VANET Routing Replay Attack Detection Research Based on SVM

In the process of establishing routing in VANET, because of the interference of routing request (RREQ) and routing response (RREP), the nodes in the network are busy with looking for routing or establishing routing. The impact on the network performance is extremely serious, such as increasing a lot of network overhead, consuming valuable bandwidth resources. In this paper, the influence of routing replay attack in VANET is studied. Four typical characteristic are extracted by "cross layer" selecting feature vector. The feasibility of VANET routing replay attack IDS based on SVM is verified through simulation experiment.


ROUTING REPLAY ATTACK
In the communication process based on AODV routing protocol of VANET, establishing routing between nodes is on-demand type.If the source node needs to send a message to the destination node, firstly, the source node will query their own routing table, if the path to the destination node is not exist in the table, source node will be broadcast a route request packet RREQ in the network.Adjacent nodes will query their own routing information table after receiving the RREQ, if the path to the destination node is exist in the table, the RREP message will be sent back directly, passing by relay node to the source node.If not, continued to send RREQ to adjacent nodes, until find the path.The forward routing is established after source node received the RREP.This is the normal communication process based on AODV routing protocol.
In general, a relay node will forward RREP in order to set up the forward routing, when there are malicious nodes in network, malicious nodes would deliberately to interference of communication process, such as not forwarding RREP, makes the forward routing cannot be established.Or not forward RREQ, making the source node can't find the destination node.As shown in figure 1, B is the source node, P is the destination node, B will be broadcast a RREQ message to find the path of the P, in the process of normal communication, relay node, such as C, D, will forward RREQ, and continue to backward forward RREP after find the destination node P. In exceptional circumstances, such as D is a malicious node, after receiving RREP, D does not forward RREP to C, but drops the RREP and give an error, result in C and B can,t receive RREP of P, unable to form traffic route to the destination node P, forming a routing replay attack.

Routing replay attack Scenario simulation
This linear model is used to set up routing response team attack scenario in this paper, the specific scene parameter settings are as follows: By software NS-2, the corresponding simulations with tcl script is run in the normal and routing reply attack scenario, and the corresponding trace files are got.The attacked trace file as shown in figure 2.

Routing replay attack extracting feature vector
Because the routing request packet and data packets are affected in routing replay attack, the method of crosslayer statistical feature vectors are using in this paper.The send and receive packet statistics and the packets send and receive situation of related to node communication in VANET MAC layer and routing layer are selected as routing replay attack feature vectors.The characteristics of the specific record as shown in table 2.  The first record as RREQ_s type, show node 0 at the time of 2.0s, broadcast a RREQ packet of node 0 as source node, node 1 as the destination node.
The second record as RREP_r type, show node 7 at the time of 2.151811992s, receive a RREP packet of node 0 as source node, node 19 as the destination node.
The third record as RREP_f type, show node 5 at the time of 2.151811992s, forword a RREP packet of node 0 as source node, node 19 as the destination node.
Reading data from the detailed records, each node in any period of packet types and transceiver can be counted, then formed the available SVM feature vector.For example, by NS -2 a piece of data simulation to generate the following records: node 6 are 1.Note that in the routing request packet number statistics, if only considering the routing layer data communication, the data records are identified as the fourth field in the "MAC" records do not conform to the requirements, identified as "RTR" on behalf of the routing layer data record is the record of this article needs.So, the RREQ_s number of node 5 is 1 instead of 2, by the same token, the RREQ_r number of node 4 and node 6 is 1 rather than 2.
In order to effectively detect the routing replay attack, the "Cross-layer" method is used to choose feature vector.According to different layer, the refinement of feature vector as shown in table 3. the MAC layer of CBR package delivery number, routing layer receives the number of CBR packages, the routing request packet routing layer number of RREQ and RREP response are chosen as feature vector of detecting routing replay attack, taking a unit time interval eigenvector statistics.Table 3 represents a period of time of a node is in the light of different packet types.In order to reduce the amount of calculation and improve the efficiency of detection, when choosing the characteristics of the raw data vector, not all feature vectors are counted, only some representative feature vectors are did for SVM training.
After the routing reply attack feature vectors ready, the awk program should be write according to the requirement.Detailed traversal raw data, each node can be got normal state and routing reply attack state eigenvector count.
Using programs on normal simulation data and simulation data of routing reply attack feature vector extraction, 2001 samples from positive and negative feature vector are got.As shown in figure 3, it is statistical feature vector data samples every 0.5 s under the routing replay attack from node 15.

Intrusion detection classifier training results and analysis
The optimal parameters and the positive and negative feature vector are input to SVM training, the routing replay attack intrusion detection classifier model as shown in figure 6.The simulation results of routing replay attack intrusion detection show that, on the choice according to the characteristics of the routing replay attack vector, the selected four features for routing replay attack detection is feasible, the establishment of VANET routing replay attack IDS based on SVM can obtain better testing result.

Figure 3 .
Figure 3. routing replay attack feature vector samples

Figure 6 .
Figure 6.intrusion detection classifier model Reoccupy has trained SVM classifier model forecast test sample, the prediction results are obtained as shown in figure 7.

Figure 7 .
Figure 7. prediction results From the result, Number of iterations of the intrusion detection classifier training algorithm is 183.The offset item in the discriminant function is 0.322970.The value of objective function is -116.107189.The number of support vector is 357, and the positive number is 178, the negative number is 179.The prediction accuracy reach 99.95%.The simulation results of routing replay attack intrusion detection show that, on the choice according to the characteristics of the routing replay attack vector, the selected four features for routing replay attack detection is feasible, the establishment of VANET routing replay attack IDS based on SVM can obtain better testing result.

Table 1 .
Routing replay attack Scenario parameter settings

Table 2 .
routing replay attack feature

Table 3 .
routing replay attack feature format