IET Information Security

Research Article

Securing solar energy-harvesting road-side ISSN 1751-8709

Received on 11th September 2014
Revised 11th November 2015
unit using an embedded cooperative-hybrid Accepted on 22nd November 2015
doi: 10.1049/iet-ifs.2014.0456
intrusion detection system www.ietdl.org

Qutaiba Ibrahim Ali1

1Computer Engineering Department, Mosul University, Mosul, Iraq
E-mail: qut1974@gmail.com

Abstract: This study deals with the design and implementation of an Embedded Cooperative-Hybrid Intrusion Detection System
(ECHIDS) for a solar energy harvested Road Side Unit(RSU). In order to offer a high level of defense against the various
attacks and to cope against the limited processing and energy resources of RSU, we suggest a cooperative IDS approach. In
this approach, the RSUs do not depend only on their local view to make conclusions about the security status of their network,
but also cooperate with their VANET server by exchanging security reports to create a more global and precise idea about the
security situation of the whole network, the possible attacks and their origins. The other main contribution in this paper is the
attempt to insert a Hybrid Intrusion Detection System functionality (combines all the three IDS techniques :signature based IDS,
anomaly based IDS and behavioral based IDS) into the RSU itself. Each one of these IDSs has its own resistance strategy
against certain classes of attacks which enhances RSUs’ immunity. The suggested IDS was prototyped using an experimental
model based on the Ubicom IP2022 network processor development kit and different practical tests were performed to evaluate
the effectiveness of the suggested solutions.

1 Introduction
Many research works suggest that there is an actual need for a
VANET infrastructure, which consists of various types of fixed
nodes performing different actions according to VANET
applications demands. An important class of these nodes are road-
side units (RSUs) [1, 2]. Due to power supply requirements, it was
recommended to localise RSUs nearer to wired electricity sources,
such as traffic lights [1, 2]. However, such placement limits the
area covered by the RSUs and thus their services. To overcome this
restriction, it is required to establish self-powered RSUs. In our
previous work [3], we suggest that an RSU can harvest the energy
needed for its work from the surrounding environment, especially
solar energy. Such a suggestion permits to install RSUs in any
place without considering the power supply availability and hence,
extensive area can be covered by the VANET infrastructure. We
also suggest that these RSUs would create an ad hoc network in
order to assist each other to deliver data packets to their
destinations, that is why an ad hoc infrastructure is needed. Each
RSU is responsible for providing different VANET services to the
vehicles in a certain area of the city, ranging from traffic safety and
road monitoring services to Internet access & entertainment
services. RSUs, as a part of the VANET infrastructure, receive
different packets from vehicles (vehicle status or Internet access
request), then forward them to the VANET server via the ad hoc
network. As a member in the ad hoc network, an RSU also behaves
as a router which delivers other RSUs traffic to their destinations;
see Fig. 1.
To implement a functional and efficient solar energy powered
RSU, the embedded UBICOM IP2022 platform was chosen to
implement the proposed RSU. The heart of the harvesting module
is the harvesting circuit, which draws power from the solar panels
(4-4.0-100 solar panels from Solar World Inc.), handles energy
storage (2800 mAh, AA battery pairs), and routes the power to the
intended system; see Fig. 1. A DC–DC converter is used to provide
a constant supply voltage to the embedded system and we used
Texas Instruments TPS63000 low-power boost–buck DC–DC
converter to achieve this goal [3].
From the above discussion, it is clear that the RSU plays a
major role in the proposed green VANET infrastructure and hence,
the security of this device must be a priority [4, 5]. The RSUs are
subjected to a plethora of network traffic conditions and security
IET Inf. Secur.
© The Institution of Engineering and Technology 2016
attacks, which can seriously affect their integrity, performance and
power consumption and hence their availability. So our efforts in
this paper focus on the definition of a multitude of security
methods to protect the RSUs (in particular) and the VANET (in
general) against these threats.
2 Literature review
This section presents a survey on the existing research works on
the intrusion detection system (IDS) functionality in an ad hoc
wireless networks which had spanned and covered a wide research
area. Since the nature of the ad hoc networks is distributed and
requires the cooperation of other nodes, many previous works [6–
13] have proposed that the intrusion detection in such networks
should also be both distributed and cooperative. Every node
contributes in the intrusion detection and response by having an
IDS agent running on them. An IDS agent is in charge of
distinguishing and gathering the local events and data to identify
the probable intrusions, as well as initiating a reply separately.
However, the neighbouring IDS agents cooperatively partake in the
global intrusion detection actions when the evidence is uncertain.
On the other hand, some papers [14, 15] suggest enhancing the
ability of an IDS to detect the various types of attacks, under
different conditions, by modifying its internal architecture.
Through combining more than one type of IDS strategies, which is
so widely called the hybrid IDS (HIDS), intrusions detection task
would be more efficient and precious. Many papers dealt with the
building of different IDS approaches against specific types of ad
hoc networks attacks [16–24]. These behavioural-based IDSs, try
to identify the activities of certain types of attacks by comparing
their behaviour against previously defined models (an in depth
comparison among the different IDS methods can be seen in
Table 1). Finally, some research works focus on employing the
reputation and trustfully based verification methods in order to
categorise the different nodes in the VANET [25–28].
Although the majority of the mentioned references give various
IDS solutions for the ad hoc networking environment, they do not
take into consideration the realisation issues of their thoughts on
real platforms, especially embedded systems. Even though, our
previous works in [29, 30] study the implementation challenges of
inserting an IDS functionality into an embedded platform, the
1
Fig. 1 Suggested solar energy-harvested RSU
contribution was limited to a cooperative IDS energised by the
traditional wire power resources. Our efforts in this paper focus on
answering some questions regarding the implementation of a
cooperative HIDS into a renewable energy-dependent embedded
system, questions such as:
i. Is it possible to implement such a sophisticated system into a
resources limited platform?
ii. What do we need to ensure the successful combination of the
different security methods, algorithms and techniques with
solar energy powered system?
iii. What are the assessment of the whole system in terms of its
network performance, practicability, power consumption and
immunity against the different threats?
3 Threats model
In this paper, we are concentrating on the attacks perpetrated
against the RSU itself rather than the VANET infrastructure or its
users and applications. As shown in Fig. 2, the security threats
against an RSU can take different forms and may originate from
different sources. These sources can be an insider attackers (attacks
(1) & (2) in Fig. 2) which are either a ‘VANET user’ (e.g. the
vehicles) or a forged RSU. In other words, the insider attacker is an
authentic user of the network who has some knowledge of the
network and makes use of it for understanding the design and
configuration of the RSUs and the whole network. On the other
hand, the outsider attackers (attack (3) in Fig. 2) make use of the
VANETs’ Internet connection to launch their attacks from a remote
location outside the VANET coverage area [19].
On the other side, when investigating the possible types of
attacks, the RSUs are susceptible to a variety of attacks differ in
their nature, goals and catastrophic effects [20]. We have made a
survey on the possible attacks against the RSUs, according to their
origins, as abstracted in Table 2.
2 IET Inf. Secur.
4 Embedded cooperative-hybrid intrusion
detection system (ECHIDS)
Service availability is an important security issue which means that
an authorised access of the data and other VANET resources is
made ready when requested or demanded. This feature could be
obtained by protecting the system against the different types of
attacks using an IDS. To offer a high level of defence against the
various attacks and to cope against the limited processing and
energy resources in the RSU, we suggest a cooperative IDS
approach. In this approach, the RSUs do not depend only on their
local view to make conclusions about the security status of their
network, but also cooperate with their VANET server by
exchanging security reports to create a more global and accurate
idea about the security situation of the whole network, the possible
attacks and their origins (the term ‘VANET server’ used in this
paper, stands for the control centre of a VANET cluster. It was
assumed that it consists of powerful, cooperative, reliable and
secured servers in order to undertake the different VANET services
and to serve its associated clients. It was also assumed that this
centre was armed with the different strategies to avoid becoming a
single point of failure). The implementation of the suggested
cooperative IDS is shown in Fig. 3a. In such systems, the RSUs
play the role of an IDS sensor, they generate ‘periodically’ their
security status reports, and then forward them to the VANET
server. These reports contain the necessary data about the number,
types and sources of attacks against this RSU at that time. On
receiving these reports, the VANET server accumulates them, and
then performs the necessary processing to obtain the final report
about the security status of this part of the network. Also, the
VANET server suggests the necessary IDS reactions to accomplish
against these attacks and declares them to the RSUs and to the
VANET administrator.
IDSs must be able to distinguish between the normal and the
abnormal activities in order to discover the malicious attempts in
© The Institution of Engineering and Technology 2016
Fig. 2 Threat model against an RSU

real time. There are three main techniques that an IDS can use to
classify the actions; a signature-based IDS, an anomaly based IDSs
and a behavioural-based IDS [19]. One of the main contributions in
this paper is the attempt to insert an HIDS functionality (combines
all the three techniques together) into the RSU itself; see Fig. 3b.
Each one of these IDSs has its own defence strategy against certain
classes of attacks. For example, the signature-based IDS is the best
solution against the well-known Internet attacks, while the anomaly
based is very effective against the denial of service (DoS) attacks
and finally the behavioural-based IDS is used to defend against the
VANET-specific attacks [21, 22]. As shown in Fig. 3b, the input
traffic to the HIDS is firstly sampled and processed (in the data-
processing unit) in order to extract its main features, such as the
average data rate, the maximum data rate and the maximum burst
size and many others. This input traffic is then converted into a
more proper format to be processed by the three different IDSs.
The final decision of the suggested that HIDS is taken based on the
sub-decisions made by the three IDSs. This decision includes the

Table 1 Comparison of different IDS implementations

IDS Name IDS Type Application Power Implementation Summary of IDS Features
Field Source Platform
Watchdog and Cooperative MANET Traditional Computer Simulation The Watchdog consists to monitor the behavior of all nodes, if
Pathrater [16] a malicious node is detected, then a report is sent to the
source node to update its routing table to exclude the
misbehaved node.
CONFIDANT [6] Cooperative MANET Traditional Computer Simulation This IDS is an extension to the DSR routing protocol using a
reputation based mechanism similar to the Watchdog and
Pathrater mechanisms.
Zhang et Lee IDS Cooperative MANET Traditional Computer Simulation This is a cooperative distributed architecture where each node
[7] is responsible for detecting signs of intrusion locally.
CORE [8] Cooperative MANET Traditional Computer Simulation The CORE mechanism offers a solution to counter the selfish
behavior of the nodes. The proposed solution is to offer an
incentives to any node wishing to participate in the
collaborative processes.
ZBIDS [9] Cooperative MANET Traditional Computer Simulation This system splits the network into in to nine non-overlapping
zones (zone A to zone I). The collaborative detection module
works on the ZBIDS agents and uses an aggregation algorithm
on the gateway nodes.
H-Snort [14] Hybrid General Traditional Software This IDS is an extension to the Snort IDS by adding a new pre-
Implementation processor. The results denote the importance of training the
system during a long time to reduce the number of false
alarms.
H – IDS [15] Hybrid General Traditional Software The hybrid IDS is obtained by combining a packet header
Implementation anomaly detection (PHAD) and a network traffic anomaly
detection (NETAD) which are anomaly-based IDSs with the
misuse-based IDS Snort which is an open-source project.
WIDS [29] Cooperative Wireless Traditional Embedded Ubicom This cooperative wireless IDS was designed and implemented
Networks, Network Processor on an embedded Ubicom network processor platform. The
MANET proposed WIDS could be placed in different locations and can
be integrated with different wireless devices because of its
small size and low cost.
WSN Gateway Cooperative WSN Traditional Embedded Ubicom This is an implementation of distributed wireless sensor
IDS [30] Network Processor network gateways armed with an Intrusion Detection System
(UBICOM IP2022 network processor chip). The current design
takes these constrains into consideration as a priority and uses
a special protocol to achieve this goal.

IET Inf. Secur. 3

© The Institution of Engineering and Technology 2016
generation of the security reports of this particular RSU
recommending the blocking actions against the malicious nodes
and modifying the routing tables of this RSU in order to avoid
insecure routes; see Table 3. The details of each one of these IDSs
are listed below:
4.1 Signature-based IDS
In the signature-based IDSs, the observed behaviour is compared
with the known attack patterns (signatures). Action patterns that
may pose a security threat must be defined and stored in the
system. Then, the signature-based detection system tries to
recognise any suspicious behaviour according to these patterns. It
is already concluded from the previous researches in the ad hoc
networks that severe memory constraints make IDSs that need to
store attack signatures relatively difficult to be built and less likely
to be effective [30]. To solve this problem, a signature-based IDS
was realised by assembling a light weight and signature-based IDS,
based on the famous open-source SNORT IDS. SNORT is an open-
source network IDS capable of performing a real-time traffic
analysis and packet logging on the Internet protocol (IP) networks
[30]. SNORT can perform a protocol analysis and a content
searching/matching, and can be used to detect a variety of attacks
and probes [29]. SNORT uses a simple and lightweight rules
description language that is flexible and quite powerful. SNORT
rules are divided into two sections: the rules header and the rules
options [29].
Regarding the RSUs, as they have restricted processing and
energy capabilities, adding additional tasks (such as IDS actions)
may influence dangerously on their performance, so that the
current design takes these constrains into the concern using the
following procedure:
i. The RSUs were loaded with particular rules set (not all rules)
which correspond to the most severe attacks at that occasion.
This decision is reached using the IDS sensors (i.e. the other
RSUs) scattered around the network. These IDS sensors
observe the network conditions (from a security point of view)
and prepare reports of the most frequent attacks at that time.
These reports are sent to the VANET server for more
processing. In its initial status, the complete library of the
SNORT rules was assumed to be partitioned into many groups
and each IDS–RSU was loaded with different sets of these
rules (i.e. distributing all the rules in the real environment).
When these RSUs start their work, the signature-based IDSs
Table 2 Survey of the possible RSU attacks
Attack Source Attack Type
Insider (Attack 1) Denial of service (DOS) Attack
Distributed Denial of service (DDOS) Attack
Sybil Attack
Administrator Impersonation Attack
Application Attack against RSU applications
Timing Attack
Monitoring Attack
Energy Exhaustive Attack
Insider (Attack 2) Denial of service (DOS) Attack
Distributed Denial of service (DDOS) Attack
Black hole attack
Worm hole attack
Application Attack
Timing Attack
Energy Exhaustive Attack
Outsider (Attack 3) Denial of service (DOS) Attack
Distributed Denial of service (DDOS) Attack
Administrator Impersonation Attack
Application Attack
Monitoring Attack
Energy Exhaustive Attack
4 IET Inf. Secur.
begin their sensing and reporting procedure which yields the
rule sets to be fine-tuned gradually according to the network
security status.
ii. The VANET server brings together the reports from the RSUs
and inspects them to allocate the most dangerous attacks at that
instance. Also, it has the classification and processing program
which is used to classify the SNORT rules to speed up the
searching process at the RSUs. After that, the server broadcasts
the processed rules set to all RSUs that exist in the network.
iii. To maintain the efficiency and the performance of the RSUs, a
new rule processing algorithm is recommended. The major
suggestion of the proposed algorithm can be achieved through
employing the preprocessing part of algorithm in the VANET
server and only the searching part of the algorithm is
implemented in the RSUs. Aho-Corasick (AC) algorithm [29]
is chosen in this paper to act as the classification and
processing algorithm (at the VANET server) which builds up a
state machine that encodes all the strings to be searched [30].
The preprocessing part will be sent as an update file from the
server to the RSUs. To assess the performance of the proposed
Ubicom-based IDS, numerous experiments were performed.
Investigational measurements of the searching algorithm of
each phase were performed as two steps. In the first one, the
results were argued by figuring out the required memory
storage derived from the number of the rules that can be stored
in the memory of an RSU; see Fig. 4. The second test involves
measuring the total response time of the proposed IDS when
processing packets having diverse classes of internet attacks;
see Table 4. It is clear that the recommended signature-based
IDS has a satisfactory performance (with respect to the nature
of an ad hoc network) and its rules set occupy a reasonable
space of the available storage memory.
4.2 Anomaly based IDS
This type of IDS focuses on the regular activities, rather than the
attacks behaviour. These systems describe what represents a
‘normal’ behaviour and then treat as intrusion attempts any
activities that diverge from this behaviour by a statistically
considerable amount. The intrusion detector learning task includes
building a predictive model (i.e. a classifier) capable of
distinguishing between the bad intrusions and the normal
connections. Recently, an increasing amount of research has been
conducted on applying the neural networks to detect the intrusions
[20], so that this approach was followed in this paper. As shown
earlier in Fig. 3b, the heart of our anomaly IDS is the prediction
algorithm which actually makes use of an artificial neural network
(ANN) predictor, a three-layer neural network predictor with a
learning rate of 0.25.
In this paper, the total network traffic (in bps) transmitted to/
received from an RSU was considered as the main attribute to
measure the normal system behaviour. The network traffic volume
was derived from an available road traffic statistics (by assuming a
certain network traffic to/from each vehicle [3]) which represents
an averaged number of vehicles passing this particular road (i.e. the
road traffic volume). The road traffic volume is resulting from the
interaction of many other factors such as: the vehicles movement,
the road availability, the drivers behaviour, the road traffic status,
the weather conditions and the users behaviour according to special
circumstances (such as a business day or holidays)[31]. Therefore,
we can see that we have already included many prediction factors
in our ANN training procedure when we dealt with the network
traffic volume. However, in an upcoming future work, these
prediction factors (in addition to others such as the ad hoc network
topology, the RSUs availability and the VANET traffic profiles)
will be taken into account to build a sub-ANN predictor for each
factor which will enhance the accuracy of the anomaly IDS and its
future estimation.
Three ANN-based predictors were built to estimate the network
traffic for different time periods: a week, a month and a year time
scale; see Table 5. However, only one of them could be
implemented at a time due to the memory constraints of the current
© The Institution of Engineering and Technology 2016
Fig. 3 Cooperative HIDS
(a) Cooperative IDS functionality, (b) HIDS architecture
platform. Due to the huge amount of data, a reduction of data is
compulsory and a set of sample values were hauled out and
averaged from the available data. The samples sets were divided
into a training sets and a test sets. The assessment of the model
performance can be done by the mean square error, calculated as
the difference between the forecasted and the actual values [31]. It
is noted that the average error values for the forecasting were
increased as the time scales increase because more variation is
IET Inf. Secur.
© The Institution of Engineering and Technology 2016
expected over a longer time period, due to the changed
environmental, seasonal and circumstantial conditions, which
affect on the road traffic behaviour. Also, the measured false-
positive and false-negative ratios (in which the predicted values are
more or less than the real values [31]) show that our system tends
to generate higher false-positive predictions. However, the error
values are considered satisfactory and fall within the acceptable
range of such systems [31].
5
 hence, constructing an additional defence line against the different
intrusion attempts.

4.3 Behavioral-based IDS

This type of IDS is also based on the divergence from the usual
behaviour in order to identify the attacks, but they are based on
manually defined conditions that explain what a proper operation is
and observe any behaviour with respect to these restrictions. This is
the technique we used in our approach. It is easier to be applied in
the VANETs, since the normal behaviour cannot easily be districted
by the machine learning and training techniques.
To explain the principles of our approach, we have built
Fig. 4 Ubicom IP 2022 memory usage vs. no. of IDS rules
behavioural-based IDS to detect two examples of VANET-specific
attacks: the black hole attack and the energy exhaustive attack.
To show the importance of this subsystem to detect the different
The black hole attack occurs when a compromised node drops a
patterns of an abnormal traffic, example rules were written to
packet that is bound for a particular destination. In this way, an
detect numerous types of DoS attacks and to assign the proper
attacker can selectively filter the traffic from a particular part of the
reaction procedures against them; see Fig. 5 and Table 6. It is clear
network. Other possible variations of the selective forwarding can
that our anomaly based IDS plays an important role in sensing the
involve dropping all the packets or randomly dropping the packets.
abnormal traffic patterns (as determined by the administrator) and
Although the random dropping is less disruptive, it can also be
much harder to be reliably detected and traced [20].
Table 3 Functionality of the response unit Detecting the black hole and selective forwarding attacks can be
a rule on the number of packets being dropped by an RSU (each of
Alert Alert type Decision(s) Destination(s) the RSUs will apply that rule for itself to produce an intrusion
source(s) alert). The adopted method here follows the ‘Watchdog’ approach
internal- Internet attack • drop the packet firewall [32], and it relies on setting a threshold on the rate at which the
IDS1 • update the packets are dropped (we called it recorded dropping rate), and
security status when this threshold is reached an alarm can be generated (the
report packets dropped at a lower rate were returned to other reasons such
internal- DoS attack • drop the packet firewall IDS3 as collisions or node collapse). In this context, with the aim of
IDS2 • update the applying this approach, we assume that for a link between two
security status RSUs, the watchdog nodes will be all the nodes that reside within
report the intersection of their radio range, including the source RSU.
• activate the Also, we assume that the RSUs are capable of simply observe the
power activities of their neighboured RSUs to see whether they forward
management correctly the packets they receive by listening promiscuously to
procedure their transmissions (promiscuously we mean that since the RSUs
internal- black hole • update the network layer are within the range of each other, they can overhear the other
IDS3 attack routing table nodes traffic). Therefore each RSU needs to keep the track of the
packets not being forwarded within a predetermined amount of
• update the
time we called analyser time slot, during which it creates statistics
security status
on the overheard packets (if the packet was not forwarded within a
report
certain amount of time, then the RSU retransmits it again with
external- new security • update the rules IDS1
limited number of retransmission attempts (three attempts in our
VANET report set model)). At the end of each time slot an alert may be generated
server ‘New_Rules
according to the threshold condition, which is sent by that RSU to
Set’
the server as a security report. When the next time slot is started,
external- new security • update the network layer the same process is repeated periodically, for all the RSUs; see
VANET report routing table IDS3 Fig. 6. The next design concern we need to resolve is who is going
server ‘Black_Hole to make the final conclusion that a node is certainly an impostor
Attack’ and the procedures should be taken. In this paper, we makes use of
IDS1–IDS2– security status prepare the security VANET server the cooperative decision-making approach, where the RSUs and
IDS3 status report their associated VANET server cooperate in order to decide
whether a definite RSU is launching a selective forwarding attack
and to take the suitable actions. For instance, if the security reports
Table 4 Tested IDS attacks received by the server inform that more than 50% of the
Attack type Signature Depth, Packet Total neighboured nodes to a certain RSU generate an alert against this
length, byte byte length, time, µs RSU, then it must be regarded as a compromised and should be
byte removed from the routing tables of the other RSUs; see Fig. 6.
1. DDOS – – 106 35.822 The energy exhaustive attack is a special type of DoS attack
based on sending a high traffic volume to an RSU to exhaustive its
2. DOS1 6 32 540 196
stored energy (in the case of battery-based RSUs) rather than
3. DOS2 14 14 790 113.03 jamming the communication medium. Our approach to defend
4. DOS3 – – 400 33.22 against this attack is to adopt a proper power management scheme.
5. RESPONCE 8 8 150 281.00 In this paper, we suggest that an RSU should follow Sleep/
6. EXPLOIT1 6 15 350 98.00 Active periods scheme and perform according to its available
7. EXPLOIT2 3 145 1200 5032.11 energy, specifically, the service rate of the RSU is determined as a
8. WEB-CLIENT 7 122 700 2096.2 function of the RSUs’ power budget. In this case, we need to
define a relation among duty cycling periods (sleep/active),
9. EXPLOIT3 8 92 1400 510.15
average service rate (ASR) and the available energy (AE). We first
10. WEB- 20 52 900 5607.01 start by defining these terms:
COLDFUSION

6 IET Inf. Secur.

© The Institution of Engineering and Technology 2016
 update their routing tables) for a predetermined amount of time
calculated according to AE. When active period starts, the RSU
wakes up and begins to process the packets stored in the WLAN
NIC; see Fig. 7.

5 Implementation issues of the suggested

ECHIDS
This section demonstrates important suggestions to ensure the
successful implementation of the proposed ECHIDS.

5.1 VANET clustering

As illustrated earlier, the suggested security solutions depend
mainly on the interaction between the VANET server and its
associated RSUs. However, the VANET server is prone to become
unavailable either due to a malfunction or to a transmission
medium DoS attack, in such a case the VANET services in general
and the IDS functionality in special are susceptible to be absence
for an unknown period of time. To deal with a such situation, we
suggest that the whole VANET infrastructure (which covers the
roads of a certain city) is divided into logical clusters, each one
consist of a VANET server connected to its associated RSUs [33,
34]; see Fig. 8a. Each cluster is responsible for providing the
VANET services to a certain area of the city.
Fig. 5 Example rule of anomaly IDS Prior to installing the RSUs in the different clusters, a
sophisticated planning procedure is needed [1]. The planning phase
• ASR is the averaged total traffic (in bps) transmitted from and includes two major steps: building a VANET infrastructure map for
received by an RSU. the whole city (i.e. the RSUs placement), then splitting this
• Duty cycling periods: In this paper, the operation time of an infrastructure into several logical VANET clusters. For the first
RSU is divided into slots of (1s) length. Hence, the duty cycle is step, in order to decrease the VANET infrastructure investments
the ratio of the active periods to the total slot time. associated with the transportation systems, the chosen deployment
• AE is the summation of the residual energy in the batteries from rule is of maximum significance when adding the infrastructure for
the last day plus the expected energy in the next day. the vehicular networks [2]. Prior to deploying the RSUs, the
authorities should make a preliminary study which includes
Our approach involves the steps shown in Fig. 7. As each time slot gathering a vital data to make a decision where and how to
is divided into active and sleep periods, an RSU enters the sleep organise the infrastructure nodes [1, 2]. The RSUs could be placed
period first (after notifying the neighboured RSUs in order to in a homogeneous way trying to maximise the coverage area, or
following a non-uniform deployment approach trying to reduce the
deployment cost [5]. According to the adopted deployment
Table 5 Ann predictor parameters strategy, the entire map of the VANET infrastructure for a certain
One Week One Month One Year city could be created. The VANET clustering planning could be
Training Period & 5 Days – 1440 3 Weeks – 8 Months – started from this point. To achieve the VANET clustering goals, the
Samples 2112 5760 planning procedure in this phase must follow the next criteria:
Testing Period & 2 Days – 576 8 Weeks – 768 4 Months –
Samples 2880 • It is favourable to place the VANET server of each cluster where
Mean Square Error 0.007 0.012 0.032 the maximum numbers of the neighboured RSUs (N-RSUs) are
False Positive Ratio 0.005 0.007 0.02 around. For the sake of cluster robustness, the number of the N-
RSUs must be greater than two.
False Negative 0.002 0.005 0.012
Ratio • Limiting the number of the RSUs served by each VANET
cluster server (VCS) in order not to exceed its processing
capability or the network bandwidth.
Table 6 Simulated attacks patterns against anomaly IDS • The shaping of the geographic borders of each cluster must
MPmax = 5 min, MPmin = 3 min, average normal traffic = 0.75 ensure the existence of the maximum number of the adjacent
clusters. The border's shaping procedure must guarantee a
Mbps, ATI = 1.25, ATV = 0.007, MBT = 5 min minimum of two adjacent clusters.
Simulated attack IDS Possible • Also, the maximum number of the gateway-RSUs (G-RSUs)
response countermeasure among adjacent clusters must be ensured. Again, in order to
2.5 min – 1 Mbps constant bit no attack none avoid creating a single point of failure, the number of the G-
rate (CBR) traffic directed to RSUs among the adjacent clusters must also be greater than two.
this RSU • The VANET servers in the different clusters are connected to
3.5 min – 1 Mbps CBR traffic weak keep monitoring to each other (and to the central VANET server) via a dedicated
directed to this RSU probability of MPmax secured physical (wired or wireless) connection in order to
DoS attack exchange the different road statistical data, the nodes (e.g. the
6 min – 1 Mbps CBR traffic CBR DoS activate power RSUs) updated settings and the security reports. This
directed to this RSU attack management strategy arrangement affords a global vision to the current status of the
6 min – 1 Mbps CBR traffic DoS medium change whole VANET infrastructure and the possible threats. Also, this
directed to a neighboured attack communication segmentation is useful to limit the size of the ad hoc network
RSU channel (i.e. the number of the RSUs served by a certain VANET server)
10 min – (0.1 – 1.25) Mbps VBR DoS activate power and to isolate the problems in each cluster which offers a more
variable bit rate (VBR) traffic attack management strategy efficient, robust and secured system. As a consequence to the
directed to this RSU above suggestion, each logical cluster has its own IDS
embedded in its RSUs in cooperation with their local VCS.

IET Inf. Secur. 7

© The Institution of Engineering and Technology 2016

Fig. 6 Suggested anti-black hole attack IDS procedure
To explain the realisation steps of this new type of VANET
clustering, we begin by defining the roles played by the main
actors in this system; see Fig. 8a:
• The N-RSUs: These are the nearest RSUs to the VCS. In
addition to their usual duties, the N-RSUs are also responsible
for monitoring the server availability. If no response is received
from the local VANET server for a time period longer than a
certain threshold, then a server collapse is probable. In such a
case, the N-RSU broadcasts a ‘Local Server Not Available’
alarm to all the RSUs in the cluster to suspend their security
reporting and the VANET-related services with this server.
• The VCS: To maintain the system reliability, each VCS
performs a periodic reporting and archiving procedure with the
central server (CS). Each VCS may be ordered by the CS to take
the authorities of a certain failed VCS. In such case, the VCS
first receives the RSUs’ archival settings from the CS, and then
it sends individual invitation packets to multiple RSUs through
the G-RSUs (which can be considered as bridge nodes among
the neighboured clusters). The VCS waits for a legal response
from the invited RSUs, and then it performs several identity
checking procedures before accepting these RSUs as new
members in its cluster. It is worth to mention that a similar
invitation/response procedure could be followed by the
corrupted VANET server when getting back to the service again.
• The CS: This server is considered as the central management
and database core of the whole VANET. It is responsible for
monitoring the security, the availability, the activities and the
services of the clusters and their nodes. It is also in charge of
storing an updated version of the latest status and configuration
reports of the VANET infrastructure nodes (including their
ciphering secrets). The CS always checks the availability of the
VCSs using different methods and paths (e.g. periodic polling).
If it was found that a certain VCS is not available, then its
associated RSUs will be allocated to the other VCS(s) as
8 IET Inf. Secur.
mentioned before. It is clear that the presence of the CS is
necessary to guarantee the continuity of the system operation, so
that the other VCSs may take the CS authorities (using an
appropriate election algorithm [33, 34]) when it goes down.
• When receiving a ‘Local Server Not Available’ alarm from the
N-RSUs, the other RSUs suspend all the ‘VCS-based’ services
(including the security reporting) and waits for legal invitation
packets from the other VCSs. However, the RSUs can keep their
usual power management procedure according to their latest
settings prior to the VCS collapse.
• The G-RSU: These RSUs were assumed to be placed on the
border lines between the logical clusters. The G-RSUs can be
configured to create bridge connections with the other G-RSUs
(in the other VANET clusters) in order to bypass the necessary
messages when reforming the VANET clusters. The dynamic
allocation procedure is followed in order to construct the G-
RSUs bridges between the adjacent clusters. During the network
discovery procedure, each G-RSU can distinguish between the
local RSUs (belong to its cluster) and the foreign RSUs
(belonged to the other clusters) using different means such as the
subnet IP addresses of the different clusters. The G-RSU(s) can
negotiate with the foreign RSU(s) to create the bridge
connections between them, and then inform their VCSs about
the creation of this bridge connection.
It is important to mention that the transactions required to preserve
the VANET clustering functionality were assumed to be protected
using the necessary message security techniques as mentioned in
[35, 36].
To describe the functionality of the suggested VANET
clustering algorithm, a graphical representation of the algorithm
was developed using the state diagram shown in Fig. 8b. The
functionality of the algorithm was described to recover against two
major faults: a VCS failure (caused by different reasons such as
DoS attack) and the failure of different types of the RSUs. Three
procedures were graphically described (as shown in Figs. 8d–f) to
recover from the above faults and to return back to the normal
VANET cluster operation shown in Fig. 8c. In these procedures,
the different signals and actions were defined carefully in order to
avoid any stalls in the algorithm and to guarantee a smooth flowing
of its different routines.
This subsection presented the main headlines of the suggested
logical clustering procedure which maintains the continuity of the
VANET services (and at the same time the functionality of the
cooperative IDS) in the case of a VCS collapse. However, the
different networking and security procedures related to the
implementation of this suggestion need to be studied in depth in
upcoming future works.
5.2 Entity and message protection
The transactions mentioned earlier between the VANET server and
its associated RSUs are susceptible to many types of attacks and
the care must be paid to immunise the messages and their origins
against them. We suggest the adoption of the necessary methods in
order to obtain:
• Bidirectional entity authentication between the VANET server
and an RSU [35, 36].
• All the security reports are encrypted and sent together with
their HMAC in order to obtain the message confidentiality,
authentication and integrity [35, 36].
5.3 Malicious or misbehaved RSUs detection
In the real world, the RSUs can be susceptible to physical attacks
by malicious entities, or they might be simply misbehaviour. To
discover such RSUs, we suggest the following procedure:
i. In each RSU, there is a long period pseudo random number
generator (PRNG) routine [37]. Another identical copy of this
PRNG exists in the VANET server; see Fig. 8g.
© The Institution of Engineering and Technology 2016
Fig. 7 Suggested anti-energy exhaustive attack IDS procedure
ii. Each pair of these PRNGs are firstly synchronised off-line
prior to installing the RSU in the field. The synchronisation
procedure includes feeding the two routines with the same seed
values, then starting the random numbers generation procedure
until they produce the same sequences. This initialisation point
is saved in the RSU and the server and can be added to the
Factory Default Settings in order to be used later when
resetting the RSU.
iii. At this point, the two PRNGs are ready to generate the
synchronised random numbers which will be used for different
purposes such as generating the random numbers used in the
authentication procedure or to check the functionality of a
certain RSU.
iv. To check an RSU functionality, the VANET server and its
associated RSUs perform periodic synchronisation tests (or in
response to a security report about a misbehaving or a
malicious RSU). These tests are established from the server
side and involve sending an encrypted challenge packet to the
RSU. This packet contains a sequence of random numbers
generated by the PRNG routine in the server side and a time
stamp. On receiving this packet, the RSU performs the identity
check procedure and generates the next sequence of numbers
IET Inf. Secur.
© The Institution of Engineering and Technology 2016
and send them (together with a time stamp) back to the
VANET server.
If the receiver was a malicious or faulty RSU, then it will neither
be able to decrypt the challenge packet, nor be able to generate the
next correct sequence of random numbers. In this case, the VANET
server broadcasts an encrypted security report to all RSUs about
the discovery of a malicious RSU with the necessary details.
6 Experimental investigation of the suggested
ECHIDS
To validate the convenience of the suggested ECHIDS from the
power consumption point of view, several practical tests must be
performed using an experimental network; see Fig. 9. The
experimental network consists of ordinary PCs supplied with
WLAN NICs working at different data rates, the IP2022 Ubicom
platform which was also supplied with the same WLAN NIC, the
energy-harvesting module and a real-time storage oscilloscope. The
purpose of performing these experiments is to emulate the real
VANET environment in which the EHCIDS will be installed.
The objective of the first experiment is to record the electrical
current drained by the RSU according to the different modes of
9
Fig. 8 Securing cooperative IDS transactions
(a) VANET clustering diagram, (b) State diagram of VANET clustering, (c) Local cluster-normal operation state, (d) VCS failure recovery procedure, (e) Local VCS – after being
repaired procedure, (f) RSU(s) failure recovery procedure, (g) PRNG pairs in VANET server and RSUs

operation: Transmission, Reception, IDLE, CPU full load and
SLEEP. The traffic generator PC was programmed to send and
receive a 1 Mbps streamed UDP traffic to and from the IP2022
Ubicom platform. The real-time oscilloscope (Tektronix224) was
used to measure the current drained from the batteries (according
to the different network traffic conditions) by measuring the
voltage across a (0.1 Ω) resistor, which is proportional to the
drained current. Table 7 summarises the settings of this experiment
and lists the average values obtained for different data rates.
The goal of the second experiment is to discover the network
activities of a typical VANET infrastructure and hence, the power
consumption of the proposed RSU under realistic road traffic
10
conditions. To feed the experimental test bed with truthful values, a
simulation model was built using the Network Simulation package.
The goal of building this model is to generate a traffic patterns as
close as possible to the real situations. Our network represents a
VANET cluster of 40 RSU covering (25 km2) area of a typical city.
It was assumed that the vehicles broadcast their 100 byte status
packets each 1s [3], while the RSUs generate their 1000 byte traffic
report ten times per minute and forward them to the VANET server
[3]. According to our earlier analysis in [38], optimised link state
routing (OLSR) protocol gives the best performance compared
with the other ad hoc routing protocols when working in a non-
IET Inf. Secur.
© The Institution of Engineering and Technology 2016
stationary ad hoc topology, so that it was adopted in our simulation
model. The OLSR mechanisms are regulated by a set of parameters
predefined in the OLSR RFC 3626 [4] standard and it was adopted
in our simulation model, see Table 8. To simplify the simulation
model, the RSUs were assumed to be identical and subjected to the
same road traffic conditions. The different network traffic patterns
generated from running the previous simulation model (listed in
Table 8) represent the baseline VANET model, i.e. without the
intervention of any attack or the functionality of the suggested
ECHIDS.
The aim of the next experiment is to measure the effect of the
cooperative signature (SNORT)-based IDS functionality on the
network traffic and hence, the RSU power consumption. The test
bed was fed with the simulation model outcomes (the RSU In/Out
network traffic) while changing both the rules update file size
(number of rules) and the signatures update interval. The results
obtained from performing these tests can be shown in Figs.10a and
b. Increasing the file size while decreasing the update interval
creates more network load and hence more power is consumed due
to the increment in the transmission/reception operations. It is
worth to mention that when using a fully charged 2800 mAh AA
battery, an RSU can work for 27 h under the VANET baseline
traffic pattern; however, the battery life was decreased to 26.5 h
when the update file size was chosen to be (40 kbyte) with a (10
min) update interval (highest extra traffic case). In the real world
implementation, we recommend the file size to be (20 kbyte) with
a (30 min) update interval which is a good compromise between an
RSU invulnerability and its power consumption. Finally, it is worth
to mention that an additional RSUs’ CPU utilisation (due to the
IET Inf. Secur.
© The Institution of Engineering and Technology 2016
additional IDSs’ tasks) was observed to be ranged between (5 and
15%) according to the update file size.
The effect of the black hole attack on the RSU power
consumption and hence its battery life is described in this
experiment. At this point, two variables were changed: the
percentage of an RSUs’ traffic dropped by its neighbours (due to
the black hole attack) and the number of the retransmission
attempts made by the RSU to compensate this dropping. Fig. 10c
shows the destructive effect of such attack on the drained current
and hence the battery life of the RSU as listed in Table 9. These
measurements confirm the importance of our earlier procedure to
cope against this type of attack using the suggested behavioural-
based IDS.
In this context, we also investigated the degradation in the
battery life caused by the energy intensive ‘promiscuous packet
capturing’ task which is needed to perform the suggested defence
against the black hole attack. Fig. 10d shows that as this mode of
operation includes the reception of an additional network traffic
from the neighboured RSUs, more energy is consumed to achieve
this mission. However, including this task into the power budget
planning procedure puts its consumed power within the
predetermined energy utilisation limits and guarantees a longer
battery life.
The purpose of the last experiment is to examine the ability of
the suggested power management method to adapt against the
different working conditions (wherein different AE levels were
assumed) and to defend against unmanaged network traffic
conditions (such as those resulting from the energy exhaustive
attack). Fig. 10e shows that the suggested power management
11
12 IET Inf. Secur.
© The Institution of Engineering and Technology 2016
technique was able to defend against the different DoS traffic
profiles and to adapt its performance according to the AE levels
and hence continue to function in a pre-managed and planned
manner which extends the battery life of the proposed RSU.
7 Evaluation of the ECHIDS characteristics
In the last section of this paper, we will use different evaluation
metrics [39, 40] to assess the overall performance of the suggested
ECHIDS. The system was loaded with 1000 different SNORT
rules, the anomaly based IDS (with weekly traffic predictor) and
the behavioural-based IDS to detect the black hole and energy
exhaustive DoS attacks. Table 10 lists the different characteristics
of the proposed system in terms of its resources utilisation, system
performance and security assessment.
The main remark could be extracted from the system resources
utilisation statistics is that the proposed ECHIDS was integrated
successfully and efficiently into the RSU platform. It is evident that
the suggested IDS consumes a reasonable amount of system
resources with a minimum effect on the RSU original tasks.
However, the observed utilisation is prone to be variant according
to the requirements of the installed IDS strategies.
On the other hand, our design ensures that the insertion of the
additional IDS tasks will not causes a sever degradation in the
nodes or network performance and hence, the VANET safety
services (which require delay values to be in the range of tens of
milliseconds [1, 2]). Again, this performance reflects the current
IET Inf. Secur.
© The Institution of Engineering and Technology 2016
system and it may change with the addition/removal of the
different IDS rules.
Lastly, regarding the IDS security and management features, the
proposed ECHIDS supports a wide range of known attack patterns
(e.g. SNORT rules) and it can be developed to detect sophisticated
ad hoc network attacks. It is also important to mention that the
UBICOM platform has a ready to use simple network management
protocol (SNMP) client which is very important to perform the
RSU (and ECHIDS) remote management and reconfiguration
tasks.
To complete the picture, an extensive security assessment was
made through considering the probable attack vectors and risk
sources while suggesting the appropriate countermeasures; see
Table 10. It can be concluded that the ECHIDS is capable of
detecting and defending against a broad range of security attacks in
the different network layers which enhances the VANET
invulnerability against the security threats using a pre-managed and
transparent fashion.
Compared with the other IDS implementations, it can be seen
that the current system enjoys a rich security features with a
realistic resources utilisation. In our opinion, the most important
factor which governs the successful implementation of an ‘energy
harvesting-battery based’ embedded system is the intelligent
power management algorithm and its ability to adapt against the
different VANET operational and security situations.
13
Fig. 9 Experimental setup

8 Conclusion internal and external threats. The proposed defence strategies took
into account the embedded nature of an RSU and hence the
In this paper, different intrusion detection methods were suggested recommended solutions make a compromise between a highly
to protect solar energy-harvested RSUs against various types of

14 IET Inf. Secur.

© The Institution of Engineering and Technology 2016
secured and a good performed system. To the best of our
knowledge, the combination of such security methods, algorithms
and techniques with a solar energy powered system, was not
discussed before in any previous works. Although these methods
were implemented to serve the VANET security, it can be slightly
modified to be used with other systems such as mobile ad hoc
networks and wireless sensor networks. Our future research work
will follow different directions in order to fill the gap in this field.
We will make use of our experimental network to study the effect
of the other attacks and the defence strategies against them on the
VANET performance in all aspects, especially the power
consumption of its nodes. The second step is to propose a secure

Table 7 Network setup and measured current values

Experiment duration in each case, 5
min
WLAN NIC Belkin (a/b/g) dual-band
wireless PCMCIA
network card F6D3010
supply voltage, V 3
RF power, W 1 dBm
WLAN packet length, byte 1500
packet/s 84
current drained in TX mode, mA 150 (for IEEE802.11a)
current drained in RX mode, mA 120 (for IEEE802.11a)
current drained in IDLE mode (mA) 100
(WLAN NIC disconnected)
current drained in CPU full-load mode 150
(mA) (WLAN NIC disconnected)
current drained in SLEEP mode (mA) (for 1
the Ubicom board only)

Table 8 Simulation model parameters, network traffic and

average drained current values
Simulation time, min 60
No. of RSUs 40
Network span area, km2 25 (5 km × 5 km)
Distance between RSUs, km 1
Vehicles to RSU packet length, byte 100
Vehicles to RSU packets rate, packet/s 1
RSU to server packet length, byte 1000
RSU to server packets rate, packet/min 10
RSU modelling parameters packets processing rate
(packet/s) = 2000 memory
(byte) = 2 M
WLAN settings Data rate (Mbps) : 6, 12,
18 for IEEE802.11a
Average traffic sent from each RSU, 79
kbps
Average traffic received from each RSU, 401
kbps
Total average traffic, kbps 480
Average drained current, mA 104
Battery life (h) for fully charged 2800 27
mAh AA battery

Table 9 Effect of black hole attack on battery life

Packets Battery life (h) Battery life (h) Battery life (h)
dropped, one two three
% retransmission retransmission retransmission Fig. 10 Experimental results
(a) Effect of varying update file size and update interval on RSU traffic, (b) Effect of
attempt attempt attempt
varying update file size and update interval on RSU drained current, (c) Effect of
25 21.5 17.9 15.4
black hole attack on RSUs’ drained current, (d) Effect of promiscuous packet
50 17.9 13.5 10.8 capturing mode on battery life, (e) RSU battery life according to different DoS attack
75 15.4 10.8 8.3 rates
100 13.5 9.0 6.7

IET Inf. Secur. 15

© The Institution of Engineering and Technology 2016
Table 10 Evaluation metrics and security assessment of the suggested ECHIDS
Utilization of System Resources ECHIDS Total Code Size 500 Kbyte
Required Memory for Packets Processing Tasks 650 Kbyte
ECHIDS Total Memory Utilization% 57%(1.15 out of 2 Mbyte)
Extra - Average CPU% Due to Different ECHIDS 25%
Functionality
Extra - Average power Consumption Due to Different 17%
ECHIDS Functionality
System Performance Maximal Throughput with Zero Loss 9 Mbps
Average Induced Traffic Latency 0.55 ms
Maximum Packet Processing Rate (Packet/s) 1800
ECHIDS Security Features False Positive Ratio 2%
False Negative Ratio 1.2%
Depth of System's Detection Capability (+3500 SNORT Attack Signatures + Ad hoc
networks behavioral attacks)
Firewall Interaction Supported & Integrated
Router Interaction Supported & Integrated
Simple Network Management Protocol (SNMP) Supported & Integrated
Interaction
Hybrid Intrusion Detection System Supported & Integrated
Multi-sensor Support (i.e., Cooperative IDS) Supported & Integrated
Distributed Management Supported
Ease of Configuration Supported
SECURITY ASSESSMENT OF ECHIDS
Attack Type Attacks’ Target Defense Strategy
Known Attack Patterns (more than 3500 • RSUs. Signature Based IDS
as defined by SNORT IDS developers) • Network Infrastructure
Denial of Service Attacks • RSUs. Signature Based IDSAnomaly Based IDS
• VANET Infrastructure
Distributed Denial of Service Attacks • RSUs. Signature Based IDSAnomaly Based IDS
• VANET Infrastructure
AD Hoc Routing Attacks AD Hoc Routing Protocols Behavioral Based IDS
Sybil attack RSU services Behavioral Based IDSEntity Authentication
Timing Attack RSU services Signature Based IDSBehavioral Based IDS
Energy Exhaustive attack RSU energy resources Behavioral Based IDSAnomaly Based IDS
Application Attack RSU services Signature Based IDSBehavioral Based IDS
Administrative Impersonation Attack • RSU data & services Entity and Message Authentication
• VANET Functionality
Monitoring Attack RSU data & services Packet Encryption
Illegal Access Attack RSU data & services Entity Authentication
Server Availability Attack • VANET services VANET ClusteringServers Duplication
• VANET Functionality
RSU Impersonation Attack • RSU data & services Malicious RSUs DetectionBehavioral Based
• VANET Functionality IDS
Data Sniffing and modification • RSU data & services Message Authentication and Integrity
• VANET Functionality

and green ad hoc routing protocol, so that the power management
and the security techniques will be taken into consideration in the
earlier design stages.
9 References
[1] Wu, T., Liao, W., Chang, C.: ‘A cost-effective strategy for road-side unit
placement in vehicular networks’, IEEE Trans. Commun., 2012, 60, (8), pp.
2295–2303
[2] Barrachina, J., Garrido, P., Fogue, M., et al.: ‘Road side unit deployment: a
density-based approach’, IEEE Intell. Transp. Syst. Mag., 2013, 5, pp. 30–39
[3] Ali, Q.I.: ‘Design, implementation & optimization of an energy harvesting
system for VANETS’ road side units (RSU)’, IET Intell. Transp. Syst., 2014,
8, (3), pp. 298–307
[4] Ali, Q.I.: ‘Security issues of solar energy harvesting road side unit (RSU)’,
IJEEE J., 2015, 11 (1), pp. 18–31
[5] Filippini, I., Malandrino, F., Cesana, M., et al.: ‘Non-cooperative RSU
deployment in vehicular networks’. WONS Conf., 2012
[6] Buchgger, S., Le Boudec, J.: ‘Performance analysis of the CONFIDANT
protocol’. Proc. IEEE/ACM Workshop on Mobile Ad Hoc Networking and
Computing (MobiHoc'02), Lausanne, Switzerland, June 2002, pp. 226–336
[7] Zhang, Y., Lee, W.: ‘Intrusion detection in wireless ad hoc networks’. Sixth
Int. Conf. on Mobile Computing and Networking, August 2000, pp. 275–283
[8] Michiardi, P., Molva, R.: ‘Core A collaborative reputation mechanism to
enforce node cooperation in MANET’. Communication and Multimedia
Security Conf. (CMCS'02), September 2002
[9] Nasser, N., Chen, Y.: ‘Enhanced intrusion detection system for discovering
malicious nodes in mobile ad hoc networks’. ICC 2007 Conf., 2007
[10] Huang, Y., Lee, W.: ‘A cooperative intrusion detection system for ad hoc
networks’. First ACM Workshop Security of Ad Hoc and Sensor Networks,
Fairfax, VA, 2003
[11] Kachirski, O., Guha, R.: ‘Effective intrusion detection using multiple sensors
in wireless ad hoc networks’. 36th Annual Hawaii Int. Conf. on System
Sciences, 2003
[12] Krügel, C., Toth, T.: ‘Flexible, mobile agent based intrusion detection for
dynamic networks’ (European Wireless, 2002)
[13] Xiao, K., Zheng, J., Wang, X., et al.: ‘A novel peer-to-peer intrusion detection
system using mobile agents in MANETs’. Sixth Int. Conf. on Parallel and
Distributed Computing, Applications and Technologies, 2005
[14] Gómez, J., Gil, C., Padilla, N., et al.: ‘Design of a snort-based hybrid
intrusion detection system’. IWANN 2009, 2009
[15] Aydın, M.A., Zaim, A.H., Ceylan, K.G.: ‘A hybrid intrusion detection system
design for computer network security’, Comput. Electr. Eng. J., 2009, 35, pp.
517–526
[16] Marti, S., Giuli, T.J., Lai, K., et al.: ‘Mitigating routing misbehavior in mobile
ad hoc networks’. Proc. Sixth Annual ACM/IEEE Int. Conf. on Mobile
Computing and Networking, 2000, pp. 255–265

16 IET Inf. Secur.

© The Institution of Engineering and Technology 2016
[17] Kaur, H., Batish, S., Kakaria, A.: ‘An approach to detect the wormhole attack
in vehicular ad hoc network’ Int. J. Smart Sens. Ad Hoc Netw., 2012, 4, pp.
86–89
[18] Sinha, A., Mishra, S.K.: ‘Preventing VANET from DOS & DDOS attack’, Int.
J. Eng. Trends Technol., 2013, 4 (10), pp. 1–9
[19] Erritali, M., El Ouahidi, B.: ‘A survey on VANET intrusion detection
systems’. Proc. 2013 Int. Conf. on Systems, Control, Signal Processing and
Informatics, 2013
[20] Sharma, S., Sisodia, M.: ‘Network intrusion detection by using supervised
and unsupervised machine learning techniques: a survey’, Int. J. Comput.
Technol. Electron. Eng., 2011, 1 , pp. 12–22
[21] Meyer, N., Njeukam, J., Petit, J., et al.: ‘Central misbehavior evaluation for
VANETs based on mobility data plausibility’. Proc. Ninth ACM Int.
Workshop on Vehicular Inter-Networking, Systems, and Applications –
VANET'12, 2012
[22] Grover, J., Laxmi, V., Gaur, M.: ‘Misbehavior detection based on ensemble
learning in VANET’. in Advanced Computing, Networking and Security, ser.
Lecture Notes in Computer Science, (Springer, Berlin, Heidelberg, 2012), vol.
7135
[23] Chang, S., Qi, Y., Zhu, H., et al.: ‘Footprint: detecting Sybil attacks in urban
vehicular networks’, IEEE Trans. Parallel Distrib. Syst., 2012, 23, pp. 1103–
1114
[24] Bouassida, M.S., Guette, G., Shawky, M., et al.: ‘Sybil nodes detection based
on received signal strength variations within VANET’, Int. J. Netw. Secur.,
2009, 9, (1), pp. 22–33
[25] Roman, J.: ‘Trust and reputation systems for wireless sensor networks’
(Troubador Publishing, 2009)
[26] Liao, C., Chang, J., Lee, I., et al.: ‘A trust model for vehicular network-based
incident reports’. 2013 IEEE Fifth Int. Symp. on Wireless Vehicular
Communications (WiVeC), Dresden, 2013
[27] Zhang, J.: ‘A survey on trust management for VANETs’. 2011 IEEE Int. Conf.
Advanced Information Networking and Applications (AINA), Biopolis, 2013
[28] Gerlach, M.: ‘Trust for vehicular applications’. Eighth Int. Symp. on
Autonomous Decentralized Systems (ISADS'07), Sedona, 2007
IET Inf. Secur.
© The Institution of Engineering and Technology 2016
[29] Ali, Q.I., Lazim, S., Fathi, E.: ‘Securing wireless sensor network (WSN)
using embedded intrusion detection systems’, IJEEE J., 2012, 8 (1), pp. 54–
64
[30] Ali, Q.I., Lazim, S.: ‘Design & implementation of an embedded intrusion
detection system for wireless applications’, IET Inf. Secur. J., 2012, 6, (3), pp.
171–182
[31] Yasdi, R.: ‘Prediction of road traffic using a Neural Network Approach’,
Neural Comput. Appl., 1999, 8, pp. 135–142
[32] Marti, S., Giuli, T.J., Lai, K., et al.: ‘Mitigating routing misbehavior in mobile
ad hoc networks’. Proc. Sixth Annual Int. Conf. on Mobile Computing and
Networking (MobiCom'00), 2000, pp. 255–265
[33] Wang, Z., Liu, L., Zhou, M., et al.: ‘A position-based clustering technique for
ad hoc intervehicle communication’, IEEE Trans. Syst. Man Cybern. C, 2008,
38, (2), pp. 201–208
[34] Zhang, L., Elsayed, H., Barka, E.: ‘A novel location service protocol in multi-
hop clustering vehicular Ad Hoc networks’. Proc. Int. Conf. Innovations in
Information Technology (IIT), 2011, pp. 386–391
[35] Raya, M., Hubaux, J.-P.: ‘Securing vehicular ad hoc networks’, J. Comput.
Secur., 2007, 15, pp. 39–68
[36] Samara, G., Al-Salihy, W.A.H., Sures, R.: ‘Security issues and challenges of
vehicular ad hoc networks (VANET)’. Fourth Int. Conf. on New Trends in
Information Science and Service Science (NISS), 2010
[37] Blum, L., Blum, M., Shub, M.: ‘A simple unpredictable pseudorandom
number generator’, SIAM J. Comput., 1986, 15, (2), pp. 364–383
[38] Ali, Q.I., Faher, F.: ‘Evaluation of routing protocols of wireless ad hoc for
SCADA systems using OPNET simulator’. Second Scientific and
Engineering Conf., 2013
[39] Singh, R., Singh, J.: ‘A performance metrics scorecard based approach to
intrusion detection system evaluation for wireless network’, Glob. J. Comput.
Sci. Technol. Netw. Web Secur., 2012, 12, (12), pp. 66–78
[40] Fink, G.A., Chappell, B.L., Turner, T.G., et al.: ‘A metrics-based approach to
intrusion detection system evaluation for distributed real-time systems’.
WPDRTS Conf., 2002
17