A risk and security assessment of VANET availability using attack tree concept

ABSTRACT


INTRODUCTION
Technological development has reached all domains, especially communications, which is undergoing major changes with the advent of wireless technology. Researchers have used this technology to let vehicles interact with each other, with or without infrastructure installed next to the road; the resulting network is called a Vehicular Ad-Hoc NETwork (VANET).
VANET constitutes the core of the intelligent transport system (ITS) having as main objective the improvement of road safety [1] by taking advantage of the emergence of communication technology and the lowering of the cost of wireless devices. Indeed, thanks to sensors installed in vehicles, or located next to the roads and control centers, vehicle communications will allow drivers to be warned early of possible dangers [2]. In addition, these networks will not only improve road safety but will also offer new services to road users [3], making road use more pleasant. Interesting contributions regarding the exchange of information between vehicles have been proposed recently in several research projects related to road safety.
Typically, the destination vehicle uses the information sent by the source vehicle in order to better analyze the road situations that arise. This can give rise to security attacks by adversaries. Due to the importance of vehicle-to-vehicle exchanges and the openness of the VANET environment, many attackers can send alert messages whose content is falsified, or prevent a legitimate message from being delivered, in order to cause accidents [4]. They can prevent the routing of these messages by attacking network availability in order to make the network unavailable, at which point its main goal becomes useless.

Int J Elec & Comp Eng, Vol. 10, No. 6, December 2020: 6039-6044, ISSN: 2088-8708
Our research work aims to ensure the reliability of the vehicle system. In order to develop countermeasures against threats from adversaries, it is necessary to analyze and minimize possible attacks against the system's assets. Our analysis of attacks is based on a structure and decision tree called the attack tree. Following the attack-tree method, we suggest a new risk assessment approach for VANET availability. Attack-tree based risk analysis uses a tree-based approach to model and evaluate system risk and to define the possible attack strategies that an attacker can pursue against the system. Using this approach, the capacity of the attack source can be analyzed and the degree of the effects of attacks against the network can be estimated. In this paper, we use the attack-tree method to identify the possible threats launched against VANET availability, and we further measure the overall likelihood of the attacker reaching the target goal. Finally, the decision-maker decides which protection measures will be implemented based on the quantitative result.
The rest of this paper is structured as follows: Section 2 presents the attack-tree fundamentals. Section 3 introduces the attack-tree model for VANET availability. The risk assessment is analyzed in section 4. Finally, we conclude in section 5.

ATTACK TREE FUNDAMENTALS

Definition
Bruce Schneier [5,6] has described attack trees as a model of threats against systems. It is an analytical technique in which the system is analyzed from the attacker's point of view in order to find all credible ways in which the attack event can occur. By considering all the different ways in which a system may be attacked, we can establish the safest countermeasures to avoid such attacks. Attack trees are used in a variety of contexts, such as safety and aerospace, in order to analyze and evaluate attacks against tamper-resistant electronic systems. In addition, they have been used in the field of information technology to analyze attacks against sensors and computer systems and to interpret the convenient method by which an attacker can carry out a specific attack [7].
Basically, every node in the attack tree indicates a particular threat. At the top of the tree, we find the root node, which represents the global objective of the attacker. The other nodes, which are the leaves of the tree, represent sub-objectives. Generally, a binary relation (also called an operator) is associated with the internal nodes of the tree. These operators can be AND or OR. An AND operator (respectively, an OR operator) is considered successful when all of its child nodes (respectively, at least one) are successful. There are different kinds of attack trees, such as the Defense-tree [8], Protection-tree [9], Attack-defense trees [10], and Vulnerabilities-Tree [11]. They share the same attack-tree characteristics, with only a few aspects distinguishing them.

Attack tree basis
An attack tree is a technique of evaluating network security against its probable attacks. However, we use an attack tree to interpret attacks that an external intruder or insider attacker can generate in a communications network. Attack trees allow us to measure security risks that face a system with regard to losses caused by attacks [12] or the benefit of defenders through the usage of defense security mechanisms. The analysis of a network or a system through this technique contributes to the estimation of a probabilistic risk assessment of the network that facilitates communication systems growth. Initially, the fundamental attack tree does not provide defense mechanisms.
The mechanism used in constructing the attack tree is structured to define the sequence of events leading to the chosen final event (root node). The root node in the tree represents the global goal of the attacker, and leaf nodes represent the sub-goals. The attack goal must be carefully selected. In addition, complex systems may have several root nodes reflecting different goals. Nodes can be connected, in particular, through the AND and OR Boolean operators [13]. These operators are considered the basic gates for constructing the attack tree. The OR gate describes the different ways to attain the same goal (the attack goal may be attained by reaching the first OR the second leaf node), while the AND gate describes sub-goals that must all be attained to reach the goal (the attack goal may be attained by reaching the first AND the second leaf node).
Finally, during the construction of the attack tree it is important to ensure that the structure is consistent and to comply with some extra rules, which are:
- Any element failure induces system failure.
- The successful implementation of all its elements guarantees that the system operates correctly.
- When the system fails, the system does not resume service due to a novel attack.
- If the mechanism functions correctly, removing an attack from the system does not cause its failure. It can happen that an attack on an element reduces or removes the impact of an earlier attack and thus allows the system to function.
- Be sure to identify all of a logical gate's input events before determining their corresponding causes.
- Avoid directly linking two logical gates.
- Choose the causes that immediately precede the event.
On the basis of the above, we designed a vehicular ad hoc network attack tree model and selected a range of major privacy issues as targets for the attacker. The availability of the vehicular network represents the attacker's goal [14]. The next section includes a stepwise analysis for building our attack tree.

BUILDING ATTACK TREE FOR VANET AVAILABILITY
In order to construct our attack tree, we opt for a step-by-step refinement model. VANET availability is the global goal of the attacker and the root node of our attack tree. This goal is denoted by G, as shown in Figure 1. The attack tree construction process involves the following steps:
- Identify the global goal (root node) of the attacker: VANET availability (G).
- Divide the global goal "VANET availability" into sub-goals. In our case, there are three leaves attached to the root node: Black Hole (S1) [15], Denial of Service (S2) [16], Malware & spam (S3). If only one of the sub-goals is reached, the goal of the attacker will be accomplished. This list could be extended with other sub-goals.
- In the following step, we continue building the different elements (leaves) of our attack tree model:

a. The first sub-goal, "black hole", can be reached by combining two elements: cheat the routing protocol (E1) and establish a forged route (E2).
In a black hole attack, a malicious node tricks the routing protocol in order to have a short route to the target node. Once a path is created between the malicious node and the target node, the attacker can drop incoming and outgoing traffic without informing the source that the packets sent have not reached their destination. Moreover, the attacker can forward the packets anywhere they want [17].

b. Denial of Service (S2) represents the second sub-goal.
Denial of service, or DoS, is an attack in which the attacker aims to make a server, service, or infrastructure inaccessible for an undefined duration. This sub-goal can be achieved through:

Channel jamming (S21): the attacker's goal, through channel jamming, is to block nodes from reaching network services.
This objective can be achieved by transmitting dummy messages (E3), in which the attacker transmits various messages to the other vehicles using fake identities. By transmitting dummy messages, the attacker can attain his main goal, which consists of decreasing the reliability and efficiency of the network and, furthermore, forcing certain vehicles to exit the roads for his own benefit [18]. Channel jamming may also be obtained by broadcasting high-frequency signals (E4). This task involves the attacker transmitting request messages with higher frequency, which induces a system failure. Consequently, other nodes cannot receive or transmit packets in the network [19].
Smurfing (E5): the smurf technique uses broadcast servers to paralyze the network. A broadcast server is capable of duplicating messages and sending them to all nodes on the same network. The malicious node sends a ping request to one or more broadcast servers, falsifying the source IP address by providing the IP address of a target machine [20]. Then, the broadcast server passes the request on to the entire network. All nodes on the network send a response to the broadcast server. Finally, the broadcast server redirects the responses to the target machine. Moreover, when the malicious node sends a request to several broadcast servers located on different networks, all the responses from the nodes on the different networks will be routed to the target machine. In this way, most of the attacker's job is to find a list of broadcast servers and falsify the reply address in order to direct the responses to the target machine.
Flooding (S22): this technique consists of sending a large quantity of useless data into the network in order to make it unusable, for example by saturating its bandwidth or by causing the nodes of the network to crash, with denial of service as the possible consequence. This attack can be carried out with two tasks: SYN flood (E6) or UDP flood (E7) [21].
The SYN flood [22] aims to saturate a server by sending a multitude of TCP packets in order to overwhelm the target server with SYN (Synchronized) requests en masse. This will aim to create

Like the SYN flood, in the UDP flood the attacker transmits several UDP requests to the targeted system in order to overwhelm it. Unlike TCP transmission, data can be transferred via UDP without the need for an established connection. As UDP traffic takes priority over TCP, it may quickly interrupt and saturate the network traffic.

c. The final sub-goal is malware and spam (S3).
Malicious software (malware) is a program developed by a malicious party to damage a computer system or to access private personal information without the consent of the user or of the infected target node. In spam messages, on the other hand, the attacker forwards several unsolicited emails to an address in order to overload its mailbox and to distract the user's attention from important messages [21]. To reach this sub-goal (S3), it is necessary to carry out: a) inserting viruses and worms (E8) into a trusted program, where the malicious code includes a copy of itself and becomes part of the program; b) submitting spam messages, through which the attacker uses up the quota available in an e-mail service to prevent legitimate messages from being sent.

RISK ASSESSMENT
The attacker needs to consider various factors, including the attack cost, the technical difficulty, and the possibility of being discovered. The main objective is to assign values to each node in the attack tree. In this work, we consider three attributes of the leaf nodes: attack cost $c_L$, technical difficulty $d_L$, and discovering difficulty $s_L$. The grade-level standards are illustrated in Table 1. These values are assigned to leaf nodes according to the measures cited in [23]. We use multi-attribute utility theory [24] in order to convert these attributes into the attacker's utility value $P_L$, which is the probability of a leaf node occurring. Formula (1) is used to calculate each leaf node's utility.

Table 2 presents the probability $P_L$ that each leaf node will occur. Furthermore, the attack tree is converted to a binary decision diagram (BDD) [25] in order to compute the overall probability of achieving the objective of the attack. This probability equals 0.2336.

After that, we construct the attack sequences from our attack-defense tree. An attack sequence is a real path consisting of a group of leaf nodes. Only when all events of an attack sequence occur can the attacker achieve his final objective. Once the attack sequences are known, their occurrence probabilities can be calculated and then compared to find which attack sequence the attacker would most probably launch. An attack sequence is described as:

So, the probability of an attack sequence is:

In order to obtain all attack sequences for our attack-defense tree, we use the Boolean algebra method. The attack sequences to attain the attack goal are: S1={E1,E2}, S2={E3}, S3={E4}, S4={E5}, S5={E6}, S6={E7}, S7={E8}, S8={E9}.
The first sequence {E1, E2} implies that the adversary can make the network unavailable by cheating the routing protocol (E1) and establishing a forged route (E2), whereas in the second sequence the attacker only needs to transmit dummy messages (E3), and so on. Based on (2), we compute the occurrence probabilities of the attack sequences, which are shown in Table 3. From Table 3, we can deduce that the attack sequence S7 is the most probable path to occur. Thus, to keep the network protected we should focus on this attack.
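The tree built in the previous section and the sequence analysis above can be reproduced as follows. This is an added example, not code from the paper: the leaf probabilities are constructed placeholders (Table 2 is not reproduced here), E9 is assumed to be the spam leaf that the text leaves unlabeled, leaves are assumed independent, and the goal probability is computed by direct gate evaluation rather than a BDD, which gives the same result when every leaf appears once in the tree.

```python
from itertools import product
from math import prod

# Tree from the text: ("AND"|"OR", children...) or a leaf name.
# E9 (spam) is an assumed label; the text names it only in the sequences.
TREE = ("OR",
        ("AND", "E1", "E2"),            # S1: black hole
        ("OR",                          # S2: denial of service
         ("OR", "E3", "E4"),            # S21: channel jamming
         "E5",                          # smurfing
         ("OR", "E6", "E7")),           # S22: flooding
        ("OR", "E8", "E9"))             # S3: malware & spam

# Constructed leaf probabilities, NOT the values of the paper's Table 2.
P = {"E1": 0.30, "E2": 0.20, "E3": 0.05, "E4": 0.04, "E5": 0.03,
     "E6": 0.06, "E7": 0.05, "E8": 0.08, "E9": 0.07}

def sequences(node):
    """Boolean expansion to sum-of-products: a list of leaf sets."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, *kids = node
    parts = [sequences(k) for k in kids]
    if op == "OR":
        found = [s for part in parts for s in part]
    else:  # AND: take one sequence from every child and merge them
        found = [frozenset().union(*combo) for combo in product(*parts)]
    # Absorption law: drop any set that strictly contains another one.
    return [s for s in dict.fromkeys(found) if not any(o < s for o in found)]

def seq_probability(seq, p=P):
    """All events of a sequence must occur: product of leaf probabilities."""
    return prod(p[e] for e in seq)

def goal_probability(node, p=P):
    """Exact for independent leaves that each appear once in the tree."""
    if isinstance(node, str):
        return p[node]
    op, *kids = node
    vals = [goal_probability(k, p) for k in kids]
    return prod(vals) if op == "AND" else 1 - prod(1 - v for v in vals)

def most_likely(node, p=P):
    """Attack sequence with the highest occurrence probability."""
    return max(sequences(node), key=lambda s: seq_probability(s, p))
```

With real Table 2 values in `P`, `sequences(TREE)` yields the eight attack sequences listed above and `most_likely(TREE)` names the one to prioritize for countermeasures.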

CONCLUSION
In this paper, we propose a new security analysis method based on the attack tree to analyze the risk to VANET availability from a system point of view. Furthermore, we construct an attack tree with VANET availability leakage as the global objective in order to analyze the behavior of the attacker. To measure the system risk, we assign values to all leaf nodes of the tree and adopt the multi-attribute utility method so that the assessment is more analytical. Based on the analysis of the attack sequences, we identify the most probable path that the attacker might select. In our future work, we will present a VANET privacy and security risk assessment based on the attack-defense tree model. That model analyzes the defense strategies of the system.