A Survey: Intrusion Detection System for Vehicular Ad-Hoc Networks (VANETs)

In recent years, the security issues on Vehicular ad hoc networks (VANETs) have become one of the primary concerns. Vehicular Ad Hoc Network has attracted both research and industrial community due to its benefits in facilitating human life and enhancing the security and comfort. However, various issues have been faced in such networks such as information security, routing reliability, dynamic high mobility of vehicles that influence the stability of communication. Furthermore, VANETs are vulnerable against attacks so this can directly lead to the corruption of networks and then possibly provoke big losses of time, money, and even lives. This paper presents a survey of VANETs attacks and solutions in carefully considering other similar works as well as updating new attacks and categorizing them into different classes.


Introduction
Vehicular Ad-hoc Network (VANET) is not a new topic, it continues to provide new research challenges and problems [1]. It is a technology that uses moving cars as nodes in a network to create a mobile network [2]. The main objective of VANET is to help a group of vehicles to set up and maintain a communication network among them without using any central base station or any controller. A vehicle can communicate with another vehicle directly which is called Vehicle to Vehicle (V2V) communication, or a vehicle can communicate to an infrastructure such as a Road Side Unit (RSU), known as Vehicle-to-Infrastructure (V2I) [1].
VANETs introduce applications of Intelligent Transport System which provides legitimate information to the users on the road in order to increase the road and users safety. It is very effectively used for spontaneous creation of wireless network of vehicles for exchanging information between them, for improved transport and traffic management and to enable various users to be sufficiently informed about the road and make safer and smarter decisions on road by using transport networks [3].
With the development of VANET applications, there are so many issues raised. Among many other issues, security issue of VANET cannot be ignored. VANETs have wireless nature property, which makes it vulnerable for attackers to exploit. This opens the door for attackers to unconsciously or intentionally damage a part of or the total network. Attacks to VANETs may lead to catastrophic consequences such as the losses of lives in the case of traffic accident, losses of time (e.g., tampering traffic jam made by attacks) or financial losses (i.e., in payment services) [4].

Security Requirements in VANETs
Security in VANET is critical due to vulnerabilities exist during information transmission in VANET, which causing VANET exposed to the attacks. In order to maintain a secure vehicular communication and networks, VANET security system should satisfy with the requirements. Some of the requirements are essential for all networks, but some are definite for VANET only [5]. Those requirements are: 2.1. Authentication: in order to allow the communication between vehicles which sending and receiving information, VANET should authenticate each of them. This process may comprise the identification of the sender identity and the legitimacy of the sender to use the network [5]. Authenticity involves proof of identity. Users should be able to identify each other's identity with which they are interacting. It can be verified through authentication process so the unauthorized entity cannot participate in the communication.

Availability
: is defined as the degree of the VANET system that must be operable and available when needed.
A fast response time also must applicable for some applications [5]. 2.3. Privacy: is one of the most important requirements in VANET. Privacy must ensure that the identity of the drivers and the location of the vehicles are not being exposed [5]. An attacker can easily intercept the message passing from sender to the receiver so that privacy can be leaked and content can be modified. So that secure message passing is required in VANET. 2.4. Integrity: the information exchange in between the sender and the receiver should be free from the alteration attacks. Thus, information can be trusted [5]. The message must not be altered in transit; it should be received at receiver node same as it is sent at sender node. Integrity guarantees that message has not been altered by unauthorized persons while in transmission.

Non-repudiation:
it ensures that the origin of the information cannot be denying that it has sending the information [5]. Non-repudiation ensures that the sender and receiver cannot deny having sent and received the message respectively.

Attackers in VANET
3.1. Passive Attackers: As the name suggests these attackers do not participate in the communication process but only surveillance the wireless channel to bring out information and pass them to other attackers that is they have an indirect involvement in the attack [6]. 3.2. Active Attackers: Active attackers have a direct involvement in the attack. These kinds of attackers either generate a wrong set of information or do not forward the correct information received that is the message is misinformed [6].

Insider Attackers:
Such attackers are the legitimate users having complete knowledge of the configuration and usage of the network which provides them an easier access to creating problems as compared to other attack [6].

Outsider Attackers:
As compared to the insider attackers these create fewer problems. Such intruders are the legitimate users and create problems by misusing the protocols of the network and thus attackers in such cases are limited [6].

Malicious Attackers:
The objective of such attackers is to disturb the effective working of the network without drawing any personal benefits from it, but harming the network members and its function. Such attackers cause a severe damage to the network and are thus considered as the most hazardous [6]. 3.6. Rational Attackers: Being more predictable, such attackers seek to draw out personal benefits from the attack [6].

Local Attackers:
Attackers are limited to a specified area and thus attack with a limited scope. But this may involve the main area of the road thus causing a severe damage in the network [6].

Attacks in VANET
VANETs are exposed to various types of attacks both from internal and external. Attacks are mainly classified by two types inside and outside attacks. In an outside attack, the attacker is not a part of the network while in an inside attack, the attack can be initiated by compromised or malicious nodes that are part of the network. In the following, we discuss some potential cyber-attacks on VANET applications.

Denial of Service (DoS) Attack
: is always one of the most serious level attacks in every network. The scenarios to perform are very diverse. The main aim is to prevent the authentic users to access the network services. In DoS attacks, attackers may transmit dummy messages to jam the channel and thus, reduce the efficiency and performance of the network. A part of or the total network is no longer available to legitimate users [4]. The below figure describe the concept of DoS.

Gray Hole attack:
This attack occurs if some node dropping 50% of the packets and rest 50% is sending by altering the message [6]. 4.4. Black hole attack: is the attack that is carried out to disrupt the normal performance of the networks. It is a security attack in which malicious node absorbs all data packets by sending fake routing information and drops them without forwarding them. In black hole attack, a malicious node uses its routing protocol in order to advertise itself for having the shortest path to the destination node or to the packet it wants to intercept. Attacker node will always have the availability in replying to the route request and thus intercept the data packet and retain it. In protocol based on flooding, the malicious node reply will be received by the requesting node before the reception of reply from actual node; hence a malicious and forged route is created. When this route is establish, now it's up to the node whether to drop all the packets or forward it to the unknown address [7].

Selective Forwarding Attack:
In this attack, malicious node acts as a normal node but it selectively drops some packets [8]. Black hole attack is the simplest form of selective forwarding attack in which all packets are dropped by the malicious node. 4.6. Wormhole Attack: In this attack, the adversary node creates a virtual tunnel between two ends. An adversary node acts as a forwarding node between two actual nodes. The two malicious nodes usually claim that they are one hop away from the base station. The wormhole attack can also be used to convince two distinct nodes that they are the neighbors by relaying packets between two of them [9]. 4.7. Sinkhole Attack: In this attack, malicious node attracts network traffic towards it. To launch these types of attack, a malicious node attract all adjacent nodes to forward their packets through the malicious node by showing its routing cost minimum. The attacker creates an attack by introducing false node inside a network [8].

Sybil Attack:
In this attack, the node has multiple identities. The routing protocol, detection algorithm and cooperation processes can be attacked by a malicious node [8]. 4.9. Hello Flood Attack: In a sensor network, the routing protocol broadcast hello message to announce its presence to its neighbors. A node which receives the hello message may assume that the source node is within its communication range and add this source node to its neighbor list [10].

Intrusion detection system
Intrusion Detection System (IDS) is used to monitor the malicious traffic in particular node and network. It can act as a second line of defense which can defend the network from intruders. IDS can be a software or hardware tools. IDS can inspect and investigate machines and user actions, detect signatures of well-known attacks and identify malicious network activity. The goal of IDS is to observe the networks and nodes, detect various intrusions in the network, and alert the users after intrusions had been detected. The IDS works as an alarm or network observer it avoids damage of the systems by generating an alert before the attackers begin to attack. It can detect both internal and external attacks. Internal attacks are launched by malicious or compromised nodes that belong to the network, whereas external attacks are launched by third parties who are initiated by outside network [6]. IDS detect the network packets and determine whether they are intruders or legitimate users. There mainly three components of IDS: Monitoring, Analysis and detection, Alarm. The monitoring module monitors the network traffics, patterns and resources. Analysis and Detection is a core component of IDS which detects the intrusions according to specified algorithm. Alarm module raised an alarm if intrusion is detected [6].

Types of intrusion detection systems 1.
Signature Based IDS: Signature based IDS matches the existing profile of the network against predefined attack patterns or signatures. It is also known as a rule-based detection technique. Signatures or patterns are pre-defined, stored in the database and each attack can be detected according to patterns or signatures. This technique is simple to use. This technique only requires patterns of individual attacks and must also store those patterns in some database. This approach needs specific knowledge of the individual attack. It needs more storage space with increasing the number of attacks. Thus, this approach is very expensive. This technique cannot identify new attacks unless their signatures or patterns are manually added into the database. So it needs up-gradation of database regularly with new signatures of attacks. Thus, it is a static approach. This approach has two main disadvantages: a) it needs the knowledge to form attack patterns. b) It cannot discover new and previously Innovative Systems Design and Engineering www.iiste.org ISSN 2222-1727 (Paper) ISSN 2222-2871 (Online) Vol. 11, No.4, 2020 unknown attacks [6].

2.
Anomaly Based IDS: This technique is also known as event-based detection. This technique identifies malicious activities by analyzing the event. Firstly, it defines the normal behavior of the network. Then, if any activity differs from normal behavior then its mark as an intrusion. In this approach, a malicious node can be detected by matching the current protocol specification with previously defined protocol state. This approach detects attacks more efficiently than Signature based IDS. The main concepts behind this kind of security mechanisms are copied from statistical behavior modeling, which identifies malicious contents in a precise and reliable way with giving little incorrect positives rates. Automated training is generally used to define a normal behavior of the system. It is a very costly method for resource-constrained objects [6].

3.
Specification Based IDS: This technique is somewhat similar to anomaly detection technique. In this technique, the normal behavior of the network is defined by manually, so it gives less incorrect positives rate. This technique attempts to excerpt best between signature-based and anomaly based detection approaches by trying to clarify deviations from normal behavioral patterns that are created neither by the training data nor by the machine learning method. The development of attack or protocol specification is done by manually so it takes more time. So, this can be a disadvantage of this approach [6].

Existing IDS Approaches Anomaly Based Approaches
In [11], the authors proposed detection and interception of Black Hole Attack using Anomaly based approach. The paper was intended to present an effectual approach to detect and intercept this attack taking into account Dynamic MANET on-demand (DYMO) routing protocol. This work presupposes working in three modulesplanting, detection and ultimately the interception against the black hole attack. An IDS is initiated on the notion of machine leaning using MATLAB software. A relative scrutiny of IDS grounded on classifiers like K-Nearest Neighbor, Support Vector Machine, Decision tree and neural network is also conducted to make it certain that the best feasible classifier is settled on for administering the IDS. The analysis of the put forward work is subsequently accomplished taking miscellaneous metrics covering packet drop rate, average transmission delay, Packet Delivery Ratio along with throughput.
1. Specification Based approaches Chen Jun [12] proposed event processing based IDS to solve the problem of real time of IDS in VANET. In this approach, they designed the IDS architecture on the basis of Event Processing Model (EPM). It is rule-based IDS in which rules are stored in Rule Pattern Repository and takes SQL and EPL of Epser as a reference. According to obtained result, this approach consumed more CPU resources, consumed less memory and took less processing time than traditional IDS.
Ms. T. Eswari [13] proposed a rule-based intrusion detection system framework for VANET. There are three main phases of this approach. The first phase is local auditing phase which validates the packets to verify that packet is arriving from a valid neighboring node or not. The second phase is rule application phase which works in promiscuous mode. The third phase is intrusion detection phase which detects routing attacks by validating data collected from content suppression unit. This security mechanism can be able to detect only routing attacks.
In [14], the author analyze the effect of the wormhole attack in Optimized Link State routing (OLSR), which is a standard proactive routing protocol for VANET. A modified version of wormhole attack is developed in this paper, called camouflaging wormhole attack, and a corresponding specification based IDS is designed to detect and prevent this attack. Finally, Network Simulator (NS2) is used to measure the performance of the propose algorithm. The subsequent experimental results show that the efficiency of the proposed scheme.
2. Cluster-Based Approach Christian Cervantes [15] proposed IDS to detect sinkhole attacks for VANET called as INTI which is implemented in Cooja simulator. The proposed system defines four modules. The first module is Cluster con-figure ration module which is responsible for classifying a node like members, leaders and associated according to their network functions. The second one is monitoring of routing module in which observer node monitors the number of transmissions is performed. The third one is attacker detection module which detects the sinkhole attacking node. The fourth module is the isolation of attacker module which isolates the malicious node from the cluster and it also raised an alarm to inform its neighboring nodes. The simulation result shows that 92% detection rate is achieved. This approach only detects sinkhole attacks so work can be enhanced by detection of other types of attacks.
3. Hybrid Approach Shahid Raza [16] proposed a real-time intrusion detection system in IoT called as SVELTE. SVELTE is only IDS available in VANET which is implemented in Contiki OS. In this approach, there are three main centralized elements which are placed in 6LoWPAN Border Router. The first element is 6LoWPAN Mapped which collects information about the RPL protocol and rebuild the networks in 6BR. The second element is intrusion detection element which detects the intrusion by analyzing the mapped data. The third element is a distributed mini firewall which filters the malicious traffic before it reaches to the network. This approach can only detect spoofing attacks Innovative Systems Design and Engineering www.iiste.org ISSN 2222-1727 (Paper) ISSN 2222-2871 (Online) Vol. 11, No.4, 2020 13 inside the network, sinkhole and selective forwarding attacks.

Conclusion
In this paper, we made an attempt to provide a survey on the intrusion detection system for the VANET (vehicular ad-hoc network). With the development of VANET, there are so many issues raised. Among many other issues, security issues cannot be ignored. Here we discussed some potential security attacks which are made on VANET applications and various intrusion detection approaches which are available to mitigate those attacks. Still those approaches cannot be able to detect all types of cyber-attacks and are not feasible for VANET because it requires more processing power, memory and bandwidth for intrusion detection. Thus, future research in this direction would be to develop lightweight security mechanism which will take fewer resources for intrusion detection.