Privacy and Security Management in Intelligent Transportation System

Metropolitan transportation is a dynamic and non-linear complex system. In such a system, there are possibilities of altering, monitoring, forging, and accessing the private, public, and resource information of depot staff and communicating agents by unauthorized agencies in the metropolitan area. Existing solutions for managing the security and privacy of communicating agents in an intelligent public transportation system (IPTS) do not adapt to the dynamic occurrence of real-time event information. Therefore, existing solutions are insufficient to address the randomness and other characteristics of a non-linear complex system such as an intelligent transport system (ITS). To this end, in this article, we propose a privacy and security management scheme for ITS depot staff in a metropolitan area. This scheme provides privacy and security management in the transportation industry during the exchange of information regarding vehicle allocation, dispatch, revocation, financial transactions, and maintenance. The absence of such a scheme leads to anomalies such as impersonation of genuine staff and malicious and greedy staff. We use the emergent intelligence (EI) technique to collect, analyze, and share information, and to take dynamic decisions during the security and privacy management of the depot staff in transport industries. The EI technique provides autonomy, flexibility, adaptiveness, robustness, self-organization, and evolution to address the randomness and behavior of a non-linear complex system such as the transportation system in metropolitan areas. The proposed scheme is implemented using the Crypto++ package, and the results indicate that the scheme efficiently manages security and privacy in transportation industries in metropolitan areas.


I. INTRODUCTION
Metropolitan areas, which include urban areas, satellite cities, rural areas, etc., are highly congested. They are divided into regions, and each region is further subdivided into zones. A transportation depot is built (especially in metropolitan cities in India) for each region to satisfy the commuting needs of people. Depots in transportation industries are premises where resources (e.g., vehicles, fuel, staff) are stored, managed, and allocated by the manager (e.g., an agent). Owing to the dynamic arrival rates of commuters, staff, and vehicles at transport depots [1], there are possibilities of altering, monitoring, and forging the public and private information of transport depots and staff by third parties [2]. Moreover, the third parties can use the private and public data to create situations such as traffic congestion, underutilization of
To this end, in this article, we propose a privacy and security management scheme for supporting IPTS depots in metropolitan areas using an emergent intelligence (EI) technique. The proposed scheme is based on the integration of the transport depot staff's policies, a pseudonymous technique, cryptographic techniques, bilinear pairing, and the EI technique. The IPTS depot staff is categorized into three levels to provide three different levels of privacy. Each level is determined by a policy managed by the regional trusted authority (RTA). These policies are formed using the depot staff's credentials, which comprise the type of staff, working time, working place, authentication information, the signature of the RTA, and pseudonyms. The proposed scheme provides accurate and reliable information (e.g., resource availability, resources allocated, traffic conditions) to the transport depot agents, which can be shared with the neighboring depots' agents.
The associate editor coordinating the review of this manuscript and approving it for publication was Rongxing Lu.
The remainder of the paper is organized as follows. Section II presents the system model, assumptions, and preliminaries of the proposed scheme. Section III presents the principle of the EI technique. Sections IV and V discuss the principles of the privacy preservation scheme and policy-based transport depot staff. Section VI presents the performance analysis and results. Finally, Section VII concludes the paper.

II. SYSTEM MODEL
In this section, we present the necessary assumptions, definitions, communication network model, attack model, and background of the mathematical concepts.

A. PUBLIC TRANSPORT DEPOT
A public transport depot in a metropolitan area is the transport system's operating base [22]. The depot contains many administrative functions, engineering, and managerial functions for staff. There are three grades of the staff: depot manager (DM), operations and engineering manager (OEM), and administrative, personnel, and accounts staff (APAS). Each staff member discharges their respective duties and interacts with others. RTAs, who are responsible for issuing the initial security keys and parameters, are deployed at the depot. It is assumed that they can be trusted and cannot be compromised.

C. POLICY-BASED PRIVACY
A policy is a set of rules under which a specific action can be taken on a particular sensitive resource [24]. There are two cryptographic primitives for enabling privacy-aware policy enforcement.
1) Policy-based encryption: This cryptographic primitive requires data to be encrypted according to the policy such that only organizations compliant with the policy can successfully decrypt the plaintext data.
2) Policy-based signature: This cryptographic primitive uses the policy to generate a digital signature. Only the entities that satisfy the policy can generate a valid digital signature.
These cryptographic primitives involve developing privacy policies, automated trust negotiation, trust establishment, access control, etc. In this article, we use the policy-based encryption primitive for the privacy preservation of transport depot staff during the exchange and/or access of information about vehicle allocation, dispatch, revocation, financial transactions, and maintenance. In the absence of a privacy preservation scheme, anomalies such as impersonation and malicious and greedy staff can be seen at the transport depot.

D. ATTACK MODEL
In a metropolitan area, various entities (e.g., vehicles, RSUs, agents) are connected via communication links. These links are highly vulnerable to attacks. Attackers can access, alter, monitor, and forge private information. These malicious tasks executed by the attackers can be classified into internal and external, depending on the attackers' locations [16].
An external attacker observes the ongoing communication and analyzes traffic-related data; however, they cannot decipher messages. On the contrary, internal attackers such as malicious agents and staff have full rights to access both public and private information of transport depots. Therefore, if compromised, they can become powerful attackers. Among the several possible attack scenarios in metropolitan areas, we consider the following attack scenarios in this study.
1) Impersonation of Genuine Staff: The attacker pretends to be the staff to fool others and access privileged information.
2) Malicious Staff: Malicious behavior can result in illegal access to data, which can have a dangerous impact during emergencies.
3) Greedy Staff: Greedy staff try to use resources for their own benefit. They may create unnecessary problems such as traffic jams, lane blocking, etc.
The proposed scheme assures privacy and security under the above-mentioned scenarios, which are discussed in subsequent sections.

E. PRELIMINARIES
The proposed privacy preservation scheme uses the following basic mathematical concepts.
1) Bilinear Pairing: A bilinear mapping function pairs elements of two groups into an element of another group [25]. Definition: Consider groups g_1 and g_2 (multiplicative and additive) with the same order p, where p = q^n, n ∈ Z^+, and q is a prime number. The bilinear map ê : g_1 × g_1 → g_2 satisfies the following three properties. a) Bilinearity. b) ê(M, M) is a generator of g_2. c) Computability: there is an algorithm to compute the bilinear map ê.
2) Elliptic Curve Discrete Logarithm Problem (ECDLP) [21]: Given points X and Y of the group, find the value of k such that Xk = Y.

III. EI TECHNIQUE
The EI methodology is an extension of the multi-agent system (MAS), in which agents are involved in group activities and individual decision-making. The EI strategy is one category of agents' mutual intelligence [23], [33]–[35]. This group of agents interacts cooperatively, in a coordinated and collaborative manner, to provide dynamic independent decisions. The EI technique can be used to perform individual tasks and sub-tasks in parallel, thereby providing a partial (or complete) solution. EI is the intelligence of a task-oriented group of agents [14]. Groups of agents interact periodically and on demand in a dynamic and unpredictable environment to provide decisions that achieve the common goals of the system. Herein, the entities have a common interest, whereas the entities of a MAS may have diverging interests.
To illustrate the EI technique, consider task t_A in a 3-node network as shown in Fig. 2. Depending on its objectives, t_A is divided into sub-tasks st_A1, st_A2, and st_A3. These sub-tasks are assigned to three different agents and executed independently. The EI technique is deployed at node A, where the task is initiated. The technique generates and dispatches three agents (A_1, A_2, A_3) to nodes A, B, and C, respectively. The three agents independently solve their assigned sub-tasks using local and global knowledge. Finally, all the agents send their individual decisions to agent A_1, which uses the following equation to provide the collective intelligence of the group.
where d(st_A1), d(st_A2), and d(st_A3) are the decisions of the individual agents taken at nodes A, B, and C, respectively. The ITS has several characteristics, outlined below, that make it suitable to be solved by the EI technique rather than by MAS or SI.
• Complexity: A transportation system's behavior is too complex to be modeled with the traditional approach, owing to the lack of synchronization among the different components of the system. The EI technique, which is based on observed and collected data, is more suitable for modeling such complex systems.
• Qualitative data: A transportation system comprises both quantitative and qualitative data. A considerable amount of qualitative data must be dealt with in such a system, and the process can be facilitated using the EI technique.
• Non-linear and dynamic system: Transportation systems are non-linear, dynamic, and complex stochastic systems. Therefore, in their case, it is often not possible to find the optimal solution. The EI technique provides a natural alternative to obtain optimal or sub-optimal solutions.
• Simple model: Most ITS methods for metropolitan areas are built upon precise analytical models. In reality, however, it is challenging to model ITS traffic, security, and privacy accurately, whereas the EI technique does not require a precise model.
• Adaptability: The EI technique adapts to the dynamic, uncertain, and complicated system under consideration and replenishes the environment by creating an autonomous, regenerating feedback loop through spontaneous interaction among a group of agents. This enables intelligent behaviors for transportation in metropolitan areas.
Some works have attempted to use the EI technique for solving this problem [31], [32]. However, they have not provided a clear methodology for solving the assigned tasks in unpredictable environments. Therefore, in this research, the acquisition, analysis, and sharing of transport depot staff information in a metropolitan area, such as private, public, and transport resource information and dynamic decision information, is done using the EI technique.

IV. PROPOSED POLICY-BASED PRIVACY PRESERVATION SCHEME FOR ITS
In this section, we present the policy-based privacy preservation system setup, three levels of depot staff privacy preservation, and EI technique-based privacy preservation for depot staff. Table 1 lists the symbols used in the paper and their descriptions.

A. SYSTEM SETUP
The policy-based privacy-aware cryptosystem (PAC) setup is achieved by two randomized algorithms: (1) the PAC setup algorithm and (2) the RTA setup algorithm.

1) PAC SETUP
Given a secret key, k, as input parameter, execute the following.
3) n is a random number chosen from N*, and let
Public parameters describe the different groups and public functions that are used in the system.

2) RTA SETUP
The RTA chooses a random master key, s ∈ Z*_p, and uses it to compute the corresponding public key, RTA_PK = sX. All system participants have access to the public key.

B. TRANSPORT DEPOT STAFF PRIVACY PRESERVATION MODEL
In this subsection, we discuss three different privacy policies for the three levels of depot staff. Here, we define a policy using logical expressions over the user credentials that comprise conjunctions (∧) and disjunctions (∨). We define an assertion for each staff member at the depot. An assertion provides information about the staff member's attributes, properties, capabilities, etc. It is encoded as a binary string, A ∈ {0,1}*. The details of the representation of assertions are outside the scope of this article. Assertions are represented as credentials, and their validity is provided by the RTA using signature verification. These credentials are generated by the RTA using the credential generation (CredGen) algorithm whenever an assertion is valid.
The RTA defines the credentials and certifies their validity. The proposed policy-based privacy preservation scheme has three levels of depot staff depending upon their grades. As shown in Figure 3, the hierarchy of the depot staff is: (1) APAS, (2) OEM, and (3) DM. The scheme provides a different level of privacy to each level of the staff hierarchy at the transport depot, depending upon the privacy parameters, as shown in Figure 4. The privacy preservation at levels 1, 2, and 3 is presented in the following subsections.

C. PRIVACY PRESERVATION AT LEVEL 1
The APAS at the depot are registered with the RTA. During registration, the APAS provide their private information to the RTA. The RTA then encrypts and stores this information in its database. The RTA provides authentication information (Auth-Info) such as a username/password. The level 1 policy (pol_1) is formed by the RTA at the depot using the credentials of the APAS as: Personnel staff, Accounts staff} and ID is the identity of staff member x. The following steps are used to preserve the privacy of the staff; the notations in Table 2, based on policy 1 issued by the RTA, are used.
Before the level 1 staff can share information such as processed cash and vehicle and staff information with the level 2 manager, both parties must mutually authenticate each other. We use a certificate-based authentication scheme, wherein certificates are issued by the RTA, as shown in Figure 5.
The following steps are performed during mutual authentication.

D. PRIVACY PRESERVATION AT LEVEL 2
The OEM at the depot registers with the RTA. During registration, the OEM provides their private information to the RTA. The RTA then hides and stores this information in its database. The RTA provides authentication information (username/password) and confidential information (a signature from the RTA). The level 2 policy (pol_2) is formed by the RTA at the depot using the credentials of the OEM as pol_2 = <Depot_i, y : where y ∈ {Operation manager, Engineering manager}, ID represents the manager's identity information, β is the RTA's private key, and M is the message.
To preserve the privacy of depot staff at level 2 using pol_2, the steps described in IV-C must be repeated. However, in these steps, the privacy-preserving policy must be changed from pol_1 to pol_2, with the same parameters. Before the level 2 manager starts sharing information such as allocated buses and crews, dispatches, and maintenance with the level 3 DM, they must mutually authenticate each other using the procedure described in IV-C for level 1 staff, changing level 1 to 2, level 2 to 3, and pol_1 to pol_2.

E. PRIVACY PRESERVATION AT LEVEL 3
The DM, who is an agent at the depot, registers with the RTA. The private information provided by the DM to the RTA during registration is encrypted and stored in its database by the RTA. The RTA provides authentication information (username/password), confidential information (a signature from the RTA), and a pseudonym. The level 3 policy (pol_3) is formed by the RTA at the depot using the credentials of the DM as: where pseudonym is a pseudo-identity given by the RTA to the DM or agent using their credential data.
To preserve the privacy of the depot staff at level 3 using pol_3, the steps described in IV-C must be repeated. However, in these steps, the privacy-preserving policy must be changed from pol_1 to pol_3. The DM has the right to access information at levels 1 and 2. The privacy-preserved information exchange is presented in the following subsections.
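The three-level policy model of Sections IV-B to IV-E, as an added illustration that is not the paper's implementation: a policy is a conjunction/disjunction over RTA-certified credential attributes, and the level a credential satisfies decides which data it may read (the DM also reads level 1 and 2 data). The policy grammar, the credential field names and the use of HMAC-SHA256 as a stand-in for the RTA's signature are assumptions.

```python
"""Policy-based level check for depot staff credentials (added example)."""
import hashlib
import hmac
import json

# Constructed RTA secret for this example; the paper's RTA signs with its
# private key, which HMAC only stands in for here.
RTA_SECRET = b"constructed-rta-secret-for-this-example"

# Staff hierarchy from the paper: APAS (level 1) < OEM (level 2) < DM (level 3).
LEVEL_OF_TYPE = {
    "Personnel staff": 1,
    "Accounts staff": 1,
    "Operation manager": 2,
    "Engineering manager": 2,
    "Depot manager": 3,
}


def _canonical(assertion):
    """Deterministic byte encoding of an assertion so the tag is reproducible."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def rta_issue(assertion):
    """CredGen stand-in: the RTA certifies a valid assertion by tagging it."""
    tag = hmac.new(RTA_SECRET, _canonical(assertion), hashlib.sha256).hexdigest()
    return {**assertion, "rta_sig": tag}


def rta_verify(credential):
    """Signature verification of a credential; False if absent or tampered."""
    body = {k: v for k, v in credential.items() if k != "rta_sig"}
    expected = hmac.new(RTA_SECRET, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, credential.get("rta_sig", ""))


def evaluate(policy, credential):
    """Evaluate a policy tree: ("attr", name, allowed) leaves joined by
    ("and", ...) for ∧ and ("or", ...) for ∨."""
    op = policy[0]
    if op == "attr":
        _, name, allowed = policy
        return credential.get(name) in allowed
    if op == "and":
        return all(evaluate(p, credential) for p in policy[1:])
    if op == "or":
        return any(evaluate(p, credential) for p in policy[1:])
    raise ValueError(f"unknown policy operator: {op!r}")


def policy_for_level(depot, level):
    """pol_level = Depot_i ∧ (type_1 ∨ type_2 ∨ ...) over the types at that level."""
    alternatives = [("attr", "type", {t}) for t, lvl in LEVEL_OF_TYPE.items() if lvl == level]
    return ("and", ("attr", "depot", {depot}), ("or", *alternatives))


def access_level(credential, depot):
    """Highest level whose policy the credential satisfies at this depot;
    0 when no policy matches or the RTA signature does not verify."""
    if not rta_verify(credential):
        return 0
    for level in (3, 2, 1):
        if evaluate(policy_for_level(depot, level), credential):
            return level
    return 0


def may_read(credential, depot, data_level):
    """A staff member may read data of its own level and of lower levels."""
    return access_level(credential, depot) >= data_level
```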

F. TRANSPORT DEPOT STAFF's PUBLIC/PRIVATE DATA COLLECTION AND SHARING
In this subsection, we discuss the EI technique-based depot staff information collection, sharing, and common decision-making in a metropolitan area. Additionally, we discuss the degree of depot staff privacy preserved and disclosed in a metropolitan area.
The steps in the EI technique-based decision-making at a metropolitan area depot are as follows.
(1) The initiator depot's agent uses staff, RSUs, agents, and vehicles to form a cluster or group.
(2) The required resources are analyzed and estimated, and it is decided whether private or public information needs to be exchanged among them. The waiting time required at each depot is estimated.
(3) During emergencies, the history and analyzed information are used to estimate the resources needed, traffic jams, waiting time, etc.
(4) The information regarding the estimations is used to decide the staff's cooperative, negotiative, and competitive interactions.
(5) During these interactions, a certain degree of private and/or public information of the same or other levels of staff and depots is shared and accessed.
(6) Finally, the EI technique at the initiator depot decides (i) the percentage of each type of information that must be shared with the staff of particular depots and (ii) the revocation of malicious depot staff from the depot.
The static agent (SA) deployed at each metropolitan area depot manages the DM functions. It creates and dispatches mobile agents (MAs) to the level 1 and 2 staff. These MAs collect and analyze the public data of the depot and the private data of the depot staff, and share them with the SA. The SA analyzes the information collected from the group of depot staff and takes dynamic decisions to achieve a common goal. During decision-making, emergency incidents may occur or the depot staff's levels may change. These sudden changes are incorporated into the privacy preservation scheme, which shows that the EI technique is adaptable. During adaptation, the scaling factors that disclose a certain percentage of information, based on the depot staff level and the type of emergency incident, are defined.
The EI technique forms groups comprising mutually authenticated depot staff. These depot staff share information under constraints that are defined by the EI technique based on the depot staff level, the sudden occurrence of emergency events, etc. These constraints are used to define the values of scaling parameters such as α, β, γ, λ, µ, and ζ; they take values in the range [0, 1]. Three key parameters are described in Table 3.
The EI technique uses a probabilistic model to define the extent of privacy that must be disclosed and preserved among the depot staff levels. Let i, j, and k indicate APAS, OEM, and DM, respectively. The probabilistic privacy model that defines the extent of privacy preservation and disclosure of the private and public data of each depot staff level is shown in Figure 6.
The level i depot staff's probabilities of disclosing private and public (shareable) data to j and k are denoted as P_d^{i,j} and P_d^{i,k}, respectively, and they are given as follows, where P_s and P_p denote the public (shareable) and private data of staff i, respectively. Similarly, the probabilities of not disclosing private and public data are given as follows.
The probabilities of disclosing private and public (shareable) data of OEM level j to i and to k are denoted as P_d^{j,i} and P_d^{j,k}, respectively. They are given as follows.
Similarly, the probabilities of not disclosing private and public data are given as follows.
The probabilities of disclosing private and public (shareable) data of the DM (level k) to i and to j are denoted as P_d^{k,i} and P_d^{k,j}, respectively, and they are given as follows.
Similarly, the probabilities of not disclosing private and public data are given as follows.

G. TRANSPORT DEPOT STAFF REVOCATION
Identifying the misbehavior of legitimate staff (i.e., insiders) at a metropolitan area transport depot is considerably difficult and complex. Insiders possess the credentials and policies issued by the RTA to perform authentication and their respective functions; therefore, misbehaving legitimate staff must be revoked by revealing their confidential information.
Malicious behavior of legitimate staff is observed during interactions by the upper-, lower-, and peer-level staff at the metropolitan area depot. The observing staff use their policies to identify the misbehavior of legitimate staff. They then record the misbehavior events and create a misbehavior of legitimate staff report (MSR), i.e., MSR = <MIS, Pol_i, ID_x>, where MIS is the misbehavior information, Pol_i is the policy of the i-th level, and ID_x is the identity of the misbehaving legitimate staff member x. The observing staff send the encrypted MSR to the RTA. The RTA decrypts the messages, averages the feedback from all observing staff, and uses ID_x and Pol_i to decide on the revocation of staff member x.
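The RTA-side revocation decision described above, as an added example that is not the paper's implementation: MSR tuples <MIS, Pol_i, ID_x> from several observing staff are validated, averaged, and compared against a revocation threshold. The numeric encoding of MIS as a score in [0, 1], the observer identifier used to deduplicate reports, the threshold and the minimum number of independent reports are assumptions; the MSR decryption step is omitted and the reports are taken as already decrypted.

```python
"""RTA revocation decision from misbehaviour reports (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Policy levels as in the paper: 1 = APAS, 2 = OEM, 3 = DM.
LEVELS = {1, 2, 3}


@dataclass(frozen=True)
class MSR:
    """Misbehaviour of legitimate staff report, MSR = <MIS, Pol_i, ID_x>."""
    mis: float         # MIS as a score in [0, 1]; 1.0 = certain misbehaviour (assumed encoding)
    pol_level: int     # Pol_i: policy level of the observing staff
    reporter_id: str   # identity of the observer (assumed field, used to deduplicate)
    target_id: str     # ID_x: identity of the reported staff member


class RTA:
    def __init__(self, threshold=0.6, min_reports=2):
        # Assumed decision rule: revoke when at least min_reports independent
        # observers report and their mean score reaches threshold.
        self.threshold = threshold
        self.min_reports = min_reports
        self.reports = defaultdict(dict)   # target_id -> {reporter_id: MSR}
        self.staff_level = {}              # target_id -> level, known from registration
        self.revoked = set()

    def register(self, staff_id, level):
        self.staff_level[staff_id] = level

    def accept(self, msr):
        """Validate a decrypted MSR: the target must be registered, the
        policy level valid, the score in range, and self-reports are refused.
        One report per observer per target; a later one replaces the earlier."""
        if msr.target_id not in self.staff_level or msr.pol_level not in LEVELS:
            return False
        if not 0.0 <= msr.mis <= 1.0 or msr.reporter_id == msr.target_id:
            return False
        self.reports[msr.target_id][msr.reporter_id] = msr
        return True

    def average(self, target_id):
        """Mean MIS score over all observers that reported this target."""
        rs = self.reports.get(target_id, {})
        return sum(r.mis for r in rs.values()) / len(rs) if rs else 0.0

    def decide(self, target_id):
        """Revocation decision for ID_x; returns True if the staff member is revoked."""
        rs = self.reports.get(target_id, {})
        if len(rs) >= self.min_reports and self.average(target_id) >= self.threshold:
            self.revoked.add(target_id)
        return target_id in self.revoked
```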

V. PERFORMANCE ANALYSIS
In this section, we analyze the performance of the proposed system by considering performance measures such as the latency of the schemes, revocation latency, response time, and execution time. The proposed scheme was scripted and implemented in C++; we used the pairing-based cryptography (PBC) library [28] for the elliptic curve and pairing operations and the Crypto++ package [27] for the implementation of the proposed schemes. The implementation was run on a desktop computer (dual-CPU Intel Core i5 processor) with 12 GB RAM. The performance results were averaged over 500 randomized simulation runs. For the comparative analysis of the simulation results, we used the ECC and RSA algorithms. Key sizes of ECC: 224 and RSA: 2048 bits, and of ECC: 2048 and RSA: 3078 bits, provide the same security level. Pseudonym generation time is compared for ECPP [15], RSA, and the proposed scheme. The proposed privacy preservation scheme requires less pseudonym generation time for the transport DM than ECPP. RSA performs better than the proposed scheme; however, it provides a lower level of privacy than the proposed scheme. In the simulation, the time fields count the time from the start of the process execution until the process ends. Analytically, these time fields are used to calculate the actual revocation time required to revoke a misbehaving transport depot staff member from the formed network. The revocation time, denoted by T_RL, is given as follows.
As observed from the literature, the ECPP scheme is the only scheme used to revoke nodes, and we compare the proposed scheme with it. In the proposed scheme, the RTA and RSUs in the metropolitan area require considerably less time than the ECPP scheme to search for and revoke the agent, because the ECPP scheme requires more time for pairing and multiplication operations. Consequently, the transport depot staff privacy scheme is faster than the existing ECPP scheme.
The response time of the transport depot staff privacy scheme is shown in Fig. 7(c). To improve the response time and minimize communication and computational delay, we use elliptic curve public-key cryptography (i.e., ECC) instead of RSA. ECC can provide the same level of security as RSA while using a smaller key. RSA-based authentication generates considerably larger packets than ECC-based authentication. The response times of the different schemes for different numbers of pseudonyms and key sizes are presented in Fig. 7(c).
Execution time is the time required to verify the staff privacy preservation based on policies 1, 2, and 3. Table 4 presents the different cryptographic operations required during policy execution.
T_priv^pol1 is given as follows.
where
Similarly, the execution times required to verify the privacy preservation based on policies 2 and 3 are T_priv^pol2 and T_priv^pol3, respectively. They are given as follows.
Table 5 shows the execution times with policies 1, 2, and 3 for preserving the metropolitan area depot staff privacy. The execution time of policy 3 is higher than that of the others and that of the ECPP scheme, as shown in Figure 8(a). This is because of the pseudonym of the DM (i.e., the agent), which periodically changes its value.
We estimate the probability of privacy loss of levels 1 to 3 with different percentages of private and public data disclosed at the metropolitan area depot, as shown in Table 6.
TABLE 6. Estimation of the probability of privacy loss of levels 1 to 3 with percentages of private data disclosed (P_PDD) and public data disclosed (P_PuDD).
Figure 8(b) shows the probability of privacy loss of the different levels of depot staff with varying amounts of private and public data disclosed at the metropolitan area depot. The proposed scheme preserves the privacy of the private data of depot staff and shows flexibility with the public data. Privacy disclosure depends upon the depot staff level and the type of data, i.e., private or public, as shown in Figure 8(b). Figure 8(c) shows the percentages of the staff's private and public data disclosed to and protected from other staff.

VI. CONCLUSION
In this article, we proposed a novel security and privacy management scheme for the intelligent public transportation industry in a metropolitan area. The proposed scheme provides privacy to the depot staff depending upon the policy issued by the RTA using the staff's credentials. It protects the public and private data of transport depots and staff. It outperforms the existing scheme, ECPP, on the following measures: (i) it reduces the time taken for pseudonym generation (2 ms versus 11 ms for ECPP), (ii) it improves the revocation time of misbehaving legitimate staff from the transport depot (40 ms versus 350 ms for ECPP), and (iii) it reduces the execution time of policies 1, 2, and 3 (52 ms versus 65 ms for ECPP). The results demonstrate that the proposed scheme is a more efficient and accurate real-time implementation for a metropolitan area.