Abstract
Automobile accidents are one of the major causes of death in the Western world.
In previous decades, automobile manufacturers and researchers have investigated a broad spectrum of solutions to this challenge.
Within this solution space, communication between vehicles has long been a promising direction that enables highly advanced driver assistance systems.
Current generation assistance systems operate through the use of automotive sensors, which have limited range; to provide the vehicle with a more complete picture of its surroundings, various standards have been proposed to enable information exchange between vehicles.
Recent developments in this field, which integrate more components into this communication architecture, give rise to cooperative intelligent transport systems (C-ITS).
Most C-ITS applications, including safety applications in particular, make decisions based on both information received from local sensors and messages received from others.
One aspect of C-ITS that is essential for successful deployment is its security against invalid behavior and malicious attacks.
Without such protection, the validity of the information received from other vehicles cannot be guaranteed, and thus the reliability of all C-ITS applications is affected.
Research has invested significant effort in the development of basic security services, such as pseudonymization and sender authentication.
One area that has received limited attention in standardization is that of misbehavior by authentic entities in the network.
For example, a malicious vehicle may transmit false messages, triggering an emergency response and causing a collision between other vehicles.
This cannot be prevented through standard security services, such as cryptographic signatures, because a malicious vehicle is an authentic sender.
In general, the detection of such invalid application data is termed misbehavior detection.
Because different attacks are typically detected through different misbehavior detection mechanisms, the combination of these outputs (i.e., fusion) for decision making is an essential component.
This thesis addresses this topic by designing Maat, a generic misbehavior detection framework that ensures the validity of received data.
The contributions of this thesis include (a) a detailed survey of existing misbehavior detection mechanisms, (b) Maat, a proposal for a generic fusion framework for misbehavior detection in C-ITS, (c) multi-source fusion operations for subjective logic, which forms the mathematical foundation of our framework, (d) several novel detection mechanisms, (e) a detailed review of evaluation methodologies and proposals for novel metrics, (f) a new, public dataset that serves as a baseline for comparison of misbehavior detection mechanisms, (g) a detailed evaluation of the proposed mechanisms and fusion operations, and (h) an outlook discussing how these results can be applied to other cyber-physical systems.
The survey in this thesis provides an overview and classification of existing misbehavior detection mechanisms along various axes, including the scope of detection, type of data used and susceptibility to attacks.
Not only does this provide a solid foundation for the requirements on Maat, it also supports the development of attacks and misbehavior detection mechanisms in the wider field.
Within this thesis, we build a framework, called Maat, to fuse misbehavior detection results through subjective logic.
Subjective logic is a mathematical framework that enables the expression of uncertainty on data through objects called subjective opinions.
Maat applies this logic to build a flexible data management and fusion system, which determines the trustworthiness of data whenever it is accessed by applications.
To support this data management, Maat uses a directed graph to store the data and the associated detection results.
By recording both the data and the associated detection results separately, a wide range of potential new detectors can be explored.
In addition, it enables the verifiable exchange of detection results for revocation.
Subjective logic provides a variety of fusion operators to fuse subjective opinions.
However, for some of these operators, fusion of multiple opinions (multi-source fusion) is not well-defined due to non-commutativity.
In order to implement Maat, these operators were generalized to the multi-source fusion setting: we provide this generalization for weighted belief fusion (WBF) and consensus & compromise fusion (CCF).
We also discuss how transitive trust relations can be applied within our framework.
Maat contains a set of new detection mechanisms that exploit properties of subjective logic to more accurately model the detection results.
We use these mechanisms to show that fusion can increase detection performance compared to individual detection mechanisms.
As part of our survey of related work, we found that there are significant differences in methodology and evaluation criteria.
In this thesis, we provide an overview of those differences, and propose a new evaluation methodology that goes significantly beyond the rigor exhibited by existing work.
This methodology includes a set of application-centric metrics for cooperative adaptive cruise control, one of the primary C-ITS applications, as well as metrics to assess overall detection performance in a widely deployed system.
One issue we encountered in reproducing the work of others is the fact that there are no publicly available benchmarks against which misbehavior detection mechanisms can be tested.
In this thesis, we present a public dataset that can serve as a baseline for such benchmarks.
Based on this new methodology and the presented dataset, we provide a detailed evaluation of Maat's features.
This includes a study of detection performance by different detection mechanisms, a comparison of fusion operations, and the analysis of weighting between detectors.
We also revisit the idea of exponential weighted averaging (EWA) of detection output to protect against accidental faults.
Our results show that Maat can provide an overall improvement in detection performance, while the EWA reduces performance even when attacks are persistently executed.
We attribute this failure of EWA to the types of attacks executed in our experiments, whose detection depends on the spatial relationship between attacker and observer.
This evidence suggests that EWA is not suitable in these specific scenarios.
In summary, this thesis studies the topic of misbehavior detection in cooperative intelligent transport systems.
Misbehavior detection exploits knowledge of physical processes to determine the trustworthiness of data and entities in a cyber-physical system.
Through our developed fusion framework for misbehavior detection mechanisms, the safety and security of such systems can be improved significantly.
Future work in this field could include the integration of misbehavior detection with sensor fusion processes to validate sensor data and protect against attacks on such systems, as well as extensions that enable reliable reporting and sharing of parts of Maat's world model.