Abstract:
In urban vehicular networks, where privacy, especially the location privacy of anonymous vehicles, is a major concern, anonymous verification of vehicles is indispensable. Consequently, an attacker who succeeds in forging multiple hostile identities can easily launch a Sybil attack, gaining a disproportionately large influence. In this paper, we propose a novel Sybil attack detection mechanism, Footprint, using the trajectories of vehicles for identification while still preserving their location privacy. More specifically, when a vehicle approaches a road-side unit (RSU), it actively demands an authorized message from the RSU as proof of its appearance time at this RSU. We design a location-hidden authorized message generation scheme for two objectives: first, RSU signatures on messages are signer ambiguous, so that the RSU location information is concealed from the resulting authorized message; second, two authorized messages signed by the same RSU within the same given period of time (temporarily linkable) are recognizable, so that they can be used for identification. With the temporal limitation on the linkability of two authorized messages, authorized messages used for long-term identification are prohibited. With this scheme, vehicles can generate a location-hidden trajectory for location-privacy-preserved identification by collecting a consecutive series of authorized messages. Utilizing the social relationship among trajectories according to the similarity definition of two trajectories, Footprint can recognize and therefore dismiss “communities” of Sybil trajectories. Rigorous security analysis and extensive trace-driven simulations demonstrate the efficacy of Footprint.
The design of a Sybil attack detection scheme in urban vehicular networks should achieve three goals:
1. Location privacy preservation: a vehicle does not want to expose its location information to other vehicles or to RSUs, since such information can be confidential. The detection scheme should prevent the location information of vehicles from being leaked.
2. Online detection: when a Sybil attack is launched, the detection scheme should react before the attack has terminated. Otherwise, the attacker may already have achieved its purpose.
3. Independent detection: a Sybil attack works because decisions are made through group negotiation. To eliminate the possibility that a Sybil attack is launched against the detection itself, the detection should be conducted independently by the verifier, without collaboration with others.
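
The community idea from the abstract, as an added example that is not the paper's code: a single verifier groups submitted trajectories by similarity and counts each group once. The page does not give Footprint's similarity definition, so the Jaccard metric, the 0.6 threshold, the transitive grouping and the opaque link tags (standing in for "same RSU, same period" linkability) are all assumptions.

```python
from itertools import combinations

# Constructed sample: each trajectory is a list of (period, link_tag) pairs.
# A link tag is an assumed opaque value that is equal for two authorized
# messages signed by the same RSU in the same period; it does not name the RSU.
SAMPLE = {
    "honest-1": [(1, "t1a"), (2, "t2c"), (3, "t3f"), (4, "t4b")],
    "honest-2": [(1, "t1d"), (2, "t2c"), (3, "t3e"), (4, "t4g")],
    "sybil-1": [(1, "t1x"), (2, "t2y"), (3, "t3z"), (4, "t4w")],
    "sybil-2": [(1, "t1x"), (2, "t2y"), (3, "t3z")],
    "sybil-3": [(2, "t2y"), (3, "t3z"), (4, "t4w")],
}

def similarity(a, b):
    """Jaccard overlap of linked messages (assumed metric, not the paper's)."""
    a, b = set(a), set(b)
    if not a or not b:
        return 0.0  # an empty trajectory proves nothing and links to nothing
    return len(a & b) / len(a | b)

def sybil_communities(trajectories, threshold=0.6):
    """Group trajectory ids whose similarity reaches the threshold.

    Grouping is transitive (union-find), so a forged trajectory that overlaps
    only partly with another forgery is still pulled into the same community.
    """
    parent = {tid: tid for tid in trajectories}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for x, y in combinations(trajectories, 2):
        if similarity(trajectories[x], trajectories[y]) >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for tid in trajectories:
        groups.setdefault(find(tid), set()).add(tid)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

def distinct_voices(trajectories, threshold=0.6):
    """Each community counts once, so forged trajectories add no influence."""
    return len(sybil_communities(trajectories, threshold))

if __name__ == "__main__":
    print(sybil_communities(SAMPLE), distinct_voices(SAMPLE))
```

The check uses only the trajectories handed to the verifier, which matches the independent-detection goal above; two honest vehicles that share one RSU visit stay in separate communities because their overlap is far below the threshold.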