Context-Aware Quantification for VANET Security: A Markov Chain-Based Scheme

Recently, the quantification of VANET security has drawn significant attention due to the lack of standard computational metrics. The salient features of VANET, such as highly dynamic connections, sensitive information sharing, and unreliable fading channels, make the security quantification challenging. Accurate measurement for VANET security depends on the sufficient understanding of “context”, or making sense of the states, environment, or situation. This article proposes a context-aware security quantification scheme for VANET based on the Markov chain. Firstly, a Homogeneous Continuous-Time Markov Chain (HCTMC)-based security state model is designed for VANET. The value of each state of the HCTMC is determined with a value function that incorporates the security strength of transmitted data, dynamic and randomness of the vehicular channel, and transmission delay of the current situated environment of VANETs. Finally, the state transition matrix is derived based on the Homogeneous Discrete-Time Markov Chain (HDTMC) and Homogeneous Poisson Process (HPP). Simulation results show that the security quantification method enables the VANET’s system to adopt context-aware defense strategies according to the situated environment.


I. INTRODUCTION
Vehicular Ad Hoc Network (VANET), as a prominent form of Mobile Ad Hoc Network (MANET), plays an essential role in the future Intelligent Traffic System (ITS) by providing a wide range of applications to improve road safety and driving comfort. It is a distributed self-organizing network built up by high-speed vehicles [1], and consists of three parts: Trusted Authority (TA), Road Side Unit (RSU), and On Board Unit (OBU) [2]. The TA can be regarded as an authority center that provides RSUs and OBUs with a variety of security services such as registration, identity authentication, and certificate management. Furthermore, RSUs are deployed alongside the road to transmit the information collected from OBUs to the TA. Besides, each vehicle is equipped with an OBU that enables it to communicate with other vehicles or RSUs through Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) modes, respectively.
The associate editor coordinating the review of this manuscript and approving it for publication was Junaid Arshad.
Consequently, VANETs facilitate the real-time exchanges of information on traffic conditions, further provide the prediction of the current environment, and make drivers more aware of driving situations, and take early measures against anomalies [3].
Despite these advantages, VANET is facing various challenges, particularly in the aspect of security. VANET is distinct from other types of MANETs in terms of highly dynamic topology, open-access wireless environment, and the salient features of propagation channels such as time-varying, fading, and path loss, which makes vehicles more vulnerable to various attacks. An attacker may impersonate a legitimate transmitter vehicle, and the messages may be eavesdropped, forged, or replayed by an adversary. VANET must provide adequate security mechanisms to protect against the attacks because the transmitted messages are closely related to driving security.
Most of the recent studies focus on the design of security mechanisms, such as authentication, confidentiality, integrity, or privacy [4]. The quantification of VANET security is a prerequisite for vehicles to adopt the right defense strategies but remains a challenging issue. Although several works propose quantitative security metrics by designing attacker or threat models [5], [6], they enforce predefined policies in advance. These methods are static and lack the flexibility of protecting against various attacks. The vehicle can only respond to specific attacks but is not capable of behaving adaptively to the potential threats. As a consequence, an accurate quantification should be context aware to understand the surrounding environment.
Compared with the traditional MANET, it is challenging to measure the security level in VANET, where the network is highly dynamic, the link is time-varying, and the scenario is random (e.g., urban and suburban). Therefore, this article focuses on designing the quantitative security model with context-awareness and environment-adaption by considering the salient features of VANET. Firstly, regarding the environment, the Nakagami multi-pathcand fading of the vehicular network. Furthermore, from the perspective of the vehicle user's inherent characteristics, the transmission delay is incorporated into the security metric to express the vehicle's Quality of Service (QoS) requirement, i.e., time-sensitivity. Besides, regarding the various types of attackers, the attacker's capability is considered in the process of security quantification. At last, the Homogeneous Continuous-Time Markov Chain (HCTMC) and Homogeneous Discrete-Time Markov Chain (HDTMC) are employed to analyze the security state transition under different VANET environments. In conclusion, this article proposes a context-aware method for security quantification based on HCTMC and HDTMC. This scheme enables vehicles to adopt strategies in the dynamic VANET environment adaptively. The main contributions can be concluded as:
• A context aware and environment adaptive security quantification scheme for VANET based on the Markov chain is proposed.
• An HCTMC-based security state model is designed by incorporating the dynamic and randomness of the vehicular channel, along with the QoS consideration.
• The matrix of state transition is derived based on the HDTMC and Homogeneous Poisson Process (HPP).
The remainder of this article is organized as follows. Section II overviews the related work in recent years. Section III introduces the system models in detail. Section IV shows the extensive simulation results and numerical analysis. Finally, we give the conclusion in Section V.

II. RELATED WORK
VANET has been extensively studied and is gradually becoming a research hotspot in the 5G era. Hasrouny et al. [4] presented an extensive overview of VANET security challenges and existing solutions in a comprehensive manner. Rehman et al. [7] evaluated the impact of speed differences among vehicles on the performance of two widely adopted classes of messaging schemes in VANETs, namely the furthest distance and link quality based schemes. El-Sayed et al. [8] proposed a new entity centric trust framework using decision tree classification and artificial neural networks. This model uses multifaceted role and distance based metrics like Euclidean distance to estimate the trust. Arif et al. [9] used the HABE encryption method to provide central security and offer secure and reliable communication. The proposed framework can address major VANET problems by delivering Vehicle to Infrastructure (V2I) and V2V communications. Therefore, with the in-depth study of VANET by more and more domestic and foreign research scholars, the importance of VANET's safety has emerged.
Regarding the security of VANET, Mihai et al. [10] provided a comprehensive classification of related state-of-the-art approaches following three key directions: 1) privacy, 2) authentication and 3) message integrity within VANETs. Discussions, challenges and open issues faced by the current and next generation of vehicular networks are also provided. El-Rewini et al. [11] proposed a three-layer framework (sensing, communication and control) through which automotive security threats can be better understood, provided a state-of-the-art review of attacks and threats relevant to the communication layer, and presented countermeasures. In [12], a location-based secure preset group is proposed to create a communication network where both local security and global security can be achieved dynamically. Wagan et al. [13] presented a hardware based security framework that uses both standard asymmetric PKI and symmetric cryptography for faster and secure safety message exchange. Szczypiorski et al. [14] improved on Wagan's security framework by addressing problems related to traffic efficiency and public transport operations. It provides a tool to monitor and secure routing protocols, as well as to detect and remove untrusted nodes in the network. Siddiqui and Khaliq [15] proposed a security analysis method based on authentication attacks: classifying attacks based on security requirements and pointing out security vulnerabilities about unique threats. Chen et al. [16] classified the received information based on the routing protocol information and analyzed the security threats for different types of information content.
In terms of security quantification, Wei et al. [17] designed a hidden Markov model to quantify network security risks and assess threats in real time. Zhang [18] used the big data fuzzy mean clustering algorithm to cluster and evaluate the statistical characteristic information data of network intrusion. By extracting the security status of cyber risks, the high-level spectrum characteristics of big data were quantitatively analyzed, and the quantitative assessment of the security status of cyber risks and the detection of network intrusions were achieved. Griffin et al. [19] proposed a semi-Markov process (SMP) to model the transition between the security states of abstract software systems to analyze the security of software systems. Almasizadeh and Azgomi [20] presented a suitable method to quantify security: stochastic modeling technology, which treats the intrusion process as a series of basic attack phases and strictly analyzes the interaction between the attacker and the system at each phase. It quantifies security by modeling complex attack processes and assessing the required security measures. Rahman et al. [21] constructed a vehicle-to-vehicle task offloading framework that allows vehicles to utilize computation resources available at nearby vehicles. To overcome mobility issues, they implement context-aware opportunistic offloading schemes based on speed, direction, and locality of vehicles.
Although the safety of VANET has attracted the attention of researchers, few people have been able to evaluate VANET from a quantitative perspective. Most of them use external devices or strengthen the VANET from the perspective of an attacker, or conduct quantitative security research on other system networks. This article focuses on quantifying VANET security using a context awareness-based computational model.

III. METHOD
The quantitative security model and the state transition model are introduced in this section. The HCTMC state model is presented firstly corresponding to each security state of VANET. Then, the quantitative security level of VANET is modeled based on the HCTMC. Finally, we derive the matrix of HCTMC state transition, according to which the VANET can adjust the security defense strategy adaptively according to the situated context.

A. HCTMC STATE MODEL
In this section, an HCTMC state model is used to describe the security states of VANET, as shown in Fig.1. Assume there are seven security levels of VANET, i.e., security state, vulnerable state, attacked state, degenerate state, failed state, positive state, and negative state [22]. The HCTMC model is divided into seven states accordingly, where the process starts from the current state and moves successively from one state to another. Furthermore, the security level of each state is quantified as the value of each HCTMC state, which is formulated according to the information security and communication delay in the situated environment. The state transition model in Fig.1 is described as follows.
(I) When the system's protection measures fail (e.g., authentication failure, system upgrade vulnerability, encryption failure, and invalid access control), the system will transfer from a security state to a vulnerable state. Conversely, if the system is capable of protecting against attacks, it will stay in a security state.
(II) If an attacker is detected, the vehicular system will immediately take protective measures to eliminate the threat. In this case, the vehicular system transfers from a vulnerable state to a security state. The system in this state periodically monitors the status of the communication and takes appropriate measures against the potential threats.
(III) If the system fails to detect an attacker's behaviors in a vulnerable state, it will enter the attacked state. In the attacked state, the system aims to minimize the damage caused by the attacker. At the same time, the system will follow the principle of priority to return to a security state.
(IV) If the strategies adopted by the system fail to resist the attacks, the system will move into a degenerate state.
(V) The system transfers from an attacked state to a positive state when the threats are successfully detected and resisted.
(VI) The system in a positive state will gradually enter the self-healing phase and move into a safe state.
(VII) The system in an attacked state without sufficient protection strategies will move into the passive state.
(VIII) The system situated in a degenerate state will eventually move into a failed state due to the lack of sufficient protective measures.
(IX) (X) (XI) The system can be restored from the failed, degenerate, or negative state to the initial state by external manual intervention, which helps it upgrade for future security considerations.

B. OBJECTIVE FUNCTION
In this section, the VANET's security level of each current state is formulated as the objective function $T$ by considering the effect of security operation on the communication delay. Therefore, $T$ can be modeled by integrating the expected security strength $S_e$ and the delay $D$ and can be expressed as: A large value of $T$ indicates that VANETs are in a relatively safe network environment, where the system operates effectively. On the contrary, the system with a small value of $T$ strives to transfer into a secure state actively. Furthermore, the value range of $T$ is divided into seven sub-ranges corresponding to the seven states of the HCTMC model. $\alpha$ and $\beta$ are the weights of security and delay metrics, respectively, which depend on the system's requirements for security and delay of communication. The sum of $\alpha$ and $\beta$ is 1; both of the weights are given as 0.5 by default.

1) SECURITY STRENGTH
The communications among legitimate vehicles could be exposed to the threats of attackers due to the openness and dynamics of wireless channels, as shown in Fig.2. The security strength of the information is quantified according to the amount of computation required by an attacker to crack the messages [23]. Ideally, a computationally secure encryption system makes it impossible for an attacker to crack with exhaustive search. Therefore, the security level of the transmitted messages depends on the attacker's strength to break the cipher. We assume the transmitted frame is encrypted using block encryption where a transmitted frame is split into several data blocks that are encrypted separately. The "vulnerability" of an encrypted data block with length $N$ can be expressed as the probability of being cracked by attackers: where $\sigma$ denotes the strength of an attacker. An adversary node with the strength $\sigma$ can crack any encrypted data with length less than or equal to $N$ in limited time, i.e., $p_r(\sigma = N) = p_r(\sigma \ge N)$. The Linear Adversary Strength Model [24] is used to model an attacker's strength as a uniform distribution: $\frac{1}{N_{\max} - N_{\min}}$, where $N_{\max}$ and $N_{\min}$ are the upper-bound and lower-bound of the data length. Assuming that the data length varies in the range $[0, N_f]$ (i.e., $N_{\min} = 0$, $N_{\max} = N_f$), the vulnerability can be further expressed as: where $N_f$ denotes the size of the data frame. Furthermore, the security level of a frame depends on the number of attackers who can crack the encrypted block (assuming that all attackers have the same attack capability). Therefore, the security level of a data frame facing $n_e$ attackers can be given as: The derivation of $n_e$ will be introduced in detail.
The average communication transmission range [23] of the transmitter can be expressed as: where $\mu$ (vehicles/m$^2$) denotes the total vehicle density, $\rho$ (vehicles/vehicle) is the eavesdropping node density, $p_t$ is the transmission power, $\beta$ is the path loss coefficient, $m$ is the fading coefficient of the Nakagami channel, and $\gamma_0$ is the threshold of the carrier-to-noise ratio (CNR). $K$ is a constant related to the path loss model and is expressed as: where $G_t$, $G_r$ represent the gains of the transmitting and receiving antennas, $C$ is the speed of light, and $f_c$ is the carrier frequency. $W$ denotes the total input noise power of a legitimate receiver and can be expressed as: where $B$ is the Boltzmann constant, $T_0$ is the noise temperature of the receiving system, $A$ is the channel bandwidth, and $F$ is the noise figure. Substituting (7) and (8) into (6), $r$ can be expressed as: Therefore, the number of eavesdroppers can be roughly estimated as:

2) DELAY
In this subsection, the delay metric $D$ is constructed using random geometry and queuing theory, which are the primary and extensively used methodological frameworks for analyzing network delay. Firstly, the service rate of the queue can be given as: where $p$ is the transmission probability, and $p_{cf}$ denotes the connection failure probability in each time slot. The activation probability of a legitimate link $q$ is expressed as: where the probability of a packet arriving in each time slot is $\xi$. The queuing system at a legitimate transmitter is a Geo/G/1 queue, or a discrete-time single-server retry queue [25], [26]. In the Geo/G/1 queue, the probability of a packet arriving in each time slot is $\xi$, the probability of successful transmission is $p(1 - p_{cf})$, and the service time of the data packet follows a geometric distribution. According to [25], the average delay of the Geo/G/1 queue $D_e$ can be given as: From the above discussion, we can get the average delay in a dynamic scenario by the following formula. Assuming that all interfering transmitters are activated with the same probability $q$, the connection failure probability [27] can be expressed as: Substituting (14) into (13), the average delay can be presented as: According to the definition of the Lambert-W function, $W(z) \sim x$ if $z \to 0$. Therefore, the expression of $D$ in (15) can be simplified as (16). It can be concluded that the expression of delay $D$ can be approximated as the simplified form in (16) if one of the following conditions is satisfied: $\lambda_l \to 0$, $r_0 \to 0$, or $\theta_t \to 0$.

C. STATE TRANSITION
In this section, we mainly introduce the state transition between VANET states. The transition probabilities among states are calculated using HDTMC and Poisson processes that provide a theoretical basis for the security mechanisms of VANET. Vehicles can take appropriate protective strategies according to the current state so as to enter the secure state. The state transition matrix $\delta(t)$ at time $t$ can be given as: where $\delta(0)$ is the initial state probability vector of HDTMC, $\lambda t$ denotes the strength of the Poisson process, and $P$ is the transition probability matrix. As shown in Fig.3, the HDTMC model includes seven states and eleven transition routes, each of which is triggered by a trigger event. This article models each trigger event as where the parameter $k_{(ij)}$ denotes the strength of each $\lambda_{(ij)}$ [22]. The total rate of the Poisson process in the HDTMC model can be expressed as the sum of the trigger events' rates: where $M$ is the number of trigger events or transition routes (e.g., $M = 11$ for Fig. 3). The sum of transition probability can be expressed as: where $I = \{Ss, Sp, Sv, Sa, Sn, Sd, Sf\}$ is the set of states in HDTMC. $P_{(i,j)}$ denotes the matrix of transition probability that transforms from state $i$ to $j$, which is given as: Obviously, the following equations are satisfied for $\forall i, j \in I$, $i \ne j$: $p_{ij} = \frac{q_{ij}}{\lambda} \ge 0$, $p_{ii} = 1 + \frac{q_{ii}}{\lambda} \ge 0$, and $\sum_{j \in I} p_{ij} = p_{ii} + \sum_{j \in I, j \ne i} p_{ij} = 1 + \frac{q_{ii}}{\lambda} + \sum_{j \in I, j \ne i} \frac{q_{ij}}{\lambda} = 1$. From this, we relate the transition probability matrix $P$ to the transition rate matrix $Q$.
q va 0 0 0 0 0 0 −(q ap +q an +q ad ) q ap q an q ad 0 q ps 0 0 −q ps 0 0 0
$Q$ is a matrix that transitions states by triggering events. At the same time, $Q$ is composed of $Q_{(i,j)}$ for the following 11 events, so the first task is to obtain $Q_{(i,j)}$. (24) $Q_{(i,j)}$ in the matrix is the transition rate from state $i$ to state $j$. Since the transition rate satisfies the Poisson distribution, the intensity of the Poisson process $\lambda^{u/d}_{(ij)}$ is used to represent the state transition rate, that is: Substituting (20) and (21) into (17), the probability that VANETs in each state can be obtained: The transition probability among states can provide theoretical help for the security mechanism of VANET. The following three examples are given to illustrate the scheme in this article. Firstly, VANET will enter a more vulnerable state when the probability of the security state is low. In this case, the system tries to activate its defense mechanisms to strengthen its security level while minimizing the threats. Secondly, the system will transfer to the attacked state according to the transition matrix $\delta(t)$ if it senses that the fragile state's probability is high, i.e., the system is exposed to more attacks. In this case, the system will be reminded to carry out intrusion detection to avoid potential threats. Thirdly, the system will transfer to the degraded state if the probability of the attacked state is high. In such a case, the system makes its best effort to eliminate the threats to ensure the applications run normally; unnecessary applications may be paused until the security is restored.
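The state-probability computation of this section can be sketched as follows; this is an added example, not code from the article. Because the displayed equations are not reproduced here, it assumes the standard uniformization form $\delta(t) = \sum_k e^{-\lambda t}\frac{(\lambda t)^k}{k!}\,\delta(0)P^k$ with $P = I + Q/\lambda$, which matches the definitions of $\delta(0)$, $\lambda t$, $P$ and $p_{ij} = q_{ij}/\lambda$ given above; the rate values and all function names are constructed for illustration.

```python
import math

# State order follows the page's set I = {Ss, Sp, Sv, Sa, Sn, Sd, Sf}.
STATES = ["Ss", "Sp", "Sv", "Sa", "Sn", "Sd", "Sf"]
IDX = {s: i for i, s in enumerate(STATES)}

# Routes (I)-(XI) of Section III-A. The rate values are constructed for
# illustration only; the page gives no numbers for them.
RATES = {
    ("Ss", "Sv"): 0.30,  # (I)    protection measures fail
    ("Sv", "Ss"): 0.50,  # (II)   attacker detected, threat eliminated
    ("Sv", "Sa"): 0.20,  # (III)  attack not detected
    ("Sa", "Sd"): 0.10,  # (IV)   defence strategies fail
    ("Sa", "Sp"): 0.40,  # (V)    threat detected and resisted
    ("Sp", "Ss"): 0.60,  # (VI)   self-healing
    ("Sa", "Sn"): 0.10,  # (VII)  insufficient protection
    ("Sd", "Sf"): 0.20,  # (VIII) degenerate system fails
    ("Sf", "Ss"): 0.05,  # (IX)   manual restoration
    ("Sd", "Ss"): 0.05,  # (X)    manual restoration
    ("Sn", "Ss"): 0.05,  # (XI)   manual restoration
}


def rate_matrix(rates):
    """Build Q: off-diagonal q_ij is the route rate, q_ii = -(sum of row i)."""
    n = len(STATES)
    q = [[0.0] * n for _ in range(n)]
    for (src, dst), r in rates.items():
        if r < 0 or src == dst:
            raise ValueError(f"bad route {src}->{dst} with rate {r}")
        q[IDX[src]][IDX[dst]] += r
        q[IDX[src]][IDX[src]] -= r
    return q


def uniformize(q, lam):
    """P = I + Q/lam, i.e. p_ij = q_ij/lam and p_ii = 1 + q_ii/lam."""
    n = len(q)
    if lam <= 0 or lam < max(-q[i][i] for i in range(n)):
        raise ValueError("lam must be >= the largest exit rate, else p_ii < 0")
    return [[(1.0 if i == j else 0.0) + q[i][j] / lam for j in range(n)]
            for i in range(n)]


def state_probabilities(delta0, q, lam, t, tol=1e-12):
    """delta(t) = sum_k Poisson(k; lam*t) * delta(0) * P^k, truncated at tol."""
    if t < 0 or lam * t > 700:
        raise ValueError("t out of range (exp(-lam*t) would underflow)")
    if abs(sum(delta0) - 1.0) > 1e-9:
        raise ValueError("delta0 must be a probability vector")
    p, n = uniformize(q, lam), len(q)
    weight = math.exp(-lam * t)      # Poisson pmf at k = 0
    vec = list(delta0)               # delta(0) * P^k, starting with k = 0
    out = [weight * v for v in vec]
    mass, k = weight, 0
    k_max = int(lam * t + 12 * math.sqrt(lam * t) + 60)  # guard against rounding
    while 1.0 - mass > tol and k < k_max:
        k += 1
        vec = [sum(vec[i] * p[i][j] for i in range(n)) for j in range(n)]
        weight *= lam * t / k
        out = [o + weight * v for o, v in zip(out, vec)]
        mass += weight
    return out


Q = rate_matrix(RATES)
LAM = sum(RATES.values())            # total rate = sum of the trigger-event rates
START = [1.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]  # vehicle starts in Ss

if __name__ == "__main__":
    for t in (0.5, 2.0, 10.0):
        d = state_probabilities(START, Q, LAM, t)
        print(t, {s: round(x, 4) for s, x in zip(STATES, d)})
```

Choosing $\lambda$ as the sum of all route rates guarantees $p_{ii} \ge 0$ for every state, which is the condition stated in the text.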

IV. RESULTS
We first analyze how the utility function T determines the security state of VANETs in Section IV-A. Furthermore, effects of various environmental parameters on state transition are presented in Section IV-B.

A. ANALYSIS OF THE STATE OF SECURITY
The seven states of VANETs in the state transition model in Fig.1    vehicles to adopt context-aware security strategies adaptively in the dynamic VANET environments. Fig.5 plots the effect of the encrypted block length $N$ on the security strength $\alpha$. It can be seen from the figure that the security strength is enhanced as the length of the encrypted block increases from 64 bytes to 1024 bytes with an exponential ratio of two. This uptrend is obvious since the attacker's strength (i.e., the vulnerability of a data frame) is weakened as the length of the encryption block increases according to (4). Therefore, the security level of a data frame and the system's security can be enhanced accordingly. Fig.6 illustrates the effect of packet arrival rate $\xi$ on delay $D$. It can be observed that the communication delay decreases with the increase of the packet's arrival rate. Furthermore, $D$ approaches positive infinity when the service rate $p_t$ equals $\xi$. This is because the network becomes dense with a high volume of arrival packets, leading to a significant degradation of the delay. Moreover, the inequality $p_t(1 - p_{cf}) < \xi$ can be satisfied if $p_t = \xi$. In this case, $D$ is approximately equal to infinity according to (13). Fig.7 shows the effect of transmit power $p_t$ on state probabilities. It can be noted that with the increase of the transmission power, the probability of a vehicle entering the safe state decreases, and that of a vehicle accessing other (unsafe) states increases accordingly. This is because increasing the transmit power $p_t$ enlarges the average transmission range $r$ according to (9), leading to a high risk of exposure to the attackers. Obviously, both security strength $S_e$ and objective function $T$ show downtrends according to (5) and (1), respectively. Therefore, the upward transfer intensity $\lambda^{u}_{(ij)}$ decreases according to (19), and the downward transfer intensity $\lambda^{d}_{(ij)}$ increases according to (20).
That is to say, the vehicle's system tends to transfer into an insecure state with the increase of transmit power. In conclusion, the VANET will be likely to enter unsafe states to prompt the insecure communication environment when the vehicle transmits with higher power. Therefore, being reminded of the insecure environment, the vehicle can adjust its transmit power to protect VANET against the potential threats.  It can be observed that the VANET is less likely to stay in the secure state Ss as the packet transmission probability increases. The reason for this trend is that increasing the packet transmission probability results in a high communication delay, according to (15). Long delay undoubtedly weakens the security strength because the communication of VANET is more likely to be threatened by attackers. Furthermore, according to (19) and (18), the downward transfer intensity $\lambda^{d}_{(ij)}$ increases while the upward transfer intensity $\lambda^{u}_{(ij)}$ decreases with the increase of $p$. Therefore, the system of VANET is more likely to move into the vulnerable state Sv, as shown with the green curve in Fig.8. In this case, the system will prompt the vehicle to adjust the packet transmission probability or carry out monitoring strategies to avoid possible attacks. Fig.9 describes the effect of data frame length $N_f$ on the probability of each state. It can be observed that the probability of a secure state is in a growing trend but then shows a significant decline as $N_f$ increases. An appropriate frame size suggests a positive effect on the objective function $T$ since it can provide good communication performance by sending more messages. In this case, the upward transfer rate $\lambda^{u}_{(ij)}$ is large, and the downward transfer rate $\lambda^{d}_{(ij)}$ is small. Therefore, the value of the security state probability $\delta(s)$ increases in a short time.
However, the excessive size of the data frame burdens the security strength of the messages according to (5), causing the risk of exposure to an insecure environment. As a result, the probability of the VANET in a security state Ss shows a sharp decline. Fig.9 demonstrates that keeping the length of the data frame at approximately 700 bytes could be the most conducive strategy for the security of VANET.

V. CONCLUSION
This article proposes a context-aware and environment adaptive security quantification scheme for VANET based on the Markov chain. An HCTMC-based security quantification model is first constructed by incorporating the dynamic and randomness of the vehicular channel, along with the QoS consideration. Furthermore, the state transition matrix is derived based on the HDTMC and HPP, which provides a guideline for VANET's security defense mechanisms. Finally, extensive numerical calculations are conducted using various combinations of environment variables such as encryption block length, transmit power, and packet arrival rate. The results show that the proposed security measurement is capable of confirming the current security state of VANET based on a sufficient understanding of “context”, environment, or situation. The system can make effective context-aware security strategies according to the result of security quantification. This article constructs an HCTMC model with limited states of security levels. Future work will focus on designing a quantitative VANET security model with unlimited or continuous state space.
JIAN WANG received the B.Sc., M.Sc., and Ph.D. degrees in computer science from Jilin University, in 2004, 2007, and 2011, respectively. He is currently a Professor with Jilin University. He has published over 50 articles on international journals. His research interests include wireless communication and vehicular networks, especially for network security and privacy protection.
HONGYANG CHEN received the B.Sc. degree in network engineering from Shenyang Aerospace University, China, in 2017. She is currently pursuing the master's degree with the College of Software, Jilin University. Her research interest includes vehicular ad hoc networks, especially for vehicle safety.
ZEMIN SUN received the B.Sc. and M.Sc. degrees in software engineering and computer science from Jilin University, China, in 2015 and 2018, respectively, where she is currently pursuing the Ph.D. degree. Her research interests include communication quality and security in vehicular networks, and game theory.