23906 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO.
12, DECEMBER 2022
LSTM-Based Intrusion Detection System for
VANETs: A Time Series Classification
Approach to False Message Detection
Yantao Yu , Graduate Student Member, IEEE, Xin Zeng , Xiaoping Xue , Member, IEEE, and Jingxiao Ma
Abstract— In vehicular ad hoc networks (VANETs), vehicles
broadcast emergency messages and beacon messages, which
enable drivers to perceive traffic conditions beyond their visual
range thus improve driving safety. However, internal attackers
can launch a false message attack for selfish purposes by
reporting a non-existent traffic incident in emergency messages.
Moreover, some collusion attackers may spread bogus beacon
messages cooperatively to make the bogus traffic incident more
deceptive. To improve the accuracy of false emergency message
detection, we propose a novel intrusion detection system (IDS)
based on time series classification and deep learning. Consid-
ering that traffic parameters are highly correlated with time,
we collect time series of traffic parameters closely related to
traffic incidents from messages of vehicles near reported traffic
incidents as time series feature vectors. To recognize the pattern
of traffic parameters changing over time more accurately, a traffic
incident classifier based on long short-term memory (LSTM)
is designed and trained using time series feature vectors from
both normal and collusion attack scenarios. Based on the
classification result, the authenticity of the emergency message
can be determined. Finally, we evaluate the performance of
the proposed LSTM-based IDS through extensive simulation.
Simulation results validate that our IDS is more accurate in
false message detection compared with some well-known machine
learning-based schemes.
Index Terms— Vehicular ad hoc networks (VANETs), intrusion
detection, false message detection, time series classification, deep
learning, long short-term memory model (LSTM).
I. I NTRODUCTION
V EHICULAR ad hoc networks (VANETs) have gained
increasing attention from academics and industry in
recent years. With the variety of applications of safety, traffic
efficiency, and infotainment, VANETs have been used as
communication infrastructures of emerging technologies, such
as intelligent transportation systems (ITSs), connected and
autonomous vehicles (CAVs), and smart cities [1].
Improving driving safety is the crucial goal of VANETs.
In VANETs, vehicles share traffic data and road conditions in
Manuscript received 7 October 2021; revised 15 April 2022; accepted 8 July
2022. Date of publication 18 July 2022; date of current version 5 December
2022. This work was supported in part by the National Natural Science
Foundation of China under Grant 61871290, in part by the Shanghai Sailing
Program under Grant 19YF1451500, and in part by the Program of Shanghai
Science and Technology Innovation Action Plan under Grant 19DZ1201100.
The Associate Editor for this article was R. Arghandeh. (Corresponding
author: Xin Zeng.)
The authors are with the College of Electronic and Information Engineering,
Tongji University, Shanghai 201804, China (e-mail: zengxin1@tongji.edu.cn).
Digital Object Identifier 10.1109/TITS.2022.3190432
1558-0016 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
real time by broadcasting messages. These messages enable
drivers to perceive traffic conditions beyond their visual range,
thus helping drivers to take action in advance to avoid traffic
accidents [2].
Due to the safety-critical nature of the messages exchange
in VANETs, it is vital to ensure the security of VANETs,
especially the authenticity of messages. In order to realize
safety applications, vehicles are allowed to broadcast two types
of messages: beacon messages, which are periodic and used to
show the basic motion state of a vehicle in the network, and
emergency messages, which are used to report the occurrences
of traffic incidents (such as accidents, poor road conditions,
and congestion, etc.). However, bogus information can be
injected into the network intentionally (attacker) or uninten-
tionally (faults) [3]. Malicious attackers can broadcast false
emergency messages (like false congestion information) to
change the normal behavior of other vehicles for their benefit.
More seriously, some collusion attackers may spread bogus
beacon messages simultaneously to make the false emergency
messages more convincing. Unreliable messages may mislead
the drivers to make wrong driving decisions, which may reduce
traffic efficiency and even cause major traffic accidents. Hence,
effective detection of false messages is essential in VANETs.
The existing mechanisms for ensuring the information
security of the VANETs can be mainly divided into three
categories: authentication-based scheme, node-centric scheme,
and data-centric scheme. Authentication-based schemes focus
on verifying the identity of the node. Node-centric schemes
evaluate the credibility of vehicles based on their historical
behavior. Data-centric schemes check the plausibility of the
message itself.
In authentication-based schemes [4], the messages are
attached with the sender’s public key certificate and digital
signature which are generated by cryptographic techniques.
Among them, the certificate guarantees that the message comes
from a legitimate user, and the digital signature ensures the
integrity and non-repudiation of the message. However, these
schemes can only isolate illegal nodes, and cannot prevent
internal attackers from spreading false messages.
In recent years, various false message detection methods
for internal attackers have been proposed. In node-centric
schemes [5], [6], the concept of trust or reputation is used
to measure the degree to which a vehicle node can be trusted.
Each vehicle observes the behavior of its neighbors and uses
YU et al.: LSTM-BASED IDS FOR VANETs
a numerical score to evaluate the trustworthiness of the node.
A central reputation server is set to maintain and update
the reputation score of the vehicle node in the network.
However, due to the unique nature of VANETs, such as a
large geographical range and high node mobility, querying
and updating the reputation score is time-consuming, and it is
difficult to meet the real-time requirements for false message
detection.
To address the above challenge, data-centric schemes have
been proposed to detect false messages more effectively by
using fully distributed and localized algorithms, in which each
vehicle collects possible evidence independently or coopera-
tively to verify the authenticity of the safety message. Typical
methods include heartbeat-based scheme [7], consistency and
plausibility checking [8], [9], threshold-based scheme [10],
[11], etc. However, these solutions mainly collect evidence
from the communication process of messages, and few efforts
attempt to utilize out-domain information (i.e. traffic parame-
ters) to analyze whether the reported traffic incident actually
happened.
Some schemes [12]–[14] choose traffic flow as the observa-
tion data on macroscopic traffic conditions. The actual traffic
condition is estimated according to the statistical trend of
traffic flow. However, the calculation of traffic flow is based
on a linear speed-density model called Greenshields, which is
not accurate to fit real traffic data. It is noted that some more
realistic nonlinear speed-density models are proposed in the
field of transportation, such as Greenberg, Underwood, and the
logistic model [15]. These models show a better fitting effect
on empirical observation data [16]. So it can be concluded
that the linear Greenshields model is insufficient for estimating
actual traffic conditions.
As a universal nonlinear model [17], deep learning is suit-
able for fitting nonlinear traffic models. By introducing various
nonlinear activation functions, it can fit complex nonlinear
functions. Furthermore, traffic parameters are highly correlated
with time. With strong ability of nonlinear modeling and time
series processing, the long short-term memory model (LSTM)
is suitable for identifying traffic conditions based on the
time series of traffic parameters in our intrusion detection
system (IDS).
In summary, with the help of emergency messages and bea-
con messages, vehicles can perceive traffic conditions beyond
their visual range. However, these messages can be false and
affect driving decisions. To detect a false emergency message,
vehicles need to determine whether the current traffic condition
matches the description of the message. To accurately identify
the current traffic condition, we collect multiple types of traffic
parameters from the vehicles near the reported traffic incident,
and the mapping relationship between traffic parameters and
specific traffic incidents is established considering time and
position factors. To prevent collusion attacks, we also consider
the fact that false beacon messages may mislead the intrusion
detection of false emergency messages. The contributions of
this paper can be summarized as follows:
(1) The proposed IDS constructs time series of traffic
parameters of all the vehicles within a certain range of
the warning vehicle, to comprehensively describe the traffic
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
23907
condition around the warning vehicle. In our scheme, the
attacker or collusion attackers cannot affect other vehicles by
simply forging several beacon messages. Instead, they need to
assess the current traffic trend over time and precisely affect
the statistical time series within a certain range and within
a period of time, which makes their attacking attempt very
difficult, if not impossible, to succeed.
(2) An LSTM-based traffic incident classifier is designed
and trained to classify time series of traffic parameters, and
the pattern of traffic parameters changing over time can be
accurately recognized. The effect of time steps on the accuracy
of the LSTM-based classifier is also investigated.
(3) To detect false emergency messages under collusion
attacks more effectively, in the process of training the traffic
incident classifier, we collect data sets under varying collu-
sion attacker proportions. We also investigate the effect of
collusion attacker proportions on the accuracy of the proposed
IDS.
The remainder of this paper is organized as follows. Related
work is discussed in Section II. The VANETs model and
attack model are presented in Section III. In Section IV, the
overview of the proposed IDS is provided. The results of
the performance evaluation are showed in Section V, and the
conclusion is drawn in Section VI.
II. R ELATED W ORK
The security of VANETs is a critical issue that has been the
focus of research for many years [18]. The users of VANETs
are informed of traffic incidents based on received safety
messages. Therefore, false messages pose a major threat to
traffic safety. The traditional authentication-based schemes use
cryptographic techniques, such as digital signature [19] and
pseudonym [20], to ensure the legitimacy of the node identity
and the integrity of the message. However, these mechanisms
can isolate external attackers but cannot guarantee that mes-
sages from legitimate vehicles are true. Several approaches
aimed at detecting false messages from internal attackers have
been proposed and they can be mainly classified into two
categories: (1) node-centric scheme (i.e. trust/reputation-based
scheme), and (2) data-centric scheme (i.e. information-oriented
scheme).
In node-centric schemes, the reliability of a message is
evaluated according to the past communication history of
the sender vehicle [21]. A numerical score (i.e. trustworthi-
ness/reputation score) is used to quantify the healthy degree
of a vehicle node. A message is considered reliable if its sender
node has a sufficiently high score. A centralized infrastructure
called reputation server (i.e. trusted authority) is designed by
Li et al. [5] to collect, update and certify the reputation score
of each vehicle. However, it’s impractical to maintain trust
or reputation in a centralized way due to the high mobility
with dynamic topology and larger network size of VANETs.
The trust management of vehicles can also be implemented in
a decentralized/self-organizing way. In [6], a reputation man-
agement system is built for each vehicle to quickly establish a
trust relationship with other vehicles. The trust-based scheme
is useful but it’s not suitable for delay-sensitive applications
(e.g. false emergency message detection) as trust is built over
23908 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 12, DECEMBER 2022
a period of time. Moreover, false messages from vehicles with
high reputation cannot be identified.
Data-centric schemes have been proposed to tackle these
problems. It directly evaluates the reliability of the message
itself, rather than identifying malicious nodes. Each vehicle
collects evidence to verify received messages locally or with
the help of neighboring vehicles. Gurung et al. [22] propose
the Real-time Message Content Validation (RMCV) scheme
in VANETs to estimate the trustworthiness of messages based
on content similarity, content conflict, and route similarity.
But this scheme dose not perform well when the propor-
tion of false messages in the network is high. To overcome
this shortcoming, Sun et al. [23] designs a data trust frame-
work based on the idea of verifying the implied effect of
a vehicle’s reported data by using secure wireless physical
layer measurements. In the heartbeat-based scheme [7], each
vehicle continuously collects beacon messages (contain speed,
position, and steering angle of senders) from its neighboring
vehicles, and calculates the expected position of senders at the
next sampling time. If the predicted position is inconsistent
with the reported position, the suspicion index of the sender
increases. When the suspicion index exceeds the threshold, the
sender is regarded as a malicious vehicle. In the threshold-
based scheme [10], [11], a vehicle accepts an emergency
message only if the number of received messages reporting
the identical information exceeds a predefined threshold. It’s
easy to implement but it’s hard to determine the optimal
threshold. The above schemes focus on how the evidence
is collected from the communication process of messages,
and the inherent characteristics of traffic data have not been
analyzed to estimate actual traffic conditions.
In realistic traffic scenarios, the occurrence of traffic inci-
dents will cause abnormal fluctuations in traffic parameters.
By observing the changes in traffic parameters, whether
the traffic incident actually happened can be judged. Traffic
flow-based schemes [12]–[14] choose traffic flow as obser-
vations of macroscopic traffic conditions. Zaidi et al. [12]
propose a host-based IDS to detect false emergency messages
using a traffic model, in which vehicles share their observation
data on the traffic condition, and a hypothesis test method is
used to identify the changes in traffic flow and decide to accept
or reject the emergency message. Liu et al. [13] extract two
typical traffic patterns, i.e. lane-blocking and blocking-free,
and establish a traffic model to estimate the probability density
function of traffic parameters. Based on Bayesian inference,
the likelihood of each traffic pattern is calculated to determine
whether the accident reported by the emergency message has
occurred. In [14], an IDS for VANETs is proposed to detect
false information attacks and Sybil attacks. It’s able to extract
more distinct traffic flow features by taking the range of
distance between vehicles into account.
The above schemes based on traffic flow consider the impact
of traffic incidents on traffic parameters, and the calculation
of traffic flow is based on the oversimplified Greenshields
model [24], in which speed and vehicle density obey a negative
correlation linear relationship. Due to the nonlinear nature
of traffic flow [25], the Greenshields model is not accurate
to fit real traffic data. This linear speed-density model was
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
improved to nonlinear models in several studies that fol-
lowed. Greenberg [26] hypothesizes a logarithmic relationship
between speed and density, while Underwood [27] establishes
an exponential model. It is observed that the Greenberg model
has a better fit for congested conditions, while the Under-
wood model behaves well under uncongested conditions [28].
Wang et al. [16] propose a logistic model of the equilibrium
speed-density relationship. The empirical validation shows
that the proposed five-parameter logistic model matches the
empirical observation data better than the previously proposed
models. It can be seen that the linear Greenshields model
is insufficient for matching actual traffic data. With strong
nonlinear fitting ability, machine learning or deep learning can
establish the mapping between traffic parameters and real traf-
fic conditions more effectively. Some machine learning-based
approaches for false message detection in VANETs have been
proposed, such as support vector machine (SVM) [29], [30],
back propagation neural network (BPNN) [31], random forest
(RF) [32], etc. However, few studies consider the fact that
traffic parameters are highly correlated with time, so the
pattern of traffic parameters changing over time cannot be
accurately extracted.
To address the challenging problems mentioned above, this
work proposes a novel IDS based on deep learning and time
series classification. Comparisons are made between the pro-
posed scheme and the main existing VANET security schemes
as shown in Table I. As a data-centric scheme, the proposed
scheme can detect false messages from internal attackers and
those with a high reputation, which make up for the weakness
of authentication-based schemes and node-centric schemes,
respectively. Different from traditional data-centric schemes,
our scheme detects false messages based on the effect of traffic
incidents on traffic parameters, which can judge whether the
traffic incidents happen. Unlike the existing traffic flow-based
schemes that evaluate the traffic condition only by stationary
traffic statistics and thus the pattern of traffic flow is not well
revealed, our proposed scheme constructs time series of traffic
parameters to comprehensively describe the traffic condition
and can extract the pattern of traffic parameters changing over
time using deep learning. In order to successfully launch an
attack, the attackers need to evaluate the current traffic trend
over a period of time, and cooperatively forge their beacon
messages to precisely affect the statistical time series, which
is very difficult to realize.
III. S YSTEM M ODEL
A. VANETs Model
As shown in Fig. 1, we consider a road safety application
where a vehicle broadcast an emergency message to report
a traffic incident, and a VANETs model on a highway is
provided. There are three roles, i.e. warning vehicle, own
vehicle, and neighboring vehicle. The own vehicle refers to the
considered vehicle that receives an emergency message and is
about to run IDS’s algorithm to detect false messages. The
warning vehicle is the witness of the traffic incident and the
sender of the emergency message. The neighboring vehicles
are within the communication range of the own vehicle and
can directly communicate with the own vehicle.
YU et al.: LSTM-BASED IDS FOR VANETs 23909

TABLE I
C OMPARISON B ETWEEN THE P ROPOSED S CHEME AND E XISTING VANET S ECURITY S CHEMES

Fig. 1. VANETs model on a highway.

In this model, each vehicle broadcasts a beacon message
every time tbeacon . The own vehicle (V0 ) stores beacon mes-
sages of neighboring vehicles (V1 to V6 ) for the latest observa-
tion time tobserve in a table called Current Neighbor List (CNL)
(which will be elaborated in Chapter 4). Suppose that at time
t0 , V1 senses a traffic incident (e.g. an accident), and it will
broadcast an emergency message to vehicles behind. When
V0 receives the emergency message, its CNL stores beacon
messages of neighboring vehicles within [t0 − tobserve , t0 ].
To verify the authenticity of the emergency message, V0 col-
lects evidence related to vehicles in the observation area
(V1 , V2 , and V3 ) from CNL and runs the IDS algorithm. The
observation area is near the warning vehicle and is included
in the communication range of the own vehicle. This area is
closer to the traffic incident, so it can better reflect the current
traffic situation.
Each vehicle can get the number of its neighboring vehicles
by checking their IDs in messages received at a certain
time. In addition, we assume that each vehicle is equipped
with a GPS device that can accurately obtain its position
Pos(X pos , Ypos ).
B. Message Format
1) Beacon Message: To communicate with the neighbor-
ing vehicles, each vehicle continuously broadcasts a beacon
message (Beacon Msg) with a period tbeacon . The beacon
message mainly contains the information of the vehicle motion
state [33], and we define its format as:
Beacon Msg(I D, v, a, Pos),
where I D, v, a, and Pos represent the vehicle’s identity,
speed, acceleration, and position, respectively.
2) Emergency Message: Emergency messages are driven by
traffic incidents. When a vehicle senses the occurrence of a
road traffic incident, it will broadcast an emergency message

Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
23910 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 12, DECEMBER 2022

Fig. 2. A scenario of false message attack. Fig. 3. A scenario of collusion attack.

(Emergency Msg) containing traffic incident information to

the vehicles behind it. Refer to [34], its format is defined as:
Emergency Msg(I D, E type , E pos ),
where E type is the type of traffic incident, such as accidents,
poor road conditions, congestion, etc., and E pos is the location
of the incident.
Fig. 4. Scheme of the proposed IDS.
C. Attack Model
In VANETs, internal attackers can broadcast false messages
VE spreads the periodic false beacon message Beacon Msg 
independently or cooperatively. Refer to [35], 2 forms of
cooperatively. The bogus beacon message has the following
attacks related to false emergency messages are defined.
format:
1) False Emergency Message Attack: False emergency mes-
sages can be broadcast by a single malicious vehicle to Beacon Msg (I D, v  , a  , Pos  ),
declare a non-existent traffic incident, which affects the driving
where v  , a  , and Pos  are the bogus speed, acceleration, and
decisions of subsequent vehicles.
position of the sender, and their changing trends over time
A scenario of a false emergency message attack is shown
match the false traffic incident.
in Fig. 2. VA , VB , and VC are driving normally on the
In reality, large-scale collusion attacks are difficult to
road, but malicious vehicle VC broadcasts a false emergency
achieve. So it is assumed that the majority of vehicles are
Emergency Msg  to declare a non-existent traffic incident.
honest.
The false message can mislead VD to suddenly change its
behavior (e.g. slow down or reroute) and even cause an
IV. LSTM-BASED IDS
accident. The format of the false emergency message can be
represented as: A. Overview
Based on the fact that different traffic incidents will cause
Emergency Msg  (I D, E type
 
, E pos ),
traffic parameters to fluctuate in different patterns, the core

where E type 
and E pos represent the type and position of the idea of the scheme proposed is as follows. Firstly, collect the
non-existent traffic incident respectively. traffic parameters within a period of observation time from
2) Collusion Attack: To make it more difficult to distinguish messages of vehicles near reported traffic incidents to form a
false emergency messages, some collusion attackers forge their multi-dimensional time series (MTS). Secondly, classify the
beacon messages while disseminating false emergency mes- MTS to determine the current traffic incident. Finally, the
sages to simulate the real state of movement after encountering authenticity of the emergency message is judged according to
a traffic incident. In most of the existing IDSs, multiple reports whether the classification result is consistent with the reported
with similar content can be regarded as a stronger signal traffic incident.
of high credibility than a single report. Therefore, collusion As shown in Fig. 4, the proposed IDS is deployed at
attacks can weaken the performance of IDSs and cause serious each vehicle node and it operates in a fully distributed style.
harm to the reliability of VANETs. It mainly consists of 3 modules: time series data concatenation
A scenario of collusion attack is shown in Fig. 3. VA , (Module I), LSTM-based traffic incident classifier (Module II),
VB , VC , and VE are driving normally on the road. Similarly, and decision of false message (Module III).
VC broadcasts a false emergency message. To make the false Each vehicle periodically receives beacon messages from
traffic incident more convincing to VD , the collusion attacker its neighboring vehicles and collects real-time traffic data

Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
YU et al.: LSTM-BASED IDS FOR VANETs
TABLE II
C URRENT N EIGHBOR L IST
from it. When a vehicle receives an emergency message, its
IDS’s algorithm for false emergency message detection is
triggered. A time series data concatenation process (Module I)
is first performed, in which the vehicle concats traffic data into
multi-dimensional time series as evidence for traffic incident
classification. In Module II, a pre-trained LSTM-based traffic
incident classifier is responsible for identifying the current
traffic incident. Finally, false emergency message detection
(Module III) is executed based on the classification result of
traffic incidents. Among them, the model parameters of the
traffic incident classifier have been trained by the central server
according to the existing historical traffic database. The dataset
is collected from realistic traffic data and updated in real time.
B. Time Series Data Concatenation
This module aims to collect time series of traffic parameters
closely related to traffic incidents, as evidence for real-time
identification of traffic incidents, and to provide input for the
traffic incident classifier.
Similar to [14], the vehicle in the proposed scheme main-
tains the Current Neighbor List (CNL) by collecting beacon
messages, which contain its neighboring vehicles’ traffic data.
Different from [14], the CNL in this paper stores the time
series of traffic data in the latest period of time tobserve , that
is, there are data at n = tobserve /tbeacon  points in time.
An example of the CNL stored by a vehicle at time t is shown
in Table II.
In Table II, v i,T is the time series of the speed of Vi
 T ∈ {t − n + 1, t − n + 2, . . . , t − 1, t}, that is, v i,T =
on
v i,t −n+1 , v i,t −n+2 , . . . , v i,t −1 , v i,t . The sampling time inter-
val of the data is tbeacon . a i,T and Pos i,T are the time series
of acceleration and position of Vi on T respectively.
At time t + 1 (i.e., at the next sampling time), the CNL
will be updated, and store the time series of the vehicle on
T  ∈ {t − n + 2, t − n + 3, . . . , t, t + 1}.
Suppose that the own vehicle Vo receives the emergency
message from Vw (i.e. the warning vehicle) at time t, and
obtains the time series feature vector Xo,T from its stored
CNL to accurately describe the current traffic condition. The
definition of Xo,T is shown in formula (1) and the meaning
of each feature is shown in Table III.
 
Xo,T = v w,T , aw,T , d w,T , v̄ w,T , ā w,T , N w,T . (1)
The above features include traffic parameters of the warning
vehicle (v w,T , aw,T , and d w,T ) and the vehicles in the obser-
vation area (v̄ w,T , ā w,T , and N w,T ). When vehicle drivers
encounter different traffic conditions, they will take different
driving decisions (such as slowing down, changing lanes,
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
23911
TABLE III
T HE M EANING OF E ACH F EATURE OF THE T IME S ERIES F EATURE
V ECTOR U SED FOR T RAFFIC I NCIDENT C LASSIFICATION
etc.), which can be reflected by the speed, acceleration, and
other traffic parameters of the vehicle showing the different
trends over time. Moreover, the influence of traffic incidents
is distance-dependent. So v w,T , aw,T , and d w,T are taken into
account. In addition, traffic incidents will affect the group of
vehicles in the affected area. The driving status of neighboring
vehicles is closely related to each other [12], so the group
traffic parameters of the observation area can reflect the current
traffic condition near the warning vehicle. So v̄ w,T , ā w,T ,
and N w,T are also used. In summary, the impact of traffic
incidents on traffic parameters in time and space is considered
in the time series feature vector.
To calculate Xo,T , the data of vehicles in the observation
area need to be selected from the CNL of Vo at time t. Let
Snei,t be the set of neighboring vehicles of Vo and Sobs,t be
the set of vehicles in the observation area at time t. The Sobs,t
can be obtained as:
 
Sobs,t = Vi |Vi ∈ Snei,t , Dist(Posi,t , Posw,t )  robs , (2)
where robs is the radius of the observation area and
Dist(Posi,t , Posw,t ) is the distance between Vi and Vw at
time t.
Since Xo,T includes the average traffic parameters (v̄ w,T ,
āw,T ) and they might be dominated by a small number of
vehicles who spread extreme data in their beacon messages,
we introduce outlier detection mechanism to detect large-scale
modifications of traffic parameters by attackers and filter out
undesired data for the LSTM-based classifier to better operate.
Grubbs’s test [36] is employed to detect outlier vehicles,
as it is a widely-used method to detect outliers in a univariate
data-set and its excellent adaptability has been proved through
extensive experimental data.
Denote Sobs,t = {Vid1 , Vid2 , . . . , Vidk }, where k = |Sobs,t |
and idi is the index of the i-th vehicle in the CNL. For
each Vidi ∈ Sobs,t , we calculate its average speed v̄ i during
T by v̄ i = tT =t −n+1 v idi,T /n and obtain the average speed
reference set as Sv = {v̄ 1 , v̄ 2 , . . . , v̄ k }. We use Grubbs’s test
to obtain the set of outlier vehicles Sout from Sobs,t based on
Sv by the following steps.
Firstly, we calculate the sample mean μ andthe sample
standard deviation σ of Sv respectively by μ = v̄ i /n and
 v̄ i ∈S v
σ =[ (v̄ i − μ)2 /(n − 1)]0.5 .
v̄ i ∈Sv
23912 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 12, DECEMBER 2022
TABLE IV
T YPICAL C RITICAL VALUES (N,α) OF G RUBBUS ’ S T EST
Secondly, we calculate the Grubbs’s test statistic G by:
v̄ p = arg max |v̄ i − μ|,
v̄ i ∈Sv
|v̄ p − μ|
G= , (4)
s
where v̄ p is the value with the largest absolute deviation from
μ and is most likely to be an outlier.
Thirdly, we obtain the critical value of Grubbs’s test (N,α) ,
which is related to the sample size N and the significance
level α. The significance level α is usually taken as 0.05 or
0.01, corresponding to 95% and 99% confidence intervals,
respectively. Some (N,α) values are listed in Table IV [37].
Finally, If G > (|Sv |,α) , which means v̄ p is an outlier, then
v̄ p is removed from Sv , and Vid p is added in Sout .
The above 4 steps should be repeated until there are no
outliers in Sv . Then we identify the complete outlier vehicles
Sout with significant misbehavior. These vehicles are likely to
be collusion attackers and their extreme data might reduce the
performance of the IDSs. Accordingly, the data of the vehicles
in Sout will not be considered in the calculation of Xo,T .
Since we assume that the majority of vehicles are honest,
we used the outlier detection method to firstly filter out poten-
tial attempts of spreading extreme data in beacon messages
by attackers. On the basis of it, a minority of collusion
attackers can hardly affect the statistical traffic trend expressed
by the group traffic parameters. Thus, the ability to resist
collusion attacks is enhanced. However, the outlier detection
will introduce some computing overhead. Through analysis,
the time complexity of this process is O[(n + q)k], where q is
the number of outlier vehicles. Since q is normally very small
and n is a constant, the time complexity is acceptable.
For the calculation of Xo,T , we can easily get v w,T and
aw,T from the CNL of Vo , and d w,T ,v̄ w,T , āw,T ,N w,T can be
respectively calculated by fomular (5)-(8) at each time point.
dw,t = Dist(Posw,t , E pos),
 v i,t
v̄ w,t =  ,

|Sobs,t |
Vi ∈Sobs,t
 ai,t
āw,t =  ,

|Sobs,t |
Vi ∈Sobs,t

Nw,t = |Sobs,t |,
 L=−
where Sobs,t = Sobs,t − Sout .
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
(3)
Fig. 5. Proposed LSTM network structure.
C. LSTM-Based Traffic Incident Classifier
This module uses an LSTM network to classify the obtained
time series feature vectors and identify current traffic incidents.
Its core task is the multi-classification of MTS.
1) Dataset Format: The data set D = {(X1,T , ŷ1 ),
(X2,T , ŷ2 ), . . . , (X N,T , ŷ N )} is a collection of pairs (Xi,T , ŷi )
where Xi,T is the time series feature vector, ŷi is the corre-
sponding one-hot label vector of each traffic incident, and N is
the total number of samples. According to formula (1), the size
of the input sample Xi,T is [6×n], where n is the total number
of time steps in the time series. In addition to normal traffic
conditions, we consider 3 types of common traffic incidents
that can affect the normal driving of vehicles, namely accident,
poor road condition, and congestion. So ŷi is a vector with
4 dimensions.
2) LSTM Network Structure: The structure of the LSTM
network built in this paper is shown in Fig. 5. It consists of
one input layer, one LSTM layer, two dense layers, and one
output layer. The input layer inputs the time series feature
vectors Xi,T into the LSTM layer at each time step. The LSTM
layer with 32 hidden units is used to extract the features of
the time series. To obtain a better feature extraction effect, two
dense layers are used. The number of neurons in each dense
layer is 64 and 32 respective. The output layer has 4 units
corresponding to 4 traffic patterns. Since its activation function
is softmax, the output vector y has only 4 values added up
to 1, and represents the probability distribution of each traffic
incident.
3) Model Training: The training of the network takes
minimizing the loss function as the optimization objective
(5) to iteratively obtain the optimal network parameters. Cross
(6) entropy is chosen as the loss function to measure the distance
between the output probability distribution and the expected
probability distribution. To reduce the impact of data noise on
(7) the network, regularization is also used in the loss function.
The loss function can be calculated by:
(8)
1   (k) λ  2
N 3
( ŷi ln y(k)
i )+ w , (9)
N 2N w
i=1 k=0
YU et al.: LSTM-BASED IDS FOR VANETs
where ŷ(k) (k)
i and y i are the k-th dimension of the i-th sample
of the output vector and label vector respectively, w is the
connection weights of the network, and λ is the regularization
parameter.
To minimize training error while avoiding local minimal
points, Adam optimizer, a modification of stochastic gradi-
ent descent (SGD) optimizer with adaptive learning rates,
is applied for back propagation through time (BPTT) in this
paper. Meanwhile, min-max scaling is used to preprocess the
traffic data, and the dropout method for LSTM is applied to
reduce overfitting.
D. Decision of False Message
This module detects false emergency messages based on
whether the traffic incident classification results are consistent
with the reported incident.
Suppose that the result of traffic incident classification is E,
and the reported traffic incident is Ê. In order to check the
consistency of them, the match factor x match is calculated by:
x match = E ⊕ Ê,
where ⊕ means exclusive OR.
If x match is 0 (i.e. classification result match the reported
traffic incident), the emergency message is judged as a real
message, prompting the driver to take appropriate driving
decisions; otherwise if x match is 1, the emergency message
is rejected, and the warning vehicle is regarded as a malicious
node and reported.
V. P ERFORMANCE E VALUATION
A. Simulation Setup
1) Traffic and Communication Simulation: To evaluate the
proposed IDS, extensive simulations were done using Sim-
ulation of Urban Mobility (SUMO), OMNET++, and Veins.
SUMO is a traffic mobility simulator with the ability to gen-
erate highly realistic vehicular behavior by specifying types,
speed limits, and traffic flow rates. OMNET++ is a component-
based C++ library and framework that is used for network
simulation. Veins combines OMNET++ with SUMO to create
a layer for VANETs simulation [38]. Therefore, SUMO is used
to generate mobility trace files, and OMNET++ is used to
load these trace files by Veins and run the proposed IDS. The
simulation parameters are shown in Table V.
We utilize SUMO to simulate the driving state changes
of vehicles under different traffic incidents. Similar to
[12]–[14], we establish a 3-lane highway with a length of
5km to analyze the impact of traffic incidents on traffic
parameters. By setting traffic signal schedules, road section
speed limit, etc., 3 types of common traffic incidents, namely
accidents, poor road conditions, and congestion, are set at
random locations on the highway. To simulate different road
conditions, the maximum speed limit of the highway is set as
28m/s, 22m/s, and 17m/s, respectively. In order to simulate
different traffic densities, the vehicle arrival time interval is
set as 1s, 2s, and 3s, respectively [12]. The simulation time is
set as 4000s. To support VANET communication, the wireless
protocol is based on 802.11p [39], and the transmission range
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
23913
TABLE V
VANET S I NTRUSION D ETECTION S IMULATION PARAMETERS
of each vehicle is set as 500m in each direction [40]. The
transmission interval is set as 0.5s [33], that is, each vehicle
broadcasts a beacon message every 0.5 seconds. Considering
the traffic density of highways, the observation area radius is
set to be 250 meters. We use the 95% confidence interval for
the Grubbs’ test-based outlier detection.
(10) Legitimate vehicles will broadcast emergency messages to
neighboring vehicles after detecting an incident, while mali-
cious vehicles will randomly send false emergency messages
or bogus beacon messages. After receiving an emergency
message, each vehicle independently judges and records the
authenticity of the message. By collecting and analyzing the
judgment results of the emergency messages of all legal vehi-
cles, the performance of the proposed IDS can be evaluated.
2) LSTM Network Training: In order to select the optimal
LSTM-based traffic incident classifier, Python and Pytorch (an
open source machine learning framework) are used to build
and train the LSTM network model.
The proposed IDS cannot be trained and tested directly by
ready databases due to the shortage of well-known datasets
of real traffic incident scenarios. Therefore, we utilize SUMO
to set up different traffic scenarios, collect traffic data in the
process of each vehicle’s response to each traffic incident,
and calculate the corresponding time series feature vector as
a sample. In addition, to enhance the IDS’s defense effect
against collusion attacks, samples are also collected in sce-
narios where there are some collusion attackers continue to
spread bogus beacon messages that conform to the vehicle
motion law under the false traffic incident. We collect around
80000 samples from scenarios with 3 types of traffic incidents
(accident, poor road condition, and congestion) and varying
collusion attacker proportions (0, 10%, 20%, 30%, 40%, and
50%) as the data set. Each sample has data at 20 points in time
(i.e. the observation time is 10 seconds). By cropping the data
set by time, we also collect data sets with smaller values of
observation time (4s, 6s, and 8s).
The data set is randomly divided into the training set and
the testing set according to the ratio of 4:1. The training
parameters are shown in Table VI.
B. Evaluation Metric
In general, we evaluate the performance of the proposed
IDS in terms of three metrics: accuracy, F1 score, and false
23914 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 12, DECEMBER 2022
TABLE VI
LSTM N ETWORK T RAINING PARAMETERS
positive rate (FPR). F1 score can be calculated by precision
and recall.
Accuracy is the ratio of correctly classified messages to
the total messages. Precision shows the ratio of correctly
classified false emergency messages to the total classified
false emergency messages. Recall shows the ratio of correctly
classified false emergency messages to the total actual false
emergency messages. F1 score is the weighted average of
precision and recall. FPR is the percentage of false emergency
messages that are incorrectly classified as true messages. They
can be calculated by the following formulas.
TP +TN
Accur acy = , (11)
T P + T N + FP + FN
TP
Pr eci si on = , (12)
T P + FP
TP
Recall = , (13)
T P + FN
Pr eci si on × Recall
F1 = 2× , (14)
Pr eci si on + Recall
FP
FPR = , (15)
T N + FP
where T P is the number of correctly classified false emer-
gency messages; F N is the number of false emergency
messages classified as true emergency messages; F P is the
number of true emergency messages classified as false emer-
gency messages; T N is the number of correctly classified true
emergency messages.
C. Simulation Results
We calculate the accuracy, F1 score, and FPR of the
proposed LSTM-based IDS under different attack scenarios,
and compare them with the existing machine learning schemes
based on RF [32] and BPNN [31]. Each simulation scenario
for IDS performance evaluation was run 50 times with around
3000 detection results analyzed in each round, and the average
values are used as the final results in Table VIII and Fig. 7-9.
1) Traffic Parameters Under Different Traffic Incidents:
Under each traffic incident, we randomly select the speed of
10 vehicles for analysis. Fig. 6 shows the changes in the speed
of selected 40 vehicles over time when affected by different
traffic incidents. In a normal scenario, the speed of vehicles
fluctuates slightly around a stable value. When encountering
an accident, vehicles will decelerate firstly and then change
lanes, so the speed will firstly drop and then rise to the stable
value. When vehicles enter a road section with poor road
conditions, the speed will decrease and then stabilize at a lower
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
Fig. 6. Speed under different traffic incidents.
value. When congestion occurs, the speed of vehicles will be
reduced to 0. It can be seen that the traffic data of vehicles
will show different trends over time under different traffic
incidents.
2) Performance of LSTM-Based Traffic Incident Classifier:
To evaluate the performance of the LSTM-based traffic inci-
dent classifier, we train and test the classifier with varying
values of observation time (from 4s to 10s). Table VII shows
the performance of the LSTM-based traffic incident classifier
on the entire testing set and each traffic incident with varying
values of observation time.
The results show that the proposed LSTM-based traffic
incident classifier can accurately judge 4 types of traffic
conditions, namely normal (i.e. without traffic incidents), poor
road condition, accident, and congestion. It can also be seen
that the classifier becomes more accurate when the value
of observation time increases. In other words, when more
time steps of data are input, the effect of time series feature
extraction is better. However, it will also increase computing
and storage overhead. So the observation time needs to be
carefully selected. In the following parts of this paper, the
observation time is fixed at 10s.
3) IDS Performance Analysis Under False Emergency Mes-
sage Attack: In this attack scenario, malicious vehicles only
report the types of traffic incidents that do not match the
actual situation, that is, all the beacon messages of vehicles
are real. Table VIII illustrates the performance of each scheme
in terms of accuracy, F1 score, and FPR when the actual
traffic condition is normal, poor road condition, accident,
and congestion respectively. The average performance under
4 types of traffic conditions is also shown in the table. It can
be seen that the three schemes all have good defensive effects
against a single false emergency message attack, and the
proposed scheme is better than other schemes in all evaluation
metrics. The results show that the LSTM-based classifier can
more accurately establish the mapping relationship between
traffic data and traffic incidents due to its strong ability of
nonlinear modeling and time series processing.
4) IDS Performance Analysis Under Collusion Attack: In
the collusion attack scenario, there is a certain percentage
YU et al.: LSTM-BASED IDS FOR VANETs 23915

TABLE VII
P ERFORMANCE OF THE LSTM-BASED C LASSIFIER

TABLE VIII
P ERFORMANCE OF IDS S W ITH N O C OLLUSION ATTACKER

of collusion attacker vehicles forging beacon messages that

conform to the motion law of false traffic conditions. The
average performance of each scheme with the varying ratios
of collusion attackers is illustrated in Fig. 7, where the ratio
of collusion attackers increases from 10% to 50%. Fig. 8(a),
Fig. 8(b), and Fig. 8(c) show the performance of each scheme
under the scenario where the actual traffic condition is nor-
mal while the false traffic condition is poor road condition,
accident, and congestion respectively. Fig. 9(a), Fig. 9(b),
and Fig. 9(c) show the performance of each scheme under
the scenario where the actual traffic condition is poor road
condition, accident, and congestion respectively while the false
traffic condition is normal.
It can be observed that the proposed IDS can detect false
emergency messages with a very high accuracy rate under
a small proportion of collusion attackers. The accuracy of
Fig. 7. Performance of three IDSs under collusion attack.
the proposed scheme starts to drop below 95% when the
collusion attacker ratio surpasses 40%. However, in reality,
it is very hard to deploy that plentiful collusion attackers into a
pre-selected scenario.
Overall, the performance of the three schemes decreases
with the increase in the proportion of collusion attackers. The
main cause is that with the increase in the number of collusion
attackers, the more the traffic data received from neighboring
vehicles deviate from the real traffic condition. In other words,
legal vehicles are more likely to be misled when the collusion
attackers take advantage in number.

Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
23916 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 12, DECEMBER 2022

Fig. 8. Performance of three IDSs when actual traffic condition is normal. Fig. 9. Performance of three IDSs when false traffic condition is normal.

The results also show that the performance of the proposed
scheme is better than other schemes under different ratios
of collusion attackers. The effective detection of collusion
attacks by the proposed LSTM-based IDS can be attributed
to the following reasons. Firstly, numerous traffic parameters
collected from vehicles near the reported traffic incidents
can mitigate the impact of partial false beacon messages.
Secondly, the time series feature vectors combine the impact
of traffic incidents on traffic parameters in time and space,
and they are hard to be forged by collusion attackers. Thirdly,
the LSTM-based classifier can accurately identify the pattern
of traffic parameters changing over time. Finally, using data
under varying collusion attackers ratios to train the classifier
improves the robustness of the proposed LSTM-based IDS.

Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
YU et al.: LSTM-BASED IDS FOR VANETs
VI. C ONCLUSION
In this paper, an LSTM-based IDS for false emergency
message detection is proposed and tested. Time series of traffic
parameters closely related to traffic incidents are collected
and calculated as time series feature vectors. An LSTM-based
classifier is designed and trained to identify current traffic
incidents based on time series feature vectors from both nor-
mal and collusion attack scenarios. Based on the classification
result of time series feature vectors, the authenticity of the
emergency message can be judged. We conduct extensive
simulations to evaluate the performance of the proposed IDS
using SUMO, OMNET++, and Veins. The simulation results
show that the proposed IDS exhibits better performance under
false message attacks and collusion attacks compared with the
BPNN-based scheme and RF-based scheme. Equipped with
the proposed LSTM-based IDS, vehicles can accurately infer
the actual traffic incident and effectively resist false message
attacks and collusion attacks.
In the near future, the work can be extended by utilizing big
data collected from real traffic scenarios. Furthermore, we plan
to incorporate more accurate deep learning algorithms within
IDS to detect new types of attacks in VANETs, such as Sybil
attacks and denial of service attacks.
R EFERENCES
[1] H. Al-Omaisi, E. A. Sundararajan, R. Alsaqour, N. F. Abdullah, and
M. Abdelhaq, “A survey of data dissemination schemes in vehic-
ular named data networking,” Veh. Commun., vol. 30, Aug. 2021,
Art. no. 100353.
[2] H. Li, G. Zhao, L. Qin, H. Aizeke, X. Zhao, and Y. Yang, “A survey
of safety warnings under connected vehicle environments,” IEEE Trans.
Intell. Transp. Syst., vol. 22, no. 5, pp. 2572–2588, May 2021.
[3] M. Arshad, Z. Ullah, N. Ahmad, M. Khalid, H. Criuckshank, and
Y. Cao, “A survey of local/cooperative-based malicious information
detection techniques in VANETs,” EURASIP J. Wireless Commun. Netw.,
vol. 2018, no. 1, pp. 1–17, Dec. 2018.
[4] D. Manivannan, S. S. Moni, and S. Zeadally, “Secure authentication and
privacy-preserving techniques in vehicular ad-hoc networks (VANETs),”
Veh. Commun., vol. 25, Oct. 2020, Art. no. 100247.
[5] Q. Li, A. Malip, K. M. Martin, S.-L. Ng, and J. Zhang,
“A reputation-based announcement scheme for VANETs,” IEEE Trans.
Veh. Technol., vol. 61, no. 9, pp. 4095–4108, Nov. 2012.
[6] R. Sugumar, A. Rengarajan, and C. Jayakumar, “Trust based authentica-
tion technique for cluster based vehicular ad hoc networks (VANET),”
Wireless Netw., vol. 24, no. 2, pp. 373–382, Feb. 2018.
[7] R. P. Barnwal and S. K. Ghosh, “Heartbeat message based misbehavior
detection scheme for vehicular ad-hoc networks,” in Proc. Int. Conf.
Connected Vehicles Exp. (ICCVE), Dec. 2012, pp. 29–34.
[8] R. van der Heijden, S. Dietzel, and F. Kargl, “Misbehavior detection
in vehicular ad-hoc networks,” in Proc. 1st GI/ITG KuVS Fachgespräch
Inter-Vehicle Commun. Univ. Innsbruck, Feb. 2013, pp. 23–25.
[9] T. Yang, W. Xin, L. Yu, Y. Yang, J. Hu, and Z. Chen, “Misdis:
An efficent misbehavior discovering method based on accountability
and state machine in VANET,” in Proc. Asia–Pacific Web Conf. Berlin,
Germany: Springer, Apr. 2013, pp. 583–594.
[10] L. Chen, S.-L. Ng, and G. Wang, “Threshold anonymous announcement
in VANETs,” IEEE J. Sel. Areas Commun., vol. 29, no. 3, pp. 605–615,
Mar. 2011.
[11] J. Shao, X. Lin, R. Lu, and C. Zuo, “A threshold anonymous authenti-
cation protocol for VANETs,” IEEE Trans. Veh. Technol., vol. 65, no. 3,
pp. 1711–1720, Mar. 2016.
[12] K. Zaidi, M. B. Milojevic, V. Rakocevic, A. Nallanathan, and
M. Rajarajan, “Host-based intrusion detection for VANETs: A statistical
approach to rogue node detection,” IEEE Trans. Veh. Technol., vol. 65,
no. 8, pp. 6703–6714, Aug. 2016.
[13] J. Liu, W. Yang, J. Zhang, and C. Yang, “Detecting false messages in
vehicular ad hoc networks based on a traffic flow model,” Int. J. Distrib.
Sensor Netw., vol. 16, no. 2, Feb. 2020, Art. no. 1550147720906390.
Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.
23917
[14] J. Liang, J. Chen, Y. Zhu, and R. Yu, “A novel intrusion detection system
for vehicular ad hoc networks (VANETs) based on differences of traffic
flow and position,” Appl. Soft Comput., vol. 75, pp. 712–727, Feb. 2019.
[15] X. Liu, J. Xu, M. Li, L. Wei, and H. Ru, “General-logistic-based speed-
density relationship model incorporating the effect of heavy vehicles,”
Math. Problems Eng., vol. 2019, pp. 1–10, Feb. 2019.
[16] H. Wang, J. Li, Q.-Y. Chen, and D. Ni, “Logistic modeling of the
equilibrium speed–density relationship,” Transp. Res. A, Policy Pract.,
vol. 45, no. 6, pp. 554–566, Jul. 2011.
[17] Y. LeCun, Y. Bengio, and G. E. Hinton, “Deep learning,” Nature,
vol. 521, pp. 436–444, Dec. 2015.
[18] Z. Lu, G. Qu, and Z. Liu, “A survey on recent advances in vehicular
network security, trust, and privacy,” IEEE Trans. Intell. Transp. Syst.,
vol. 20, no. 2, pp. 760–776, Feb. 2019.
[19] L. Zhang, Q. Wu, J. Domingo-Ferrer, B. Qin, and C. Hu, “Distributed
aggregate privacy-preserving authentication in VANETs,” IEEE Trans.
Intell. Transp. Syst., vol. 18, no. 3, pp. 516–526, Mar. 2017.
[20] R. Lu, X. Lin, T. Luan, X. Liang, and X. Shen, “Pseudonym changing
at social spots: An effective strategy for location privacy in VANETs,”
IEEE Trans. Veh. Technol., vol. 61, no. 1, pp. 86–96, Jan. 2012.
[21] R. Hussain, J. Lee, and S. Zeadally, “Trust in VANET: A survey of
current solutions and future research opportunities,” IEEE Trans. Intell.
Transp. Syst., vol. 22, no. 5, pp. 2553–2571, May 2021.
[22] S. Gurung, D. Lin, A. Squicciarini, and E. Bertino, “Information-
oriented trustworthiness evaluation in vehicular ad-hoc networks,” in
Proc. Int. Conf. Netw. Syst. Secur. Berlin, Germany: Springer, Jun. 2013,
pp. 94–108.
[23] M. Sun, M. Li, and R. Gerdes, “A data trust framework for VANETs
enabling false data detection and secure vehicle tracking,” in Proc. IEEE
Conf. Commun. Netw. Secur. (CNS), Oct. 2017, pp. 1–9.
[24] B. D. Greenshields, “A study of traffic capacity,” in Highway Research
Board Proceeding. Washington, DC, USA: Highway Research Board,
1935, pp. 448–477.
[25] D. Kang, Y. Lv, and Y.-Y. Chen, “Short-term traffic flow prediction with
LSTM recurrent neural network,” in Proc. IEEE 20th Int. Conf. Intell.
Transp. Syst. (ITSC), Oct. 2017, pp. 1–6.
[26] H. Greenberg, “An analysis of traffic flow,” Oper. Res., vol. 7, no. 1,
pp. 79–85, Feb. 1959.
[27] R. T. Underwood, “Speed, volume and density relationship,” Qual.
Theory Traffic Flow, Yale Bureau Highway Traffic, New Haven, CT,
USA, 2008, pp. 141–188.
[28] S. Ardekani, M. Ghandehari, and S. Nepal, “Macroscopic speed-flow
models for characterization of freeway and managed lanes,” Institutul
Politehnic Din Iasi. Buletinul. Sectia Construct. Arhitectura, vol. 57,
no. 1, p. 149, 2011.
[29] O. A. Wahab, A. Mourad, H. Otrok, and J. Bentahar, “CEAP: SVM-
based intelligent detection model for clustered vehicular ad hoc net-
works,” Expert Syst. Appl., vol. 50, pp. 40–54, May 2016.
[30] A. Alsarhan, M. Alauthman, E. Alshdaifat, A.-R. Al-Ghuwairi, and
A. Al-Dubai, “Machine learning-driven optimization for SVM-based
intrusion detection system in vehicular ad hoc networks,” J. Ambient
Intell. Humanized Comput., pp. 1–10, Feb. 2021.
[31] J. Zhang, L. Huang, H. Xu, M. Xiao, and W. Guo, “An incremental BP
neural network based spurious message filter for vanet,” in Proc. IEEE
Int. Conf. Cyber-Enabled Distrib. Comput. Knowl. Discovery, Oct. 2012,
pp. 360–367.
[32] S. Gyawali, Y. Qian, and R. Q. Hu, “Machine learning and reputation
based misbehavior detection in vehicular communication networks,”
IEEE Trans. Veh. Technol., vol. 69, no. 8, pp. 8871–8885, Aug. 2020.
[33] R. Molina-Masegosa, M. Sepulcre, J. Gozalvez, F. Berens, and
V. Martinez, “Empirical models for the realistic generation of coop-
erative awareness messages in vehicular networks,” IEEE Trans. Veh.
Technol., vol. 69, no. 5, pp. 5713–5717, May 2020.
[34] ETSI, Intelligent Transport Systems (Its); Vehicular Communications;
Basic Set of Applications; Part 3: Specifications of Decentralized Envi-
ronmental Notification Basic Service, document ETSI TS 102 637-3,
2010.
[35] S. Sharma and B. Kaushik, “A survey on internet of vehicles: Applica-
tions, security issues & solutions,” Veh. Commun., vol. 20, Dec. 2019,
Art. no. 100182.
[36] M. Urvoy, D. Goudia, and F. Autrusseau, “Perceptual DFT watermarking
with improved detection and robustness to geometrical distortions,”
IEEE Trans. Inf. Forensics Security, vol. 9, no. 7, pp. 1108–1119,
Jul. 2014.
[37] Z. Chen, T. Yin, and T. Liu, “3G mobile map service publishing and
data flow testing,” in Proc. 1st Int. Conf. Agro, Geoinform. (Agro-
Geoinformatics), Aug. 2012, pp. 1–4.
23918 IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, VOL. 23, NO. 12, DECEMBER 2022

[38] J. Kamel, M. R. Ansari, J. Petit, A. Kaiser, I. B. Jemaa, and P. Urien, Xiaoping Xue (Member, IEEE) received the B.S.
“Simulation framework for misbehavior detection in vehicular net- degree in wired communication from Tongji Uni-
works,” IEEE Trans. Veh. Technol., vol. 69, no. 6, pp. 6631–6643, versity (formerly Shanghai Railway University),
Jun. 2020. Shanghai, China, in 1987, and the Ph.D. degree
[39] M. Sepulcre, J. Gozalvez, and B. Coll-Perales, “Why 6 Mbps is not in communication and information systems from
(always) the optimum data rate for beaconing in vehicular networks,” Beijing Jiaotong University, Beijing, China, in 2009.
IEEE Trans. Mobile Comput., vol. 16, no. 12, pp. 3568–3579, Apr. 2017. He is currently a Professor and the Director of
[40] K. Abboud, H. A. Omar, and W. Zhuang, “Interworking of DSRC the Department of Information and Communication
and cellular network technologies for V2X communications: A survey,” Engineering, Tongji University. His research inter-
IEEE Trans. Veh. Technol., vol. 65, no. 12, pp. 9457–9470, Dec. 2016. ests include secure broadband wireless communi-
cation theory under high-speed moving conditions,
safe computing theory and methods, formal software and security evaluation
theory and methods, and security and privacy in vehicular networks.
Yantao Yu (Graduate Student Member, IEEE)
received the B.S. degree in communication engi-
neering from Dalian Maritime University, Dalian,
China, in 2019. He is currently pursuing the Ph.D.
degree in information and communication engineer-
ing with Tongji University, Shanghai, China. His
main research interests are security and privacy in
vehicular networks.

Xin Zeng received the B.Sc. degree in communica-

tion engineering from Tongji University, Shanghai,
China, in 2009, and the Ph.D. degree in electronics
and communication from Telecom ParisTech, Paris,
France, in 2014.
From 2014 to 2018, he was an Advanced
Researcher and a Standard Delegate at Huawei Cor-
poration, focusing on 5G physical layer research
and standardization. Since February 2018, he has
been as Assistant Professor with the Information and
Communication Department, Tongji University, spe-
cialized on wireless communication physical layer design, vehicle networks,
and applications of artificial intelligence. He has been selected by Shanghai
Sailing Program and involved one project from the National Natural Science
Foundation of China. The related research achievements won the second prize
of Shanghai Science and Technology Progress Award in 2019.
Jingxiao Ma received the B.Eng. degree from the
University of Birmingham, U.K., in 2011, the M.Sc.
degree in wireless communications from the Univer-
sity of Southampton, U.K., in 2012, and the Ph.D.
degree from The University of Sheffield, in 2018.
He is currently a Post-Doctoral Researcher with the
College of Electronics and Information Engineering,
Tongji University, where he is focusing on the areas
of relay beamforming, massive MIMO systems, and
cognitive radio networks.

Authorized licensed use limited to: Universidad Tecnica Federico Santa Maria. Downloaded on May 22,2023 at 19:49:44 UTC from IEEE Xplore. Restrictions apply.