Vehicular networks are likely to become the most relevant form of mobile ad hoc networks. In this paper, we address the security of these networks. We provide a detailed threat analysis and devise an appropriate security architecture. We also describe some major design decisions still to be made, which in some cases have more than mere technical implications. We provide a set of security protocols, we show that they protect privacy and we analyze their robustness, and we carry out a quantitative assessment of the proposed solution.

In this work, we investigate the use of directional antennas and beam steering techniques to improve performance of 802.11 links in the context of communication between a moving vehicle and roadside APs. To this end, we develop a framework called MobiSteer that provides practical approaches to perform beam steering. MobiSteer can operate in two modes – cached mode – where it uses prior radio survey data collected during “idle ” drives, and online mode, where it uses probing. The goal is to select the best AP and beam combination at each point along the drive given the available information, so that the throughput can be maximized. For the cached mode, an optimal algorithm for AP and beam selection is developed that factors in all overheads. We provide extensive experimental results using a commercially available eight element phased-array antenna. In the experiments, we use controlled scenarios with our own APs, in two different multipath environments, as well as in situ scenarios, where we use APs already deployed in an urban region – to demonstrate the performance advantage of using MobiSteer over using an equivalent omni-directional antenna. We show that MobiSteer improves the connectivity duration as well as PHY-layer data rate due to better SNR provisioning. In particular, MobiSteer improves the throughput in the controlled experiments by a factor of 2 – 4. In in situ experiments, it improves the connectivity duration by more than a factor of 2 and average SNR by about 15 dB.

Abstract — Recent advances in vehicular communications make it possible to realize vehicular sensor networks, i.e., collaborative environments where mobile vehicles equipped with sensors of different nature (from toxic detectors to still/video cameras) inter-work to implement monitoring applications. In particular, there is an increasing interest in proactive urban monitoring where vehicles continuously sense events from urban streets, autonomously process sensed data, e.g., recognizing license plates, and possibly route messages to vehicles in their vicinity to achieve a common goal, e.g., to permit police agents to track the movements of specified cars. This challenging environment requires novel solutions, with respect to those of more traditional wireless sensor nodes. In fact, different from conventional sensor nodes, vehicles exhibit constrained mobility, have no strict limits on processing power and storage capabilities, and host

In mobile networks, authentication is a required primitive of the majority of security protocols. However, an adversary can track the location of mobile nodes by monitoring pseudonyms used for authentication. A frequently proposed solution to protect location privacy suggests that mobile nodes collectively change their pseudonyms in regions called mix zones. Because this approach is costly, self-interested mobile nodes might decide not to cooperate and could thus jeopardize the achievable location privacy. In this paper, we analyze the non-cooperative behavior of mobile nodes with a game-theoretic model, where each player aims at maximizing its location privacy at a minimum cost. We first analyze the Nash equilibria in n-player complete information games. Because mobile nodes in a privacy-sensitive system do not know their opponents ’ payoffs, we then consider incomplete information games. We establish that symmetric Bayesian-Nash equilibria exist with simple threshold strategies in n-player games and derive the equilibrium strategies. By means of numerical results, we show that mobile nodes become selfish when the cost of changing pseudonym is small, whereas they cooperate more when the cost of changing pseudonym increases. Finally, we design a protocol- the PseudoGame protocol- based on the results of our analysis.

We argue that the traditional notion of trust as a relation among entities, while useful, becomes insufficient for emerging data-centric mobile ad hoc networks. In these systems, setting the data trust level equal to the trust level of the data- providing entity would ignore system salient features, rendering applications ineffective and systems inflexible. This would be even more so if their operation is ephemeral, i.e., characterized by short-lived associations in volatile environments. In this paper, we address this challenge by extending the traditional notion of trust to data-centric trust: trustworthiness attributed to node-reported data per se. We propose a framework for data-centric trust establishment: First, trust in each individual piece of data is computed; then multiple, related but possibly contradictory, data are combined; finally, their validity is inferred by a decision component based on one of several evidence evaluation techniques. We consider and evaluate an instantiation of our framework in vehicular networks as a case study. Our simulation results show that our scheme is highly resilient to attackers and converges stably to the correct decision.

The contents of this report reflect the views of the authors who are responsible for the facts and the accuracy of the data presented herein. The contents do not necessarily reflect the official views or policies of the State of California. This report does not constitute a standard, specification, or regulation.

A frequently proposed solution to node misbehavior in mobile ad hoc networks is to use reputation systems. But in ephemeral networks- a new breed of mobile networks where contact times between nodes are short and neighbors change frequently- reputations are hard to build. In this case, local revocation is a faster and more efficient alternative. In this paper, we define a game-theoretic model to analyze the various local revocation strategies. We establish and prove the conditions leading to subgame-perfect equilibria. We also derive the optimal parameters for voting-based schemes. Then we design a protocol based on our analysis and the practical aspects that cannot be captured in the model. With realistic simulations on ephemeral networks we compare the performance and economic costs of the different techniques.

Transportation safety, one of the main driving forces of the development of vehicular communication (VC) systems, relies on high-rate safety messaging (beaconing). At the same time, there is consensus among authorities, industry, and academia on the need to secure VC systems. With specific proposals in the literature, a critical question must be answered: can secure VC systems be practical and satisfy the requirements of safety applications, in spite of the significant communication and processing overhead and other restrictions security and privacy-enhancing mechanisms impose? To answer this question, we investigate in this paper the following three dimensions for secure and privacy-enhancing VC schemes: the reliability of communication, the processing overhead at each node, and the impact on a safety application. The results indicate that with the appropriate system design, including sufficiently high processing power, applications enabled by secure VC can be in practice as effective as those enabled by unsecured VC.

In the context of vehicular ad-hoc networks (VANETs), a number of highly promising convenience applications have been proposed. These include collecting and distributing information on the traffic situation, distributed monitoring of road and weather conditions, and finding available parking places in a distributed, cooperative manner. Unfortunately, all of these applications face major problems when a VANET is used as a means to distribute the required information. In particular a large number of vehicles needs to be equipped with dedicated VANET technology before these applications can provide a useful service. Even if customers were willing to purchase a system which is not immediately useful, it would still take quite some time until the required density of equipped cars is reached. In contrast, affordable always-on mobile Internet access is already mainstream. Such Internet connectivity could be used to build the proposed applications in a different fashion: by using peer-to-peer communication, essentially creating a peer-topeer network of cars sharing traffic information. This allows to overcome the limitations of VANETs, while it preserves their key benefits of decentralization and robustness. In this paper, we describe the technical challenges that arise from such an approach, point out relevant research directions, and outline possible starting points for solutions.

The vehicular networking environment is characterized by time-varying traffic density and relatively high vehicular mobility rates. Enabling networking in the vehicular environment is challenging due to the rapidly changing topology and the vast network of roadways. In this article, we present an analytical model to describe the behavior of message propagation in a delay tolerant network formed over moving vehicles. We describe a model where partitioning between connected subnets exists in a network with time-varying topology. A messaging scheme exploits the time-varying partitioning to enable data exchange in a delay tolerant network setting. We derive the bounds for performance of message propagation in the vehicular networking environment. The analytical bounds derived are compared with simulation results for characteristics of the vehicular networking environment such as vehicular traffic density, transmission range and vehicular speed. The results depict the observation of phase transition in message propagation rate with increasing vehicle traffic density. Importantly, we are able demonstrate the limits of densities of bi-directional vehicle traffic at which the transitions occur. The results show that the delay tolerant networking assumption provides gains for message propagation over traditional ad hoc networking schemes that rely on path formation. Finally, we show that increased mobility of vehicles actually aids in message propagation, contrary to the expectation that it would be a hindrance due to frequent topology changes. This work is supported by the NSF under grant No. CNS-0435353. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science