 100

Number of Level 1 Nodes

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time

Ad Coverage with 10 L1 Nodes

0

100

200

300

400

500

600

700

800

900

1000

10 20 30 40 50 60

Time (min)

Num

ber

of A

d R

ecei

ving

Nod

es

One-Level2 - Level3 - LevelLevel-Free

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81

The END

• Slide 1
• Slide 2
• Slide 3
• Slide 4
• Slide 5
• Slide 6
• Slide 7
• Slide 8
• Slide 9
• Slide 10
• Slide 11
• Slide 12
• Slide 13
• Slide 14
• Slide 15
• Slide 16
• Slide 17
• Slide 18
• Slide 19
• Slide 20
• Slide 21
• Slide 22
• Slide 23
• Slide 25
• Slide 26
• Slide 27
• Slide 28
• Slide 29
• Slide 30
• Slide 31
• Slide 32
• Slide 33
• Slide 34
• Slide 35
• Slide 36
• Slide 37
• Slide 38
• Slide 39
• Slide 40
• Slide 41
• Slide 42
• Slide 43
• Slide 44
• Slide 45
• Slide 46
• Slide 47
• Slide 48
• Slide 49
• Slide 50
• Slide 51
• Slide 52
• Slide 53
• Slide 54
• Slide 55
• Slide 56
• Slide 57
• Slide 58
• Slide 59
• Slide 60
• Slide 61
• Slide 62
• Slide 63
• Slide 64
• Slide 65
• Slide 66
• Slide 67
• Slide 68
• Slide 69
• Slide 70
• Slide 71
• Slide 72
• Slide 75
• Slide 77
• Slide 78
• Slide 79
• Slide 81