VCC is a computing paradigm which consists of vehicles cooperating with each other to realize a lot of practical applications, such as delivering packages. Security cooperation is a fundamental research topic in Vehicular Cloud Computing (VCC). Because of the existence of malicious vehicles, the security cooperation has become a challenging issue in VCC. In this paper, a trust-based model for security cooperating, named DBTEC, is proposed to promote vehicles’ security cooperation in VCC. DBTEC combines the indirect trust estimation in Public board and the direct trust estimation in Private board to compute the trust value of vehicles when choosing cooperative partners; a trustworthy cooperation path generating scheme is proposed to ensure the safety of cooperation and increase the cooperation completion rates in VCC. Extensive experiments show that our scheme improves the overall cooperation completion rates by 6~7%.
Many new applications have been raised on the vehicular technology by V2V (Vehicle-to-Vehicle) and V2I (Vehicle-to-Infrastructure) communications [
One of the promising applications in VCC is performing tasks by vehicles’ cooperation. This application, which is more difficult than the existing ones in depth and breadth, has important significance: in the traditional Delay Tolerant Network (DTN) and Peer-to-Peer Network, it can only disseminate information. But, in VCC, not only can this application disseminate information, but also it can do more practical work, such as delivering packages, luggage, and credentials [
Taxi network is a typical scenario of VCC. Each taxi in this scenario is regarded as a vehicle which can share information by communicating in a point-to-point manner and accessing internal broadcast by communication devices. From the perspective of traditional view, taxis can be modeled as mobile nodes in DTN. However, more applications can be achieved when modeled in VCC. In particular, when performing a task, vehicle can apply for cooperating with several vehicles, which will improve service quality and reduce resource consumption. Listed below are several concrete examples. (a) Vehicle
The examples listed above can be summarized as the following application scenario: vehicle
Figure
Cooperation path.
Trivial cooperation path
Nontrivial cooperation path
There are several challenges in this application scenario. (a) The first challenge is lack of trust information. How to choose trustworthy vehicles is a vital problem in this application scenario. However, there are thousands of vehicles in a metropolis. It is unrealistic for a vehicle to have trust information of all vehicles in the metropolis. In fact, for a certain vehicle, the reliability of most of vehicles is unknown. When a vehicle needs cooperation to perform a task, such as delivering a package, the phenomenon of lack of trust information makes choosing trustworthy cooperative vehicles difficult. (b) The second challenge is ensuring the safety and success of tasks. In traditional communication network, such as DTN, we can encrypt information to ensure the safety and privacy. Even if the encrypted information is destroyed by attackers, we still can retransmit this information to ensure the task’s reliability [
In this paper, a trust-based model is proposed to promote the secure cooperation in VCC. Listed below are the contributions of this paper.
(1) A double board based trust estimation and correction (DBTEC) scheme is proposed to predict the reliability of vehicles and guide the selection of trustworthy cooperative vehicles in a more effective manner. In traditional scheme, vehicles use information acquired in direct interactions with other vehicles to update the trust information of other vehicles. But in DBTEC scheme, Public board is introduced to enrich the method of acquiring trust information. Every vehicle stores the service quality and trust information of other vehicles, which are acquired in the direct interactions with other vehicles, in their own storage, called Private board. In addition, they use Public board, which stores public estimated service quality for other vehicles reported by all vehicles in cloud to update and correct the trust information stored in Private board. The method of updating and correcting trust information from Public board, called trust value estimation model, is based on the following inference: the information acquired from direct interaction is trustworthy; vehicles can use this information as touchstone to confirm if a certain vehicle is trustworthy. Then, based on the public estimated service quality related to the trustworthy vehicle in Public board, vehicles can update and correct the trust information of other vehicles in Private board and use the revised trust information to guide their future selection of cooperative partners.
(2) A new method of constructing cooperation path is proposed in this paper. In traditional scheme, the cooperation path is fixed once it is constructed. This static method is not suitable for VCC. In this paper, we propose a dynamic cooperation path construction scheme. In the proposed scheme, every vehicle dynamically searches and selects cooperative vehicles and constructs new node in cooperation path by analyzing the feedback of detections. The new vehicles will recursively repeat this process until finishing the task.
(3) Extensive theoretical analysis and simulation have been made to prove the effectiveness of this paper from aspects of security and reliability.
The rest of this paper is organized as follows. In Section
Extensive researches have been done on the topic of trust computing and inference [
Haddadou et al. give a dynamic solution based on reputation model for vehicles in [
However, the amount of trust information acquired in direct interactions is limited. In a large network, the number of nodes can be up to thousands. So the trust information acquired from direct interactions is sparse in that network. Judging the reliability of vehicles only using direct interactions will lead to cold start problem. There are several definitions of cold start. The main idea of cold start is that when a new object enters the network, because of the deficiency of trust information acquired from interactions, it is hard to judge if a vehicle is malicious, which makes choosing a right cooperative partners difficult [
The traditional application in VCC is disseminating information. For example, Rostamzadeh et al. propose a safe and reliable trust-based framework for disseminating information in vehicular networks [
Suppose that there are
There are two kinds of service requests in VCC: user requests and cooperation requests. The major difference between them is that user requests are generated by users, but cooperation requests are generated by vehicles. The following paragraphs describe these two kinds of requests.
Typical instances of user requests include delivering packages, picking up passengers, or tourist group with minimized costs. Vehicles can accept user requests and provide services to requestors for some payment. Once vehicles’ accepted user requests cannot be finished by themselves, they will select several trustworthy vehicles which are willing to provide services and send cooperation request to them.
Once those vehicles receive cooperation requests, they will cooperate to provide services together. These vehicles still may not be able to fulfil the tasks by themselves and further send cooperation requests to other trustworthy vehicles recursively. This recursive process will form a nontrivial cooperation path (see Figure
All cooperation path forms set
The quality of service (QoS) can be modeled as a value between 0 and 1 called service quality. Different vehicles can provide different quality of service. For vehicle
Vehicles in
In order to prevent malicious vehicles from disrupting the network, normal vehicles should avoid sending cooperation requests to them. They store the estimated trust value and estimated service quality for other vehicles in storage, called Private board, and use this information to guide the selection of trustworthy vehicles when sending cooperation requests. As will be illustrated in Section
Besides Private board, In DBTEC schemes, all vehicles can access a public cloud storage space, called Public board, anywhere and selectively report their estimated service quality for other vehicles to it. Vehicles can use the information in Public board to update the estimated trust value stored in Private board. As will be illustrated in Section
Note that estimated service quality is selectively reported to Public board, which means some service quality information may not be updated to Public board. Several reasons may result in this phenomenon: privacy protection, avoiding revenge, and network interruption.
There are
Generally speaking, this can be regarded as a kind of collusion attack since all malicious vehicles can benefit from cooperatively slandering normal vehicles and acquire much more opportunities to provide services.
The application scenario considered in this paper is as follows: in Vehicular Cloud Computing (VCC), vehicles will receive user’s service requests and provide services to them. In the process of providing services to users, if vehicles can finish the task, they will provide services directly to users, which forms a trivial cooperation path whose length is 1 hop (see Figure
In the process of cooperation, vehicles may wrongly choose malicious vehicles for cooperation, which will lead to the failure of the cooperation. We refer to selecting a vehicle to cooperate as a choice. A wrong choice means selecting a malicious vehicle for cooperation. A right choice means selecting a normal vehicle for cooperation. If there exists a wrong choice in a cooperation path, we say this cooperation path is failed. There are three aims in the application scenario to overcome the challenge described above.
In general, we can combine the above three optimization requirements and try to find a scheme which satisfies the following three formulas together in this application scenario of VCC:
Notations describes some important notations used throughout this paper.
The main contribution of DBTEC schemes is to combine Public board with Private board to guide the selection of cooperative vehicles. In traditional scheme, vehicles can only acquire trust information from direct interactions with other vehicles [
Compared with traditional scheme, DBTEC scheme has major advantages. One of them is overcoming the problem that trust information is deficient in the stage of cold start. In the stage of cold start, vehicles do not have enough trust information to guide the selection of cooperative partners, which will significantly increase the probability that malicious vehicles get the opportunity of providing services. DBTEC scheme uses the trust information we already have as a touchstone to check the consistency and inconsistency in Public board and further updates the Private board’s trust information. This process is just like diffusion of trust information; vehicles will get a lot of indirect information from the process, which will overcome the problem that trust information is deficient and increase the accuracy rate of selecting right vehicles.
Described below are the DBTEC schemes from high level.
As described in system model, there are
For a normal vehicle
For a malicious vehicle
Figure
The process of cooperation in DBTEC.
In the following subsections, we describe the Public board model, Private board model, behavior of normal vehicles, trust value estimation model, and cooperation path generating model, respectively.
All vehicles can access Public board, which is stored in cloud storage, anywhere. Public board stores the public estimated service quality for vehicle
The scale of
Vehicle can register to join VCC. For vehicle
After initialization, Public board will handle the following two events: If receiving estimated service quality for vehicle If a certain vehicle inquires about the estimated service quality for vehicle
The pseudocode of Public board is presented in Algorithm
Initialize all scalars in Initialize all scalars in ( ( ( ( ( ( ( ( (
All vehicles store Private board in their own storage to guide the selection of trustworthy cooperative vehicles.
For vehicle
The meaning of
Besides
These timestamps are stored to prevent updating Private board using the same information repeatedly.
Every normal vehicle stores its own Private board and can access Public board anywhere.
When entering VCC, all normal vehicles will send a registering request to Public board, report their own self-estimated service quality to Public board, and then wait for the package sent by Public board which stores all vehicles’ self-estimated service quality to initialize its Private board.
After registering, for normal vehicle
Note every cooperation path corresponds to a solution to a service request. The service quality of a cooperation path is defined as the minimum service quality provided by vehicles in cooperation path. Every cooperation path consists of many subcooperation paths whose starting node is an intermediate node in original path and ending node is the ending node of the original task.
After vehicles which received cooperation request finish the cooperation request from vehicle
Concretely speaking, vehicle
In Formula (
The pseudocode of normal vehicles is presented in Algorithm
Initialize all scalars in Initialize all scalars in Register itself by reporting Waiting for self-estimated service quality of other vehicles sent by Public board ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (
Trust value estimation model can update the information of Private board based on Public board to increase the precision of trust value estimation and guide the selection of cooperative vehicles. In particular, this model will take great effects when trust information is deficient, such as cold start stage.
Trust value estimation model is based on this observation: when vehicle The estimated service quality for vehicle Public board’s all estimated service quality reported by vehicle
Vehicle
For a certain vehicle
According to observation
For a certain vehicle
In the case where
When the difference between
When the difference between
In the case where
According to observation
We will detail this model in the next two subsections. Section
We detail the trust value estimation model and propose a temporary detailed scheme called DBTEC-1 in this section, which will be further improved in the next subsection.
Below we detail the two rules listed above.
For vehicle
Condition
For a certain vehicle
In the case where
In the case where
The pseudocode of this scheme is presented in Algorithm
( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (
We further improve the performance of DBTEC-1 in this subsection.
In the beginning stage of VCC, deficiency of information will make many trust value estimation schemes invalid. This phenomenon is called cold start.
DBTEC-1 scheme cannot guide the selection of cooperative partner well when in stage of cold start because it can only take effect when vehicles’ trust value becomes larger than threshold
Unlike DBTEC-1, we no longer use an absolute threshold as a starting condition of trust value estimation scheme. We can adjust the influence of trust value estimation scheme according to the trust value of vehicles. The more trustworthy the vehicle is, the more influence it will have in trust value estimation scheme.
This improvement can significantly enhance the performance of DBTEC-1, especially in the stage of cold start, since it can address the trust information deficiency problem in cold start stage, in which most of the failed cooperation happened. DBTEC scheme with this improved trust value estimation model is called DBTEC-2, which is an improved version of DBTEC-1.
Below we introduce the improvement in detail.
According to the description above, two new parameters,
When
Below are the rules of the improved scheme.
For a certain vehicle
For a certain vehicle
In the case where
In the case where
The pseudocode of this scheme is presented in Algorithm
( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (
When vehicle
The key problem in constructing cooperation path is how to guarantee the quality and the safety of service provided by the cooperation path. Users always want to receive service with high quality under the condition that the safety of this service can be guaranteed. For example, users who want to deliver a package to person
To overcome the key problem, three factors have to be considered: the trust value, the service quality, and the near completion degree of cooperative vehicles.
The estimated trust value and the service quality are known to vehicles. The near completion degree of a vehicle means to what extent can this vehicle perform the task. When vehicle
Assume that the estimated service quality for vehicle
When selecting cooperative vehicles, vehicle
The algorithm of generating cooperation path is presented in Algorithm
vehicle ( ( ( ( ( ( ( ( ( ( ( ( (
In this section, we will prove the effectiveness of DBTEC schemes by theoretical analysis and extensive experiments. In Section
All simulation programs are implemented by C++ with Visual Studio 2013. The proportion of malicious vehicles to all vehicles is 40%~70%; the time interval between two consecutive timestamp is defined as 15 minutes. In a timestamp, the probability of receiving user requests for every vehicle is 20% in experiments of the average estimated trust value and the success ratio of each stage and 70% in experiments of the total success ratio of cooperation requests.
Five threat models are analyzed in Section
Three major indexes are computed in each threat model. They are the average estimated trust value of malicious and normal vehicles, the total success ratio of cooperation requests, and the success ratio of each stage.
The performances of three schemes are analyzed in each index. They are traditional scheme, DBTEC-1, and DBTEC-2. In traditional scheme, Public board is deprecated and vehicles can only acquire trust information by direct interaction [
Assume that we use the number of vehicles involved in VCC, that is,
In DBTEC-1 scheme, the whole structure of the pseudocode is formed by two-tier nested loops. The maximum running number of outer loops is
DBTEC-2 scheme is very similar to DBTEC-1 except that a little extra computation is introduced to compute
This is a comparatively simple treat model. In this model, malicious vehicles will report a mendacious self-estimated service quality to Public board when registering. When seeking cooperative partners, vehicles tend to send cooperation requests to vehicles with high service quality. Malicious vehicles expect to deceive them using the mendacious self-estimated service quality. After registering, malicious vehicles will move in the limited area and wait for cooperation requests, but they will not accept any user requests in these threat models.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure
Time-average trust value of normal vehicles.
Figure
Time-average trust value of malicious vehicles.
In general, Figures
Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model. The success ratio is defined as the proportion of cooperation requests sent to normal vehicles to total cooperation requests in a certain timespan. The total success ratio is defined as the success ratio from initialization to current timestamp. Figure
Time-total success ratio.
This phenomenon can be explained by the following observation: total success ratio is dominated by the cooperation requests sent in the stage of cold start. In the stage of cold start, the deficiency of trust information leads to a lot of mistaken selections of cooperative partners, which dominate the change of total success ratio. The more mistakes made in this stage are, the less total success ratio is. As time goes on, vehicles’ direct interaction accumulated a lot of trust information which can guide the selection of cooperative partners effectively. The changes of total success ratio in traditional scheme and in DBTEC scheme tend to be similar in this stage. The reason why DBTEC-1’s positive influence is small, especially in the stage of cold start, is that DBTEC-1 will take effects when some vehicles’ trust information is larger than
In general, DBTEC is better than traditional scheme in the total success ratio, DBTEC-2 increases much more total success ratio compared to DBTEC-1 and traditional scheme, and DBTEC-1 increases the total success ratio in a small amount.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model. We set every 50 timestamps as a stage in the experiment. The success ratio of each stage is the success ratio in timespan of 50 timestamps. Figure
Time-success ratio of stages.
This threat model is more complicated than the previous one. In this model, malicious vehicles not only will report mendacious self-estimated service quality to Public board when registering but also will pretend to be normal vehicles and perform the same as them. Experimental results proof, in this threat model, that DBTEC will distinguish malicious vehicles and normal ones better than the former threat model; DBTEC-2 has better effects than DBTEC-1.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure
Time-average trust value of normal vehicles.
Figure
Time-average trust value of malicious vehicles.
In general, Figures
Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model. Figure
Time-total success ratio.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model. The experimental method is the same as Figure
Time-success ratio of stages.
In this model, malicious vehicles not only will report mendacious self-estimated service quality to Public board when registering but also will report low estimated service quality of normal vehicles to slander them even if these normal vehicles never provide services to them. By slandering normal vehicles, malicious vehicles’ opportunities of providing services increase indirectly. This can be regarded as a collusion attack as illustrated in Section
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure
Time-average trust value of normal vehicles.
Figure
Time-average trust value of malicious vehicles.
In general, Figures
Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model. Figure
Time-total success ratio.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model. The experimental method is the same as Figure
Time-success ratio of stages.
In this model, which can be regarded as a stronger collusion attack than the previous model, malicious vehicles will report mendacious self-estimated service quality to Public board when registering, report low estimated service quality of normal vehicles to slander them even if these normal vehicles never provide services to them, and praise other malicious partners by reporting high estimated service quality of them. By slandering normal vehicles, malicious vehicles’ opportunities of providing services increase indirectly. By collusively praising malicious partners, the overall number of opportunities of malicious vehicles increases significantly. Experimental results proof that DBTEC will also distinguish malicious vehicles and normal ones in this threat model; DBTEC-2 has better effects than DBTEC-1.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure
Time-average trust value of normal vehicles.
Figure
Time-average trust value of malicious vehicles.
In general, Figures
Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model. Figure
Time-total success ratio.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model. The experimental method is the same as Figure
Time-success ratio of stages.
This threat model is the most complicated because of the disguise of malicious vehicles. When registering, malicious vehicles will report a mendacious self-estimated service quality to Public board; as time goes on, malicious vehicles have an unstable performance. Sometimes, they will act just the same as normal vehicles, but, sometimes, they will provide abnormal services, such as extremely poor service quality. Experimental results proof that DBTEC will also distinguish malicious vehicles and normal ones in this threat model. DBTEC-2 has better effects than DBTEC-1.
We first analyze the influence of DBTEC-1 and DBTEC-2 on average estimated trust value in this threat model.
Figure
Time-average trust value of normal vehicles.
Figure
Time-average trust value of malicious vehicles.
In general, Figures
Then, we analyze the influence of DBTEC-1 and DBTEC-2 on total success ratio of cooperation requests in this threat model. Figure
Time-total success ratio.
Finally, we analyze the influence of DBTEC-1 and DBTEC-2 on the success ratio of each stage in this threat model. The experimental method is the same as Figure
Time-success ratio of stages.
In this paper, we propose a trust-based security cooperation model, called DBTEC, which combines direct trust information stored in Private board with indirect trust information stored in Public board to guide the selection of cooperative partners in VCC. The experiments prove the effectiveness of DBTEC schemes.
With the advance of Internet of Things, the form of many practical applications, such as delivering physical objects, has changed. Vehicle networks have made extensive cooperation between vehicles possible. Security is a key requirement for cooperation. The DBTEC schemes give a better solution to security cooperation.
The set of all vehicles in VCC
The number of vehicles in VCC
The
The set of service qualities of all vehicles
The
The set of malicious vehicles in VCC
The set of normal vehicles in VCC
The number of malicious vehicles in VCC
The public estimated service quality for vehicle
The timestamp at which vehicle
Estimated service quality for vehicle
Estimated trust value for vehicle
The timestamp at which vehicle
The timestamp at which vehicle
The timestamp at which vehicle
The authors declare that there are no competing interests regarding the publication of this article.
This work was supported in part by the National Natural Science Foundation of China (61379110, 61073104, 61572528, 61272494, and 61572526) and the National Basic Research Program of China (973 Program) (2014CB046305).