security, privacy and protection in different vanet applications security, privacy and protection in...
TRANSCRIPT
Security privacy and protection Security privacy and protection in different VANET applicationsin different VANET applications
afternoon sessionMario Gerla
Vehicular security toolstechniquesOutline
bull Conventional tools Vehicle-PKI and secure positioning
bull New tools (eg anonymous routing routing attack secure incentives situation awareness community trust ldquotrust cloudrdquo of commuters - from the social net proposal)
bull Wormholes in the urban gridbull Privacy vs security trade offs
Conventional techniques
Tamper-proof deviceV-PKI
Anonymous keys Secure Localization
Tamper-proof device
Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel
Digital signatures
Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs
Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified
The CA hierarchy two options
The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification
Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Vehicular security toolstechniquesOutline
bull Conventional tools Vehicle-PKI and secure positioning
bull New tools (eg anonymous routing routing attack secure incentives situation awareness community trust ldquotrust cloudrdquo of commuters - from the social net proposal)
bull Wormholes in the urban gridbull Privacy vs security trade offs
Conventional techniques
Tamper-proof deviceV-PKI
Anonymous keys Secure Localization
Tamper-proof device
Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel
Digital signatures
Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs
Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified
The CA hierarchy two options
The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification
Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Conventional techniques
Tamper-proof deviceV-PKI
Anonymous keys Secure Localization
Tamper-proof device
Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel
Digital signatures
Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs
Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified
The CA hierarchy two options
The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification
Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Tamper-proof device
Each vehicle carries a tamper-proof devicebull Contains the secrets of the vehicle itselfbull Has its own batterybull Has its own clock (notably in order to be able to sign timestamps)bull Is in charge of all security operationsbull Is accessible only by authorized personnel
Digital signatures
Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs
Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified
The CA hierarchy two options
The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification
Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Digital signatures
Symmetric cryptography is not suitable messages are standalone large scale non-repudiation requirement Hence each message should be signed with a DS Liability-related messages should be stored in the EDR (event data recorder)
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs
Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified
The CA hierarchy two options
The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification
Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
VPKI (Vehicular PKI)
Each vehicle carries in its Tamper-Proof Device (TPD)bull A unique and certified identity Electronic License Plate (ELP)bull A set of certified anonymous publicprivate key pairs
Mutual authentication can be done without involving a serverAuthorities (national or regional) are cross-certified
The CA hierarchy two options
The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification
Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
The CA hierarchy two options
The governments control certificationLong certificate chainKeys should be recertified on borders to ensure mutual certification
Vehicle manufacturers are trustedOnly one certificate is neededEach car has to store the keys of all vehicle manufacturers
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Anonymous keys
bull Preserve identity and location privacybull Keys can be preloaded at periodic checkupsbull The certificate of Vrsquos ith key
bull Keys renewed according to vehicle speed (eg asymp1 min at 100 kmh)
bull Anonymity is conditional on the scenariobull The authorization to link keys with ELPs is distributed
(say police + court)
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Avoiding Big Brother
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
DoS resilience
Vehicles will probably have several wireless technologies onboard To thwart DoS vehicles can switch channels or communication technologies Great market for ldquoCognitive Radiosrdquo
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Data verification by correlation
1048707 Bogus info attack relies on false data1048707 Authenticated vehicles can also send wrong data (on purpose or not)1048707 The correctness of the data should be verified1048707 Correlation can help
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Security analysis
How much can we secure VANETs
bull Messages are authenticated by their signaturesbull Authentication protects the network from outsidersbull Correlation and fast revocation reinforce correctnessbull Availability remains a problem that can be alleviatedbull Non-repudiation is achieved because
bull ELP and anonymous keys are specific to one vehiclebull Position is correct if secure positioning is in place
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
What PK cryptosystem to use
Available options RSA Sign most popular but largest key size
ECDSA (Elliptic Curve) most compactNTRUSign (Nth Truncated Polynomial) fastest in signing and verificationhellip
Signature verification speed matters the most
Further improvements that can helpVehicles verify only relevant contentSeveral messages signed with same key
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Performance comparison
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Not to scale
Performance evaluation
ns-2 simulations
Two scenarios drawn from DSRC
The effect of message size (including the security material) on delay number of received packets and throughput is evaluated
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
How msg size affects Delay hellip
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
hellipNumber of received packets hellip
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
hellipand Throughput
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
How to securely locate a vehicle
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Positioning systems Satellitesbull GPS Galileo Glonass(Outdoor Radio Frequency (RF) ndashTime of Flight
(ToF))
General Systemsbull Active Badge(Indoor Infrared(IR)) Olivettibull Active Bat Cricket(Indoor Ultrasound(US)-based) ATampT Lab
Cambridge MITbull RADAR SpotON Nibble(IndoorOutdoor RF-Received Signal
Strength) Microsoft Univof Washington UCLA+Xerox Palo Alto Labbull Ultra Wideband Precision Asset Location System(IndoorOutdoor RF-
(UWB)-ToF) Multispectral solutions Inc
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Positioning systems (cont)
Ad hoc and sensor nets (no GPS)
bull Convex position estimation (Centralized) UC Berkeleybull Angle of Arrival based positioning(Distributed Angle of
Arrival) Rutgersbull Dynamic fine-grained localization (Distributed) UCLAbull GPS-less low cost outdoor localization(Distributed
Landmark-based) UCLAbull GPS-free positioning (Distributed) EPFL
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
GPS
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
GPS Security ndashExample of attackA GPS simulator can send strong fake signals to mask authentic weak signals
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Distance measurement techniques
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Attacks on RF and Ultra Sound ToF-based techniques
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
The challenge of secure positioning
Goalsbull preventing an insider attacker from cheating about
its own positionbull preventing an outsider attacker from spoofing the
position of an honest node
Our proposal Verifiable Multilateration
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Distance bounding
bull RF distance boundingndash nanosecond precision required 1ns ~ 30cmndash UWB enables clock precision up to 2ns and 1m positioning
indoor and up to 2km outdoor
bull US distance boundingndash millisecond precision required1ms ~ 35cm
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Distance Bounding (RF)1993 (Brands and Chaum) to prevent the Mafia fraud attack
The Bound = (tr-ts)c2 gt dreal
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Conclusion on secure positioning
bull New research areabull Positioning tout court is not yet completely solved
(solutions will rely on GPS on terrestrial base stations and on mutual distance estimation)
bull Time of flight seems to be the most appropriate technique
bull More information available at httpspotepflch
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
New Tools on VANET Security and Privacy
Secure Routing Security Incentives
Situation awareness Trust
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
A Secure Ad-hoc Routing Approach using Localized Self-healing Communities
Jiejun Kong Xiaoyan Hong Yunjung Yi Joon-Sang Park Jun Liu Mario GerlaComputer Science Department Computer Science Department
University of California Los Angeles University of Alabama Tuscaloosajkongyjyijsparkgerlacsuclaedu jliuhxycsuaedu
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Problem Statement
bull Threats to on-demand routingndash Active attack disruptive
bull Denial-of-service attacksbull Packet loss rushing attack black-hole gray-hole
wormholendash Passive attack protocol-compliant
bull Eavesdropper traffic analyst anonymous routing needed
bull We will focus on active threats fromnon-cooperative (selfish or malicious) members (eg INTRUDERS)
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Typical On-demand Routing Attacksbull Most active attacks cause repeated RREQsbull Excessive RREQ repetitions exhaust network resource
ndash Current mechanism to reduce of allowed RREQ floods per connection RREQ rate limit
ndash NOT ENOUGH WHEN ACTIVE ATTACKERS ARE THE BEHIND RREQ ldquoFLOODSrdquo
bull RREP amp DATA packet DROPS ndash Caused by rushing attack etc [Hu et alWiSersquo03]ndash THEY Trigger more RREQ floods
bull Source will keep retrying with repeated RREQ causing massive congestion
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
RUSHING ATTACK
bull Describe RUSHING ATTACK WITH ANIMATIONbull Explain Perrig solution here
source dest
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Outline
bull Review of current countermeasures
bull Community-based secure routing approachndash Strictly localized amp w clearly-defined per-hop operationndash ldquoSelf-healing communityrdquo substitutes ldquosingle noderdquo
bull Our analytic modelsndash Sub-polynomial model for network securityndash Stochastic model for mobile networks
bull Empirical simulation verification
bull Summary
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Other countermeasures (for on-demand routing against active attacks)
bull Cryptographic protectionsndash Cannot stop internal non-cooperative network members they
have the keys [TESLA in Ariadne PKI in ARAN]
bull Network-based protectionsndash Straight-forward RREQ rate limit [DSR AODV]
bull Long RREQ interval causes non-trivial routing performance degradation
ndash Multi-path secure routing[AwerbuchWiSersquo02] [HaasWiSersquo03]
bull Not localized incurs global overhead expensivebull Node-disjoint multi-path preferred but challenging
ndash Perrig solution to rushing (is it also multi path)
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Our designbull Goal Reduce of allowed RREQ floods (per connection) to
minimumndash Ideally 1 initial on-demand RREQ flood for each e2e
connectionndash In spite of attacks
bull Solution ndash Build multi-node self-healing communities to counter non-
cooperative packet lossndash approach applies to wide range of ad hoc routing protocols
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Community 2-hop scenario
bull Explain two hop path hellip intermediate nodes = community
bull Community leader (to be defined later)
community
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Community multi-hop scenario
bull community is dynamically reconfigured (self healing)
communities
source dest
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Community Based Security (CBS)
bull End-to-end communication between ad hoc terminalsbull Community-to-community forwarding (not node-to-node)bull Challenge adversary knows CBS is operated in the network
ndash It would prevent the network from forming communitiesndash Network mobility etc will disrupt CBS
0 1 2 3 4
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Community formation amp re-configurationbull On demand initial configuration
ndash Communities formed during RREPndash Simple heuristics promiscuously overheard 3
consecutive (ACKs of) RREP packets set community membership flag for the connection
bull Goal revisited reduce the need of RREQ floodsndash In spite of non-cooperative packet loss
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Self-healing community around Vformed upon hearing RREPRREQ
RREP EV
V EU
Community formation around V
bull (Potentially non-cooperative) Vrsquos community must be formed at RREPndash Else V drops RREP and succeedsndash V1 and V2 need to know Vrsquos ldquoupstreamrdquo
V1
V2
upstream
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Protocol details
bull (RREQ upstream_node helliphellip)bull (RREP hop_count helliphellip)bull The extra fields can be spared (in DSR or AODV)
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
ACK-based configurationRemove self healing - not an essential attribute
communities (if C forwards a correct RREP)
source destC
Crsquo
Crdquo
BD E
communities(Crsquo and Crdquo not in transmission range amp Crsquo wins)
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Community Concept helpsreduce RREQ in mobile networks
bull How does this work
bull Proactive re-configuration bull Each community loses shape due to mobility
End-to-end proactive probing to maintain the shapendash PROBE unicast ndash PROBE_REP unicast same as RREP
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Reconfig in 2-hop scenario
bull (PROBE upstream hellip)bull (PROBE_REP hop_count hellip)
bull ldquoUnicast probing + take-overrdquo in use
Old community becomes amorphousdue to random node mobility etc
S D
oldF
newF
Newly re-configured community
Node Ds roaming trace
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Communities help in mobile scenario multi-hop case
bull Probing message can be piggybacked in data packetsbull Probing interval Tprobe determined by network dynamics
Simple heuristics Slow Increase Fast Decrease
source dest
PROBE PROBE_REP
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Secure Incentives for Commercial Advertisement Dissemination in
Vehicular Networks
Suk-Bok Lee and Seung Hyun PanTutor Joon-Sang ParkProfessor Mario Gerla
CS 218 Class ProjectFall 2006
Accepted at Mobihoc 2007
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
5231
Presentation Outline
bull Ad dissemination in VANETbull Signature-Seeking Drive
ndash Overviewndash One-level advertisingndash Multi-level advertising
bull Evaluationsbull Discussion
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
5331
Ad Dissemination in VANET
bull Commercial Advertising via Car-to-Car communicationndash Very promising application ndash High mobility nature of vehicles ndash Currently proposed scenarios
bull Electronic coupon system FleaNet Digital Billboards
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Advertising in VANET
Advertisement Content
Ad providers use VANET for disseminating their ads
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Advertising in VANET
Vehicle-Vehicle Communication
Vehicle u keeps forwarding this ad for In-N-Out Burger
u
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
5631
Ad Dissemination in VANET
bull In the real worldhellipndash Non-cooperative behaviors
bull Selfish users bull Malicious users
ndash More serious threatshellipndash eg DoS attacks (making dummy ads propagate over the
network)
bull Even for ldquonaiumlverdquo usersndash Why should they help forward those commercial ads for the
benefit of the business companies
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
5731
Vehicular Ad System
bull Concerns in vehicular ad systemndash Advertisers want to use VANETndash From a vehicle usersrsquo viewpoint the business
companies are exploiting vehicle usersrsquo resources for their own profit
bull Graceful compromisendash Advertisers pay for the incentives for users
bull Charges for network resources bull Or advertising charges
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
5831
Our framework
bull Signature-Seeking Drive (SSD)ndash Secure incentives for cooperative nodesndash No tamper-proof hw assumptionsndash No game theoretic approachesndash Leverages a PKI (public key infrastructure)ndash A set of ad dissemination designs
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
SSD overview
ADI
After verifying ADI Vehicle u may agree to disseminate the ad
Vehicular Authority (VA)
Request forAd permission
Certified Ad
u
Ad Distribution Point (ADP)
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Signature-Seeking Drive Overview
Vehicle-Vehicle Communication
Vehicle u keeps forwarding ADI
u
Rv
ADIADIADI
v
w
Rw
In return receiving vehicles v w provide signed-receipts to u
While driving its way u may collect as many receipts as it forwards ADI
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Signature-Seeking Drive Overview
Gas Station
Virtual Cashier
RwRv
ADIADIADI
Colleted receipts
Receipts are exchangeable with virtual cash at Virtual Cashier (eg gas station)a small portion is reserved for each receipt-providing nodes too
Vehicular Authority (VA)
Transaction Record
VA charges In-N-Out Burger such virtual cash induced by ADIrsquos
Charge
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
6231
Uncooperative Model
bull Selfish nodesndash Seek to maximize their own profit
bull Malicious nodesndash Try to intentionally disrupt the system
bull We may encourage selfish nodes to participate in the network with an incentive model yet malicious nodes try to attack the weak point of the model Secure incentive
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
6331
Ad Dissemination Models
bull One-level advertisementndash Local advertisingndash Most users receive the ad
with reasonable of forwarding nodes
Fast Food Restaurant I
Ad Distribution Point
Gas Station
Virtual Cashier
u
v
receipts ad
uu u
w y z
x
v
u
w
u
Electronic Company S
Ad Distribution Pointad
u
bull Multi-level advertisementndash Intensive advertising
over the wide area
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
Notations
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
6531
One-level advertisement1 Approval for advertisement (company I Vehicular Authority)
2 Agreement with Ad Distribution Point (Irsquos ADP vehicle u)Ad permit
Voucher
bull ADP provides u with a voucher for ursquos exclusive usebull The notion of a voucher limits the dissemination to one-level
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
6631
One-level advertisement3 Advertisement Dissemination (vehicle u vehicle v)
4 Receipt Redemption (vehicle u Virtual Cashier VC)
Signed receipt
bull Each VC is connected with VA that maintains all the transactions
bull VC examines whether u has never redeemed ursquos voucher for ADI at any other VC before
Voucher
Collected receipts
Ad permit
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
6731
Multi-level advertisement
bull Level-free advertisement
ndash No vouchers any nodes can reuse ADS and cash receipts wo a voucher
ndash Simple and most intensive method for advertisingndash Heavy outlay for advertisement due to too much redundancy
bull Compromise between one-level and level-freendash n-level advertising ndash Company S sets a limit on the number of propagation levelsndash Two designs Hash-chain based and Onion voucher based
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
6831
Hash chain based n-level advertising Contacting with Srsquos ADP
of levels S sets Random by S
Advertisement Dissemination (u v)
Advertisement Dissemination (v x)
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
6931
Hash chain based n-level advertising Receipt Redemption (x VC)
bull VC first checks whether n-2 is non-zero and the legitimacy of the corresponding hash value
bull Weaknessesndash No coercive measures for nodes to reduce their permissible
levels by 1ndash Malicious users can throw any permissible value open to the
public
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
7031
Onion voucher based n-level advertisingContacting with Srsquos ADP Example of onion voucher
Advertisement Dissemination (u v)
Onion voucher for u
Onion voucher for v
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
7131
Onion voucher based n-level advertisingReceipt Redemption (x VC) Example of onion voucher
bull VC checks that of nodes included in OV is not bigger than nbull Onion voucher secures n-level disseminationbull Overhead by three-way handshake
xrsquos Onion voucher
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
7231
Evaluationsbull Communication costbull Storage requirementbull Computation overheadbull Analysis
ndash Incentive perspectivendash Security of Signature-Seeking Drive
bull Simulations on ns-2ndash Westwood area (4Km x 4Km) with 1000 carsndash West LA (10Km x 10Km) with 5000 cars
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
7531
Computation overheadbull Ex vehicle u has 100 neighbors within its communication range and
all the neighbors send out their ads at regular interval of r msndash Hash chain based n-level ad model
bull Lower bound of processing time for each incoming ad = verifying time x 2 + signing time = 1845 ms
bull r ms 100 gt 1845 ms interval length gt 1845 sec
ndash Onion voucher based n-level ad model
bull Due to three-way handshake ad processbull Lower bound of processing time for each incoming ad amp receipt = ad
processing time (verifying time x 2 + signing time = 1845 ms) + receipt processing time (verifying time + signing time = 1087 ms) = 2932 ms
bull r ms 100 gt 2932 ms interval length gt 2932 sec
bull Note each car may have multiple kinds of ads at a time
bull The interval for each kind of ad may be multiple times of the above interval
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
7731
Simulationsbull Running on ns-2bull Mobility model from Saha et albull Two scenarios
ndash Westwood area (4x4Km) with 1000 carsndash West LA (10x10Km) with 5000 cars
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
7831
Unrealistic aspects in our simulation model
bull Mobility modelndash No traffic controlndash Always constant speedndash Random starting point and destination for each nodendash All nodes are always moving within the target area
bull No parked cars no newcomers or cars leaving the area
bull Number of nodesndash Too few cars in our simulation modelndash More than 10000 cars in Westwood areandash More than 5 million cars in LA
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
7931
Westwood area (4x4Km) with 1000 cars
Ad Coverage within Initial 30 Minuntes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60 70 80 90 100
Number of Level 1 Nodes
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
bull Ad coverage using varying number of Level 1 nodesbull Ad coverage by time
Ad Coverage with 10 L1 Nodes
0
100
200
300
400
500
600
700
800
900
1000
10 20 30 40 50 60
Time (min)
Num
ber
of A
d R
ecei
ving
Nod
es
One-Level2 - Level3 - LevelLevel-Free
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-
The END
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 75
- Slide 77
- Slide 78
- Slide 79
- Slide 81
-