WO2011026092A1 - System and method for detecting and evicting malicious vehicles in a vehicle communications network - Google Patents

System and method for detecting and evicting malicious vehicles in a vehicle communications network Download PDF

Info

Publication number
WO2011026092A1
WO2011026092A1 PCT/US2010/047293 US2010047293W WO2011026092A1 WO 2011026092 A1 WO2011026092 A1 WO 2011026092A1 US 2010047293 W US2010047293 W US 2010047293W WO 2011026092 A1 WO2011026092 A1 WO 2011026092A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicles
vehicle
malicious
innocent
detective
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2010/047293
Other languages
French (fr)
Inventor
Eric Van Den Berg
Tao Zhang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Iconectiv LLC
Original Assignee
Telcordia Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telcordia Technologies Inc filed Critical Telcordia Technologies Inc
Priority to JP2012527093A priority Critical patent/JP2013503403A/en
Priority to EP10812746.5A priority patent/EP2473926A4/en
Publication of WO2011026092A1 publication Critical patent/WO2011026092A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/20Services signaling; Auxiliary data signalling, i.e. transmitting data via a non-traffic channel
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/40Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/44Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/40Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/46Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P] for vehicle-to-vehicle communication [V2V]

Definitions

  • the present invention relates to malicious behavior detection and malicious vehicle detection in a vehicle communications network.
  • Agents interested in malicious behaviors include all entities that may engage in such behaviors and/or profit from it. These agents are grouped into three categories according to the amount of resources they may have to cause harm to the vehicular network:
  • the first category of attackers are solitary attackers who mainly operate on their own. They have limited monetary resources and use the Internet as their main source of information. Examples of attackers in this category include: Unscrupulous or opportunistic individuals; Computer hackers; Automotive, electronic, or computer hobbyists; and Very loosely organized groups.
  • the second category of attackers are typically one or more groups of individuals who are moderately coordinated, communicate on a regular basis, have moderate resources, can obtain information not publicly known or available. Examples of attackers in this category include: Corrupt Insiders and Unscrupulous Businesses.
  • the third category of attackers are highly organized, have access to expansive resources, can infiltrate organizations and obtain closely held secrets, may consider life and individuals expendable to achieve their goals, and may be supported by governing bodies of foreign nations. Examples of attackers in this category include: Organized Crime and Foreign nations.
  • V2V vehicle-to vehicle
  • Attackers could modify the communication content coming from their vehicles' software or hardware, including: inaccurate traffic conditions, including false warnings related to forward collisions, blind spot situations, lane changes, unsafe passing; and inaccurate driving conditions or patterns, such as false statements about speeds, braking, directions, positions, and intersection movement.
  • Attackers could modify the communication functionalities of their vehicles' software or hardware to carry out attacks, such as one of the attacks above and the following: modifying transmission timing intervals of messages; delaying the delivery of messages; sending more messages than the vehicle is designed to; not sending messages for a long enough time interval; and disabling the functioning of a vehicle's software, say, because of privacy concerns. Attackers could attempt to impersonate vehicles or other network entities (e.g., servers) to cause harm to the vehicular network operations.
  • network entities e.g., servers
  • Attackers could act as intruders and attempt to use data stored on vehicles or other network entities (e.g., servers) to cause harm to the vehicular network operations.
  • malicious use of the certificates to cause harm to the vehicles networks and applications need to be detected so that these certificates can be revoked.
  • Malicious vehicles used to cause significant harm to the vehicle networks and applications need to be detected and "evicted" from the vehicle communications network. If vehicles have frequent
  • infrastructure network connectivity they can rely on trusted servers in the infrastructure network to detect and respond to security threats. These infrastructure servers could collect information from a large number of vehicles and have sufficient processing capabilities to analyze the data to detect malicious activities. However, when vehicles have sporadic or zero infrastructure connectivity along the roads, attackers could perform attacks without being monitored by any highly trusted entities such as infrastructure servers. Vehicles can no longer rely on any infrastructure-based servers to help detect malicious activities. As a result, attacks will have much higher chances to be successful, and attackers would have a much higher chance of being undetected. Vehicles would have to rely on themselves and interactions with other potentially untrusted vehicles to detect malicious activities and mitigate their impacts.
  • V2V communications particularly with no infrastructure network support
  • Such a capability allows the vehicles to communicate securely without being excessively impacted by malicious activities without relying on infrastructure network connectivity.
  • the majority vote principle is used to decide when to deem another vehicle untrustworthy and to send a warning message about this untrusted vehicle.
  • a majority vote detection mechanism relies on an 'honest majority': every node must have more good neighbors than bad. Therefore, local communication graph structure can have a significant effect on the dynamics of the voter model, see, e.g., V. Sood, T. Antal, S. Redner, "Voter models on heterogeneous networks", Phys. Rev. E, April 2008.
  • Bad nodes can eliminate good nodes if they form a local majority.
  • Good nodes can eliminate bad nodes if they have a local majority. Specifically, they can send sufficiently many 'warning' and/or 'disregard' messages in LEAVE, for example.
  • any vehicle can evict any other vehicle by
  • the present invention provides an approach that combines the vote and the sacrifice principles using a mathematical model called the "Mafia Game".
  • the Mafia Game model focuses on the relative size of the group of attackers within a neighborhood necessary to dominate the entire network in the neighborhood (i.e., to eventually evict all the innocent vehicles). This combined approach does not lead to a false decision probability which the vote and the sacrifice mechanisms have to address. Furthermore, a low level of mobile or fixed infrastructure network connectivity could significantly increase the performance of the proposed approach.
  • some vehicles may be used by attackers to send false information to other vehicles which may jeopardize the safety of other vehicles.
  • a malicious vehicle may broadcast erroneous emergency break light messages to cause neighboring vehicles to think the malicious vehicle is breaking hard so the other vehicles will also have to reduce their speeds suddenly, which may cause accidents.
  • Vehicles should be able to detect malicious communications activities and to mitigate the impact of malicious vehicles by evicting (eliminating) suspected malicious vehicles from the system. Evicting a vehicle is to ignore the messages sent from the vehicle for a specified time period.
  • Such malicious behavior detection and mitigation methods can allow vehicles to communicate securely without being excessively impacted by malicious activities without relying on infrastructure network connectivity.
  • the present invention combines the voting and the sacrifice principles using a mathematical model based on the "Mafia Game".
  • the Mafia Game model focuses on the relative size of the group of attackers within a neighborhood necessary to dominate the entire network in the neighborhood (i.e., to eventually evict all the innocent vehicles). This combined approach does not need to a false decision probability which the vote and the sacrifice mechanisms have to address.
  • a low level of mobile or fixed infrastructure network connectivity could significantly increase the performance of the proposed approach.
  • the method for detecting and evicting malicious vehicles enables vehicles to have secure communications for significantly longer time, compared to prior art PKI solutions, before having to communicate with Certificate Authorities and therefore significantly reducing reliance on roadside infrastructure networks. This translates to a significantly small number of roadside network access points (base stations) that will be required to support the PKI operations for V2V communications, hence significantly reducing the costs of system deployment.
  • the proposed method has a provable bound on the number of malicious vehicles the system can tolerate before the system loses its ability to detect and evict malicious vehicles.
  • FIG. 1 shows a system architecture for the invention.
  • Fig. 2 is a flow chart of actions taken by innocent vehicles.
  • Fig. 3 is a flow chart of actions by detective vehicles. DETAILED DESCRIPTION
  • vehicles are classified into the following categories:
  • Malicious (Mafia) vehicles 100 are vehicles that have been detected to behave significantly differently from the behaviors designed by the vehicle manufacturers.
  • Malicious vehicles are assumed to have full knowledge of who the other malicious vehicles in a neighborhood are. That is, collusion among malicious vehicles is possible. Through collusion, "Malicious" vehicles can create a local majority to eliminate a non- Malicious vehicle. "Malicious” vehicles can adapt their behaviors to that of Innocent vehicles so that they can postpone detection. In other words, they do not have to behave malicious all the time. Innocent vehicles 102 are vehicles that behave as designed by the vehicle manufacturers.
  • Detective vehicles 104 are innocent vehicles that have the ability to detect whether another vehicle is innocent or malicious.
  • Vigilante vehicles are vehicles deemed/verified by the detective vehicles as innocent vehicles.
  • Resident vehicles 106 are vehicles of all categories combined in a given region or neighborhood.
  • the vehicles can be viewed to be playing a game consisting of the following iterations or rounds: 1) Resident vehicles' Turn: Referring to Fig. 2, all Resident vehicles pick a vehicle to eliminate by majority vote 200. Each resident vehicle votes 202 to eliminate one vehicle. The votes from the Resident vehicles are received by the other vehicles 204. The vehicle receiving the most votes is then eliminated 206. In case of a tie, a vehicle is chosen uniformly at random from the vehicles receiving the maximum number of votes. The identity of the eliminated vehicle is revealed publicly via dissemination of a "Disregard" message. 2) Malicious vehicles' Turn: Malicious vehicles choose an innocent vehicle to eliminate.
  • infrastructure-based servers to help determine whether another vehicle is malicious or not.
  • the anonymous vote is used to coordinate votes of the Vigilante vehicles with the other (at least the Innocent) vehicles. Each Resident vehicle still announces its vote in a plurality vote.
  • the anonymous vote is necessary to keep the identity of Vigilante vehicles unknown to non- Vigilante vehicles, in particular, unknown to Mafia vehicles. In this sense, the Vigilante vehicles are indeed an 'Anti-Mafia'.
  • the cryptographic assumptions, in particular the anonymous pre-communication round, can be removed, if there are a simple majority of Vigilante vehicles among the Resident vehicles.
  • d detectives In particular, for any ⁇ >0, there is a d such that d detectives have a probability of winning of at least 1 - ⁇ against a mafia of size (1/2 - ⁇ ) R.
  • voting will take a bounded number of sub-rounds that is polynomial in the number of "Resident" vehicles. This assumption can be satisfied even if the vehicles' votes need to be propagated over several hops, i.e., when not all vehicles are within one-hop broadcast range with each other. Furthermore, the number of
  • each vehicle can take between rounds is also bounded by a polynomial in the number of residents.
  • the optimal game for the Innocent vehicles will be the following: Suppose there is a single Detective vehicle. Referring to Fig. 3, during the first T 1 / »7 R rounds, the detective collects information about vehicles at random 300. The other Innocents vote in each round to eliminate a vehicle at random.
  • the Detective compiles a list ⁇ of so-called "Vigilante" vehicles that are vehicles known to be Innocents 302.
  • should be larger than the number of Malicious (Mafia) vehicles r ⁇ (since i/?J > ?1 for 0 ⁇ ?? ⁇ 1 ).
  • the group of Vigilantes acts as an "anti-Mafia”.
  • the Detective encrypts the list of Vigilantes, and sends the encrypted list to each member of ⁇ so that the Vigilantes know which vehicles are also Vigilantes 304.
  • the Detective then asks everyone to eliminate him. Upon being eliminated, the identity of the Detective is revealed, and therefore each Vigilante knows that the messages and encrypted list they have received is genuine.
  • the highest ranking (numbered) member of V selects a member outside of V to be eliminated, and communicates to the other members of V the identity of the vehicle to be eliminated, say p. All Innocent vehicles abstain from voting in a secure anonymous vote to coordinate/select the next vehicle p to eliminate. After this pre communication round, every non-Mafia vehicle sends a 'Disregard-p' message.. This shows that a single Detective vehicle can significantly increase the number of
  • an enhanced malicious vehicle detection and eviction method is as followings:
  • Time is divided into time periods of equal or variable lengths.
  • the Resident vehicles in the region pick one vehicle to eliminate by majority vote. Each Resident vehicle picks one vehicle it wants to eliminate and sends out its vote in a message to other vehicles. The vehicle receiving the most votes is eliminated. In case of a tie, a vehicle is chosen uniformly at random from the vehicles receiving the maximum number of votes. The identity of the eliminated vehicle is revealed publicly via dissemination of a "Disregard" message. If the eliminated vehicle is a Detective vehicle, this fact is revealed as well b.
  • Each Detective vehicle acquires the "Malicious" or "Innocent" status of a single randomly selected vehicle. This status is then revealed only to the Detective vehicles.
  • the Detective vehicle may collect messages from other vehicles and may communicate with infrastructure-based servers to help determine whether another vehicle is malicious or not.
  • the Detective vehicle encrypts the white list of Vigilantes and sends the encrypted list to each member of V so that the Vigilante vehicles know which other vehicles are also vigilantes.
  • the Detective vehicle then asks other vehicles to eliminate itself by sending out a "Disregard" message revealing its own identity. Upon being eliminated, the identity of the detective is revealed, and therefore each Vigilante vehicles know that the messages and encrypted list white list" they have received is genuine.
  • aspects of the present disclosure may be embodied as a program, software, or computer instructions embodied in a computer or machine usable or readable medium, which causes the computer or machine to perform the steps of the method when executed on the computer, processor, and/or machine.
  • the system and method of the present disclosure may be implemented and run on a general-purpose computer or computer system.
  • the computer system maybe any type of known or will be known systems and may typically include a processor, memory device, a storage device, input/output devices, internal buses, and/or a communications interface for communicating with other computer systems in conjunction with communication hardware and software, etc.
  • a module maybe a component of a device, software, program, or system that implements some "functionality", which can be embodied as software, hardware, firmware, electronic circuitry, or etc.
  • the terms "computer system” and "computer network” as may be used in the present application may include a variety of combinations of fixed and/or portable computer hardware, software, peripherals, and storage devices.
  • the computer system may include a plurality of individual components that are networked or otherwise linked to perform collaboratively, or may include one or more stand-alone components.
  • the hardware and software components of the computer system of the present application may include and may be included within fixed and portable devices such as desktop, laptop, server, and/or embedded system.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Traffic Control Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

In a vehicle communication network, some vehicles may be used by attackers to send false information to other vehicles which may jeopardize the safety of other vehicles. Vehicles should be able to detect malicious communications activities and to mitigate the impact of malicious vehicles by evicting (eliminating) suspected malicious vehicles from the system. Evicting a vehicle is to ignore the messages sent from the vehicle for a specified time period. Voting and sacrifice principles are combined using a mathematical model based on the "Mafia Game". The Mafia Game model focuses on the relative size of the group of attackers within a neighborhood necessary to dominate the entire network in the neighborhood (i.e., to eventually evict all the innocent vehicles).

Description

SYSTEM AND METHOD FOR DETECTING AND EVICTING MALICIOUS VEHICLES IN A VEHICLE COMMUNICATIONS
NETWORK CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims the benefit of U.S. Provisional Application No. 61/238,681, filed on August 31, 2009, which is incorporated by reference herein in its entirety. FIELD OF THE INVENTION
The present invention relates to malicious behavior detection and malicious vehicle detection in a vehicle communications network. BACKGROUND OF THE INVENTION
Agents interested in malicious behaviors include all entities that may engage in such behaviors and/or profit from it. These agents are grouped into three categories according to the amount of resources they may have to cause harm to the vehicular network:
The first category of attackers are solitary attackers who mainly operate on their own. They have limited monetary resources and use the Internet as their main source of information. Examples of attackers in this category include: Unscrupulous or opportunistic individuals; Computer hackers; Automotive, electronic, or computer hobbyists; and Very loosely organized groups.
The second category of attackers are typically one or more groups of individuals who are moderately coordinated, communicate on a regular basis, have moderate resources, can obtain information not publicly known or available. Examples of attackers in this category include: Corrupt Insiders and Unscrupulous Businesses.
The third category of attackers are highly organized, have access to expansive resources, can infiltrate organizations and obtain closely held secrets, may consider life and individuals expendable to achieve their goals, and may be supported by governing bodies of foreign nations. Examples of attackers in this category include: Organized Crime and Foreign nations. Some of the potential motivations that may drive agents to exhibit malicious behaviors within a vehicular network, in an order of increasing impact, are: Sadistic pleasure in harming other vehicles or the entire vehicular network; Preferential treatment from the vehicular network for the purposes of evading law enforcement, assisting in criminal operations, or diverting attention from a primary attack; Prestige in a successful hack or a new virus launch; Manipulate traffic authority decisions; Acquiring personal advantages in driving conditions or economic gain; e.g., committing insurance fraud or car theft; Promote national, political, and special interests; and Civil, political and economic disruption, including warfare. Security attacks and malicious behaviors based on communications activities in a vehicle-to vehicle (V2V) communications environment can be categorized as follows:
1) Attackers could modify the communication content coming from their vehicles' software or hardware, including: inaccurate traffic conditions, including false warnings related to forward collisions, blind spot situations, lane changes, unsafe passing; and inaccurate driving conditions or patterns, such as false statements about speeds, braking, directions, positions, and intersection movement.
2) Attackers could modify the communication functionalities of their vehicles' software or hardware to carry out attacks, such as one of the attacks above and the following: modifying transmission timing intervals of messages; delaying the delivery of messages; sending more messages than the vehicle is designed to; not sending messages for a long enough time interval; and disabling the functioning of a vehicle's software, say, because of privacy concerns. Attackers could attempt to impersonate vehicles or other network entities (e.g., servers) to cause harm to the vehicular network operations.
Attackers could act as intruders and attempt to use data stored on vehicles or other network entities (e.g., servers) to cause harm to the vehicular network operations. In order to ensure safe and secure operation of a vehicle communications system, malicious use of the certificates to cause harm to the vehicles networks and applications need to be detected so that these certificates can be revoked. Malicious vehicles used to cause significant harm to the vehicle networks and applications need to be detected and "evicted" from the vehicle communications network. If vehicles have frequent
infrastructure network connectivity, they can rely on trusted servers in the infrastructure network to detect and respond to security threats. These infrastructure servers could collect information from a large number of vehicles and have sufficient processing capabilities to analyze the data to detect malicious activities. However, when vehicles have sporadic or zero infrastructure connectivity along the roads, attackers could perform attacks without being monitored by any highly trusted entities such as infrastructure servers. Vehicles can no longer rely on any infrastructure-based servers to help detect malicious activities. As a result, attacks will have much higher chances to be successful, and attackers would have a much higher chance of being undetected. Vehicles would have to rely on themselves and interactions with other potentially untrusted vehicles to detect malicious activities and mitigate their impacts.
In V2V communications, particularly with no infrastructure network support, it is essential for the vehicles to be able to rely on themselves and distributed techniques to detect malicious communications activities and to mitigate the impact of malicious vehicles by evicting (or eliminating) suspected malicious vehicle from the system (i.e., to ignore the messages sent from the suspected malicious vehicle). Such a capability allows the vehicles to communicate securely without being excessively impacted by malicious activities without relying on infrastructure network connectivity.
Several approaches exist in the prior art in which vehicles decide locally whether or not to evict a suspected malicious vehicle from the system. Two methods have recently been considered for V2V vehicular communications networks are: voting mechanisms, and 'Sacrifice' by individual vehicles, in which a suspected device is evicted together with its 'accuser', (This is also sometimes termed "suicide for the common good').
In a voting mechanism, such as LEAVE described by T. Moore et al, "Fast exclusion of errant devices from vehicular networks", Proceedings IEEE SECON, San Francisco, CA, June 16-20, 2008, vehicles vote by exchanging signed claims of impropriety of another vehicle. Each vehicle then adds these warning messages to its 'accusation list'. Once the warning votes against a vehicle exceed a threshold, the accused vehicle is placed on a 'blacklist', similar to a local or temporary certificate revocation list (CRL). For nodes which are placed on the blacklist, additional 'disregard this vehicle' messages will be broadcast to other vehicles. Typically, the majority vote principle is used to decide when to deem another vehicle untrustworthy and to send a warning message about this untrusted vehicle. A majority vote detection mechanism relies on an 'honest majority': every node must have more good neighbors than bad. Therefore, local communication graph structure can have a significant effect on the dynamics of the voter model, see, e.g., V. Sood, T. Antal, S. Redner, "Voter models on heterogeneous networks", Phys. Rev. E, April 2008. Bad nodes can eliminate good nodes if they form a local majority. Good nodes can eliminate bad nodes if they have a local majority. Specifically, they can send sufficiently many 'warning' and/or 'disregard' messages in LEAVE, for example.
For V2V communications, consider the following threat model: attackers can disseminate false messages and abuse the elimination mechanism. Furthermore, multiple attackers can collude.
In a 'sacrifice' based model, any vehicle can evict any other vehicle by
simultaneously agreeing to limit its own participation in future V2V communications hence giving his decision more credibility. Therefore, in this scheme it is easier to evict a node than in a vote-based mechanism where a majority votes from multiple vehicles are used to decide whether to evict a vehicle. However, abuse of this mechanism is made more costly by forcing simultaneous removal of the accuser: 'Disregard' messages by an accuser cause simultaneous disregard of both the suspected node and its accuser. The prior art fails to address how to determine how many malicious vehicles can the vehicle network tolerate before the innocent vehicles loss their ability to detect and evict malicious vehicles. The present invention has a provable bound on the number of malicious vehicles the system can tolerate before the system loses its ability to detect and evict malicious vehicles. This is important for determining how long the malicious detection and eviction method can continue to run before it has to rely on other means, such as communications with infrastructure-based intrusion detection systems, to eliminate the malicious vehicles.
SUMMARY OF THE INVENTION
The present invention provides an approach that combines the vote and the sacrifice principles using a mathematical model called the "Mafia Game". The Mafia Game model focuses on the relative size of the group of attackers within a neighborhood necessary to dominate the entire network in the neighborhood (i.e., to eventually evict all the innocent vehicles). This combined approach does not lead to a false decision probability which the vote and the sacrifice mechanisms have to address. Furthermore, a low level of mobile or fixed infrastructure network connectivity could significantly increase the performance of the proposed approach.
In a vehicle communication network, some vehicles may be used by attackers to send false information to other vehicles which may jeopardize the safety of other vehicles. For example, a malicious vehicle may broadcast erroneous emergency break light messages to cause neighboring vehicles to think the malicious vehicle is breaking hard so the other vehicles will also have to reduce their speeds suddenly, which may cause accidents.
Vehicles should be able to detect malicious communications activities and to mitigate the impact of malicious vehicles by evicting (eliminating) suspected malicious vehicles from the system. Evicting a vehicle is to ignore the messages sent from the vehicle for a specified time period.
Such malicious behavior detection and mitigation methods can allow vehicles to communicate securely without being excessively impacted by malicious activities without relying on infrastructure network connectivity. The present invention combines the voting and the sacrifice principles using a mathematical model based on the "Mafia Game". The Mafia Game model focuses on the relative size of the group of attackers within a neighborhood necessary to dominate the entire network in the neighborhood (i.e., to eventually evict all the innocent vehicles). This combined approach does not need to a false decision probability which the vote and the sacrifice mechanisms have to address. Furthermore, a low level of mobile or fixed infrastructure network connectivity could significantly increase the performance of the proposed approach. The method for detecting and evicting malicious vehicles enables vehicles to have secure communications for significantly longer time, compared to prior art PKI solutions, before having to communicate with Certificate Authorities and therefore significantly reducing reliance on roadside infrastructure networks. This translates to a significantly small number of roadside network access points (base stations) that will be required to support the PKI operations for V2V communications, hence significantly reducing the costs of system deployment.
The proposed method has a provable bound on the number of malicious vehicles the system can tolerate before the system loses its ability to detect and evict malicious vehicles.
Connecting Mafia Game Theory to designing a practical PKI solution for V2V communications has not been described elsewhere. The present invention will be better understood when the following description is read in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 shows a system architecture for the invention.
Fig. 2 is a flow chart of actions taken by innocent vehicles.
Fig. 3 is a flow chart of actions by detective vehicles. DETAILED DESCRIPTION
As shown in the system architecture in Fig. 1, vehicles are classified into the following categories:
Malicious (Mafia) vehicles 100 are vehicles that have been detected to behave significantly differently from the behaviors designed by the vehicle manufacturers.
Malicious vehicles are assumed to have full knowledge of who the other malicious vehicles in a neighborhood are. That is, collusion among malicious vehicles is possible. Through collusion, "Malicious" vehicles can create a local majority to eliminate a non- Malicious vehicle. "Malicious" vehicles can adapt their behaviors to that of Innocent vehicles so that they can postpone detection. In other words, they do not have to behave malicious all the time. Innocent vehicles 102 are vehicles that behave as designed by the vehicle manufacturers.
Detective vehicles 104 are innocent vehicles that have the ability to detect whether another vehicle is innocent or malicious.
Vigilante vehicles are vehicles deemed/verified by the detective vehicles as innocent vehicles.
Resident vehicles 106 are vehicles of all categories combined in a given region or neighborhood.
Applying the Mafia Game model to a V2V communications network, the vehicles can be viewed to be playing a game consisting of the following iterations or rounds: 1) Resident vehicles' Turn: Referring to Fig. 2, all Resident vehicles pick a vehicle to eliminate by majority vote 200. Each resident vehicle votes 202 to eliminate one vehicle. The votes from the Resident vehicles are received by the other vehicles 204. The vehicle receiving the most votes is then eliminated 206. In case of a tie, a vehicle is chosen uniformly at random from the vehicles receiving the maximum number of votes. The identity of the eliminated vehicle is revealed publicly via dissemination of a "Disregard" message. 2) Malicious vehicles' Turn: Malicious vehicles choose an innocent vehicle to eliminate. The only information announced publicly by the malicious vehicles will be the identity of the vehicle eliminated and whether it was a detective vehicle or not. Again, the result can be disseminated via a "Disregard" message. 3) Detective's Turn (if there are detective vehicles): Each detective vehicle acquires the Malicious or Innocent status of a vehicle. This status is then revealed only to the Detective vehicles. Detectives, for instance, can be police vehicles. Here, the Detective vehicle may collect messages from other vehicles and may communicate with
infrastructure-based servers to help determine whether another vehicle is malicious or not.
After round t 5 there are Re = R - 2t Resident vehicles in the system. And the Mafia Game has two possible outcomes:
The "Innocent" vehicles win if all "Mafia" vehicles have been eliminated and there are still "Innocent" vehicles alive.
The "Mafia" vehicles win if all "Innocent" vehicles have been eliminated when there are still "Mafia" vehicles alive. Next, here are analysis results on the performance of the scheme. For analysis purpose, the following assumptions are made: a) In the game without "Detective" vehicles, assume that all "Resident" vehicles can send a message to all other Resident vehicles simultaneously. This is primarily to assure later votes are not influenced by earlier ones. Otherwise, Mafia vehicles may be able to influence the majority vote in the all-vehicle Residents round, to eliminate an Innocent vehicle with greater likelihood. This can be achieved using cryptographic protocols, for example. b) In the game with Detectives, we assume that Residents can vote anonymously and the Residents can securely exchange messages, e.g. using a PKI system, with anonymized certificates.
The anonymous vote is used to coordinate votes of the Vigilante vehicles with the other (at least the Innocent) vehicles. Each Resident vehicle still announces its vote in a plurality vote. The anonymous vote is necessary to keep the identity of Vigilante vehicles unknown to non- Vigilante vehicles, in particular, unknown to Mafia vehicles. In this sense, the Vigilante vehicles are indeed an 'Anti-Mafia'. The cryptographic assumptions, in particular the anonymous pre-communication round, can be removed, if there are a simple majority of Vigilante vehicles among the Resident vehicles. This is easier to achieve when there are multiple, say d detectives: In particular, for any ε >0, there is a d such that d detectives have a probability of winning of at least 1 - ε against a mafia of size (1/2 - ε) R.
Now it will be shown that voting will take a bounded number of sub-rounds that is polynomial in the number of "Resident" vehicles. This assumption can be satisfied even if the vehicles' votes need to be propagated over several hops, i.e., when not all vehicles are within one-hop broadcast range with each other. Furthermore, the number of
computational steps each vehicle can take between rounds is also bounded by a polynomial in the number of residents.
The optimal strategies in the game without detectives are given as follows:
Innocent Vehicle's Optimal Strategy: In iteration t, each "Resident" vehicle
1≤ s≤ R4 picks a random vehicle to eliminate. As long as the "Innocent" vehicles have the majority in each Residents round, a random resident vehicle will be eliminated.
Malicious Vehicle's Optimal Strategy: As long as the "Innocent" vehicles have the majority, the "Mafia" vehicles may as well follow the same strategy of choosing a random innocent in each Residents round. The following results about a network with R Resident vehicles can be derived based on analysis related to the Mafia Games:
In the game without Detectives: Malicious vehicles will surely lose if the number of them is lower than the order of VR, have a comparable chance of winning if the number of them is in the order of ^'κ, and win if the number of them is larger than order VR .
In the game with d > 1 Detectives, The probability of the Malicious vehicles winning is only comparable to the Innocent's winning when there are at least V^
Malicious vehicles, for some constant η that satisfies ° < n≤ * ,
The above results provide several significant insights that provide a solid foundation for designing a V2V security system without roadside infrastructure networks. These insights include, for example, if it is possible to design a malicious vehicle detection and eviction approach so the number of malicious vehicles is kept below their critical mass (for example in the order of ^K or W& with zero or one Detective vehicle), the system will be able to quickly evict the malicious vehicles and maintain safe and secure communications continuously. Also, the addition of a single infrastructure node can significantly decrease the power of Malicious vehicles.
Establishing a 'white list' of vigilante vehicles, which are known innocent vehicles rather than distributing more "Disregard" messages or CRLs is a more effective approach to increase the chance of winning for the Innocents. Furthermore, the suicide of the Detective is particularly powerful, as opposed to the solitary act considered in other mechanisms. This solitary sacrifice is one interpretation of the elimination process after majority vote, which bypasses the need to model false decision probabilities. With one Detective vehicle, the optimal game for the Innocent vehicles will be the following: Suppose there is a single Detective vehicle. Referring to Fig. 3, during the first T1/ »7 R rounds, the detective collects information about vehicles at random 300. The other Innocents vote in each round to eliminate a vehicle at random. After V^ rounds, the Detective compiles a list ^ of so-called "Vigilante" vehicles that are vehicles known to be Innocents 302. At this stage, the number of Vigilantes FV| should be larger than the number of Malicious (Mafia) vehicles rø (since i/?J > ?1 for 0 < ?? < 1 ). The group of Vigilantes acts as an "anti-Mafia". The Detective encrypts the list of Vigilantes, and sends the encrypted list to each member of ^ so that the Vigilantes know which vehicles are also Vigilantes 304. The Detective then asks everyone to eliminate him. Upon being eliminated, the identity of the Detective is revealed, and therefore each Vigilante knows that the messages and encrypted list they have received is genuine.
Once the detective is evicted, in each round, the highest ranking (numbered) member of V selects a member outside of V to be eliminated, and communicates to the other members of V the identity of the vehicle to be eliminated, say p. All Innocent vehicles abstain from voting in a secure anonymous vote to coordinate/select the next vehicle p to eliminate. After this pre communication round, every non-Mafia vehicle sends a 'Disregard-p' message.. This shows that a single Detective vehicle can significantly increase the number of
Malicious vehicles needed to dominate the game to f}®-> 0 < η < i from vϊϊ.
Therefore, an enhanced malicious vehicle detection and eviction method is as followings:
[I]. C onsider an arbitrary geographic al region .
[2] . Time is divided into time periods of equal or variable lengths.
[3] . For each time period: a. The Resident vehicles in the region pick one vehicle to eliminate by majority vote. Each Resident vehicle picks one vehicle it wants to eliminate and sends out its vote in a message to other vehicles. The vehicle receiving the most votes is eliminated. In case of a tie, a vehicle is chosen uniformly at random from the vehicles receiving the maximum number of votes. The identity of the eliminated vehicle is revealed publicly via dissemination of a "Disregard" message. If the eliminated vehicle is a Detective vehicle, this fact is revealed as well b. For each time period T: Each Detective vehicle acquires the "Malicious" or "Innocent" status of a single randomly selected vehicle. This status is then revealed only to the Detective vehicles. Here, the Detective vehicle may collect messages from other vehicles and may communicate with infrastructure-based servers to help determine whether another vehicle is malicious or not.
[4]. During the first Vi^ time periods (rounds), the Detective vehicle compiles and maintains an up to date "white list" V of "Vigilante" vehicles. At this stage, the number of Vigilantes !Vl should be larger than the number of Malicious vehicles l-Ml
(since Φϊ y O for 0 < ij < 1 ). The Detective vehicle encrypts the white list of Vigilantes and sends the encrypted list to each member of V so that the Vigilante vehicles know which other vehicles are also vigilantes. The Detective vehicle then asks other vehicles to eliminate itself by sending out a "Disregard" message revealing its own identity. Upon being eliminated, the identity of the detective is revealed, and therefore each Vigilante vehicles know that the messages and encrypted list white list" they have received is genuine.
[5], Once the Detective vehicle is evicted, the white list of Vigilante vehicles is known to be genuine, and can be acted upon. In each time period (round), the highest ranking (numbered) member of V selects a member outside of V to be eliminated by sending a "Disregard" message to all vehicles in V. All innocent vehicles abstain from voting in a secure anonymous vote to coordinate on the next vehicle p to eliminate. All Vigilante vehicles vote for p. After this round, all vehicles vote for p in the majority vote, and 'Disregard-p' messages are sent. This shows that a single Detective vehicle to significantly increase the number of malicious vehicles needed to dominate the game to ?jR. O < η < l from ^R. Various aspects of the present disclosure may be embodied as a program, software, or computer instructions embodied in a computer or machine usable or readable medium, which causes the computer or machine to perform the steps of the method when executed on the computer, processor, and/or machine.
The system and method of the present disclosure may be implemented and run on a general-purpose computer or computer system. The computer system maybe any type of known or will be known systems and may typically include a processor, memory device, a storage device, input/output devices, internal buses, and/or a communications interface for communicating with other computer systems in conjunction with communication hardware and software, etc. A module maybe a component of a device, software, program, or system that implements some "functionality", which can be embodied as software, hardware, firmware, electronic circuitry, or etc.
The terms "computer system" and "computer network" as may be used in the present application may include a variety of combinations of fixed and/or portable computer hardware, software, peripherals, and storage devices. The computer system may include a plurality of individual components that are networked or otherwise linked to perform collaboratively, or may include one or more stand-alone components. The hardware and software components of the computer system of the present application may include and may be included within fixed and portable devices such as desktop, laptop, server, and/or embedded system. While there has been described and illustrated a system and method for detecting and evicting malicious vehicles in a vehicle communication network, it will be apparent to those skilled in the art that modifications and variations are possible without deviating from the principles and broad teachings of the present invention which shall be limited solely by the scope of the claims appended hereto.

Claims

CLAIMS What is claimed is:
1. A method for vehicles to detect and evict malicious vehicles in a vehicle-to- vehicle communications network using the Mafia Game theory, comprising: malicious mafia vehicles that have been detected to behave significantly differently from the behaviors designed by the vehicle manufacturers, innocent vehicles that behave as designed by the vehicle manufacturers, vigilante vehicles vehicles that are deemed or verified by a detective vehicle as an innocent vehicle which is a vigilante vehicle, and
detective vehicles that are innocent vehicles that have the ability to detect whether another vehicle is an innocent vehicle or a malicious vehicle, or a vigilant vehicle, where resident vehicles are vehicles of all categories in a region.
2. The method of claim 1 , wherein time is divided into periods and during each time period the innocent vehicles will pick a vehicle to eliminate by majority vote and each innocent vehicle votes to eliminate one vehicle in each time period.
3. The method of claim 1 , wherein each innocent vehicle receives votes from other vehicles in each time period and eliminates the vehicle that has received the most votes ,. in case of a tie, a vehicle is chosen uniformly at random from the vehicles receiving the maximum number of votes.
4. The method of claim 1, wherein a vehicle reveals the identity of the eliminated vehicle by sending a "DISREGARD" message to all other vehicles in the region.
5. The method of claim 1, wherein malicious vehicles can also behave as the innocent vehicles and choose an innocent vehicle to eliminate in each time period.
6. The method of 5, wherein a malicious vehicle reveals the identity of the vehicle eliminated and whether the eliminated vehicle was a detective vehicle or not by sending a "DISREGARD" message to other vehicles.
7. The method of claim 1, wherein each detective vehicle acquires the malicious or innocent status of a vehicle and then reveals the status to only other detective vehicles by sending a secure message to the other detective vehicles.
8. The method of claim 1, wherein during the first V1J^ time periods where R is the total number of vehicles in the region and η is a constant value between zero and one, a detective vehicle compiles and maintains an up to date "white list" of vigilante vehicles, encrypts the up-to-date white list or changes to the white list, and sends the encrypted list to each vigilante vehicle on the white list.
9. The method of claim 8, wherein the detective vehicle requests other vehicles to eliminate itself and reveals its identity by sending a "DISREGARD" message to the other vehicles.
10. The method of claim 1, where in each time period, the highest ranking
numbered member of V selects a member outside of V to be eliminated, and communicates to the other members of V the identity of the vehicle to be eliminated, say p where all innocent vehicles abstain from voting in a secure anonymous vote to coordinate/select the next vehicle p to eliminate after this pre-communication round, every (non-Mafia) vehicle sends a 'Disregard-p' message.
PCT/US2010/047293 2009-08-31 2010-08-31 System and method for detecting and evicting malicious vehicles in a vehicle communications network Ceased WO2011026092A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2012527093A JP2013503403A (en) 2009-08-31 2010-08-31 System and method for detecting and evicting malicious vehicles in a vehicle communication network
EP10812746.5A EP2473926A4 (en) 2009-08-31 2010-08-31 SYSTEM AND METHOD FOR DETECTING AND EXPULTING MALWARE VEHICLES IN A VEHICLE COMMUNICATION NETWORK

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US23868109P 2009-08-31 2009-08-31
US61/238,681 2009-08-31

Publications (1)

Publication Number Publication Date
WO2011026092A1 true WO2011026092A1 (en) 2011-03-03

Family

ID=43628438

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/US2010/047286 Ceased WO2011026089A1 (en) 2009-08-31 2010-08-31 System and methods to perform public key infrastructure (pki) operations in vehicle networks using one-way communications infrastructure
PCT/US2010/047293 Ceased WO2011026092A1 (en) 2009-08-31 2010-08-31 System and method for detecting and evicting malicious vehicles in a vehicle communications network

Family Applications Before (1)

Application Number Title Priority Date Filing Date
PCT/US2010/047286 Ceased WO2011026089A1 (en) 2009-08-31 2010-08-31 System and methods to perform public key infrastructure (pki) operations in vehicle networks using one-way communications infrastructure

Country Status (4)

Country Link
US (4) US8522013B2 (en)
EP (2) EP2473926A4 (en)
JP (1) JP2013503403A (en)
WO (2) WO2011026089A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9729566B2 (en) 2009-08-31 2017-08-08 Vencore Labs, Inc. System and method for detecting and evicting malicious vehicles in a vehicle communications network
US10348753B2 (en) 2009-08-31 2019-07-09 Vencore Labs, Inc. Detecting and evicting malicious vehicles in a vehicle communications network
CN110769393A (en) * 2019-11-07 2020-02-07 公安部交通管理科学研究所 Identity authentication system and method for vehicle-road cooperation
CN112590791A (en) * 2020-12-16 2021-04-02 东南大学 Intelligent vehicle lane change gap selection method and device based on game theory

Families Citing this family (64)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5261614B2 (en) 2010-05-24 2013-08-14 ルネサスエレクトロニクス株式会社 Communication system, in-vehicle terminal, roadside device
US20130086635A1 (en) * 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
US20130093604A1 (en) * 2011-10-13 2013-04-18 GM Global Technology Operations LLC Logistical management of field work
JP5811784B2 (en) * 2011-11-08 2015-11-11 住友電気工業株式会社 Wireless communication system, information providing apparatus, mobile terminal, and method for providing information to mobile terminal
US9756036B2 (en) * 2012-06-15 2017-09-05 Nokia Technologies Oy Mechanisms for certificate revocation status verification on constrained devices
US9654968B2 (en) 2012-07-17 2017-05-16 Texas Instruments Incorporated Certified-based control unit-key fob pairing
EP2713582B1 (en) * 2012-09-28 2018-08-01 Harman Becker Automotive Systems GmbH Method and apparatus for personalized access to automotive telematic services
JP6123443B2 (en) * 2013-04-09 2017-05-10 株式会社デンソー Dangerous vehicle notification device, dangerous vehicle notification program, and recording medium recording dangerous vehicle notification program
US9680650B2 (en) 2013-08-23 2017-06-13 Qualcomm Incorporated Secure content delivery using hashing of pre-coded packets
US9100175B2 (en) 2013-11-19 2015-08-04 M2M And Iot Technologies, Llc Embedded universal integrated circuit card supporting two-factor authentication
US9350550B2 (en) * 2013-09-10 2016-05-24 M2M And Iot Technologies, Llc Power management and security for wireless modules in “machine-to-machine” communications
US10498530B2 (en) 2013-09-27 2019-12-03 Network-1 Technologies, Inc. Secure PKI communications for “machine-to-machine” modules, including key derivation by modules and authenticating public keys
US10700856B2 (en) 2013-11-19 2020-06-30 Network-1 Technologies, Inc. Key derivation for a module using an embedded universal integrated circuit card
WO2015092949A1 (en) * 2013-12-16 2015-06-25 パナソニックIpマネジメント株式会社 Authentication system and authentication method
US9742569B2 (en) * 2014-05-05 2017-08-22 Nxp B.V. System and method for filtering digital certificates
KR20160038091A (en) * 2014-09-24 2016-04-07 현대자동차주식회사 Method and System for Issuing CSR Certificate for Vehicle-to-Anything Communication
WO2016046819A1 (en) * 2014-09-25 2016-03-31 Tower-Sec Ltd. Vehicle correlation system for cyber attacks detection and method thereof
KR101603436B1 (en) * 2014-10-16 2016-03-21 경북대학교 산학협력단 Method for emergency-message broadcasing using vehicular communication
US9602290B2 (en) * 2014-10-16 2017-03-21 Infineon Technologies Ag System and method for vehicle messaging using a public key infrastructure
KR101584001B1 (en) * 2014-10-22 2016-01-08 현대자동차주식회사 Method and System for Detecting Misbehavior for Vehicle-to-Anything Communication
US9853977B1 (en) 2015-01-26 2017-12-26 Winklevoss Ip, Llc System, method, and program product for processing secure transactions within a cloud computing system
US9701280B2 (en) * 2015-04-03 2017-07-11 GM Global Technology Operations LLC Revocation of mobile device communication control privileges
US9865168B2 (en) * 2015-05-15 2018-01-09 Hyundai America Technical Center, Inc Detecting misbehavior in vehicle-to-vehicle (V2V) comminications
US10652027B2 (en) 2015-10-20 2020-05-12 The Boeing Company Airplane identity management with redundant line replaceable units (LRUs) and composite airplane modifiable information (AMI)
DE112017000129A5 (en) * 2016-02-23 2018-06-07 Continental Teves Ag & Co. Ohg Method for improving information security of vehicle-to-X communication and associated system
TWI600334B (en) 2016-03-23 2017-09-21 財團法人工業技術研究院 Security certificate management method for a vehicular network node and vehicular network node applying the same
WO2017190279A1 (en) * 2016-05-03 2017-11-09 华为技术有限公司 Certificate notification method and device
JP6381608B2 (en) * 2016-11-07 2018-08-29 三菱電機株式会社 Wireless communication apparatus and wireless communication method
US10593198B2 (en) * 2016-12-06 2020-03-17 Flir Commercial Systems, Inc. Infrastructure to vehicle communication protocol
US11025607B2 (en) * 2016-12-15 2021-06-01 At&T Mobility Ii Llc V2X certificate management
US10171953B2 (en) 2016-12-15 2019-01-01 At&T Mobility Ii Llc Vehicle event notification via cell broadcast
US10388162B2 (en) * 2017-01-23 2019-08-20 Veniam, Inc. Systems and methods for utilizing mobile access points as fixed access points in a network of moving things, for example including autonomous vehicles
EP3606124B1 (en) * 2017-03-29 2021-12-29 LG Electronics Inc. V2x communication device and data communication method thereof
US20200252804A1 (en) * 2017-06-11 2020-08-06 Lg Electronics Inc. V2x communication device and data communication method thereof
US10790980B2 (en) * 2017-07-14 2020-09-29 International Business Machines Corporation Establishing trust in an attribute authentication system
DK3679684T3 (en) 2017-09-29 2022-10-03 Huawei Int Pte Ltd SECURING COMMUNICATION OUTSIDE OF A VEHICLE USING IBC
CN111417867B (en) * 2017-10-02 2023-10-03 安全堡垒有限责任公司 Detection and prevention of cyber-physical attacks on sensors
US10812257B2 (en) * 2017-11-13 2020-10-20 Volkswagen Ag Systems and methods for a cryptographically guaranteed vehicle identity
US10745010B2 (en) 2017-12-21 2020-08-18 International Business Machines Corporation Detecting anomalous vehicle behavior through automatic voting
CN108668258B (en) * 2018-05-09 2021-05-25 中国信息通信研究院 V2X communication fast identity authentication system and method
US10868677B2 (en) * 2018-06-06 2020-12-15 Blackberry Limited Method and system for reduced V2X receiver processing load using certificates
CN108900494A (en) * 2018-06-22 2018-11-27 安徽尼古拉电子科技有限公司 A kind of method and system using Beidou satellite transmission information
KR102553145B1 (en) * 2018-07-24 2023-07-07 삼성전자주식회사 A secure element for processing and authenticating a digital key and operation metho thereof
US11184178B2 (en) * 2018-09-28 2021-11-23 Blackberry Limited Method and system for intelligent transportation system certificate revocation list reduction
US10439825B1 (en) * 2018-11-13 2019-10-08 INTEGRITY Security Services, Inc. Providing quality of service for certificate management systems
WO2020101506A1 (en) * 2018-11-13 2020-05-22 Apple Inc. Wireless power transfer device authentication
US10955841B2 (en) 2018-12-28 2021-03-23 At&T Intellectual Property I, L.P. Autonomous vehicle sensor security system
US11405206B2 (en) 2018-12-30 2022-08-02 Beijing Voyager Technology Co., Ltd. Systems and methods for managing a compromised autonomous vehicle server
US11418351B2 (en) * 2018-12-30 2022-08-16 Beijing Voyager Technology, Inc. Systems and methods for managing a compromised autonomous vehicle server
US11240006B2 (en) * 2019-03-25 2022-02-01 Micron Technology, Inc. Secure communication for a key exchange
KR102056340B1 (en) * 2019-07-26 2019-12-16 (주)디지파츠 Method, Apparatus and System for Authenticating Shared Vehicle
EP3800792B1 (en) * 2019-10-02 2022-08-03 Zumtobel Lighting GmbH Communication adaptor for a light trunking system, light trunking system comprising at least two such communication adaptors, and method for communicating data over such a light trunking system
WO2021071918A1 (en) * 2019-10-08 2021-04-15 Lg Electronics, Inc. Balancing privacy and efficiency for revocation in vehicular public key infrastructures
CN113079013B (en) 2019-12-18 2023-04-18 华为技术有限公司 Communication method, terminal device, road side unit, server, system and medium
US11388598B2 (en) * 2019-12-19 2022-07-12 Intel Corporation Recover from vehicle security breach via vehicle to anything communication
JP7472491B2 (en) * 2019-12-24 2024-04-23 株式会社Jvcケンウッド Display control device, display device, display control method and program
DE102020103391A1 (en) * 2020-02-11 2021-08-12 Bayerische Motoren Werke Aktiengesellschaft Communication module, means of locomotion and method for operating a communication module
KR102686843B1 (en) * 2020-11-24 2024-07-19 한국전자통신연구원 Apparatus and Method for Cloud-Based Vehicle Data Security Management
US11658828B2 (en) * 2021-02-01 2023-05-23 Ford Global Technologies, Llc Securely transmitting commands to vehicle during assembly
US11669639B2 (en) * 2021-02-25 2023-06-06 Dell Products L.P. System and method for multi-user state change
CN115412264B (en) * 2022-10-31 2022-12-27 北京金睛云华科技有限公司 Vehicle-mounted self-organizing network pseudonym revocation method based on Morton filter
CN117313902B (en) * 2023-11-30 2024-02-06 北京航空航天大学 An asynchronous federated learning method for vehicle formation based on signal game
TWI881657B (en) * 2024-01-09 2025-04-21 緯創資通股份有限公司 Method for identifying false risk warnings in inter-vehicle network and in-vehicle electronic device using the same
CN118612243B (en) * 2024-05-24 2024-11-22 安庆师范大学 Trust evaluation method and system for cooperative authentication of unmanned aerial vehicle and vehicle in Internet of vehicles

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3374042B2 (en) * 1997-05-16 2003-02-04 本田技研工業株式会社 Inter-vehicle communication method
EP1143658A1 (en) * 2000-04-03 2001-10-10 Canal+ Technologies Société Anonyme Authentication of data transmitted in a digital transmission system
EP1360814B1 (en) * 2001-02-06 2007-04-11 Certicom Corp. Mobile certificate distribution in a public key infrastructure
EP1516453A1 (en) * 2002-06-17 2005-03-23 Koninklijke Philips Electronics N.V. Method for authentication between devices
EP1620775A1 (en) 2003-04-28 2006-02-01 Koninklijke Philips Electronics N.V. Method of updating revocation list
US7673345B2 (en) * 2005-03-31 2010-03-02 Intel Corporation Providing extended memory protection
JP2009515232A (en) 2005-07-20 2009-04-09 ベリマトリックス、インコーポレーテッド Network user authentication system and method
US7734050B2 (en) 2006-03-27 2010-06-08 Nissan Technical Center North America, Inc. Digital certificate pool
TWI328937B (en) * 2006-09-22 2010-08-11 Chung Shan Inst Of Science Methodology of near real-time band jamming prevention
US7934095B2 (en) 2006-11-10 2011-04-26 Toyota Motor Engineering & Manufacturing North America, Inc. Method for exchanging messages and verifying the authenticity of the messages in an ad hoc network
US7908660B2 (en) * 2007-02-06 2011-03-15 Microsoft Corporation Dynamic risk management
US8171283B2 (en) 2007-03-19 2012-05-01 Telcordia Technologies, Inc. Vehicle segment certificate management using short-lived, unlinked certificate schemes
US8363832B2 (en) * 2007-03-19 2013-01-29 Telcordia Technologies, Inc. Vehicle segment certificate management using shared certificate schemes
US8869288B2 (en) * 2007-06-08 2014-10-21 Sandisk Technologies Inc. Method for using time from a trusted host device
US20090179775A1 (en) * 2008-01-10 2009-07-16 Gm Global Technology Operations, Inc. Secure information system
DE102008008970B4 (en) * 2008-02-13 2025-07-03 Bayerische Motoren Werke Aktiengesellschaft On-board power system of a motor vehicle with exchangeable cryptographic key and/or certificate
US8194550B2 (en) * 2009-02-09 2012-06-05 GM Global Technology Operations LLC Trust-based methodology for securing vehicle-to-vehicle communications
US8522013B2 (en) 2009-08-31 2013-08-27 Telcordia Technologies, Inc. System and methods to perform public key infrastructure (PKI) operations in vehicle networks using one-way communications infrastructure

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BRAVERMAN ET AL.: "MAFIA: A THEORETICAL STUDY OF PLAYERS AND COALITIONS IN A PARTIAL INFORMATION ENVIRONMENT.", THE ANNALS OF APPLIED PROBABILITY., 2008, pages 1 - 23, XP008157087, Retrieved from the Internet <URL:http://arxiv.org/pdf/math.PR/0609534> [retrieved on 20101014] *
MOORE ET AL.: "Fast exclusion of errant devices from vehicular networks.", SENSOR, MESH AND AD HOC COMMUNICATIONS AND NETWORKS, 2008, XP031282586, Retrieved from the Internet <URL:http:/fieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4557749&tag> [retrieved on 20101014] *
See also references of EP2473926A4 *
SOOD ET AL.: "Voter models on heterogeneous networks.", PHYS. REV. E., 22 April 2008 (2008-04-22), pages 1 - 14, XP008157096, Retrieved from the Internet <URL:http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2471880> [retrieved on 20101014] *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9729566B2 (en) 2009-08-31 2017-08-08 Vencore Labs, Inc. System and method for detecting and evicting malicious vehicles in a vehicle communications network
US10348753B2 (en) 2009-08-31 2019-07-09 Vencore Labs, Inc. Detecting and evicting malicious vehicles in a vehicle communications network
CN110769393A (en) * 2019-11-07 2020-02-07 公安部交通管理科学研究所 Identity authentication system and method for vehicle-road cooperation
CN110769393B (en) * 2019-11-07 2021-12-24 公安部交通管理科学研究所 Identity authentication system and method for vehicle-road cooperation
CN112590791A (en) * 2020-12-16 2021-04-02 东南大学 Intelligent vehicle lane change gap selection method and device based on game theory

Also Published As

Publication number Publication date
US20130305043A1 (en) 2013-11-14
US8973129B2 (en) 2015-03-03
US20110214178A1 (en) 2011-09-01
US8522013B2 (en) 2013-08-27
WO2011026089A1 (en) 2011-03-03
US20150156215A1 (en) 2015-06-04
EP2473926A1 (en) 2012-07-11
JP2013503403A (en) 2013-01-31
US9729566B2 (en) 2017-08-08
US20110213968A1 (en) 2011-09-01
EP2473926A4 (en) 2015-05-20
EP2474143A1 (en) 2012-07-11
EP2474143A4 (en) 2015-05-27
US9021256B2 (en) 2015-04-28
EP2474143B1 (en) 2019-03-20

Similar Documents

Publication Publication Date Title
US9729566B2 (en) System and method for detecting and evicting malicious vehicles in a vehicle communications network
US10348753B2 (en) Detecting and evicting malicious vehicles in a vehicle communications network
Kerrache et al. Trust management for vehicular networks: An adversary-oriented overview
US8397063B2 (en) Method for a public-key infrastructure for vehicular networks with limited number of infrastructure servers
Golle et al. Detecting and correcting malicious data in VANETs
Mejri et al. Survey on VANET security challenges and possible cryptographic solutions
Dhurandher et al. Vehicular security through reputation and plausibility checks
Xu et al. Comprehensive review on misbehavior detection for vehicular ad hoc networks
Abassi VANET security and forensics: Challenges and opportunities
Qureshi et al. Authentication scheme for unmanned aerial vehicles based internet of vehicles networks
Safwat et al. Survey and taxonomy of information-centric vehicular networking security attacks
Sirola et al. An analytical study of routing attacks in vehicular ad-hoc networks (VANETs)
Hatzivasilis et al. MobileTrust: Secure knowledge integration in VANETs
Mohd et al. Simulation and analysis of DDoS attack on connected autonomous vehicular network using OMNET++
Feraudo et al. DIVA: A DID-based reputation system for secure transmission in VANETs using IOTA
Ahmad et al. A novel context-based risk assessment approach in vehicular networks
Varshney et al. Security protocol for VANET by using digital certification to provide security with low bandwidth
Clavijo-Herrera et al. Performance evaluation in misbehaviour detection techniques for DoS attacks in VANETs
Raya Data-centric trust in ephemeral networks
Kamel et al. Feasibility study of misbehavior detection mechanisms in cooperative intelligent transport systems (C-ITS)
Du et al. Security assessment in vehicular networks
Vu et al. Living on the electric vehicle and cloud era: a study of cyber vulnerabilities, potential impacts, and possible strategies
Velayudhan et al. Review on avoiding Sybil attack in VANET while operating in an urban environment
Stępień et al. Security solution methods in the vehicular ad-hoc networks
Boström et al. Wireless Threats Against V2X Communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10812746

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2012527093

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2010812746

Country of ref document: EP