A Trust-Based Model for Security Cooperating in Vehicular Cloud Computing

1School of Information Science and Engineering, Central South University, Changsha 410083, China 2College of Information Engineering, Xiangtan University, Xiangtan 411105, China 3Department of Software, Ajou University, Suwon 443749, Republic of Korea 4Graduate School of Advanced Integration Science, Chiba University, Chiba 263-8522, Japan 5Department of Computer Science, University of Tsukuba, Tsukuba 305-8573, Japan

One of the promising applications in VCC is performing tasks by vehicles' cooperation.This application, which is more difficult than the existing ones in depth and breadth, has important significance: in the traditional Delay Tolerant Network (DTN) and Peer-to-Peer Network, it can only disseminate information.But, in VCC, not only can this application disseminate information, but also it can do more practical work, such as delivering packages, luggage, and credentials [1,4,10,11].
Taxi network is a typical scenario of VCC.Each taxi in this scenario is regarded as a vehicle which can share information by communicating in a point-to-point manner and accessing internal broadcast by communication devices.From the perspective of traditional view, taxis can be modeled as mobile nodes in DTN.However, more applications can be achieved when modeled in VCC.In particular, when performing a task, vehicle can apply for cooperating with several vehicles, which will improve service quality and reduce resource consumption.Listed below are several concrete examples.Mobile Information Systems (a) Vehicle  has received a user request and promised to pick up a passenger in street  at timestamp , but traffic jam has made it impossible for vehicle  to finish this task.In this situation, vehicle  can request vehicle  to perform this task.There are two preconditions when selecting vehicle .First, vehicle  has ability to fulfil this task; second, vehicle  should be trustworthy.(b) Vehicle  has received a user request and promised to perform a task which cannot be finished by itself individually, such as picking up a tourist group.In this situation, vehicle  should select  reliable vehicles and send cooperation request to them for performing this task together.(c) Vehicle  has received a user request and promised to deliver an important package to person  in street .In real scenario, this task has to be performed by cooperation of several vehicles.For instance, first, vehicle  delivers this package to vehicle ; then vehicle  delivers it to vehicle ; finally, vehicle  delivers it to person .This process forms a cooperation path.In order to guarantee the safety of the package, how to select trustworthy vehicles in cooperation path is a challenging problem.
The examples listed above can be summarized as the following application scenario: vehicle  has received a user request for performing certain tasks.These tasks not only include the traditional applications in DTN [20][21][22], such as relaying information, but also can be extended to physical request, such as delivering objects.However, for some reason, vehicle  cannot fulfil the task by itself.In order to finish this task, it sends request for cooperation to  vehicles which are willing to offer help.In the cases when vehicles which received the cooperation request still cannot fulfil the tasks by themselves, they will further send this cooperation request to other vehicles recursively to request from them to offer help to finish the remaining tasks, which forms a nontrivial cooperation path.
Figure 1 illustrates a concrete example of the summarized application scenario: when vehicle  receives a user request of delivering a package to person  in street  as soon as possible.If vehicle  can finish this whole task by itself, it will provide services to user directly, which forms a trivial cooperation path whose length is 1 hop, namely, a hop from user to vehicle .If vehicle  cannot deliver the package to person  directly, vehicle  will finish what it can do and then send messages to other vehicles to ask if they are willing to cooperate to perform the rest of the task.Vehicles that give positive response form a set Υ. Vehicle  will select several trustworthy vehicles in set Υ and send cooperation request to them.Assume vehicle  has received cooperation request from vehicle .If vehicle  can finish the whole task by itself, it will provide services to requestor vehicle  directly.If vehicle  still cannot finish the task by itself, it will do what it can do and further recursively send the cooperation request to other vehicles just like vehicle .This recursive process forms a nontrivial cooperation path.Every cooperation path corresponds to a solution to user request.
There are several challenges in this application scenario.(a) The first challenge is lack of trust information.How to choose trustworthy vehicles is a vital problem in this application scenario.However, there are thousands of vehicles in a metropolis.It is unrealistic for a vehicle to have trust information of all vehicles in the metropolis.In fact, for a certain vehicle, the reliability of most of vehicles is unknown.When a vehicle needs cooperation to perform a task, such as delivering a package, the phenomenon of lack of trust information makes choosing trustworthy cooperative vehicles difficult.(b) The second challenge is ensuring the safety and success of tasks.In traditional communication network, such as DTN, we can encrypt information to ensure the safety and privacy.Even if the encrypted information is destroyed by attackers, we still can retransmit this information to ensure the task's reliability [20][21][22][23][24][25][26].Things are different in VCC; physical objects can also be delivered in this paradigm.Irreversible loss will be made if the physical objects are ruined by malicious vehicles.
In this paper, a trust-based model is proposed to promote the secure cooperation in VCC.Listed below are the contributions of this paper.
(1) A double board based trust estimation and correction (DBTEC) scheme is proposed to predict the reliability of vehicles and guide the selection of trustworthy cooperative vehicles in a more effective manner.In traditional scheme, vehicles use information acquired in direct interactions with other vehicles to update the trust information of other vehicles.But in DBTEC scheme, Public board is introduced to enrich the method of acquiring trust information.Every vehicle stores the service quality and trust information of other vehicles, which are acquired in the direct interactions with other vehicles, in their own storage, called Private board.In addition, they use Public board, which stores public estimated service quality for other vehicles reported by all vehicles in cloud to update and correct the trust information stored in Private board.The method of updating and correcting trust information from Public board, called trust value estimation model, is based on the following inference: the information acquired from direct interaction is trustworthy; vehicles can use this information as touchstone to confirm if a certain vehicle is trustworthy.Then, based on the public estimated service quality related to the trustworthy vehicle in Public board, vehicles can update and correct the trust information of other vehicles in Private board and use the revised trust information to guide their future selection of cooperative partners.
(2) A new method of constructing cooperation path is proposed in this paper.In traditional scheme, the cooperation path is fixed once it is constructed.This static method is not suitable for VCC.In this paper, we propose a dynamic cooperation path construction scheme.In the proposed scheme, every vehicle dynamically searches and selects cooperative vehicles and constructs new node in cooperation path by analyzing the feedback of detections.The new vehicles will recursively repeat this process until finishing the task.
(3) Extensive theoretical analysis and simulation have been made to prove the effectiveness of this paper from aspects of security and reliability.
The rest of this paper is organized as follows.In Section 2, related works are reviewed.In Section 3, the system model, threat model, and problem statement are described.In Section 4, the DBTEC schemes are proposed.Section 5 gives the analysis of experimental results.We conclude this paper in Section 6.

Related Work
Extensive researches have been done on the topic of trust computing and inference [27][28][29][30] and they have been applied to various networks, such as Peer-to-Peer (P2P) file-sharing networks [31,32], service network [1,9,18], wireless sensor networks (WSNs) [30], crowd sensing network [3], and social networks [28].The aim of trust computing and inference is to select cooperative partner using computed trust value information [29].Kamvar et al. [31] proposed trust computing and inference scheme in the Peer-to-Peer (P2P) file-sharing networks based on historical uploads, which is called EigenTrust.Inferring trust information through historical behaviors is a common method used in networks.In EigenTrust scheme, to encourage legitimate and trustworthy behaviors and improve the network's overall performance, some privilege is given to trustworthy objects.The main difficulties of EigenTrust are that, when applying it to distributed network, it is difficult to share trust information with others.This proposal mainly concentrates on P2P file-sharing networks.However, in a dynamic environment, such as vehicular ad hoc networks (VANETs), this proposal is not feasible.
Haddadou et al. give a dynamic solution based on reputation model for vehicles in [27], which differs from the solution in [31].The basic idea of [27] is to add a category criterion to drivers.
However, the amount of trust information acquired in direct interactions is limited.In a large network, the number of nodes can be up to thousands.So the trust information acquired from direct interactions is sparse in that network.Judging the reliability of vehicles only using direct interactions will lead to cold start problem.There are several definitions of cold start.The main idea of cold start is that when a new object enters the network, because of the deficiency of trust information acquired from interactions, it is hard to judge if a vehicle is malicious, which makes choosing a right cooperative partners difficult [28].To overcome the cold start problem, researchers introduce the concepts of direct trust information and indirect trust information.Direct trust information is acquired in the direct interactions between two objects.Indirect trust information is the trust information inferred from other objects' recommendation trust information.For example, object  has no direct interactions with object , but object  has directly interacted with object .Assuming that object 's trust value to object  is  → and object  recommends object  to object  with trust value  → , object  can infer that the trust value to object  is  → =  → ×  → from the recommendation trust information.Combining direct trust information and indirect trust information enhances the computation of trust value [28], but how to effectively compute the trust value is a complicated issue, which needs an extensive research.
The traditional application in VCC is disseminating information.For example, Rostamzadeh et al. propose a safe and reliable trust-based framework for disseminating information in vehicular networks [29].With the advance of crowd sensing network, Internet of Vehicles, and Internet of Everything, delivering physical objects is becoming an emergent application in society.The safety and reliability of delivering physical objects are important requirement in this application, which becomes a key issue in research.This paper discusses this issue in detail.

The System Model and Problem Statement
3.1.System Model.Suppose that there are  registered vehicles. = { 1 ,  2 , . . .,   } is the set of vehicles.All vehicles will move randomly in a limited area.
There are two kinds of service requests in VCC: user requests and cooperation requests.The major difference between them is that user requests are generated by users, but cooperation requests are generated by vehicles.The following paragraphs describe these two kinds of requests.
Typical instances of user requests include delivering packages, picking up passengers, or tourist group with minimized costs.Vehicles can accept user requests and provide services to requestors for some payment.Once vehicles' accepted user requests cannot be finished by themselves, they will select several trustworthy vehicles which are willing to provide services and send cooperation request to them.
Once those vehicles receive cooperation requests, they will cooperate to provide services together.These vehicles still may not be able to fulfil the tasks by themselves and further send cooperation requests to other trustworthy vehicles recursively.This recursive process will form a nontrivial cooperation path (see Figure 1(b)).
All cooperation path forms set C = {c 1 , c 2 , . . ., c  } in which c  is a trivial/nontrivial cooperation path.|C| =  is the number of cooperation paths in VCC.The length of cooperation path c  is |c  |, which is equal to the number of cooperation requests generated to finish a task.A cooperation path can be subdivided to many subcooperation paths, whose starting nodes are one of the nodes in the paths and ending nodes are the original paths' ending nodes; this concept will be used in Section 4.4.
The quality of service (QoS) can be modeled as a value between 0 and 1 called service quality.Different vehicles can provide different quality of service.For vehicle   , its service quality is   .The set of service quality of all vehicles is  = { 1 ,  2 , . . .,   }.
Vehicles in Φ can be categorized into two types: normal vehicles and malicious vehicles.Malicious vehicles will use various means to strive for the opportunities of providing services, such as reporting mendacious trust value or service quality and colluding with other malicious vehicles.Once malicious vehicles get the opportunities, they will screw the service requests up in various manners, such as colluding with other malicious vehicles to provide low-quality services or destroy packages, to disrupt the network, and to benefit themselves.Assume that the first ℎ vehicles in Φ are malicious, which consist of set  = { 1 ,  2 , . . .,  ℎ }.The remaining vehicles are normal, which consist of set  = { ℎ+1 ,  ℎ+2 , . . .,   }.Obviously,  ∪  = .
In order to prevent malicious vehicles from disrupting the network, normal vehicles should avoid sending cooperation requests to them.They store the estimated trust value and estimated service quality for other vehicles in storage, called Private board, and use this information to guide the selection of trustworthy vehicles when sending cooperation requests.As will be illustrated in Section 4.3, the Private board of vehicle   can be modeled by two sets: where    is the estimated service quality of   recorded by   and    is the estimated trust value of   recorded by   .Several timestamps (  ,  col  , and  row  ) are also recorded to trace the recording time.
Besides Private board, In DBTEC schemes, all vehicles can access a public cloud storage space, called Public board, anywhere and selectively report their estimated service quality for other vehicles to it.Vehicles can use the information in Public board to update the estimated trust value stored in Private board.As will be illustrated in Section 4.3, the Public board can be modeled by two × matrices,   and   , where   records the public estimated service quality reported by vehicles and   records the reporting timestamps.
Note that estimated service quality is selectively reported to Public board, which means some service quality information may not be updated to Public board.Several reasons may result in this phenomenon: privacy protection, avoiding revenge, and network interruption.

Threat Model.
There are ℎ malicious vehicles in VCC, which consist of set  = { 1 ,  2 , . . .,  ℎ }; four possible malicious behaviors are listed below.These malicious behaviors can be combined to form sophisticated malicious models, such as providing unstable services.In Section 5.3, five malicious models are introduced to analyze the performance of DBTEC schemes.
(1) Report False Self-Estimated Service Quality to Public Board When Registering.High-quality service is wanted by users.Normal vehicles and users tend to choose vehicles providing high-quality services as cooperative partners.Normal vehicle   reports true service quality   it can provide, which is called self-estimated service quality, to Public board when registering.Malicious vehicles can deceive normal vehicles by reporting mendacious self-estimated service quality to Public board; this deception method is effective especially in the stage of cold start, in which trust information is deficient.
(2) Slander Normal Vehicles.As described above, normal vehicles and users tend to choose vehicles providing highquality services as cooperative partners.Slander normal vehicles by reporting estimated service quality lower than normal level to Public board will reduce the probability that normal vehicles get opportunities of providing services, which increase the malicious vehicles' opportunity indirectly.
Generally speaking, this can be regarded as a kind of collusion attack since all malicious vehicles can benefit from cooperatively slandering normal vehicles and acquire much more opportunities to provide services.
(3) Collude with Malicious Vehicles by Praising Malicious Partners.This is a stronger collusion attack than the previous one since it has direct impacts on confusing normal vehicles.It praises malicious vehicles by reporting estimated service quality above their normal level to Public board, which can directly increase malicious vehicles' opportunities of providing services.
(4) Malicious Vehicles Camouflage Themselves as Normal Vehicles by Acting Like Them in Most of Time.Malicious vehicles can pretend to be normal vehicles by behaving just like them and provide unstable services.In this malicious scenario, the malicious vehicles behave normally generally.However, sometimes they will act some malicious behavior to benefit themselves.Because of the camouflage, this attack is hard to find.

Problem Statements.
The application scenario considered in this paper is as follows: in Vehicular Cloud Computing (VCC), vehicles will receive user's service requests and provide services to them.In the process of providing services to users, if vehicles can finish the task, they will provide services directly to users, which forms a trivial cooperation path whose length is 1 hop (see Figure 1(a)).But vehicles may not be able to finish the task by themselves for some reason.In this case, vehicles will choose several trustworthy vehicles which are willing to offer help and send cooperation request to them.Vehicles which receive cooperation request still may not be able to completely finish the task by themselves.They will recursively send cooperation requests to other vehicles until the task is finished.The recursive process of completing tasks forms a nontrivial cooperation path (see Figure 1(b)).A cooperation path corresponds to a solution to user request in this application scenario.Specifically, the cooperation path is trivial in the case when vehicle which receives the user request can finish the user request directly and no further cooperation happened.The key challenge of this application scenario is how to select vehicles, which can guarantee the success of the service and maximize the quality of service for cooperation.
In the process of cooperation, vehicles may wrongly choose malicious vehicles for cooperation, which will lead to the failure of the cooperation.We refer to selecting a vehicle to cooperate as a choice.A wrong choice means selecting a malicious vehicle for cooperation.A right choice means selecting a normal vehicle for cooperation.If there exists a wrong choice in a cooperation path, we say this cooperation path is failed.There are three aims in the application scenario to overcome the challenge described above. ( (2) Minimize the Failure Rate of Choices.Similarly, assume that all choices in VCC form set = c  ∪ c  , where c  is the set of right choices and c  is the set of wrong choices.So the number of choices is |c| and the number of wrong choices is |c  |.The failure rate of choices is defined as  c and we should also minimize it: (3) Maximize Quality of Service of All Cooperation Paths.
We define the quality of service of a cooperation path as the minimum service quality provided by vehicles in the cooperation path.This definition is reasonable because of the Cannikin law.Assume that the quality of service of cooperation path  is Q  , where  ∈ {1, 2, . . ., |C|}.Therefore the total quality of services is ∑ |C| =1 Q  .We should maximize the average service quality of cooperation path: In general, we can combine the above three optimization requirements and try to find a scheme which satisfies the following three formulas together in this application scenario of VCC: Notations describes some important notations used throughout this paper.

DBTEC Schemes
4.1.Overview.The main contribution of DBTEC schemes is to combine Public board with Private board to guide the selection of cooperative vehicles.In traditional scheme, vehicles can only acquire trust information from direct interactions with other vehicles [28].Unlike the traditional scheme, in DBTEC schemes, vehicle  not only uses the information acquired in direct interaction but also uses trustworthy vehicles' public estimated service quality stored in Public board.When vehicle  needs to cooperate, it will choose a cooperative partner.DBTEC schemes use the information stored in Public board, which is a public information storage stored in cloud, to update the estimated trust value stored in vehicle 's Private board and then uses updated Private board to further guide the selection of proper cooperative partners.In DBTEC schemes, vehicles with high estimated trust value in vehicle 's Private board are called trustworthy.The trustworthy vehicles' public estimated service quality stored in Public board is just like the touchstone used to test whether an unfamiliar vehicle is malicious.When vehicle  trusts vehicle , DBTEC will check public estimated service quality for all vehicles reported by vehicle  in Public board and all estimated service quality for vehicle  reported by all vehicles to find the inconsistency and use the inconsistency to find malicious vehicles.
Compared with traditional scheme, DBTEC scheme has major advantages.One of them is overcoming the problem that trust information is deficient in the stage of cold start.In the stage of cold start, vehicles do not have enough trust information to guide the selection of cooperative partners, which will significantly increase the probability that malicious vehicles get the opportunity of providing services.DBTEC scheme uses the trust information we already have as a touchstone to check the consistency and inconsistency in Public board and further updates the Private board's trust information.This process is just like diffusion of trust information; vehicles will get a lot of indirect information from the process, which will overcome the problem that trust information is deficient and increase the accuracy rate of selecting right vehicles.
Described below are the DBTEC schemes from high level.As described in system model, there are  vehicles in VCC.Different vehicles can provide different quality of service.For vehicle   , its service quality is   .Vehicles can be categorized into two types: malicious vehicles and normal vehicles.There are ℎ malicious vehicles in VCC.Public board is a public cloud storage which can be accessed by vehicles anywhere.All vehicles can report their estimated service quality for other vehicles to Public board.All vehicles store a Private board in which they keep their own estimated trust value and estimated service quality information for other vehicles.
For a normal vehicle   , when vehicle   receives a user request, it will check if it can be done by itself; if not, it will search for vehicles which are willing to perform this task, use trust value estimation model to update the information stored in Private board using the information stored in Public board, choose several cooperative vehicles using the synthesized score which is computed from the estimated trust information and service quality information stored in Private board, and send cooperation requests to them.After the cooperative vehicles provide services to vehicle   , vehicle   will rate the service quality of cooperative vehicles, update the estimated service quality information and trust information in Private board, and selectively report the estimated service quality to Public board.For a malicious vehicle   , it will use various methods to strive for the opportunities of providing services.Once malicious vehicles get these opportunities, they will screw the service requests up in various manners to disrupt the network and benefit themselves.Common malicious behaviors include reporting false self-estimated service quality, slandering normal vehicles, praising malicious partners, and providing unstable services (see Section 3.2).
Initialize: Initialize all scalars in   with 0.5; Initialize all scalars in   with 0. ( These timestamps are stored to prevent updating Private board using the same information repeatedly.

Normal Vehicles. Every normal vehicle stores its own
Private board and can access Public board anywhere.
When entering VCC, all normal vehicles will send a registering request to Public board, report their own selfestimated service quality to Public board, and then wait for the package sent by Public board which stores all vehicles' self-estimated service quality to initialize its Private board.
After registering, for normal vehicle   , it will receive a user request at some times.If vehicle   can finish the user's task, it will provide services to users directly, which forms a trivial cooperation path whose length is 1 hop (see Figure 1(a)).If vehicle   cannot finish the task by itself for some reason, it will send messages to other vehicles to ask if they can cooperate to perform this task.Vehicles which give positive responses form set Υ. Vehicle   then uses trust value estimation models to update its own Private board using the information from Public board and uses the updated Private board to compute synthesized score.Vehicle   will then send cooperation request to vehicles in Υ with large synthesized score.Vehicles receiving cooperation request will provide service to vehicle   .In the process of providing service, they may send cooperation request recursively to more vehicles.The recursive process will form a nontrivial cooperation path (See Figure 1(b)).
Note every cooperation path corresponds to a solution to a service request.The service quality of a cooperation path is defined as the minimum service quality provided by vehicles in cooperation path.Every cooperation path consists of many subcooperation paths whose starting node is an intermediate node in original path and ending node is the ending node of the original task.
After vehicles which received cooperation request finish the cooperation request from vehicle   , vehicle   will estimate the quality of this service, update its own Private board, and report the updated item to Public board selectively (they may not report it for self-protection or privacy-protection).
Concretely speaking, vehicle   sends cooperation request to vehicle   , vehicle   may finish this task by itself or by further cooperation with other vehicles, and the service quality provided by vehicle   for this cooperation request is , which is the minimum service quality in subcooperation path starting from vehicle   (i.e., the original cooperation paths' starting node is vehicle   ).Vehicle   will update    to  according to Formula (11) In Formula (11) S e t   to current time stamp (17) Report service quality  to Public board (18) diff fl End If (24) End For (25) End If (26)  We will detail this model in the next two subsections.Section 4.5.1 will give a concrete scheme; DBTEC scheme with this section's trust value estimation model is called DBTEC-1.Section 4.5.2 will improve the scheme to solve cold start problem; DBTEC scheme with this section's improved trust value estimation model is called DBTEC-2.

DBTEC-1.
We detail the trust value estimation model and propose a temporary detailed scheme called DBTEC-1 in this section, which will be further improved in the next subsection.
Below we detail the two rules listed above. according to Formula (13) and updates  row ,→ to current timestamp: if diff  ≤ , vehicle   updates    to   using Formula (15) and updates  row ,→ to current timestamp: End If (10) End If (11) End For (12) For The pseudocode of this scheme is presented in Algorithm 3.

DBTEC-2.
We further improve the performance of DBTEC-1 in this subsection.
In the beginning stage of VCC, deficiency of information will make many trust value estimation schemes invalid.This phenomenon is called cold start.
DBTEC-1 scheme cannot guide the selection of cooperative partner well when in stage of cold start because it can only take effect when vehicles' trust value becomes larger than threshold .We can improve the original scheme based on this observation.
Unlike DBTEC-1, we no longer use an absolute threshold as a starting condition of trust value estimation scheme.We can adjust the influence of trust value estimation scheme according to the trust value of vehicles.The more trustworthy the vehicle is, the more influence it will have in trust value estimation scheme.
This improvement can significantly enhance the performance of DBTEC-1, especially in the stage of cold start, since it can address the trust information deficiency problem in cold start stage, in which most of the failed cooperation happened.DBTEC scheme with this improved trust value estimation model is called DBTEC-2, which is an improved version of DBTEC-1.
Below we introduce the improvement in detail.
According to the description above, two new parameters,  1 and  2 , are introduced into the scheme to control the influence of trust value estimation model. 1 and  2 can be computed according to the following two formulas: When    ≥ , vehicle   is completely trustworthy and therefore the influence degree  1 is corresponding to  1 , which is the biggest influence degree.When    < , Formula (16) maps trust value 0.5∼ if diff  ≤ , vehicle   updates    to   using Formula (21) and updates  row ,→ to current timestamp: Case 2. In the case where    = 0, in other words,    has not been updated, make vehicle   accept a virtual cooperation from vehicle   whose service quality is    : set    as    , update the trust value of vehicle   according to this virtual cooperation using Formula (11), and update  row ,→ to current timestamp.
The pseudocode of this scheme is presented in Algorithm 4.

Cooperation Path Generating Model.
When vehicle   receives a user request, such as delivering a package to person  in a certain place as soon as possible, if vehicle   can finish this task by itself individually, it will provide services to user directly, which forms a trivial cooperation path whose length is 1 hop, that is, a hop from user to vehicle   .If vehicle   cannot finish this task by itself, for example, vehicle   cannot deliver the package to person  directly, vehicle   will finish what it can do and then send messages to other vehicles to ask if they are willing to cooperate to perform the rest of the task.Vehicles give positive response form set Υ. Vehicle   will select several vehicles in set Υ according to computed synthesized scores and send cooperation request to them.Assume that vehicle   has received cooperation request from vehicle   .If vehicle   can finish the task, it will provide services to vehicle   .If vehicle   still cannot perform the task by itself, it will do what it can do and further recursively send the cooperation request to other vehicles just like vehicle   .This recursive process forms a nontrivial cooperation path (see Figure 1).The cooperation path starting from vehicle   can be viewed as a subcooperation path of the cooperation path starting from   as described in Section 4.4.Note that a cooperation path is corresponding to a solution to a user request.
The key problem in constructing cooperation path is how to guarantee the quality and the safety of service provided by the cooperation path.Users always want to receive service with high quality under the condition that the safety of this service can be guaranteed.For example, users who want to deliver a package to person  expect the package to be sent to person  as soon as possible without any damage.
To overcome the key problem, three factors have to be considered: the trust value, the service quality, and the near completion degree of cooperative vehicles. (1) Co m p u t e 1 and  2 (4) For   in {  | 1 ≤  ≤  and  ̸ =  and  ̸ = } (5) S e t  col ,→ to current time stamp (10) End If (11) End If (12) End For (13) For The estimated trust value and the service quality are known to vehicles.The near completion degree of a vehicle means to what extent can this vehicle perform the task.When vehicle   sends messages to vehicle   asks if it is willing to cooperate, vehicle   will report the near completion degree of itself on this task to vehicle   if it is willing to cooperate.The near completion degree is different from the service quality, which means the quality of service provided by vehicles in the process of providing service.For example, when the task is delivering a package, the near completion degree of vehicle   is how far vehicle   can deliver this package (it may pass the package on to another cooperative partner after delivering the packages to the farthest place it can reach).Obviously, in order to reduce the length of cooperation path as much as possible, vehicles should greedily choose the vehicle which can do more parts of the task as their cooperative partner.Because the greedy strategy will indirectly minimize the failure rate of cooperation, there is a certain probability of choosing malicious vehicles when sending cooperation request.Therefore the longer the cooperation path is, the more choices to be made are and the larger the probability that malicious vehicles get opportunities to provide services is. Assume where  1 > 0,  2 > 0,  3 > 0, and When selecting cooperative vehicles, vehicle  will compute synthesized score of vehicles in set Υ and choose vehicles with large synthesized score to cooperate with.
The algorithm of generating cooperation path is presented in Algorithm 5.

Performance Analysis and Experimental Results
5.1.Overview.In this section, we will prove the effectiveness of DBTEC schemes by theoretical analysis and extensive experiments.In Section 5.2, the time complexity of DBTEC schemes is given to illustrate the theoretical performance of DBTEC schemes.In Section 5.3, the performance of DBTEC schemes is analyzed by experiments and simulations.All simulation programs are implemented by C++ with Visual Studio 2013.The proportion of malicious vehicles to all vehicles is 40%∼70%; the time interval between two consecutive timestamp is defined as 15 minutes.In a timestamp, the probability of receiving user requests for every vehicle is 20% in experiments of the average estimated trust value and the success ratio of each stage and 70% in experiments of the total success ratio of cooperation requests.
Five threat models are analyzed in Section 5.3.They are reporting false self-estimated service quality, pretending to be normal vehicles, slandering normal vehicles, praising malicious partners, and providing unstable services.They all have been described in Section 3.2.
Three major indexes are computed in each threat model.They are the average estimated trust value of malicious and normal vehicles, the total success ratio of cooperation requests, and the success ratio of each stage.The performances of three schemes are analyzed in each index.They are traditional scheme, DBTEC-1, and DBTEC-2.In traditional scheme, Public board is deprecated and vehicles can only acquire trust information by direct interaction [28].More concretely speaking, traditional scheme can be regarded as a reduction version of DBTEC scheme without Public board model and trust value estimation model.DBTEC-1 and DBTEC-2 are proposed in Section 4.5.DBTEC-2 is an improved version of DBTEC-1, which can address the trust information problem in cold start stage as illustrated in Section 4.5.2.

Complexity Analysis.
Assume that we use the number of vehicles involved in VCC, that is, ℎ, as the measure to model the input size of the scheme, which is a natural choice in this scenario.It is easy to analyze the time complexity of DBTEC schemes.
In DBTEC-1 scheme, the whole structure of the pseudocode is formed by two-tier nested loops.The maximum running number of outer loops is (ℎ).In worst cases, the maximum running number of inner loops is also (ℎ).Therefore, the worst-case time complexity of DBTEC-1 is (ℎ 2 ), which can be immediately computed by vehicular chips.
DBTEC-2 scheme is very similar to DBTEC-1 except that a little extra computation is introduced to compute  1 and  2 , which is  (1).Therefore, the worst-case time complexity of DBTEC-2 is also (ℎ 2 ), which can be immediately computed by vehicular chips.

Reporting False Self-Estimated Service
Quality.This is a comparatively simple treat model.In this model, malicious vehicles will report a mendacious self-estimated service quality to Public board when registering.When seeking cooperative partners, vehicles tend to send cooperation requests to vehicles with high service quality.Malicious vehicles expect to deceive them using the mendacious self-estimated service quality.After registering, malicious vehicles will move in the limited area and wait for cooperation requests, but they will not accept any user requests in these threat models.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure 3 illustrates the increment of average estimated trust value of normal vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis of this figure is timestamp and the vertical axis is the estimated trust value of normal vehicles.As illustrated by Figure 3, in traditional scheme, the increment of average estimated trust value of normal vehicles is slow, but when using DBTEC scheme the speed of increment increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of increment more significantly compared to DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2.
Figure 4 illustrates the decrement of average estimated trust value of malicious vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis of this figure is timestamp and the vertical axis is the estimated trust value of malicious vehicles.As illustrated by Figure 4, in traditional scheme, the decrement of average estimated trust value of malicious vehicles is slow, but when using DBTEC schemes the speed of decrement increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of decrement more significantly compared to DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2.
In general, Figures 3 and 4 illustrate that DBTEC has significantly positive influence on estimating trust value of vehicles.DBTEC-2 performs much better than DBTEC-1, especially in the stage of cold start.
Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model.The success ratio is defined as the proportion of cooperation requests sent to normal vehicles to total cooperation requests in a certain timespan.The total success ratio is defined as the success ratio from initialization to current timestamp.Figure 5 illustrates the increment of total success ratio as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis of this figure is timestamp and the vertical axis is the total success ratio from initialization to current timestamp.As illustrated by Figure 5, the positive influence of DBTEC-1 on total success ratio is comparatively small when compared with the positive influence of DBTEC-2.Particularly in the stage of cold start, the total success ratio of DBTEC-1 is nearly equal to the total success ratio of traditional scheme.DBTEC-2 outperforms DBTEC-1 and traditional scheme significantly in the total success ratio.This phenomenon can be explained by the following observation: total success ratio is dominated by the cooperation requests sent in the stage of cold start.In the stage of cold start, the deficiency of trust information leads to a lot of mistaken selections of cooperative partners, which dominate the change of total success ratio.The more mistakes made in this stage are, the less total success ratio is.As time goes on, vehicles' direct interaction accumulated a lot of trust information which can guide the selection of cooperative partners effectively.The changes of total success ratio in traditional scheme and in DBTEC scheme tend to be similar in this stage.The reason why DBTEC-1's positive influence is small, especially in the stage of cold start, is that DBTEC-1 will take effects when some vehicles' trust information is larger than .In other words, DBTEC-1 may not take effects in the stage of cold start and the behavior of DBTEC-1 in that stage is very similar to the behavior of traditional scheme.When this condition is satisfied, traditional scheme has accumulated a lot of trust information to guide its cooperative partners' selection and DBTEC-1 can only take effects in limited cases.However, DBTEC-2 can provide trust information even in the stage of cold start, which sharply reduces mistaken selections.That is why it is far better than DBTEC-1 and traditional scheme.
In general, DBTEC is better than traditional scheme in the total success ratio, DBTEC-2 increases much more total success ratio compared to DBTEC-1 and traditional scheme, and DBTEC-1 increases the total success ratio in a small amount.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model.We set every 50 timestamps as a stage in the experiment.The success ratio of each stage is the success ratio in timespan of 50 timestamps.Figure 6 illustrates the increment  of the success ratio of each stage, namely, each 50 timestamps.The horizontal axis of this figure is timestamp and the vertical axis is the success ratio of the stage the timestamp belongs to.As illustrated by Figure 6, the success ratio of stages of both traditional scheme and DBTEC schemes increases as time goes on.Both DBTEC-1 and DBTEC-2's increasing speed outperforms traditional scheme.DBTEC-2's increasing speed outperforms DBTEC-1 in every stage significantly; this phenomenon is significant especially in the stage of cold start.In general, DBTEC' success ratio of each stage is larger than traditional scheme in each stage.DBTEC-2 increases larger success ratio of each stage compared to DBTEC-1, especially in the stage of cold start.

Pretending to Be Normal
Vehicles.This threat model is more complicated than the previous one.In this model, malicious vehicles not only will report mendacious selfestimated service quality to Public board when registering but also will pretend to be normal vehicles and perform the same as them.Experimental results proof, in this threat model, that DBTEC will distinguish malicious vehicles and normal ones better than the former threat model; DBTEC-2 has better effects than DBTEC-1.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure 7 illustrates the increment of average estimated trust value of normal vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 3.As illustrated by Figure 7, similar results will be obtained as in Figure 3.In traditional scheme, the increment of average estimated trust value of normal vehicles is slow, but when using DBTEC schemes the speed of increment increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of increment more significantly compared to DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2. Figure 8 illustrates the decrement of average estimated trust value of malicious vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 4.As illustrated by Figure 8, similar results will be obtained as in Figure 4; in traditional scheme, the decrement of average estimated trust value of malicious vehicles is slow, but when using DBTEC schemes the speed of decrement increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of decrement more significantly compared to DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2.
In general, Figures 7 and 8 illustrate that DBTEC has significantly positive influence on estimating trust value of vehicles.DBTEC-2 performs much better than DBTEC-1, especially in the stage of cold start.DBTEC schemes can take effects even in more complicated situations.
Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model.Figure 9 illustrates the increment of total success ratio as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis are the same as Figure 5.As illustrated by Figure 9, similar results will be obtained as in Figure 5; the positive influence of DBTEC-1 on total success ratio is comparatively small when compared with the positive influence of DBTEC-2.Particularly in the stage of cold start, the total success ratio of DBTEC-1 is nearly equal to the total success ratio of traditional scheme.DBTEC-2 outperforms DBTEC-1 and traditional scheme significantly in the total success ratio.In general, Figure 9 illustrates that DBTEC is better than traditional scheme in the total success ratio, DBTEC-2 increases much more total success ratio compared to DBTEC-1 and traditional scheme, and DBTEC-1 increases the total success ratio in a small amount.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model.The experimental method is the same as Figure 6. Figure 10 illustrates the increment of the success ratio of each stage, namely, each 50 timestamps.The horizontal axis and the vertical axis are the same as Figure 6.As illustrated by Figure 10, similar results will be obtained as in Figure 6.The success ratio of stages of both traditional scheme and DBTEC schemes increases as time goes on.Both DBTEC-1 and DBTEC-2's increasing speed outperforms traditional scheme.DBTEC-2's increasing speed outperforms DBTEC-1 in every stage significantly; this phenomenon is significant especially in the stage of cold start.In general, Figure 10 illustrates that DBTEC' success ratio of each stage is larger than traditional scheme in each stage.DBTEC-2 increases larger success ratio of each stage compared to DBTEC-1, especially in the stage of cold start.

Slandering Normal
Vehicles.In this model, malicious vehicles not only will report mendacious self-estimated service quality to Public board when registering but also will report low estimated service quality of normal vehicles to slander them even if these normal vehicles never provide services to them.By slandering normal vehicles, malicious vehicles' opportunities of providing services increase indirectly.This can be regarded as a collusion attack as illustrated in Section 3.2.Experimental results proof that DBTEC will also distinguish malicious vehicles and normal ones in this threat model; DBTEC-2 has better effects than DBTEC-1.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure 11 illustrates the increment of average estimated trust value of normal vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 3.As illustrated by Figure 11, similar results will be obtained as in Figure 3.In traditional scheme, the increment of average estimated trust value of normal vehicles is slow, but when using DBTEC schemes the speed of increment increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of increment more significantly compared to DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2.
Figure 12 illustrates the decrement of average estimated trust value of malicious vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 4.As illustrated by Figure 12, similar results will be obtained as in Figure 4; in traditional scheme, the decrement of average estimated trust value of malicious vehicles is slow, but when using DBTEC schemes the speed of decrement increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of decrement more significantly than DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.vehicles.DBTEC-2 performs much better than DBTEC-1, especially in the stage of cold start.DBTEC schemes can take effects even in complicated situations.Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model.Figure 13 illustrates the increment of total success ratio as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis are the same as Figure 5.As illustrated by Figure 13, similar results will be obtained as in Figure 5; the positive influence of DBTEC-1 on total success ratio is comparatively small when compared with the positive influence of DBTEC-2.Particularly in the stage of cold start, the total success ratio of DBTEC-1 is nearly equal to the total success ratio of traditional scheme.DBTEC-2 outperforms DBTEC-1 and traditional scheme significantly in the total success ratio.In general, Figure 13 illustrates that DBTEC is better than traditional scheme in the total success ratio, DBTEC-2 increases much more total success ratio compared to DBTEC-1 and traditional scheme, and DBTEC-1 increases the total success ratio in a small amount.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model.The experimental method is the same as Figure 6. Figure 14 illustrates the increment of the success ratio of each stage, namely, each 50 timestamps.The horizontal axis and the vertical axis are the same as Figure 6.As illustrated by Figure 14, similar results will be obtained as in Figure 6.The success ratio of stages of both traditional scheme and DBTEC schemes increases as time goes on.Both DBTEC-1 and DBTEC-2's increasing speed outperforms traditional scheme.DBTEC-2's increasing speed outperforms DBTEC-1 in every stage significantly; this phenomenon is significant especially in the stage of cold start.In general, Figure 14 illustrates that DBTEC' success ratio of each stage is larger compared to traditional scheme in each stage.DBTEC-2 increases larger success ratio of each stage compared to DBTEC-1, especially in the stage of cold start.

Praising Partners and Slandering Normal
Vehicles.In this model, which can be regarded as a stronger collusion attack than the previous model, malicious vehicles will report mendacious self-estimated service quality to Public board when registering, report low estimated service quality of normal vehicles to slander them even if these normal vehicles never provide services to them, and praise other malicious partners by reporting high estimated service quality of them.By slandering normal vehicles, malicious vehicles' opportunities of providing services increase indirectly.By collusively praising malicious partners, the overall number of opportunities of malicious vehicles increases significantly.
Experimental results proof that DBTEC will also distinguish malicious vehicles and normal ones in this threat model; DBTEC-2 has better effects than DBTEC-1.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure 15 illustrates the increment of average estimated trust value of normal vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 3.As illustrated by Figure 15, similar results will be obtained as in Figure 3.In traditional scheme, the increment of average estimated trust value of normal vehicles is slow, but when using DBTEC schemes the speed of increment increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of increment more significantly compared to DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2.
Figure 16 illustrates the decrement of average estimated trust value of malicious vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 4.As illustrated by Figure 16, similar results will be obtained as in Figure 4; in traditional scheme, the decrement of average estimated trust value of malicious vehicles is slow, but when using DBTEC schemes the speed of decrement increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of decrement more significantly compared to DBTEC-1, especially when in the stage of cold start, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.especially in the stage of cold start.DBTEC schemes can take effects even in complicated situations.Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model.Figure 17 illustrates the increment of total success ratio as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis are the same as Figure 5.As illustrated by Figure 17, similar results will be obtained as in Figure 5; the positive influence of DBTEC-1 on total success ratio is comparatively small when compared with the positive influence of DBTEC-2.Particularly in the stage of cold start, the total success ratio of DBTEC-1 is nearly equal to the total success ratio of traditional scheme.DBTEC-2 outperforms DBTEC-1 and traditional scheme significantly in the total success ratio.In general, Figure 17 illustrates that DBTEC is better than traditional scheme in the total success ratio, DBTEC-2 increases much more total success ratio than DBTEC-1 and traditional scheme, and DBTEC-1 increases the total success ratio in a small amount.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model.The experimental method is the same as Figure 6. Figure 18 illustrates the increment of the success ratio of each stage, namely, each 50 timestamps.The horizontal axis and the vertical axis are the same as Figure 6.As illustrated by Figure 18, similar results will be obtained as in Figure 6.The success ratio of stages of both traditional scheme and DBTEC schemes increases as time goes on.Both DBTEC-1 and DBTEC-2's increasing speed outperforms traditional scheme.DBTEC-2's increasing speed outperforms DBTEC-1 in every stage significantly; this phenomenon is significant especially in the stage of cold start.In general, Figure 18 illustrates that DBTEC' success ratio of each stage is larger than traditional scheme in each stage.DBTEC-2 increases larger success ratio of each stage compared to DBTEC-1, especially in the stage of cold start.

Providing Unstable
Services.This threat model is the most complicated because of the disguise of malicious vehicles.When registering, malicious vehicles will report a mendacious self-estimated service quality to Public board; as time goes on, malicious vehicles have an unstable performance.Sometimes, they will act just the same as normal vehicles, but, sometimes, they will provide abnormal services, such as extremely poor service quality.Experimental results proof that DBTEC will also distinguish malicious vehicles and normal ones in this threat model.DBTEC-2 has better effects than DBTEC-1.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure 19 illustrates the increment of average estimated trust value of normal vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 3.As illustrated by Figure 19, similar results will be obtained as in Figure 3.In traditional scheme, the increment of average estimated trust value of normal vehicles is slow, but when using DBTEC schemes the speed of increment increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of increment more significantly compared to DBTEC-1, especially when in the stage of cold start, and the final average estimated trust value is larger than DBTEC-1, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2.
Figure 20 illustrates the decrement of average estimated trust value of malicious vehicles as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis of this figure are the same as Figure 4.As illustrated by Figure 20, similar results will be obtained as in Figure 4; in traditional scheme,  the decrement of average estimated trust value of malicious vehicles is slow, but when using DBTEC schemes the speed of decrement increases significantly.When comparing DBTEC-1 and DBTEC-2, it is obvious that DBTEC-2 increases the speed of decrement more significantly compared to DBTEC-1, especially when in the stage of cold start, and the final average estimated trust value is less than DBTEC-1, which proves the improvement of DBTEC-2 as illustrated in Section 4.5.2.In general, Figures 19 and 20 illustrate that DBTEC has significantly positive influence on estimating trust value of vehicles.DBTEC-2 performs much better than DBTEC-1, especially in the stage of cold start.DBTEC schemes can take effects even in these complicated situations.Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model.Figure 21 illustrates the increment of total success ratio as time goes on using traditional scheme, DBTEC-1, and DBTEC-2, respectively.The horizontal axis and the vertical axis are the same as Figure 5.As illustrated by Figure 21, similar results will be obtained as in Figure 5; the positive influence of DBTEC-1 on total success ratio is comparatively small when compared with the positive influence of DBTEC-2.Particularly in the stage of cold start, the total success ratio of DBTEC-1 is nearly equal to the total success ratio of traditional scheme.DBTEC-2 outperforms DBTEC-1 and traditional scheme significantly in the total success ratio.In general, Figure 21 illustrates that DBTEC is better than traditional scheme in the total success ratio, DBTEC-2 increases much more total success ratio than DBTEC-1 and traditional scheme, and DBTEC-1 increases the total success ratio in a small amount.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model.The experimental method is the same as Figure 6. Figure 22 illustrates the increment of the success ratio of each stage, namely, each 50 timestamps.The horizontal axis and the vertical axis are the same as Figure 6.As illustrated by Figure 22, similar results will be obtained as in Figure 6.The success ratio of stages of both traditional scheme and DBTEC schemes increases as time goes on.Both DBTEC-1 and DBTEC-2's increasing speed outperforms traditional scheme.DBTEC-2's increasing speed outperforms DBTEC-1 in every stage significantly; this phenomenon is significant especially in the stage of cold start.In general, Figure 22 illustrates that DBTEC' success ratio of each stage is larger than traditional scheme in each stage.DBTEC-2 increases larger success ratio of each stage compared to DBTEC-1, especially in the stage of cold start.

Conclusion
In

Figure 2 :
Figure 2: The process of cooperation in DBTEC.

Figure 2
illustrates a concrete example of the process of cooperation in DBTEC.A passenger in train station wants to hire a taxi; he sends user request by mobile phone to vehicle  with blue shadow.Unfortunately, when vehicle  is driving to train station, it encounters a traffic jam in a street.Obviously, it cannot finish the task by itself in time.It seeks neighboring vehicles which are willing to offer help and combines trust information stored in Private board with information stored in Public board to predict the reliability of these neighboring vehicles.Then it sends cooperation request to a trustworthy vehicle, namely, the vehicle with green shadow.The trustworthy vehicle drives to train station to pick up the passenger and send him to destination.In the following subsections, we describe the Public board model, Private board model, behavior of normal vehicles, trust value estimation model, and cooperation path generating model, respectively.

Figure 3 :Figure 4 :
Figure 3: Time-average trust value of normal vehicles.

Figure 7 :Figure 8 :
Figure 7: Time-average trust value of normal vehicles.

Figure 11 :Figure 12 :
Figure 11: Time-average trust value of normal vehicles.

Figure 15 :Figure 16 :
Figure 15: Time-average trust value of normal vehicles.

Figure 19 :
Figure 19: Time-average trust value of normal vehicles.

Figure 20 :
Figure 20: Time-average trust value of malicious vehicles.
1) Minimize Failure Rate of Cooperation.Assume that all cooperation paths in VCC form set C = C  ∪ C  , where C  is the set of successful cooperation paths and C  is the set of failed cooperation paths.So the number of cooperation paths is |C| and the number of failed cooperation paths is |C  |.The failure rate of cooperation is defined as  C and we should minimize it: 4.2.Public Board Model.All vehicles can access Public board, which is stored in cloud storage, anywhere.Public board stores the public estimated service quality for vehicle   reported by vehicle   , called    , and the timestamp at which it was reported, called    .Public board can be expressed by two matrices,   and   : 1) While true (2) If   reports its estimated service quality value  for   If   inquires public estimated service quality value of   The algorithm running in Public board.The scale of    is between 0 and 1.    = 0.5 is a neutral service quality estimation.When    < 0.5, the service quality is worse than normal level.Conversely, when    > 0.5, the service quality is better than normal level.   is a value larger than or equal to 0.    = 0 means no updating of estimated service quality has been committed and    is still the initial value.Vehicle can register to join VCC.For vehicle   , it sends a registering request to Public board and report its own service quality   , called self-estimated service quality, to it (service quality can be fake if the vehicle is malicious) when registering; Public board will store this service quality in    and update the corresponding    to 0. After reporting its own service quality to    , Public board will pack all vehicles' selfestimated service quality together and send it to vehicle   ; vehicle   will use this information as initial service quality to update Private board.If receiving estimated service quality for vehicle   reported by vehicle   , Public board will update the service quality stored in    and timestamp    .(2) If a certain vehicle inquires about the estimated service quality for vehicle   reported by vehicle   , Public board will pack the service quality   All vehicles store Private board in their own storage to guide the selection of trustworthy cooperative vehicles.For vehicle   , assume that its estimated service quality for vehicle   is    and its estimated trust value for vehicle   is    .Both of them will be stored in its Private board.In other words, vehicle   's Private board records The meaning of    is similar to    as described in Section 4.2.The scale of trust value    is between 0 and 1.    = 0.5 is a neutral trust value estimation.When    < 0.5, vehicle   thinks vehicle   is malicious.Conversely, when    > 0.5, vehicle   thinks vehicle   is normal.Besides   and   , several timestamps are stored in vehicle   's Private board: the timestamp    at which vehicle   updates    and the timestamp at which vehicle   updates    because of trusting in vehicle   (this timestamp can be divided into two subtimestamps: the subtimestamp  col ,→ at which vehicle   updates    from column perspective because of trusting in vehicle   and the subtimestamp  row ,→ at which vehicle   updates    from row perspective because of trusting in vehicle   ).In other words, besides   and   , vehicle   records 4.3.Private Board Model.
, set    to , and update    to current timestamp simultaneously.
,  is the threshold to check if the service quality    and  are close enough;  1 and  2 are parameters used to control the extent of change in    .diff > ; namely, the difference between    and  is large, which means the difference between estimated service quality of this cooperation and service quality of last cooperation (or the initial service quality of vehicle   ) is large and therefore the service quality of vehicle   , namely,   , is not stable (or vehicle   's initial service quality is false); we should decrease    according to parameter  2 .Conversely, diff ≤  means the service quality of vehicle   , namely,   , is stable (or vehicle   's initial service quality is true); we should increase    according to parameter  1 .The pseudocode of normal vehicles is presented in Algorithm 2. 4.5.Trust Value Estimation Model.Trust value estimation model can update the information of Private board based on Public board to increase the precision of trust value estimation and guide the selection of cooperative vehicles.In particular, this model will take great effects when trust information is deficient, such as cold start stage.Trust value estimation model is based on this observation: when vehicle   trusts vehicle   , the following statements are true: (1) The estimated service quality for vehicle   stored in vehicle   's Private board, namely,    , is true.(2) Public board's all estimated service quality reported by vehicle   is true.Vehicle   uses this observation to update other vehicles' trust value and estimated service quality in Private board and prevent malicious vehicles from taking part in cooperation.The following two rules describe the method.Rule 1.For a certain vehicle   with high trust value    in vehicle   's Private board, if the difference between    and    is large, where  ∈ { | 1 ≤  ≤  and  ̸ =  and  ̸ = }, decrease    .According to observation 1, the estimated service quality for vehicle   stored in vehicle   's Private board, namely,    , is true.If the difference between    and    is large, it is likely that vehicle   reports a false service quality to Public board, which is a malicious behavior; vehicle   should decrease its trust value.For a certain vehicle   with high trust value    in vehicle   's Private board, if   vehicle   updates the Private board according to two cases.Case 1.In the case where    ̸ = 0, in other words,    has been updated, if the difference between    and    is large, decrease    .If the difference between    and    is small, then check   Initialize all scalars in   and   with 0.5 Initialize all scalars in   ,  col  and  row  = {  1 ,   2 , . . .,    } as vehicles in Υ with first  largest synthesized score (12) Send cooperation request to vehicles in   (13) For vehicle   in   (14) Receive service from vehicle   with quality : if    is small, then further decrease    ; if    is large, then further increase    .Initialize: The algorithm running in normal car   .When the difference between    and    is large, according to observation 2,    is close to real value, and therefore    may deviate from the real value, which means vehicle   provides different service quality to different vehicles maliciously.Vehicle   should decrease    .When the difference between    and    is small, there are two cases to analyze: both vehicle   and vehicle   believe vehicle   is malicious or both vehicle   and vehicle   believe vehicle   is normal.We can use the estimated trust value for vehicle   stored in vehicle   's Private board, namely,    , to distinguish the two cases.When    is small, vehicle   can infer that both vehicle   and vehicle   think vehicle   is malicious; vehicle   further decreases    .Conversely, when    is large, vehicle   can infer that both vehicle   and vehicle   think object   is normal; vehicle   further increases    .In the case where    = 0, in other words,    has not been updated, if    is large enough, make vehicle   accept a virtual cooperation from vehicle   whose service quality is    : set    as    and update the trust value of vehicle   according to this virtual cooperation using Formula (11).According to observation 2, vehicle   can update the estimated service quality for vehicle   in Private board using    , which is a trustworthy value when vehicle   is trustworthy.
where  ∈ { | 1 ≤  ≤  and  ̸ =  and  ̸ = }, vehicle   decreases    to   according to Formula (12) and updates  col ,→ to current timestamp.  =  (   −  2 * diff  ) .→ ≥ 0 guarantees that    has been updated since initialization and vehicle   will not update trust value using the same information repeatedly. col ,→ is the subtimestamp at which vehicle   updates    from column perspective because of trusting in vehicle   .In other words, this subtimestamp records the timestamp.Rule 1 is used to update trust value's last time.   ≤  col ,→ means no updating has been committed to    since using Rule 1 last time.Repeat updating using the same information will lead to error.Formula (12) means vehicle   will decrease    according to parameter  2 if diff  > .Rule 2. For a certain vehicle   with trust value    ≥  in vehicle   's Private board, if    >  row ,→ ≥ 0, where  ∈ { | 1 ≤  ≤  and  ̸ =  and  ̸ = }, vehicle   updates the Private board according to two cases.Case 1.In the case where    ̸ = 0, in other words,    has been updated, suppose that the difference between    and    is diff  = |   −    |.If diff  > , vehicle   decreases    to Rule 1.For vehicle   with trust value    ≥  in vehicle   's Private board, if    >  col ,→ ≥ 0 and diff  = |   −    | > , means vehicle   will decrease    according to parameter  2 if the difference between    and    is large (diff  > ).  means that if vehicle   is likely to be a normal vehicle, we further increase    according to parameter  1 .The more trustworthy vehicle   is, the larger amount of increment    has.Conversely, if vehicle   is likely to be a malicious vehicle, we further decrease    according to parameter  2 .The less trustworthy vehicle   is, the larger amount of decrement   In the case where    = 0, in other words,    has not been updated, make vehicle   accept a virtual cooperation from vehicle   whose service quality is    : set    as    , update the trust value of vehicle   according to this virtual cooperation using Formula (11), and update  row ,→ to current timestamp.
in {  | 1 ≤  ≤  and  ̸ to 0∼ 1 .The larger    is, the larger influence degree  1 is. 2 has similar conclusion.When    ≥ , vehicle   is completely trustworthy and therefore the influence degree  2 is corresponding to  2 , which is the biggest influence degree.When    < , Formula (17) maps trust value 0.5∼   to 0∼ 2 .Below are the rules of the improved scheme.For a certain vehicle   with trust value    ≥ 0.5 in vehicle   's Private board, compute  1 and  2 .If   For a certain vehicle   with trust value    ≥  in vehicle   's Private board, compute  1 and  2 .If    >  row ,→ ≥ 0, where  ∈ { | 1 ≤  ≤  and  ̸ =  and  ̸ = }, vehicle   updates the Private board according to two cases.
that the estimated service quality for vehicle   stored in vehicle   's Private board is    , the estimated trust value for vehicle   stored in vehicle   's Private board is    , and vehicle   's normalized near completion degree on task  is    .We can synthesize the three factors and use them to compute the synthesized score which can guide the selection of cooperative vehicles.Vehicle   's synthesized score to vehicle   is If   can finish task  (2)   can finish task  (3) Return   's service quality (4) Else (5) Subdivide task  into  0 ,  1 ,  2 , . . .,   (6)   finishes the subtask  0 (7) Search vehicles willing to perform the rest of tasks which form set  and receive their    ( = 1, 2, . . ., ) (8) Compute synthesized score of vehicles in  (9) Select vehicles with the first  largest synthesized score which forms set   (10) For   in this paper, we propose a trust-based security cooperation model, called DBTEC, which combines direct trust information stored in Private board with indirect trust information stored in Public board to guide the selection of cooperative partners in VCC.The experiments prove the effectiveness of DBTEC schemes.With the advance of Internet of Things, the form of many practical applications, such as delivering physical objects, has changed.Vehicle networks have made extensive cooperation between vehicles possible.Security is a key requirement for cooperation.The DBTEC schemes give a better solution to security cooperation.The set of all vehicles in VCC : The number of vehicles in VCC   : The th vehicle in VCC : The set of service qualities of all vehicles   : The th vehicle's self-estimated service quality : The set of malicious vehicles in VCC : The set of normal vehicles in VCC ℎ: The number of malicious vehicles in VCC    : The public estimated service quality for vehicle   reported by vehicle      : The timestamp at which vehicle   's estimated service quality for vehicle   is reported    : Estimated service quality for vehicle   in vehicle   's Private board    : Estimated trust value for vehicle   in vehicle   's Private board    : The timestamp at which vehicle   updates     col  : The timestamp at which vehicle   updates    from column perspective because of trusting in vehicle    row ,→ : The timestamp at which vehicle   updates    from row perspective because of trusting in vehicle   . Φ: