
Detection of Sybil & DDoS Attacks in VANET using Intelligent Technique


*Urmila Bhanja (1), Ankit Majhi (2), Smrutirekha Sahoo (3), Debapriya Parida (4)

(1) Department of Electronics & Telecommunication Engineering, Professor of ETC, Indira Gandhi Institute of Technology, Sarang, India
(2, 3) B.Tech students, Department of Electronics & Telecommunication Engineering, Indira Gandhi Institute of Technology, Sarang, India
(4) Department of Electronics & Telecommunication Engineering, Research Scholar, Indira Gandhi Institute of Technology, Sarang, India

Abstract
Vehicular ad hoc networks (VANETs) are prone to various types of attacks. The Sybil attack is the most dangerous attack in a vehicular ad hoc network, as it creates multiple fake identities and creates traffic congestion. Fake identities are used to enter the network illegally. On the other hand, a distributed denial of service (DDoS) attack intentionally blocks users from accessing any online services. It temporarily disrupts or interrupts the service of the hosting server. These types of attacks in VANET cause severe damage to vehicles and to the passengers travelling in them by inducing traffic congestion, and may also cause minor or fatal accidents. Hence, it is essential to detect such attacks in VANET early to protect vehicles and human life. In this work, a novel model is proposed using fuzzy logic controllers (FLCs) to detect both the Sybil and the DDoS attacks in VANET. Furthermore, the performance of attack detection is analysed and compared with the existing techniques. The proposed model yields better accuracy, sensitivity, and recall value compared to the existing techniques. The margin of error for the attack detection is also estimated for a 95% confidence interval.
Keywords: Sybil attack; DDoS attack; Fuzzy Logic Controller; VANET; Margin of error

1. Introduction
The Internet of Things (IoT) is a boon that makes the Vehicular Ad hoc Network (VANET) possible. However, everything that is shared or provided on a server attracts threats and manipulation. Any alteration in the information or the real-time data can lead to chaos among vehicles. System failure can impact the safety of people on the road. Hence, the top priority should be the security of the VANET system. Security attacks can lead to system failure of vehicles, serious accidents, and traffic congestion, and can endanger people's lives. Along with security, VANET also faces signal fading, internet connectivity, routing and limited bandwidth issues.

*Urmila Bhanja, e-mail address: urmila@igitsarang.ac.in

The wireless sensor network (WSN) plays the key role in the development of VANET. A WSN contains sensor nodes, which sense and gather information on different parameters from the environment, and the congregated data is then sent to the sink for further processing. The sink examines and desegregates the data received from the sensor nodes. The sensor nodes send the required information to the end user through wireless communication. Applications of WSN are growing significantly due to its low cost, low power consumption and small size, and it has many applications in health care, military, education, traffic control through VANET, etc. However, it faces security issues, manipulation and, finally, loss of data. WSN and VANET are mainly affected by different types of attacks. When passive attacks happen there is no alteration in the data, which makes the detection of passive attacks difficult, but in active attacks the data is altered during the transmission between the sender and the receiver. Some examples of active attacks are Denial of Service (DoS), Distributed Denial of Service (DDoS), session replay attack, masquerade attack, Trojans, worm node, node replication, Sybil attack, sinkhole, etc. [1]
The DDoS attack has a drastic effect on WSN as well as on VANET, because the target nodes or vehicles are flooded with a large number of packets and the nodes cannot receive any genuine requests from other vehicles. The large number of zombies generates heavy traffic in the network. The IP address can also get spoofed and can come under the control of attackers. In a DDoS attack, the attacker sends lots of packets through many sources, which causes more usage of battery power and floods the network, making the user less responsive. Moreover, energy consumption also increases. DDoS attackers constantly change their methods of attack. Hence, the security measures should be updated from time to time. [2]
The Sybil attack is a serious attack in which a malicious vehicle fakes the identity of one or multiple other vehicles and uses those identities to send fake messages or data, disrupting the whole functionality of the VANET [3]. The nodes whose identity has been spoofed are called Sybil nodes, and the attacker nodes are called malicious nodes. It is difficult to identify the fake nodes, as the stolen identity is genuine. Several methods have been proposed by different researchers to detect and mitigate the attack. [4]
Research is ongoing to overcome these security attacks. In VANET, it is really hard to differentiate between legitimate and malicious packets, as the nodes, RSUs, and servers are distributed, which makes it hard to identify a DDoS attack and prevent it. The attack causes system shutdown, lag in the network, denial of service and power drainage of nodes. Therefore, implementation of a secured VANET architecture with secured communication and standard protocols is significant. In this work, DDoS and Sybil attack detection is performed for a VANET. The security requirements are authentication, availability, confidentiality, encryption, non-repudiation, integrity, privacy, data verification, access control, traceability and revocability. [5] Through these techniques, the message is verified and authorized by a vehicle or RSU. A tamper-proof device can also be used to retrieve lost or manipulated messages. For data integrity, digital signatures are used. Using a temporary key, the identities of users are hidden from unauthorized nodes. False messages are eliminated, and data consistency is verified against similar messages from neighbouring vehicles.

2. Related Research Review


Security maintenance in VANET is a critical issue, which has resulted in a lot of research and studies. It ensures secured data transmission, movement of vehicles and confidentiality of vehicles in a VANET. Most of the attack detection and prevention techniques in the literature are based upon artificial intelligence, machine learning and soft computing techniques. Dummy messages transmitted by DDoS attackers jam the channel and thus reduce the performance and efficiency of the network. DDoS attacks have become common on the internet today. Even traditional Intrusion Detection Systems are ineffective in countering distributed DoS attacks and Sybil attacks. Countering DDoS attacks is complex, as it involves various levels of networks and needs cooperation and trust among various domains.
Zhengmin et al. have proposed a solution to detect the DDoS attack using a fuzzy logic technique. In the first stage, the type of attack is detected, and in the second stage the strength of the DDoS flooding is decided using an intelligent fuzzy logic technique [6]. Pajila et al. have proposed a fuzzy-based DDoS attack detection and recovery mechanism in wireless sensor networks. They have used parameters such as Response time, Packet Lost, Energy consumption, Distance, and Packet size for the detection of the attack [7]. Haydari and Yilmaz have proposed a detection model where RSUs collect packets within a range depending on the protocol that the vehicles are using. The detection depends solely on a single parameter, i.e., the number of packets collected with respect to time. The Pearson's Divergence (PD) method is used by the authors for attack detection in networks at low false positive rates (FPRs). The running time to detect the attack is high, and attacks are not mitigated effectively [8]. Authors have proposed game-based fuzzy Q-learning (G-FQL), which is a combination of game theory and fuzzy Q-learning algorithms, in wireless sensor networks (WSNs). However, the intrusion detection system can identify future attacks by adjusting its learning parameters through the fuzzy Q-learning model. The model is also compared with other existing soft computing techniques in terms of accuracy of detection, lifetime of networks, consumption of energy and efficiency. However, the proposed model is capable of handling minor-class DDoS attack [9].
A defence mechanism based on the session initiation protocol (SIP) uses IP-spoofing methods to detect the DDoS attack. This method reduces the CPU load and uses three module-statistics to detect abnormal traffic by comparing it with other statistics. In this work, detection depends upon traffic conditions [10].
Detection of Sybil attack, black hole attack as well as DoS attack is done by using the RSA algorithm. Detection of attacks through the RSA algorithm is quite complex and time-consuming [11].
Singh et al. have proposed a mechanism to detect DoS attacks in VANET using the Enhanced Attacked Packet Detection Algorithm (EAPDA). The authors have considered three parameters: throughput, false positive rate and delay. In this work, the RSU calculates the TS (time slot) for the EAPDA algorithm and detects the malicious packets [12]. The Sybil attack is also one of the dangerous attacks, which seriously affects the operation of VANET and can lead to other potential attacks. The malicious node fakes its identity and spreads fake messages to mislead the nearby vehicles, which leads to fatal accidents and traffic congestion on roads. For the Sybil attack, various assumptions are taken by the authors based on theoretical insight to mitigate the Sybil attack [13]. Authors have also explored Sybil attack detection using a two-level fuzzy-based method (2LFSD) using location verification and analysis. First the vehicle data is collected and put into the first FLC; the lightly suspected data is forwarded for communication, whereas the highly suspected data is forwarded to the second FLC for attack detection [14]. In [15], authors have proposed a novel biologically-inspired spider monkey time synchronization (SMTS) technique for large-scale VANET to boost packet delivery time synchronization at minimized energy consumption. This technique is used to examine Sybil attack strategies on VANET for the prediction of vehicular collision in dense zones.
In [16], authors have proposed a trust model, which detects Sybil nodes in neighbouring vehicles within the transmission range. The model works on the assumption of precise location accuracy with an Event Data Recorder (EDR) for recording real-time events etc., which is complex to adjust in a real-time environment. However, the model also faces complexities when there are multiple Sybil nodes within a particular transmission range. Authors in [17] have proposed a technique for detection of Sybil nodes in VANET. The RSU performs Sybil attack detection by comparing different parameters such as distance and angle between two vehicles, extracted from beacon packets sent by each vehicle to the RSU. Beacon packets contain the Vehicle-ID, timestamp and position of vehicles. The approach takes a long observation time and hence the time taken for Sybil attack detection is more. Authors in [18] have proposed a methodology for Sybil attack detection, which is not dependent on any RSU. The threshold value is found by varying the number of attackers and the number of Sybil identities created by the attacker. Any vehicle having neighbours for a longer duration than the threshold value is considered a Sybil node. However, high mobility of vehicles can affect the detection. The detection of Sybil nodes is highly dependent on the threshold value. So, careful selection of the threshold value is the main issue in the proposed paper [18]. The author in [19] has also developed an attack-resistant model to counteract different types of VANET attacks such as Sybil attack, replay attack, denial of service, masquerade attack, and message suppression attack. Additionally, the trustworthiness of vehicles is evaluated based on the rate of updation of the vehicle, the unique ID of the vehicle and the duration of presence of a vehicle in the VANET.

Few of the authors in the literature have managed to detect Sybil attack and DDoS attack in VANET with higher detection rate, complex algorithms, and VANET traffic conditions. The authors have also proposed attack detection techniques using various parameters such as number of packets, throughput, delay, false positive rate, etc. Few authors have estimated the accuracy of attack detection. Most of the authors have considered detection of Sybil or DDoS attack using various soft computing techniques. However, none of the authors have estimated the margin of error while detecting an attack. Also, very few papers are found in the literature that detect both DDoS and Sybil attacks.

In our proposed work, we have developed a model to detect both Sybil and DDoS attacks using fuzzy logic controllers. In the proposed work, a database is generated for DDoS attack detection. Parameters such as total busy time, signal to noise interference ratio (SNIR) lost packets, and packet loss ratio (PLR), which are strongly correlated with each other as shown through Pearson correlation analysis, are considered. The simulation time is kept constant for all scenarios. However, for Sybil attack detection a known database is considered, and parameters such as throughput, end to end delay and packet delivery ratio are extracted and used for attack detection. The margin of error is evaluated for both attacks for a 95% confidence interval. The confusion matrix is obtained through a linear regression technique, and performance parameters such as accuracy, recall, sensitivity, and precision are evaluated and compared with other existing papers.

3. Proposed Model
Due to the lack of a centralized authority, it becomes challenging to detect the attacks that affect the VANET. In this work, we have proposed a model to detect DDoS and Sybil attacks in VANET. These are the common attacks, which affect the majority of VANETs.
Figure 1 depicts the flow chart of the proposed Sybil and DDoS attack detection in VANET using Fuzzy Logic Controllers (FLCs). The database for the detection of the DDoS attack is generated using OMNET++ software by considering the vehicle nodes, attack nodes and road side unit (RSU). A correlation matrix is developed for the data set to estimate the correlation between parameters. The correlation matrix also estimates the null hypothesis, which detects error in the data. Data that do not possess the null hypothesis are considered for detection of the DDoS attack, while the remaining data are erroneous and hence rejected and not considered for attack analysis. In this work, the margin of error is fixed at 0.05. Correlation among communication parameters is carried out through the correlation matrix. It is seen in the literature that parameters that possess correlations are prone to attacks [18]. Therefore, in this work, parameters that possess correlation are selected from the database to detect the DDoS attack. If there is no correlation among parameters, the data can be sent for further communication without any attack analysis. Furthermore, an analysis is carried out with all the correlated parameters to find the most significant parameters responsible for the DDoS attack, as discussed in Section 5. These parameters are selected as input variables to the fuzzy logic controller-1 (FLC-1). FLC-1 detects the chance of the DDoS attack. If the DDoS attack is found to exist, communication is stopped.

On the other hand, for Sybil attack detection an existing database is considered [20]. From the existing database, significant parameters such as end to end delay, packet delivery ratio, and throughput are extracted, which are the inputs to FLC-2. The output of FLC-2 decides the Sybil attack status based on the input parameters of FLC-2. The trust value of vehicles is also taken into consideration for the detection of the Sybil attack, along with the parameters extracted from the database. Hence, in this work the Sybil attack status is decided by a combination of significant database parameters and the trust value of vehicles. The trustworthiness of vehicles is estimated based on certificate-based evaluation, distributed trust-based evaluation, and reputation score-based evaluation. Certificate-based evaluation checks whether the vehicle is certified or not. If the vehicle is not certified or the certificate is a duplicate, then 'distrust' is forwarded to the RSU by the authorized vehicle in the VANET.

In distributed trust evaluation, each of the vehicles of the VANET has a list of trusted vehicles. The vehicle is not a trusted vehicle if the public key and private key of the signed message do not match. The public key is shared among all the vehicles. The private key is a unique key given to each of the vehicles. The public key makes a pair with the private key. If a matching pair is not found, then 'distrust' is forwarded to the RSU by the receiving vehicle.

Figure 1. Flow chart of Sybil and DDoS attack detection using Fuzzy Logic Controller in VANET

Figure 2. Flow chart of Trust value Evaluation in VANET

In reputation score-based evaluation, the reputation score is obtained according to the vehicle's behaviour in the network and updated every one hour. The threshold value of the reputation score is fixed at 0.5. If the reputation score is less than 0.5, then 'Distrust' is forwarded to the RSU. The reputation score is evaluated on a scale of 0 to 10 from each of the vehicles. The reputation score of a vehicle is estimated by taking the average of the reputation scores obtained from all the vehicles of the network. In this work, a binary value is assumed for the trust and distrust parameters. The trust parameter is assigned the value '1' and the distrust parameter is assigned the value '0'. As shown in Fig. 2, the Sybil attack status is evaluated considering both the vehicle trust and the parameter-based attack status obtained from FLC-2. Communication among vehicles is stopped if the status of the attack is high.
Fuzzy logic rules are designed for each of the attacks and are depicted in Table 1 and Table 6 for DDoS and Sybil attack respectively. Triangular membership functions are considered for input and output variables. The Mamdani fuzzy inference system is used in the proposed model. The output of FLC-1 depicts the status of the DDoS attack. The output of FLC-2 depicts the status of the Sybil attack based on performance parameters. Furthermore, the final Sybil attack evaluation is done by considering the trustworthiness of vehicles in the VANET.
Fig. 2 depicts the flowchart of vehicle trust evaluation. The trust value of vehicles is also estimated as shown in Fig. 2. If the trust value is low, the Sybil attack status is high irrespective of the FLC-2 output. If the trust value is high, then the output of FLC-2 decides the Sybil attack status. The final trust value is estimated by the road side unit (RSU). It considers the certificate-based trust value, the reputation score-based trust value, and the distributed trust value. It is assumed that if any of these three trust values is low, then the final trust value is low, as estimated by the RSU.

4. Fuzzy Inference System (FIS)


FLC-1 is the first fuzzy logic controller (FLC) used in the proposed model, for DDoS attack detection. In the FLC, linguistic variables are used to express the rules based on human perception when the data is uncertain. Three attributes that are prone to attacks are chosen from the database as the input variables to FLC-1. The three input variables, channel busy time, SNIR lost packets, and packet loss ratio (PLR), are used for predicting the DDoS attack, and the output variable detects the chance of the DDoS attack. Table 1 describes the fuzzy rules that are used for predicting the DDoS attack. The fuzzy rule table defines the rules and the relationship between input and output variables based on human perception. The ranges of the input variables channel busy time, SNIR lost packets, and packet loss ratio (PLR) are depicted in Table 2, Table 3, and Table 4 respectively. Similarly, the range of the output variable, which represents the DDoS attack status, is depicted in Table 5. The range of an input variable such as total busy time is estimated from the database generated using OMNET++ while considering 126 vehicle nodes and different numbers of DDoS attackers. In this work, 4, 8, 6, and 10 attackers are considered. The low range of all the input variables is calculated in the presence of 4 to 6 attackers, the medium range in the presence of 6 to 8 attackers, and the high range in the presence of 8 to 10 attackers. For example, the value of SNIR lost packets for the high range is estimated as the mean value of SNIR lost packets obtained in the presence of 8 to 10 attackers. The value of SNIR lost packets for the medium range is estimated as the mean value of SNIR lost packets obtained in the presence of 6 to 8 attackers. Similarly, the value of SNIR lost packets for the low range is estimated as the mean value of SNIR lost packets obtained in the presence of 4 to 6 attackers. The output of FLC-1 represents the DDoS detection status range, which can also be expressed as a percentage.

Table 1. Fuzzy Rule Table (FLC-1)

Sl. No. Total busy Time SNIR Lost Packets PLR Attack Status
1 Low Low Low Low
2 Low Low Medium Low
3 Low Low High Low
4 Low Medium Low Low
5 Low Medium Medium Medium
6 Low Medium High Medium
7 Low High Low Medium
8 Low High Medium High
9 Low High High High
10 Medium Low Low Medium
11 Medium Low Medium Medium
12 Medium Low High Medium
13 Medium Medium Low Medium
14 Medium Medium Medium Medium
15 Medium Medium High High
16 Medium High Low High
17 Medium High Medium High
18 Medium High High High
19 High Low Low Medium
20 High Low Medium Medium
21 High Low High High
22 High Medium Low High
23 High Medium Medium High
24 High Medium High High
25 High High Low High
26 High High Medium High
27 High High High High

Table 2. Total Busy Time (Input variable of FLC-1)

Sl. No Total busy time Range
1 low 0-30
2 medium 20-72
3 high 55 above

Table 3. SNIR Lost Packets (Input variable of FLC-1)

Sl. No SNIR Lost Packets Range
1 low 0-17
2 medium 13-313
3 high 270-485

Table 4. Packet Loss Ratio (Input variable of FLC-1)

Sl. No Packet Loss Ratio Range
1 low 0-0.7
2 medium 0.5-0.95
3 high 0.95 above

Table 5. DDoS Attack Status (Output variable of FLC-1)

Sl. No "DDoS Attack Status" Range [0-1]
1 low 0-0.4
2 medium 0.25-0.75
3 high 0.6 above

Table 6. PDR (Input variable of FLC-2)

Sl. No Input variable "PDR" Range [0-1]
1 low [-0.4-0.5]
2 medium [0.3-0.85]
3 high [0.8-1.2]

Table 7. End to End Delay (Input variable of FLC-2)

Sl. No Input variable "E2E Delay" Range [260-340]
1 low [250-301]
2 medium [295-322]
3 high [317-352]

Table 8. Throughput (Input variable of FLC-2)

Sl. No Input variable "Throughput" Range [720-820]
1 low [700-750]
2 medium [740-800]
3 high [790-820]

Table 9. Sybil Attack Status (Output variable of FLC-2)

Sl. No "Sybil Attack Status" Range [0-1]
1 low [0-0.4]
2 medium [0.3-0.7]
3 high [0.6-1]

Table 10. Fuzzy Rule Table (FLC-2)

Sl. No. PDR E2E Throughput Status
1 Low Low Low Medium
2 Low Low Medium Medium
3 Low Low High Medium
4 Low Medium Low High
5 Low Medium Medium High
6 Low Medium High High
7 Low High Low High
8 Low High Medium High
9 Low High High High
10 Medium Low Low Medium
11 Medium Low Medium Medium
12 Medium Low High Low
13 Medium Medium Low High
14 Medium Medium Medium Medium
15 Medium Medium High Medium
16 Medium High Low High
17 Medium High Medium High
18 Medium High High High
19 High Low Low Low
20 High Low Medium Low
21 High Low High Low
22 High Medium Low Medium
23 High Medium Medium Medium
24 High Medium High Low
25 High High Low High
26 High High Medium Medium
27 High High High Low

FLC-2 is the second fuzzy logic controller (FLC) used in the proposed model, for Sybil attack detection. Three attributes that are prone to Sybil attacks are taken from an existing database as the input variables to FLC-2 [20]. The three input variables, end to end delay, packet delivery ratio (PDR) and throughput, are used for predicting the Sybil attack, and the output variable detects the status of the Sybil attack based on the rules of FLC-2. Table 10 describes the fuzzy rules that are used for predicting the Sybil attack status.
The fuzzy rule table of FLC-2 defines the rules and the relationship between input and output variables based on human perception. The ranges of the input variables packet delivery ratio (PDR), end to end delay, and throughput are depicted in Table 6, Table 7, and Table 8 respectively. Similarly, the range of the output variable is depicted in Table 9.
In this work, input and output variables follow a triangular membership function. The Mamdani fuzzy inference system is used for the fuzzy model.
Membership functions of the input variables for the DDoS attack are depicted in Figures 3, 4 and 5, and the membership function of the output variable for the DDoS attack is depicted in Figure 6. Similarly, membership functions of the input variables for the Sybil attack are depicted in Figures 7, 8 and 9, and the membership function of the output variable for the Sybil attack is depicted in Figure 10.
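
The two controllers and the trust gate of Section 3, as an added example that is not code from the paper: a Mamdani engine run with the rule bases of Table 1 and Table 10 and the ranges of Tables 2 to 9. The triangle peaks (range midpoints), the shoulder shape of the "above" ranges, the division of 0-10 reputation reports by 10, and all function names are assumptions; the paper gives only the ranges.

```python
from itertools import product

def tri(x, a, b, c):
    """Triangular membership (feet a and c, peak b); c=None means a right shoulder."""
    if x <= a:
        return 0.0
    if x <= b:
        return (x - a) / (b - a)
    if c is None:
        return 1.0
    return max(0.0, (c - x) / (c - b))

def mid(lo, hi):
    """Assumption: a tabulated range lo-hi is a triangle peaking at its midpoint."""
    return (lo, (lo + hi) / 2.0, hi)

# Fuzzy sets keyed L/M/H, ranges taken from Tables 2-9.
# Assumption: "X above" ranges are right shoulders; the point where they reach 1 is chosen here.
BUSY = {"L": mid(0, 30), "M": mid(20, 72), "H": (55, 72, None)}
SNIR = {"L": mid(0, 17), "M": mid(13, 313), "H": mid(270, 485)}
PLR = {"L": mid(0, 0.7), "M": mid(0.5, 0.95), "H": (0.95, 1.0, None)}
DDOS_OUT = {"L": mid(0, 0.4), "M": mid(0.25, 0.75), "H": (0.6, 0.8, None)}
PDR = {"L": mid(-0.4, 0.5), "M": mid(0.3, 0.85), "H": mid(0.8, 1.2)}
E2E = {"L": mid(250, 301), "M": mid(295, 322), "H": mid(317, 352)}
THR = {"L": mid(700, 750), "M": mid(740, 800), "H": mid(790, 820)}
SYBIL_OUT = {"L": mid(0, 0.4), "M": mid(0.3, 0.7), "H": mid(0.6, 1.0)}

# Rule consequents in table order: first input varies slowest, last fastest, L < M < H.
FLC1_RULES = "LLLLMMMHH" + "MMMMMHHHH" + "MMHHHHHHH"  # Table 1 (busy time, SNIR lost, PLR)
FLC2_RULES = "MMMHHHHHH" + "MMLHMMHHH" + "LLLMMLHML"  # Table 10 (PDR, E2E delay, throughput)
NAMES = {"L": "low", "M": "medium", "H": "high"}

def mamdani(inputs, in_sets, out_sets, rules, steps=1000):
    """Min for AND, max for aggregation, centroid defuzzification over [0, 1].
    Returns (crisp, label), or (None, None) when no rule fires."""
    degrees = [{k: tri(x, *abc) for k, abc in sets.items()}
               for x, sets in zip(inputs, in_sets)]
    fire = dict.fromkeys(out_sets, 0.0)
    for labels, out in zip(product("LMH", repeat=len(inputs)), rules):
        strength = min(d[k] for d, k in zip(degrees, labels))
        fire[out] = max(fire[out], strength)
    num = den = 0.0
    for i in range(steps + 1):
        y = i / steps
        mu = max(min(fire[k], tri(y, *out_sets[k])) for k in out_sets)
        num += y * mu
        den += mu
    if den == 0.0:
        return None, None  # an input lies outside every set's support
    crisp = num / den
    best = max(out_sets, key=lambda k: tri(crisp, *out_sets[k]))
    return crisp, NAMES[best]

def ddos_status(busy_time, snir_lost, plr):
    """FLC-1: chance of a DDoS attack from the three MAC-layer inputs."""
    return mamdani((busy_time, snir_lost, plr), (BUSY, SNIR, PLR), DDOS_OUT, FLC1_RULES)

def rsu_trust(cert_ok, key_pair_ok, reputation_reports):
    """Final trust (1 = trust, 0 = distrust): low if any of the three evaluations is low.
    Assumption: reports are on the page's 0-10 scale and are divided by 10 before
    comparison with the 0.5 threshold; no reports at all counts as distrust."""
    if not reputation_reports:
        return 0
    score = sum(reputation_reports) / len(reputation_reports) / 10.0
    return int(bool(cert_ok) and bool(key_pair_ok) and score >= 0.5)

def sybil_status(trust, pdr, e2e_delay, throughput):
    """Trust gate in front of FLC-2: distrust forces 'high' whatever FLC-2 says."""
    if trust == 0:
        return "high"
    return mamdani((pdr, e2e_delay, throughput), (PDR, E2E, THR), SYBIL_OUT, FLC2_RULES)[1]

if __name__ == "__main__":
    # Constructed sample inputs, not values from the paper's databases.
    print("DDoS, congested channel:", ddos_status(80, 400, 0.98))
    print("DDoS, quiet channel:    ", ddos_status(10, 5, 0.2))
    trusted = rsu_trust(True, True, [8, 7, 9])
    print("Sybil, trusted, healthy link: ", sybil_status(trusted, 0.95, 270, 810))
    print("Sybil, trusted, degraded link:", sybil_status(trusted, 0.1, 335, 720))
    print("Sybil, distrusted vehicle:    ", sybil_status(0, 0.95, 270, 810))
```

An input outside every tabulated range fires no rule and comes back as None, so a deployment has to decide how to treat that case explicitly instead of reading it as low.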

Figure 3. Membership Function of "Packet Loss Ratio"

Figure 4. Membership Function of "SNIR"



Figure 5. Membership Function of "Total Busy Time"

Figure 6. Membership Function of "DDoS Attack detection Status"



Figure 7. Membership Function of "End to End Delay"

Figure 8. Membership Function of "Packet Delivery Ratio"



Figure 9. Membership Function of "Throughput"

Figure 10. Membership Function of "Sybil Attack detection Status"



Figure 11. "Fuzzy ruler view of DDoS attack Status for High condition"

Figure 12. "Fuzzy ruler view of DDoS attack Status for Medium condition"

Figure 13. "Fuzzy ruler view of DDoS attack Status for Low condition"

Figure 14. "Fuzzy ruler view of Sybil attack Status for High condition"

Figure 15. "Fuzzy ruler view of Sybil attack Status for Medium condition"

Figure 16. "Fuzzy ruler view of Sybil attack Status for Low condition"

To check the correctness of the proposed fuzzy rules for the DDoS attack detection status, fuzzy ruler views are depicted in Figs. 11, 12 and 13 for the high, medium and low conditions of DDoS attack detection respectively. Similarly, to check the correctness of the proposed fuzzy rules for the Sybil attack status, fuzzy ruler views are depicted in Figs. 14, 15 and 16 for the high, medium and low conditions of Sybil attack detection respectively.

5. Result and Discussions


First we created a VANET scenario with vehicle nodes, road side units and attackers in the OMNET++ environment, and the simulation is run for a particular time with a fixed number of vehicle nodes, road side units and attackers. Vehicle mobility is implemented in OMNET++ via SUMO and VEINS. After simulation in OMNET++, various VANET performance parameters are collected and a database is created.

Fig. 17 depicts the simulation scenario in the OMNET++ environment assuming a fixed number of vehicle nodes, attacker nodes and RSUs. A zoomed version of the VANET scenario is depicted in Fig. 18.

Figure 17. Simulation Scenario using OMNET++ Software



Figure 18. Simulation Scenario using OMNET++ Software (zoomed version)

The number of vehicles is fixed in the simulation environment. In this work, the number of attacker nodes and road side units is varied to check the level of the DDoS attack detection status. In this section, DDoS attack detection is discussed first, and a VANET simulation environment is created for it. During VANET simulation using OMNET++, a database is created. The database contains the following parameters, described below, for the DDoS attack detection status using OMNET++ software.

• RXTX Lost Packets: A packet is not received because packet is sent while receiving.
• SNIR Lost Packets: A packet is not received due to bit error.
• Dropped Packet: Packet is dropped at the medium access control (MAC) layer.
• SlotBackOff: Going into back-off because channel is busy when new packet arrives from
upper layer.
• Time Into BackOff: Number of times the slot BackOff happens.
• Total Busy Time: Indicates the total time the wireless channel remains busy.
• Total Lost Packets: It is the addition of SNIR Lost Packets and TXRX Lost Packets.
• Busy Time: Duration of time the application layer remains busy.
• Total Time: Total time the simulation environment is run using OMNET++.

The following assumptions are made during VANET simulation for creating a database for the
DDoS attack detection.

1. Constant simulation time for all scenarios (380 s, step resolution 1 ps).
2. In all cases, we consider the same number of vehicle nodes (126 nodes).
3. All simulation values are the same, so we create different scenarios for our analysis and for choosing the actual parameters that affect the attack most.
4. We observed that the level of significance (Pearson value) obtained in Fig. 19 is less than 0.05 for a few parameters, which indicates that the null hypothesis is rejected.
5. We set a few parameters constant during the simulation, as listed below:
   • Bit rate = 6 Mbps
   • Minimum Power Level = -89 dBm
   • Transmitter power = 20 mW
   • Header Length = 80 bit (created in the Application Layer)

In this work, we have chosen the medium access control (MAC) layer parameters for the correlation analysis. DoS attacks at the MAC layer could significantly affect the network throughput and data packet collision rate. The database is created with multiple parameters that affect the DDoS attack. We have chosen a few of the parameters from the database for the estimation and detection of attacks if there is no hypothetical null in the parameters. For selecting DDoS attack parameters from the database, the correlation matrix is applied on the data set to check the hypothetical null of various parameters. Furthermore, experiments are carried out to check the most significant parameters affecting the DDoS attack. Using various parameters of the database, we have plotted the scatter graph. From the graph, the most significant parameters are considered to detect the DDoS attack. To verify the parameters that most affect the DDoS attack, experiments are carried out considering 4, 6, 8 and 10 attackers. The scatter plot and correlation matrix shown in Figs. 19 and 20 depict the significant DDoS attack parameters, which are considered for evaluation of the DDoS attack in the VANET. In this paper, we have simulated and shown five scenarios using the OMNET++ environment, listed below.

1. Normal situation without any DDoS attackers in VANET.
2. Presence of four DDoS attacker nodes in VANET.
3. Presence of six DDoS attacker nodes in VANET.
4. Presence of eight DDoS attacker nodes in VANET.
5. Presence of ten DDoS attacker nodes in VANET.

In all the cases a total of 126 vehicle nodes is assumed. Two scenarios are created in the simulation, with one RSU node and with two RSU nodes. We have obtained the level of significance (Pearson value) for four, six, eight and ten attackers during the simulation, one of which is shown in the scatter plot of Fig. 19. Fig. 19 depicts the scatter plot for four attackers. It is observed from Fig. 19 that the Pearson value of parameters such as receive broadcast, RxTx lost packets, total busy time, total lost packets, SNIR lost packets, and average channel busy time is less than 0.05 and hence the null hypothesis is rejected. This implies that the correlation matrix for these parameters is not an identity matrix, and the variables are correlated. Hence, these parameters can be used for detection of the DDoS attack. It is also observed from Fig. 19 that the Pearson value of parameters such as busy time, slot back off and time into back off is more than 0.05, which indicates that these parameters are not correlated; hence these parameters can never be utilized for detection of the DDoS attack and are discarded. Furthermore, the simulation is repeated in the VANET environment using OMNET++ for choosing the correlated parameters that most affect the DDoS attack in the presence of various numbers of attackers. Parameters such as received broadcast, receive-transmit lost packets, total busy time, busy time, total lost packets, slot back off, SNIR lost packets, time into back off, and channel busy time average are generated under the normal scenario without any attackers and also in the presence of different numbers of DDoS attackers, as depicted in the correlation matrix shown in Fig. 20. It is observed that SNIR lost packets and total busy time vary significantly for 4, 6, 8 and 10 DDoS attackers, and the correlation of the parameters is close to one. It is known that the parameters are highly correlated if the values of the correlation parameters are close to one [18]. Therefore, these two parameters along with packet delivery ratio are considered for attack detection in this work. Other performance parameters are less than 0.9 for various attackers and hence discarded. Packet loss ratio (PLR) is defined below.
$$\mathrm{PLR} = \frac{a}{a + c} \tag{1}$$

Where, $a$ represents total number of packets lost sent by a vehicular node, number of packets
sent by a vehicular node is represented by $c$. $a$ is defined below.

$$a = m + n \tag{2}$$

Where, $m$ represents total number of packets lost during transmission and reception, and $n$
represents number of packets lost because of noise and interference.

Figure 19. Scatter Plot & Pearson Value for 4 Attackers



Figure 20. Correlation matrix while keeping receive broadcast constant

Figs. 21, 22 and 23 depict the plots generated during the VANET simulation under the normal
condition and under the 4, 6, 8 and 10 DDoS attacker conditions, to observe the effect of the attack
on SNIR lost packets, total busy time and packet loss ratio, respectively, for various nodes. In this
work, nodes represent vehicles in the VANET. It is observed from the database that total busy time
and SNIR lost packets increase with an increasing number of attackers. Both parameters are affected
by the number of attacks. However, for 6 and 8 attackers only a slight change is observed in total
busy time and SNIR lost packets. Packet delivery ratio has less impact on the DDoS attack, as is
observed from Fig. 23. Therefore, while making fuzzy rules for FLC-1, more emphasis is given to
'total busy time' and 'SNIR lost packets' than to 'packet loss ratio' for detection of the DDoS attack.

Figure 21. SNIR Lost Packets under 4,6,8,10 DDoS Attackers

Figure 22. Total Busy Time under 4,6,8,10 DDoS Attackers

Figure 23. Packet Loss Ratio under 4,6,8,10 DDoS Attackers

Assumptions for Sybil attack are mentioned below.

1. Parameters such as end to end delay, throughput and packet delivery ratio are extracted
from an existing database [20].
2. The number of attacker nodes is kept fixed for every simulation.
3. The input variables to FLC-2, shown in Fig. 1, are end to end delay, throughput and packet
delivery ratio.
4. In the proposed model to detect the Sybil attack, the trustworthiness of vehicles is also taken
into consideration.
5. The output of FLC-2 and the trustworthiness of vehicles decide the Sybil attack status in the
VANET.
6. The VANET environment is kept identical for both the attack scenarios.
7. The trustworthiness value of vehicles is based on validation of three parameters: certificate
based evaluation, reputation score evaluation, and distributed trust evaluation.
8. The trust value is assumed to be '1' and the distrust value is assumed to be '0' while making
the trustworthiness evaluation of the VANET.
9. If the trustworthiness or trust value is low, then the attack status is assumed to be high
irrespective of the FLC-2 output.
10. The combination of the trustworthiness of vehicles and FLC-2, which is based on performance
parameters, decides the Sybil attack status of the VANET.

Vehicle trust evaluation procedures are described below.

5.1. Vehicle Trust Evaluation Methods


5.1.1. Certificate based Evaluation[21]
Certificate based evaluation checks whether the vehicle is certified or not. It also checks whether
anyone else tries to use other invalid certificates. If a vehicle is not certified or the certificate is a
duplicate, then a 'distrust' value of '0' is forwarded to the RSU by an authorized vehicle in the VANET.

5.1.2. Reputation Score Based evaluation[21]


In reputation score based evaluation, the reputation score is updated according to the vehicle's
behaviour in the network. If the reputation score is less than the threshold value of 0.5,
then a 'distrust' value of '0' is forwarded to the next phase for evaluation.

5.1.3. Distributed Trust Evaluation[21]


In distributed trust evaluation, every vehicle of the VANET has a list of trusted
vehicles. If the vehicle is not a trusted vehicle, or the public key and private key of the signed
message do not match, then a 'distrust' value of '0' is forwarded to the RSU.
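
The trust gate described by assumptions 8 to 10 and by the three evaluation methods of Section 5.1 can be sketched as follows. This is an added example, not the authors' code: the `Claim` fields, the rule that a single failed check gives distrust, the treatment of a certificate shared by several identities as a duplicate, the 'low'/'medium'/'high' FLC-2 levels and all sample data are assumptions made here.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

REPUTATION_THRESHOLD = 0.5  # threshold stated in Section 5.1.2
TRUST, DISTRUST = 1, 0      # trust/distrust values from the assumptions list

@dataclass(frozen=True)
class Claim:
    """One identity announced to the RSU (hypothetical field names)."""
    vehicle_id: str
    cert_serial: Optional[str]  # None means no certificate was presented
    reputation: float           # reputation score, assumed to lie in [0, 1]
    signature_ok: bool          # signed message verified against the public key

def certificate_trust(claim, issued_serials, serial_use):
    # 5.1.1: distrust if uncertified or if several identities share the certificate.
    if claim.cert_serial not in issued_serials:
        return DISTRUST
    return DISTRUST if serial_use[claim.cert_serial] > 1 else TRUST

def reputation_trust(claim):
    # 5.1.2: a score below the threshold yields distrust.
    return DISTRUST if claim.reputation < REPUTATION_THRESHOLD else TRUST

def distributed_trust(claim, trusted_ids):
    # 5.1.3: distrust if not on the trusted list or the signature check fails.
    ok = claim.vehicle_id in trusted_ids and claim.signature_ok
    return TRUST if ok else DISTRUST

def sybil_status(claims, issued_serials, trusted_ids, flc2_output):
    """Map vehicle_id -> attack status; flc2_output holds assumed FLC-2 levels."""
    serial_use = Counter(c.cert_serial for c in claims if c.cert_serial)
    status = {}
    for c in claims:
        # Assumed combination: one failed check is enough for distrust.
        trust = min(certificate_trust(c, issued_serials, serial_use),
                    reputation_trust(c), distributed_trust(c, trusted_ids))
        # Low trust forces "high", irrespective of the FLC-2 output.
        status[c.vehicle_id] = "high" if trust == DISTRUST else flc2_output[c.vehicle_id]
    return status

# Constructed sample data: V3 and V4 present the same certificate serial.
CLAIMS = [
    Claim("V1", "A100", 0.9, True),
    Claim("V2", "A101", 0.3, True),   # low reputation
    Claim("V3", "A102", 0.8, True),
    Claim("V4", "A102", 0.8, True),   # reuses V3's certificate
    Claim("V5", None, 0.7, True),     # no certificate
]
ISSUED = {"A100", "A101", "A102"}
TRUSTED = {"V1", "V2", "V3", "V4", "V5"}
FLC2 = {"V1": "low", "V2": "low", "V3": "low", "V4": "medium", "V5": "low"}
print(sybil_status(CLAIMS, ISSUED, TRUSTED, FLC2))
```

Only V1 keeps its FLC-2 level; every other identity is raised to "high" by a failed trust check even though FLC-2 rated it "low" or "medium".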

Figures 24, 25 and 26 depict end to end delay, packet delivery ratio and throughput respectively
for different vehicular nodes under normal and Sybil attack scenarios. As is obvious, it is observed
that delay, packet delivery ratio and throughput get reduced in the presence of Sybil attackers.

Figure 24. End to End Delay for Sybil Attacks [20]

Figure 25. Packet Delivery Ratio for Sybil Attacks [20]

Figure 26. Throughput for Sybil Attacks [20]

Fig. 24 is a comparison plot of end to end delay for various numbers of vehicular nodes with
Sybil attack. It is observed that delay is more when the attack occurs. Moreover, Sybil attacks can
increase the end-to-end delay, as the Sybil nodes may introduce longer routes and additional hops,
leading to increased packet delivery time.
Fig. 25 is a comparison plot of packet delivery ratio for various numbers of vehicular nodes with
Sybil attack. It is observed that packet delivery ratio (PDR) is reduced when the attack occurs. In
general, a Sybil attack can reduce the PDR and throughput of a VANET system because the Sybil
nodes may not forward packets correctly, leading to packet loss and decreased efficiency of the
network. PDR is defined below.
$$\mathrm{PDR} = \frac{x}{y} \tag{3}$$

$$y = s + r \tag{4}$$

Where, $x$ represents number of packets sent by a vehicular node. Number of packets received by a
vehicular node is represented by $y$. $s$ denotes received broadcast packet, and $r$ denotes received
unicast packets.
Fig. 26 is a comparison plot of throughput for various numbers of vehicular nodes
with Sybil attack. It is observed that throughput is reduced when the attack occurs.
In all the plots, the number of nodes represents the number of vehicles active in the VANET. In all
the cases, the number of vehicles varies from 10 to 50 in the VANET. The impact of the Sybil attack
on PDR, throughput, and end-to-end delay may vary depending on the location, the number of Sybil
nodes, the communication range, the routing protocol, and the detection and prevention mechanisms
in place to mitigate the attack. As the number of nodes in the Sybil attack increases, the PDR
decreases, the throughput also reduces from its normal value, and the end to end (E2E) delay
increases with the number of nodes. Further performance analysis is done: accuracy of detection,
margin of error of attack detection for 95% of the confidence interval, precision, sensitivity and
recall are estimated and compared with the existing work [22].

Figure 27. Performance comparison of DDoS Attack Detection

In this paper, the linear regression technique is adopted to create a confusion matrix on 453 data
sets for the DDoS attack and 500 data sets for the Sybil attack. 80% of the data set is used for training
and 20% of the data set is used for testing for both the attacks. Fig. 27 depicts the comparison of
performance metrics of DDoS attack detection with the existing work. It is observed that the
proposed model yields better accuracy, recall and sensitivity than the other existing techniques
such as support vector machine (SVM), K-nearest neighbor (KNN), decision tree (DT), artificial
neural network (ANN), and KSVM in the case of the DDoS attack [22].
For the Sybil attack also, accuracy, recall, sensitivity and precision are estimated and shown in
Fig. 28. It is observed that the proposed model also works well for the Sybil attack, with 94.05% accuracy.

Figure 28. Performance comparison of Sybil Attack Detection

Fig. 29 depicts the comparison of detection rate with different existing techniques such as
Adaptive Black Widow Optimization (ABWO) with RSA, Greywolf Optimization Algorithm (GWO) and
Cuckoo Search Optimization (CSO) [23]. It is observed that the proposed model exhibits a better
detection rate compared to the existing techniques.

Figure 29. Comparison of Detection rate for both the DDoS and Sybil Attack

Attack detection accuracy can also be estimated from the margin of error. For the DDoS and Sybil
attacks respectively, the mean error is found to be 0.00793 and 0.010832, the standard deviation is
found to be 0.110228 and 0.111310, and the margin of error is found to be 0.0229562 and 0.021974
for 95% of the confidence interval.

6. Conclusion
In this work, we have developed a novel model that uses fuzzy logic controllers for detecting
the DDoS and Sybil attacks in VANET. The performance of DDoS and Sybil attack detection is
evaluated through different performance parameters such as accuracy, recall and sensitivity, using
the linear regression technique and considering 453 data sets for the DDoS attack and 500 data sets
for the Sybil attack. It is found that the proposed model detects both the DDoS and the Sybil attacks,
and its performance parameters are better than those of the other existing techniques such as support
vector machine (SVM), K-nearest neighbor (KNN), decision tree (DT), artificial neural network (ANN),
and KSVM. The margin of error is also found to be 0.0229562 and 0.021974 for the DDoS and Sybil
attack respectively for 95% of the confidence interval. The detection rate of the proposed model also
exhibits better results compared to a few existing algorithms such as Adaptive Black Widow
Optimization (ABWO) with RSA, Greywolf Optimization Algorithm (GWO) and Cuckoo Search
Optimization (CSO).

Funding:
No funding is received for the proposed research work and submitted paper.
Conflict of Interests:
Authors have no conflict of interests.
Availability of data and material:
Data is available and will be submitted when required. Data for the DDoS attack is generated through
OMNET++ software. The Sybil attack database is taken from the existing literature. All the materials
related to the paper are available.
Code availability:
Codes are available and will be shared when required.
Authors’ contributions:
All the authors have contributed equally to generating the codes. The manuscript is written by the
corresponding author. Figures and Tables are drawn by the other authors.

References
[1] M. Sachdeva, G. Singh, K. Kumar, and K. Singh, “Ddos incidents and their impact: A review.”
Int. Arab J. Inf. Technol., vol. 7, no. 1, pp. 14–20, 2010.
[2] R. Van Der Heijden, “Security architectures in v2v and v2i communication,” in Proc. 20th
Student Conf. IT, 2010, pp. 1–10.
[3] M. N. Mejri, J. Ben-Othman, and M. Hamdi, “Survey on vanet security challenges and possible
cryptographic solutions,” Vehicular Communications, vol. 1, no. 2, pp. 53–66, 2014.
[4] V. H. La and A. R. Cavalli, “Security attacks and solutions in vehicular ad hoc networks: a
survey,” International journal on AdHoc networking systems (IJANS), vol. 4, no. 2, pp. 1–20,
2014.
[5] G. Samara, W. A. Al-Salihy, and R. Sures, “Security analysis of vehicular ad hoc nerworks
(vanet),” in 2010 second international conference on network applications, protocols and
services. IEEE, 2010, pp. 55–60.
[6] Z. Xia, S. Lu, J. Li, and J. Tang, “Enhancing ddos flood attack detection via intelligent fuzzy
logic,” Informatica, vol. 34, no. 4, 2010.
[7] P. B. Pajila, E. G. Julie, and Y. H. Robinson, “Fbdr-fuzzy based ddos attack detection and
recovery mechanism for wireless sensor networks,” Wireless Personal Communications, pp.
1–31, 2022.
[8] A. Haydari and Y. Yilmaz, “Real-time detection and mitigation of ddos attacks in intelligent
transportation systems,” in 2018 21st International Conference on Intelligent Transportation
Systems (ITSC). IEEE, 2018, pp. 157–163.
[9] S. Shamshirband, A. Patel, N. B. Anuar, M. L. M. Kiah, and A. Abraham, “Cooperative game
theoretic approach using fuzzy q-learning for detecting and preventing intrusions in wireless
sensor networks,” Engineering Applications of Artificial Intelligence, vol. 32, pp. 228–241,
2014.
[10] I. M. Tas, B. G. Unsalver, and S. Baktir, “A novel sip based distributed reflection
denial-of-service attack and an effective defense mechanism,” IEEE access, vol. 8, pp. 112 574–112 584,
2020.
[11] P. Shah and T. Kasbe, “Detecting sybil attack, black hole attack and dos attack in vanet using
rsa algorithm,” in 2021 Emerging Trends in Industry 4.0 (ETI 4.0). IEEE, 2021, pp. 1–7.
[12] A. Singh and P. Sharma, “A novel mechanism for detecting dos attack in vanet using enhanced
attacked packet detection algorithm (eapda),” in 2015 2nd international conference on recent
advances in engineering & computational sciences (RAECS). IEEE, 2015, pp. 1–5.
[13] G. Guette and B. Ducourthial, “On the sybil attack detection in vanet,” in 2007 IEEE
international conference on Mobile Adhoc and sensor systems. IEEE, 2007, pp. 1–6.
[14] M. Maleknasab Ardakani, M. A. Tabarzad, and M. A. Shayegan, “Detecting sybil attacks
in vehicular ad hoc networks using fuzzy logic and arithmetic optimization algorithm,” The
Journal of Supercomputing, vol. 78, no. 14, pp. 16 303–16 335, 2022.
[15] C. Iwendi, M. Uddin, J. A. Ansere, P. Nkurunziza, J. H. Anajemba, and A. K. Bashir, “On
detection of sybil attack in large-scale vanets using spider-monkey technique,” IEEE Access,
vol. 6, pp. 47 258–47 267, 2018.
[16] G. D. Putra and S. Sulistyo, “Trust based approach in adjacent vehicles to mitigate sybil
attacks in vanet,” in Proceedings of the 2017 International Conference on Software and
e-Business, 2017, pp. 117–122.
[17] J. Grover, M. S. Gaur, V. Laxmi, and N. K. Prajapati, “A sybil attack detection approach
using neighboring vehicles in vanet,” in Proceedings of the 4th international conference on
Security of information and networks, 2011, pp. 151–158.
[18] B. A. Bensaber, C. G. P. Diaz, and Y. Lahrouni, “Design and modeling an adaptive
neuro-fuzzy inference system (anfis) for the prediction of a security index in vanet,” Journal of
Computational Science, vol. 47, p. 101234, 2020.
[19] U. Bhanja, “An attack resistance model for trustworthiness evaluation in vanet,” in 2020 IEEE
17th India Council International Conference (INDICON), 2020, pp. 1–7.
[20] S. T. Getaneh, “Enhanced security mechanism to detect sybil attacks in vanets,” Ph.D.
dissertation, Doctoral dissertation, 2019.

[21] J. Grover, M. S. Gaur, and V. Laxmi, “Trust establishment techniques in vanet,” Wireless
Networks and Security: Issues, Challenges and Research Trends, pp. 273–301, 2013.
[22] N. Kadam and R. S. Krovi, “Machine learning approach of hybrid ksvn algorithm to detect
ddos attack in vanet,” International Journal of Advanced Computer Science and Applications,
vol. 12, no. 7, 2021.
[23] Y. S. Devi and M. Roopa, “An adaptive bwo algorithm with rsa for anomaly detection in
vanets.”
