5.5 TrioSys for detecting location forgery attacks
5.5.1 Verifying the truthfulness of V2X messages
At this first mechanism, we target to locate the vehicle position through a novel passive localization from wireless signals, namely multi-array relative positioning. When a transmitter starts a transmission session, a receiver( i.e., the vehicle installed our verification system) can collect and use spatial and temporal information from physical signals such as Time-of-Arrival (ToA), Time-Difference-of-Arrival (TDoA), Angle-of- Arrival (AoA) and channel coefficients, to find the relative positions of the transmitter.
Unlike the poor performance of a similar approach on mobile networks, the appearance of multiple antenna and beamforming model in 5G significantly enhances the efficiency of the method, i.e., reducing the position errors between the real location of the transmitter on the field and the estimated value. Having estimated locations from this passive localization, we further verify with the corresponding values of the same vehicle claimed in CAM/BSM messages. If the difference between the estimated and the claimed value is over a threshold, e.g., 5m, the vehicle is likely generating false data. The workflow is detailed as follows.
Assume that the position from the Tx’s claim is PC (as illustrated in Fig. 5.4.1). The difference between our location self-estimation PˆT and the claimed location is dest =
||PC −PˆT||. Therefore, our detection function f(x) is defined as follows:
f(x) =
1 ifx > α,whereαis given
0 otherwise (5.5.1)
where f(dest) = 1 means that Rx will reject the message having that claimed location, since there is a significant difference (i.e., dest ≥α) between the physical location of Tx on
the field and the value claimed in the message. To make sure that the detection reflects the reality on the field, minimizing the error of the estimation value PˆT, i.e., ||PT −PˆT|| →0, is necessary. Moreover, since the location estimation is a key approach to verify the claimed location of a potential malicious transmitter, quantifying the error deviation of the estimation is extremely important. To quantify the measurement, finding the bound of the estimation is a reasonable approach.
According to the system setting, we set the vector ϕthat consists of the following four unknown channel parameters: ToA, TDoA, AoA and channel coefficients.
ϕ= [τs 4τi,j φ˜i,j K]T;i= 1. . . KR, j = 1. . . KT (5.5.2) where ϕ ∈ R4KTKR. In the estimation theory, the Cramer Rao Bound (CRB) sets an upper bound on any parameter estimation performance. In the next section, we detail the finding. The illustration of collecting AoA and DoA values through beamforming space is illustrated in Fig. A.2 of Appendix .
In the communications, a message from Tx can be divided into many packets, and each packet is sent over the air in the form ofnb OFDM symbols. To simplify the notation and without loss of generality, we use the subscript k to denote a sub-carrier of an OFDM symbol in the packets. According to [105], the performance of the unbiased estimatorϕˆ of ϕcan be bound as follows:
Er|ϕ[[ ˆϕ−ϕ][ ˆϕ−ϕ]T]Jϕ−1 =CRB(ϕ). (5.5.3) Here ϕ is observed under Gaussian noise and the Fishing information matrix (FIM) of ϕ derived from the channel parameters is defined as Jϕ =∆ Er|ϕ[∂ϕ∂ϕ∂2 TL(r|ϕ)] ∈ R4KTKRx4KTKR. L(r|ϕ) is the likelihood function [106] of the variable r(f) conditioned onϕ:
L(r|ϕ)∝ − 1 N0
N−1
X
k=1
Z
W
|Rk(f)−Xk|2df (5.5.4) whereXkare derived from Eq. 5.4.3;∝denotes equality after normalizing the distributions of both sides of this equation.
We also define the vector ϕ˜∈ R4+2KTKR as [qT φT τ K], which includes the position, orientation and nuisance parameters transformed from the variables in ϕ. The FIM for the estimator ϕ˜of ϕis expressed by J =T J TT, where T =∆ ∂ϕT. Note that the entries
of the transformation matrix T [105] can be obtained from the parameters in ϕand ϕ˜, which are expressed by the following equations:
c4τi,j =||qi,j|| − ||q1,1||, (5.5.5) whereqi,j is the relative position between the centroid of theith Rx array and the centroid of the jth Tx array.
∂ 4τi
∂q = (u(φr1)−u(φri)) (5.5.6)
∂ 4τi
∂φT
= (uT(φt1− π
2)( ˆP1t−PT)−uT(φti− π
2)( ˆPit−PT))/2 (5.5.7)
∂4φ˜i,j
∂q =u(φri − π
2)/d (5.5.8)
∂4φ˜i,j
∂φT = (uT(φti)( ˆPit−PT))/d (5.5.9) Several other variables such as φri have been well explained in the description of Eq. 5.4.1.
The Position Error Bound (PEB) is obtained through Jϕ˜ and by adding the diagonal entries of 2x2 sub-matrix as follows: P EB =
q
tr[Jϕ−1˜ ]1:2,1:2. Also, the orientation error bound (OEB) is expressed byOEB =q
[Jϕ−1˜ ]3:3, where[.]3,3 denotes the third diagonal entry of Jϕ−1˜ . Intuitively, PEB provides a good reference to set a pre-defined value for α in Eq. 5.5.1, while OEB can be used to know which vehicles are approaching the Rx.
However, due to the influence of the fading/noise/interference effects, the bounds are dynamic and highly sensitive to the surrounding environment condition.
The location and orientation are estimated by using the estimation algorithms such as the DCS-SOMP and SAGE [105] on the transformed received signal space. Applying the found estimated values to the function in Eq. 5.5.1 with a pre-defined α, e.g., 3, we can confirm whether the claimed location is valid. For the non-LOS case, the extensive algorithms such as EXIP [105] can be used to obtain the location estimation.
Efficiency of multi-array vehicle positioning-based verification
To evaluate the efficiency of the approach, we evaluate this work on MATLAB R2018b with TraCI4Matlab/VANET/5G/Communication toolbox. The traffic model (e.g., multiple vehicles, types, diverse movement behavior) is generated by using SUMO and support both the highway (autobahn) and urban traffic (e.g., using OpenStreetMap). σ is allowed to adjust with the movement behavior within[0.1,0.3]. In each case, the number of benign vehicles varies from 1 and up to 300. In both scenarios, the vehicles’ size is set to be 4.5m long and 1.8m wide, the lane size 5m and the road consisting of at least two lanes.
Suppose that each Tx and Rx vehicle is equipped with four conformal arrays (KR =KT
= 4) and the centroids of the arrays are located at the vehicles’ corners. We assume that the antenna system operates at fc = 5.9GHz (dedicated to DSRC) and 40GHz (5G NR Waveform) with 2048 sub-carriers, in which the corresponding sub-carrier spacing is 4f
= 60kHz, NR = 8 and 4f = 120kHz, NR = 16 respectively. We set nb = 1, φR = 0.2, and for the antenna configuration, the received Signal-to-Noise Ratio (SNR) is set at 28 dB for the 5.9GHz configuration and 22dB for the rest.
For the attack scenario, in the first case, the Tx reports its false location with flexible adjustments of the offsets a, b. In the other case, the Tx uses multiple identifiers (pseudonyms) to send messages with various false locations, i.e., Sybil attack. The sending rate of Tx is set at 10 messages/s. Fig. 5.5.1 shows our evaluation results in various conditions. Given effective short-range communication distance in V2X, particularly V2V, our system can detect well (>95%) with α≥5 (Fig. 5.5.1a) while taking only 0.29s to respond for any verification request, even under pressure of multiple-vehicle verification, various positioning attack strategies (as long as dest > α), e.g., random offset a, b and noise interference. The detection rate is defined as the number of attack messages detected by our system divided by the total number of attack messages. Moreover, our detection system gives higher accuracy if the vehicles are equipped with a large number of antennas operating at high-frequency spectrum, although integrating such a configuration may have explicit disadvantages of high energy consumption, high cost, and be subject to more impacts from the surrounding environment (Fig. 5.5.1b when d > 300m& Fig. 5.5.1c).
On the other hand, our physical signal-based analysis system can easily detect a Sybil attack, since no matter how many fake messages sent using different IDs, they all come from a physical signal source (same location estimation).
However, our method may have negative performance, e.g., cannot detect if the offset distance between the claimed location and the location on the field of the attacker is small (d < α or PEB). Note that in this case, our method still succeeds in limiting the attack
1 2 3 4 5 Threshold ( ) in m 0.4
0.6 0.8 1.0
Detection rate
a)
fc=5.9GHz fc=40GHz
0 200 400
Distance between Tx-Rx (d) in m 0.7
0.8 0.9 1.0
Detection rate
b)
fc=5.9GHz fc=40GHz
0.0 0.1 0.2 0.3
Noise variance ( ) 0.8
0.9 1.0
Detection rate
c)
fc=5.9GHz fc=40GHz
0 25 50 75 100
Number of vehicles under verification 0
5 10 15
Response time(s)
d)
fc=5.9GHz fc=40GHz
Figure 5.5.1: Performance results of the proposal in various conditions: a) selection of α b) distance between Tx-Rx (α = 5) c) noise variance d) number of vehicles under verification (exchange data with the Rx).
capability significantly, since the attacker cannot claim a location far from his real position.
In addition, requesting verification supports from the vehicles near the Tx promises to solve the shortcoming, although that can trigger a large volume of extensive exchange traffic. In the worst case, while rarely, if the Rx must verify many vehicles at the same time, e.g., 100, and the attacker’s is the last verified one, the response to the attack (the elapsed time from receiving data to getting the verification result) may be slow and can be up to 16s late (Fig. 5.5.1d). Unfortunately, like all other computation-based approaches, our verification capacity is also limited by the computation capacity of the embedded hardware, e.g., processors in the vehicles. For our current evaluation configuration, the system can help to verify up to20vehicles at the same time without significant degradation in accuracy performance and response time, e.g., 1-2 seconds (Fig. 5.5.1d). Note that, depending on the V2X applications and space among the vehicles, a vehicle at 80km/h can accept the delay up to 1 second or more to adjust the behavior for the sake of safe driving, e.g., braking. Moreover, this shortcoming can significantly be overcome by several ways, for example, sampling the messages, parallel hardware/programming and only verify the Tx vehicles which the Rx’s camera and LIDAR system cannot reach (i.e., blind areas).
Apparently, the LIDAR system is assumed to be reliable; otherwise, the Rx may only perform the verification on the Tx vehicles approaching (e.g., referring to the OEB) within a reasonable distance, e.g., < 100m front/behind, or even merely specific vehicles in range(on-demand verification). Finally, in our approach, the vehicle movement or eventual stop has few influences on the detection accuracy, but signal continuity, the distance between Tx-Rx (i.e.,d), and noise interference (i.e., σ) have more. In fact, dand σ have a significant influence on the accuracy of the location estimation and then the detection (Fig. 5.5.1b& Fig. 5.5.1c), although higherd (e.g., Tx is far from Rx) means the safety of the Rx is less vulnerable to the attacks. A compensation, e.g., the verification supports from the nearby neighbors, RSUs or gNBs, can mitigate such negative influence.
However, several factors such as the number of transmitting and receiving antennas and the multi-path issue can significantly influence the accuracy of the multi-array relative positioning-based verification. In free space, i.e., LOS (in Eq. 5.4.3, L= 1), the CRB of the position estimation error is inversely proportional to the number of receiving antennas corresponding to the number of independent measurements available at the Rx [106].
In contrast, for the presence of NLOS components, the authors [106] also proved that an array of massive antennas, i.e., large NR, also makes negligible the set of geometric configurations significantly impacted by MPCs, and the performance converges to that of the free-space case above. In this case, MPCs are not entirely bad but useful for positioning. Further, the authors in [111] present an approach to be able to exploit information from reflected multi-path components for high-accuracy localization.
Unfortunately, increasing the antenna array size is not always a silver bullet, let alone the increasing cost and energy consumption. For example, spatial correlation is the common phenomenon affecting the performance of the multi-antenna system significantly, e.g., the channel capacity degradation [102] and then time-based measurement, since a short antenna separation will increase the probability of adjacent antennas receiving similar signal components. Given a ULA configuration, placing antennas at the corners is a solution to mitigate this negative phenomenon. According to [112], the settle can provide not only a full 360-degree view around the car but also physically (4.5m long and 1.8m wide at a regular car size) help to increase the antenna separation, i.e., maximize the spatial degrees of freedom and improve to resolve the parameters in the V2V positioning, e.g., TDoA. The influence of spatial correlation and fading interference on 5G V2V positioning in various traffic simulations and fields are beyond this work. Readers can refer to [102], [112], [113] for more detail.
The performance evaluation above proved the reliability of this multi-array relative positioning in detecting the false location dissemination attacks. However, finding a location from the transformed received signal space in that work demands long computation time, e.g., up to several seconds per verification request. To overcome this problem, particularly when verifying many vehicles at the same time, we propose to use this positioning model for the prediction function, instead of letting it work alone. Moreover, unlike prior work, our prediction can remarkably mitigate the negative impact of the noise/fading interference. In the following subsection, we detail the prediction and update mechanism.