A survey of local/cooperative-based malicious information detection techniques in VANETs

Vehicular ad hoc networks (VANETs) are emerged technology where vehicles and roadside units (RSUs) communicate with each other. VANETs can be categorized as a subbranch of mobile ad hoc networks (MANETs). VANETs help to improve traffic efficiency and safety and provide infotainment facility as well. The dissemination of messages must be relayed through nodes in VANETs. However, it is possible that a node may propagate false information in a network due to its malicious behaviour or selfishness. False information in VANETs can change drivers’ behaviour and create disastrous consequences in the network. Therefore, sometimes false safety messages may endanger human life. To avoid any lass, it is more important to detect and avoid false messages. This paper has explained some important algorithms that can detect false messages in VANETs. The categorization of false message detection schemes based on local and cooperative behaviour has been presented in this article. The limitations and consequences of existing schemes as well as future work has been discussed.


Introduction
VANETs has got much importance for road side safety, security and traffic efficiency in recent years. VANETs has emerged as subclass of mobile adhoc networks (MANETs). VANETs is having various differences in properties from MANETs, therefore protocols of MANETs cannot directly be applied to VANETs [1]. In recent announcements from car manufacturers, they have equipped their vehicles with Wireless Access Vehicular Environment (WAVE) devices. WAVE protocols are based on IEEE 802.11p standard and provide basic radio standard for Dedicated Short Range Communication (DSRC) in VANETs [2] [3] [4] [5]. DSRC protocol is used for Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) communication [6]. Every vehicle consists of an On Board Unit (OBU), which broadcasts messages about its position, speed and other events. OBU has the capability to verify incoming messages from valid entities. Road Side Units (RSUs) are fix units which monitor vehicles activities and collect important information about nearest vehicles [7] [8] [5]. Vehicular communication consist of two types of messages. Periodic messages showing presence of vehicle in network and emergency messages, which are propagated in the occurrence of some damaging event(s) [3]. Various applications of VANETs exists on road safety, passengers comfort and traffic efficiency [9] [10].
In future VANETs will decrease road accidents by providing real time information about traffic and road status to drivers [9]. The Public Key Infrastructure (PKI) has been developed for VANETs security. The PKI concentrates on data integrity and authentication schemes. It provides traditional solutions for VANETs communication [11]. The Certificate Authorities (CAs) are responsible for maintaining credentials of vehicles in network [7] [12]. However, in V2V communication node misbehaviour may propagate false messages. Where a single malicious node may disturb the whole network [13]. False messages in VANETs can create many issues like higher time required to reach destination, more fuel consumption, higher pollution and traffic accidents [6] [14]. The emergency messages are relayed in multihop fashion in the network. Bandwidth may become limited due to broadcasting of false messages. There must be some mechanisms to detect and avoid these false messages [3]. A malicious vehicle can broadcast false position information in the network that has adverse consequences in safety applications [15] [16] [17] [18] [19] [20]. VANETs routing, safety application, traffic management and data aggregation rely on correct vehicle position information [21] [22].
This article has investigated current research efforts on false data detection schemes, like false messages and false position information detection schemes. This article has also described all existing false message detection schemes. The major contributions of this article are as follows; • Local based false information detection schemes have been categorized into plausibility, consistency and Behaviour based detection schemes. • Cooperative based data detection schemes are normally used for bogus information detection. The cooperative based schemes are divided into behaviour, consistency and trust based detection schemes. Trust based detection techniques are further categorized into direct trust, indirect trust and hybrid trust based detection schemes. • This article has described different detection protocols and their issues. These issues must be eradicated to make VANETs application more reliable and safe. • This paper has brings an analysis of the insight information about these protocols. The rest of the paper is organized as follows; Section II is an introduction to the VANETs. Section III delivers a description on secure communication in the VANETs. Section IV describes misbehaviour in the VANETs. Section V categorizes cooperative based detection schemes for malicious information detection. Section V provides a detailed image of cooperative detection schemes. Section VI presents malicious information detection techniques and finally conclusion and future work has been drawn in section VII.

Vehicular ad hoc networks
VANETs is a sub-class of MANETs that enable vehicles to communicate with each other and Road Side Units (RSUs). In VANETs, vehicles acts as a router node as well as terminal node. The communication takes place in VANETs using V2V and V2I.
The architecture of VANETs consists of different software and hardware components. In VANETs, vehicle are equipped with an On Board Unit (OBU). The RSU OBU RSU Vehicle to Vehicle communication (V2V) .. Vehicle to Infrastructure communication (V2I) .. Figure 1: VANETs Architecture is deployed on road side to monitor network nodes behaviour information [15] and provide internet facility access to passenger on wheels. The CAs distributes security related information through RSU like, public key, private key and privacy related information in VANETs (Fig.1).

CA
In VANETs, communication information consist of two types of messages. Which are beacon and safety messages. Beacon messages are periodic information which shows presence of vehicle in network. It contains position of vehicle, identity of sender, speed and time. Safety messages are broadcasted in the case of safety event occurrence showing location of event [23]. VANETs applications consist of vehicles cooperation for traffic management, notify drivers about danger on road and provide other comfort messages for passengers. VANETs applications improve passenger safety, avoid collission, detection of movable and fixed obstacles and broadcast weather information [24]. Road safety applications consist of Emergency Electronic Brake Light (EEBL), Slow/Stop Vehicle Advisor (SVA), Cooperative Collision Warning (CCW), Road Hazards Notification (RHN) and Post Crash Notifications (PCN) [25] [26]. The driver assistance applications warns driver in specific situations like, overtaking vehicles and traffic congestion. This application category contains toll both collection [27], parking notification and Congested Roads Notification(CRN) [28] [24]. Third kind of applications facilitates drivers and passengers while travelling. It provides mobile internet services, discussions between vehicles [24] and entertainment [29]. MANETs and VANETs have some similar properties like self management and low bandwidth. Frequent disconnected network, vehicles density and pattern of traffic flow are well known challenges in VANETs. These issues directly effects security protocols and safety on wheels.
High mobility of vehicles is one of the important feature, where vehicle moves with different speed and direction. Signals fading is taken place in communication range because there are so many high rise building, houses, vehicles and obstacles specially in cities. It may weaken signal strength as well. High traffic density creates jam in network which may cause frequent disconnections in the network. In high mobility VANETs, routing is very difficult task because vehicle moves with various speeds [30] [31] [32]. High mobility makes a frequent topology change in result over a short time connection that is established between nodes in VANETs. Therefore strong Medium Access Control (MAC) protocols are prerequisite for effective data dissemination strategies to enhance throughput and reduce communication overhead [33] [34] [35]. A dynamic topology network is vulnerable to different security attacks.

Secure Communication in VANET
Wireless network communication makes VANETs faster but evil doer may inject bogus information for accident and misleading purposes. Therefore, safety of information has uttermost priority. It is more important that information must not be modified or deleted by attacker [36]. Secure communication have many important metrics. In non secure communication outsider attackers try to enter with a fake identity in the network. The authentication is important task to tackle because the attackers always try to authenticate with fake key/ID in the network. The sender broadcasted messages must be authenticated to prevent outsider attackers from Denial of Service (DoS) attacks [37]. Where a large number of messages are authenticated through group signatures with low overhead and timely manner [38]. In this category, there are several attacks but key/certificate replication, position faking and Sybil (malicious node create fake IDs and transmit false messages) are considered as critical attacks in VANETs [24]. The delay in authentication should be as minimum as possible [39] [40]. Confidentiality is also security requirement in VANETs and it ensures the fact that data will only be read by authorized entity. In VANETs data are exchanged among nodes and attacker can get information about locations and privacy related to driver. It is difficult task in VANETs to detect an attack on confidentiality. Traffic analysis and information gathering are well known attacks on confidentiality [24]. Securing data from unauthorized alteration during communication in VANETs is very important. Integrity techniques protect data from alteration, deletion and addition. These integrity detection schemes are for V2V and V2I communication in VANETs. In VANETs an attack is happened when sensor or other OBU and RSU are manipulated by malicious node [41]. Replay and fabrication /alteration are well known attacks in VANETs as far as integrity is concerned [24]. Fabrication attack happens when a node creates bogus information in order to get certain privileges [42].
Availability of information is important factor in VANETs. It enables a system to work all the time and provides information to vehicles. The goal behind DoS attack is to bring network down and unavailable [43]. Jamming is to disrupt the communications channel [44] [45]. Spamming are messages that have no usefulness for users [46] [47] and DoS are well known attacks on availability in VANETs.
In [48], insider and outsider DoS attackers are mitigated through Hash Message Authentication Code (HMAC) and threshold value in VANETs. The drawback of this scheme is that malicious node can attack with help of fake messages. In network security non repudiation means to ensure that the communication entities are original and cannot be denied after communication happened. Non repudiation is normally achieved by public key based techniques [49]. Manipulated data related to safety and privacy is always verified for non repudiation. In privacy, the attacker analyses vehicle and driver information throughout the journey. The single identity of vehicle create issues for privacy [7] [50]. The user can easily trace or compromised their personal details [51]. Therefore it is more important to protect vehicle owner's privacy. However, for privacy to provide anonymous authentication with low computational cost is challenging task [52]. Therefore, in VANETs a set of names are assigned to vehicles called pseudonyms. The actual identity is only known to CA that provides pseudonyms. The other nodes and RSUs only know pseudonyms. Pseudonyms are generated in such a way that actual identity cannot be predicted from pseudonyms. The pseudonyms are changed from time to time specially in mix zone, where nodes are not able to observe [53]. If there is only one vehicle in mix zone then change in pseudonyms belongs to same node. In [54], trade-off between security and privacy in VANETs is proposed because trust information is not useful due to frequent change in pseudonyms from time to time.
The management of large number of vehicles require an appropriate security infrastructure. The Public Key Infrastructure (PKI) is a combination of hardware, software and procedural components. A PKI provides many services and the most important is trusted third party validation between the counterparts in VANETs. PKI ensures its role as a Certificate Authority (CA). It delivers sign and keep digital certificates upto date that represents digital IDs of nodes. The new Vehicular Public Key Infrastructure (VPKI) uses digital certificate as a rapid authentication in vehicular environment [24]. There are other security requirements as well that is handled by VPKI (see Fig. 2).
The above security issues are handled by traditional VPKI. However there are insider attackers that are equipped with valid credentials (public key/private key). These attackers propagate fake messages in VANETs. These attacks cannot be detected through VPKI. To detect fake messages, VANETs will need newly developed enhanced security techniques.

Malicious Information Detection In VANETs
VANETs uses different applications for road safety and traffic management. Safety and non safety information is disseminated in vehicular network. Therefore, assessment of node behaviour is required for reliable communication. The misbehaviour in VANETs is referred as a kind of abnormal behaviour of node and it is different from average behaviour of nodes in network [1]. Why misbehaviour happens in VANETs? There are many reasons. According to [6], the causes of misbehavior are divided in two types, intentionally (attacker) or unintentionally (faulty). The intentionally misbehaviour type is further divided into selfishness and malicious intent. The unintentionally misbehaviour happens due signal loss or fault in sensors [5]. The selfishness misbehaviour occurs because node does not want to utilizes its own resources for other node in the case of node centric misbehaviour. While in data centric misbehaviour selfish node broadcasts bogus events information (like false congestion information) to change the normal behaviour of other nodes for own benefit. The malicious misbehaviour (attacker) take place to disturb normal operation and produce confusion in the network. The misbehaviour is sometimes due to signal loss because nodes leave or enter in the network very frequently. The limited communication range of node is also reason for misbehaviour. The faulty sensors information also plays a role towards misbehaviour in VANETs [32].
The main objective to detect those misbehaving nodes that broadcast fake data in VANETs. Revoking misbehaving nodes is a process which may prevent fake packets from further participation in network. Detection schemes are divided in two types, node centric detection and data centric detection. The focus of this article is on fake information detection techniques.

Node Centric Detection
In node centric detection scheme, a security model monitors security credentials of a node, like digital signature with the help of PKI [55]. The node centric mechanism is precisely concern with a participating agent (node) in the network. They verify node behaviour by analysing packet and message pattern. Node centric detection is divided in two categories, behaviour based detection and trust based detection.

Behaviour Based Detection
In behavioural scheme, looking for a node observable behaviour and extract a metric that recognize how healthy nodes behave, for example behaviour schemes may monitor neighbour nodes transmitting packets. Whether rates are exceeding from normal rates or not [55]. In this mechanism, consider how many messages are in correct pattern (message format) has been delivered? The main focus of these mechanisms are node related information [56].
The abnormal behaviour of a node is to monitor packet drop or duplication in VANETs. A verifier node is responsible for monitoring misbehaviour. The verifier node is elected on the basis of their trust value. A verifier may discredit a node that drop or duplicate packets. After crossing threshold value for misbehaviour, a verifier node reports to cluster head (CH) and update whitelist(good nodes) and blacklist(bad nodes). The CH also reports to CA and revoke them from whitelist. The CA updates whitelist, blacklist and broadcast it in network [57].

Trust Based Detection
Trust based detection depends on past and present reputation of node. A node whose reputation is good in past then it is more likely to behave well in future [55]. The main advantage of trust based is that it has one step forward to revocation.
Trust based system consists reputation system that maintains a past communication history of nodes. Trust management also have a voting scheme, where honest vehicles vote for communication in VANETs [56].

Data Centric Detection
Data centric detection focuses on application data from various neighbours. Data centric misbehaviour detection schemes analyse transmitted data for possible misbehaviour. The data is compared with other nodes in network to verify truism of safety messages. In VANTETs vehicles propagate different kind of safety messages for road safety and collision avoidance. The false safety messages are considered misbehaviour in VANETs [1]. In data centric detection scheme node searches for possible evidence to verify application data locally or with help of neighbour vehicles. The detection of false safety alerts consisting of local based detection and cooperative based detection mechanisms.

Local Based Detection
The local based detection techniques check each piece of information independently. In local based detection each received data from same sender will be consistence with a previous data. These techniques do not rely on other nodes response for data detection. These techniques are further divided into following sub categories. These are plausibility checking, consistency checking and behaviour checking (Fig.3).
Plausibility Checking In plausibility checking data from each node is verified through some predefined rules, for example one location is not occupied by two nodes at same time. The allowed speed of vehicles should not exceed that has been established by road authorities. The movement of vehicle is verified by two beacons messages form distance travelled by node. It is compared with speed in beacon messages. The plausibility checking model can be used for an expected misbehaviour and filtering false safety messages. Plausibility model can produce a valid result in case majority vehicles are not honest node because plausibility Checking does not rely on other neighbour information [56].
• Database checking Model: To protect VANETs from false information, plausibility validation in network is proposed and consist of database rules and checking model. These rules depend on messages type. A valid message will be succeeded in all verifications. In order to detect fake vehicle messages, the rule is vehicle location. It will be in range and plausible and time stamp will be checked, also velocity should be plausible [58]. For safety alerts, position verification is important and vehicle will wait for RSUs response which creates more latency [15]. • ELIDV: In Efficient and Light-weight Intrusion Detection scheme for Vehicular network (ELIDV) design to detect false information. The aim of the detection scheme to protect network from three kinds of attacks like false safety messages, integrity and Denial of Service (DoS) attacks. The ELIDV detects false information detection based on set of rules. The drawback of this scheme is when number of node increases then the detection performance decreases [61].
Local Based Consistency Checking In Consistency checking each data must be consistent to previous data, for example node at location A in first report and second time report represent location C. The speed to reach from location A to C must be consistent in second report [55]. In these schemes, false information is detected locally rather than other vehicles in VANETs. The detection is based on consistency of messages from same sender while inconsistency is represented as misbehaviour.
• Data Centric (DC): This algorithm detects false messages and node's misbehaviour by observing their action after sending messages. In data centric Misbehaviour Detection Scheme (MDS), each node locally decide whether information is correct or not. Consistency based scheme fails when nodes are at equal distance from each other. This algorithm also fails when a node turn around. It detects false location information. When vehicle is moving on flyover then actual distance is different from calculated distance. When vehicles are moving in group and one turn to right and others turn to left then vehicles behind them consider it as a correct alert. When nodes are moving in opposite direction and sent false alert so it is not selfish reason but malicious intent. The second drawback is if a node cannot receive a beacon after alert message so it is assumed as misbehaviour but, sometimes honest cannot send beacons due to bad signal. Position verification needs more efficient mechanism rather than sender and receiver timings [7]. • HeartBeat Based Detection (HBBD): A short term misbehaviour detection scheme for node that propagates false position and speed information through heartbeat/beacon messages. The observing node analyse incoming heartbeat/beacons messages for honest and malicious information detection. From present and past information an expected and observed position is calculated. If information doesn't match, the suspicious index of vehicle is increased. When suspicious index crosses threshold value then vehicle is declared as malicious vehicle. The main feature of this misbehaviour detection technique is low overhead and no need of additional sensors but use of beacon messages. This scheme looks for inconsistency in consecutive beacons. This effective has low overhead and gets misbehaviour detection from few beacon messages but beacon messages might loss in a process which effects credibility [62].
Behaviour Based Detection In malicious information detection schemes, driver behaviour has a key role. These schemes monitor behaviour of event reporter. These schemes rely on behaviour information from single node. A scheme required little time for detection because it doesn't need behaviour information of other vehicles in reporter vicinity. It consist of techniques that are elaborated below (Fig.3).
• Trajectory Based detection (TBD): This is a misbehaviour detection scheme for false post crash notification. This detection technique depends upon the behaviour of driver after sending alert. The position of vehicle is sensed each time slot form the time alert receive till passed to crash position. The expected trajectory of event crash modulated mobility is calculated. The actual car trajectory is also calculated. If differences between two trajectories are above the certain threshold then it will be considered as false alert. The reason a car does not follow the crash trajectory otherwise, alert will be considered as true. The main drawbacks of MDS is that it assumes vehicle position. The other issue is low threshold which creates more false positive rate [63]. • Root Cause Based Detection (RCBD): This is another MDS for Post Crash Notification (PCN). After receiving a PCN message observer monitor the behaviour of driver for comparing with expected behaviour of driver. It finds different root causes based on observation between two nodes. Node will follow free mobility model in case of no alert. Node follows crash modulated mobility model in case of alert messages. The scheme assume node will always send right location information. This assumption is invalid because node can send false location information too and may produce false results [64].

Classification of Cooperative Based Detection
The cooperative data detection schemes observe node verification for false information with the help of neighbour nodes. In cooperative data detection techniques when node receives safety related messages then it is checked for data relation with multiple vehicles in the network. The neighbour nodes conformation about safety event will ensure receiver to accept message and notify driver. The main benefit of cooperative detection to identify efficiently misbehaviour node with more confidence. The cooperative based detection schemes have sufficient knowledge for bogus message detection while detecting fake messages. It has produce low false positive and false negative rates of a node. The cooperative based data detection schemes consist of behaviour based detection, trusted based detection and consistency based detection, as shown in (Fig. 3).

Behaviour Based Detection
In behaviour based detection for false event information a receiver is compared with average driver behaviour, with event reporter behaviour at location of the event.
The similarity of average behaviour of vehicles with reporter behaviour confirms an event. In case of behaviour difference below the threshold will provide a solid proof for false information. These kind of detection techniques performance rely on maximum number of honest vehicles in vicinity of malicious node. The behaviour base detection scheme is normally used for verification of false congestion alerts and PCN application. It has some detection techniques that are as follow; • IDS/RC 2 RL: An MDS in where misbehaviour like, false position information or intrusion detection scheme (do not follow known pattern) are tested. In this case more density of vehicles the CRL are compressed through use of bloom filter RC 2 RL (Revocation Using Compressed Certificate Revocation Lists).
An MDS to detect false information by comparing the behaviour of each node with the average behaviour of other nodes in its vicinity to build data models on the fly. Moreover, if a true event appears on the low density, MDS will be considered wrong. It is bad for safety messages [65]. • Acknowledgement Based Detection (ABD): This scheme consists of false information detection and mechanism for non-cooperative node detection to isolate malicious node from the network. A data packet is used for false information detection. Vehicle "A" sends information about dense traffic while another node "B" is moving with an appropriate speed. The node "B" report that "A" is sending false information. Another case in same geographic area that a node sends information about traffic jam while another node reports high speed is also considered as fraud. Non-cooperative node is identified through time stamp acknowledgement packet. In false congestion information of a node is also detected through responses of other nodes in network. A non cooperative node is detected through acknowledgements. The false information detection technique performance is degraded with a decrease of nodes on the road. The second drawback is that acknowledgement process creates a higher overhead and produce more delay for node and that may be time critical messages. For selfish and non-cooperative nodes two lists are used that is Individual Reputation List (IRL) and General Reputation List (GRL). The main limitation of IRL is thta a malicious node can insert wrong information about neighbours without communication with them [9].

Consistency Based Detection
Consistency based detection uses consistency data from multiple vehicles to determine false information. Vehicle uses previous average speed of neighbour vehicles must be consistence with new speed from beacon messages. A maximum difference Consistency mechanisms are used when there is a conflict of information from more than one vehicle. For example, in VANETs environment one group of nodes disseminate false road congestion information while other group propagate no congestion information. Cooperative consistency need maximum number of honest nodes otherwise these scheme would be non-effective for malicious information detection.
• Detection Based on Database (DBD) : The first model proposed for detecting and correcting malicious data in VANETs. It was a general framework that is used to validate safety information based on local sensors data to detect Sybil node attackers. Each node checks validity of data through a model. When inconsistencies are found then data is considered as malicious.
Adversarial model is used based on parsimony argument for best explanations to correct malicious data. There is no validation or performance testing for this approach. To maintain a global data base in VANETs is almost impossible. This scheme does not provide location privacy. This scheme will fail when the number of malicious nodes are more than honest nodes in VANETs [66]. • Detection Based Six source of Information (DBSSI): A security model enable VANETs to distinguish false alerts from legitimate alerts. The detection model is based on six sources of information. The drive is send an alert after agreement of six sources. The filtering model is dependent on two components. One is Threshold Curve (TC) and other is Certainty of Event curve (CoE). The TC depends on distance between event and driver. The CoE means the confidence of received message from neighbour node. If CoE intersect threshold curve then driver will be notofoed. The performance of scheme depends on two parameters which are TC and CoE. The threshold is important to driver while certainty of event is related to event confidence. However, this scheme creates more computation and delay due to six sources for false PCN or congestion event detection. In some scenarios a threshold may not be crossed due to VANETs characteristics. Only to analyse or to endorse the EEBL applications and no further applications has been tested or evaluated [67]. • Secondary Information Based Detection (SIBD): A secondary information is generated in the result of primary information. The secondary information is used for detection of primary information. This scheme depends on how many vehicles generate secondary information. This means correlated information in response to primary information is known as degree of belief.
In the absence of primary alert it is also probability that malicious node send secondary information. However in case of true primary alerts neighbour node sends large number of secondary alerts that provide a belief on primary alert. When degree of belief is 1, it indicates a true event. The degree of belief is 0 shows a false event, however performance of this scheme degraded due high speed. The minimum density of nodes also effect truism of the scheme [68]. • RD 4 : The proposed scheme is RD 4 used for cooperative deceptive data detection. RD 4 filters false accident in VANETs. Detection of true accident is handled by accident sources. The car which is actually involved in accident is equipped with temper proof component to resist against propagation of fake identities. When accident report is received by vehicle the decision is based on the signal strength of his own observation and signal strength of the same event of others. In design when accident happens, the road is black and vehicles slow down. Integrating both signal strength of events for accumulative signal strength, if accumulated signal strength exceeds the pre-set bound to confirm the event. A velocity deceleration used as a signal strength and accumulative signal strength observed by the vehicle. An increase in speed indicates low signal strength which is does not produce good accuracy for false event detection schemes in VANETs [69]. • VANETs Association Rule mining (VARM) : It is an introductory scheme for detection of malicious data disseminated by malicious or faulty node in VANETs. The scheme builds a mining association role based on routine messages in VANETs. These messages provide a relation among vehicles.
In high density a mining association between vehicles on a single vehicle creates more computation overhead. It needs more storage capacity for a single node [70]. for a node is a mechanism that broadcasts fake congestion events. This approach is based on local velocity and distance with help of radar to verify congestion event. It uses kinematic wave to detect congestion period and distance. It is very effective technique against fake IDs and sents false congestion event because kinematic wave packets contains signatures and certificates. In kinematic, wave packet is used for detection of non existing congestion event in VANETs. This is an effective technique for single misbehaviour vehicle (cheater) but when cheater increases then detection process will take more time because distance between leading cheater and last cheater increases as well [71]. • Fox Hole Region (FHR): A scheme to detect false PCN in VANETs. MDS is based on FHR event which happens at a certain location. An FHR is a four co-ordinate region with dimensions depending on speed of the node. The high speed mean larger FHR and low speed have smaller FHR. The FHR consists of safe and unsafe zones. Two consecutive beacons messages are used for average speed of vehicles after that a FHR is found for each vehicle. We find that threshold D, if parameter of belief between D + and Dthere might be misbehaviour. The information may be correct if greater than D + and smaller than D -. The FHR help to find safety value for node on his current location and speed. This detection approach valid for static event like PCN. The weight-age information is obtained from consecutive beacons. In some cases it is not useful when event is near because the vehicle may crosses event location [23]. • Misbehaviour Discovering Method (MisDis): A misbehaviour detection method is known as Misbehaviour Discovering method (MisDis), having accountability of vehicles behaviour by record of evidence to conform it from inside and outside vehicles. MisDis has also identified misbehaviour through inside device (state of automata monitoring) and supervision. A MisDis also keeps a record (security log) for behaviour characteristic of target vehicles. If anything observed then system will inform the RSUs or other security in charge for further assistance. MisDis assumes strong authentication and identification but cannot provide privacy and practical implementation for performance evaluation [72]. • Cooperative Detection and Correction (C − DAC): In Cooperative Detection and Correction (C − DAC), each vehicle calculates his own value of flow (Speed, density, flow, location information) and send information to other vehicles. The rest of the vehicles also calculate value of Speed, density, flow and location information. It provide us a good model for traffic. Each vehicle transmits its flow to another vehicle. If received flow does not match with a VANETs model flow then data will not be accepted. This scheme has effectiveness against node that shares wrong location information. Node which send false information from multiple identities then honest nodes that are behind of malicious node ignore this information because of their own speed.
When multiple attackers send false information then C −DAC scheme cannot detect information as wrong information. The scheme does not provide better result in low density [3]. The scheme performance is enhanced with IDS (Intrusion Detection System). The IDS uses statistical schemes to identify malicious nodes which broadcast false information [73]. • Subjective Logic Based Detection (SLBD): A position verification method by enhancing two position verification methods and fuses its data in framework that is known as subjective logic. The parameters have Acceptance Range Threshold (ART) and Pro-active Neighbour Exchange (PNE). Both mechanisms are integrated in the framework. Subjective logic expresses truth value as opinion which consist belief, disbelief, uncertainty and base rate. Using two methods for position verification ART and exchanging of table is minimum. Therefore more parameter can be used for better results and low false positive rate in VANETs [22].

Trust Based Detection
Trust and reputation are two important tool of security that facilitate nodes in decision making of network [74]. Generally trust is the expectation and level of confidence of one vehicle about other vehicle's action in VANETs [75] [76]. In VANETs a high dynamic environment, an adapted trust establishment are needed. VANETs are ephemeral kind of network where the connection life is very short and vehicles meet for few seconds. Decision about trust of other nodes must be conducted individually rather than other nodes. Therefore trust information is collected from other nodes for very limited time [77]. Trusted based detection techniques assign value to nodes based on their past historical data communication [78]. Trust based detection system is categorised in three trust system as shown in (Fig 3).

Direct Trust
The established trust is based on mutual sharing of information between nodes in VANETs. This kind of trust does not rely on other node's trust information. The direct trust is feasible in VANETs environment but sometimes it cannot provide sufficient trust information for false information detection.
• Particle Filter Based Detection (PFBD): In this scheme particle filtering is performed to check the plausibility of data and asses trustworthiness of neighbour nodes. This scheme combines information from different data sources in one particle filter per neighbour, for example position information is verified through Cooperative Awareness Message (CAM) by sender nodes, neighbour nodes as well as with local sensors (digital road map, radar, Lidar, directional antennas). This scheme is based on the transition shift between two incoming messages. The main benefit of this scheme, it locally assess trust of neighbour for location verification rather than other vehicles. The accuracy of scheme depends on local sensors data and local sensors data effected from high speed. The drawback of this scheme is more computation overhead and delay for a single vehicle [79]. • Behaviour And position Based Trust System (BPBTS) : A method that detects malicious data in traffic signal at intersections. Node creates fake multiple identities (Sybil attack) and transmit information from these fake identities to manipulate traffic signal. The detection of malicious data with the help of combination models expected behaviour of driver and position verification technique. In false information for traffic signal control is detected by control node. The control node assigns trust level to each node for detection of malicious data. The trust change (update) after each node's information is received. Sending data with a low or zero trust is considered as a malicious data. In detection scheme assumption is not valid for node trust to stop on green signal because it will not stop on green signal in selfishness situation [80].

• Similarity Based Trust Management System (SBTMS): A Similarity
Based Trust Management System (SBTMS) checks for bogus safety event detection in node using similarity index. It assigns trust to one-hop neighbour in the network. This scheme also enhances decision making power using trust and utilizing echo protocol to check reaction of reporting vehicle. This scheme is feasible when there is more meeting time between vehicles for communication to build a trust system. The second limitation is when Safety Event Elevator (SEE) sends echo safety event alert to Safety Event Reporter (SER). If SER does not reply due to signal loss or out of range communication from SEE, it is also considered as malicious data [81].

Indirect Trust
In indirect trust system node shares trust information of other nodes based on their past communication relationship. This kind of trust is transitive and effective in terms of sufficient information.
• Proof of Relevance (PoR) : An event verification responsibility is to put on the reporter. When a vehicle sense safety event, it must be endorsed from vehicle in the detecting area and disseminate it in the network. The drawbacks is that malicious node could endorse message with fake digital signature in detecting area. Low density of vehicles in reporter area is also considered as failure of this scheme [82].

Hybrid Trust
Hybrid trust is combination of direct and indirect trust. The hybrid trust system is good for detection rather than individually using direct and indirect trust but, it consumes more time in detection. Therefore VANETs need a short time trust management system.
• Vehicle Ad-Hoc Network Reputation System (VARS): A Vehicle Ad-Hoc Network Reputation System (VARS) uses direct and indirect trust as well as appended opinions from sources to enable confident decisions on event packets. The main problem of this scheme is that it involves accumulation of reputation evaluation which takes more time [83].

• Event Reputation System (ERS): The Event Reputation System (ERS)
prevents inaccurate traffic messages in VANETs. A dynamic reputation system is used to determine the incoming traffic trustworthyness to the driver. In this scheme, vehicle gets enough reputation from inside sensors and received messages. When enough reputations is received then traffic warning will be broadcasting to other vehicles in the network. The scheme is dependent on two parameters; event reputation value and event confidence list. Event reputation system consists of three interfaces and four functionalities. One is event table storage for received messages or event from on board unit sensors. The event table consists of event identity, type of event, time stamp of event, event location, event transmission range, event reputation value and event confidence value list. The event table stores each event separately and set event reputation value. The ERS uses aggregative event observation mechanism and reputation adoption mechanism. The event confidence threshold and event reputation threshold asses event intensity and reliability at the same time.
The limitations of ERS is that event reputation value is low in high speed because of the sensor capability (minimum detection). The event confidence is small in low density. The other factors like event duration and transmission range also has an effect on ERS [84]. • Event Reputation Model (ERM): A event base reputation model where event observer node checks expected behaviour of event reporters. If behaviour matches then reputation of event as well as node's are increases. Otherwise decreases in false information situation. A faulty or malicious node can inject wrong reputation value [85]. • Cascading and Oversimple(CAO): A misbehaving node cannot send malicious information all times but due to selfishness reasons. Therefore depending on circumstance in the network having said that node cannot point out all time a good or bad. Another issue of trust management based on voting system. The voting threshold value is not reached due to constantly changing topology. Another problem in trust management is cascading (where nodes influence other nodes in decision making). The cascading is solved through mechanism where more weight-age is given to node that is closer to event location from nodes which are away from the event location but, till there are loopholes. If nodes are at same distance from event propagating different opinions about same event. Then proposed scheme does not work properly [86]. • RMS: The misbehaviour detection scheme is based on Reputation Management System (RMS). The RMS has three components misbehaviour detection, event rebroadcast, global eviction and filtration of false information. Each node maintains event information and corresponding action for detecting misbehaving nodes. The detection scheme uses risk value of bad node to calculate risk level. The event reporters sense event create alert and send it to their neighbours. If event observer within one hop of reporter can observe the behaviour of reporter, vehicles beyond one hop of reporter are participant and can forward the alert but cannot detect behaviour of reporter [87].

Analysis
The purpose of this article is to provide an overview of current cooperative based malicious information detection schemes in VANETs. The detection of malicious event information is very important for road safety and human lives. This article has categorized data centric misbehaviour detection schemes based on their tendency for malicious information.
Local based detection schemes rely on available information from a single source. Although it is efficient in term time for detection due to not having any dependance on other nodes. There is another well-known parameter for fake data detection that means delay and is experienced in the network due to VANETs characteristics. The delay has various parameters in TABLE 1. A scheme with Low delay is considered to be fast and vice versa [88]. All mechanisms in TABLE1 efficiently detect location of nodes. However, Lack of sufficient information from single node cannot provide accurate result for malicious information detection [7] [62]. The schemes in [7] [62] is also vulnerable to weak signal strength in detection area.
However local base detection can produce good result in low density like [7] [62]. In [63] [64] observing behaviour of node after transmission of safety message. The main drawback of these schemes is they assume valid position information at detection time. A malicious node can provide consistent and plausible data to reduce the effectiveness of local base schemes as in TABLE 1. The accuracy of the schemes are measured in term of overhead and false positive rate in worst scenarios. In worst scenarios there are more malicious vehicles that propagate false messages. The exchange of extra data with vehicles is known as communication overhead. To incorrectly classify honest nodes as malicious is false positive. The schemes having Low overhead and Minimum false positive rates are normally considered better false data detection schemes [73]. (see TABLE 1 and TABLE 2) The cooperative based detection schemes have more effectiveness than local based detection. The neighbour vehicles provide evidence for malicious behaviour. These schemes provide low false positive rate than local based detection schemes. They accurately detects Sybil attacks. Cooperative detection scheme create more overhead and computation rather than local detection schemes. The malicious information detection requires minimum latency as shown in TABLE 2. The [66] [70] maintain database for malicious information detection on single node. A high density network cannot maintain database on one node. The main drawback of these schemes are when malicious nodes increases than honest nodes creates a false result [3]. In VANETs, low density of vehicles also decreases the performance of cooperative detection schemes [9] [65] [68] as shown in TABLE 2.
In VANETs is ephemeral kind of network where connection between nodes are very short time [86]. Therefore VANETs are vulnerable to different security attacks [89]. To constitute trust system is difficult task [90]. A misbehaviour node may not be malicious all the time but due to selfishness. The reasons depends on multiple circumstances in the network. A simple trust model is needed to be constructed for fast data evaluation in VANETs [91]. In [92], trust management system for malicious information detection need high trust nodes and RSUs. The RSUs already has an overhead due other responsibilities. Another issue is trust management on voting systems. The threshold value does not reach due constantly changing topology. In trust management system, faulty or malicious nodes can share false trust information. The single identity of vehicle create problems for privacy. The user can easily trace or compromise their personal details. That is a resaon that a set of names are assigned to a vehicle called pseudonyms. The actual identity is only known to CA who provides pseudonyms [7]. Therefore, pseudonyms are changing after certain time period depending on the mechanism. The trust related data is removed due to privacy issues. For these reasons, VANETs may be needed as trade off between privacy and trust management system [93]. In indirect trust management system, a malicious node can provide bad reputation value for honest node. The majority of vehicle must be honest for false information detection. The trust value is assigned based on their past history of communication but, unpredictable behaviour of vehicle sometimes falsifies their past history.
The following prerequisites are required while designing an efficient trust model for MDS in VANETs [94] as shown in TABLE 3.
• Decentralization: VANETs are dynamic and distributed networks. Therefore, a decentralize trust management system is required for reliable data communication. The trust models use one to one or one to many interaction while trust building in decentralize manners [28]. Some strong authentications are prerequisite for nodes before establishing a decentralize trust management system in VANETs. • Data Scarcity: VANETs have dynamic and distributed type of network where interaction between same nodes in future are almost impossible. Due to short network life the data received at first time is important for trust building. • Network Scalability: Scalability is considered as an important factor for trust management. The density of nodes are more and few of them interact and sent information in the network. The observer need to quickly decide about incoming information. The trust information may be updated a little bit according to the network size. For a good trust management, trade-off between scalability and trust mechanisms are required. In efficient trust management priorities are given to nodes that are frequently interacting. • Metric: In trust management different types of metrics are used for dynamic trust establishment. The metrics for trust management system includes post crash notification (PCN), congestion and weather conditions beacons [95,96].
In [97], trust management system is based on behaviour analysis of neighbour nodes to assign trustworthiness value which is additionally disseminated in network. The priority are given to event reporter that are relatively close to event location [86] or close in term of time. • Confidence: In order to remove uncertainty for event, trust management is requires reliability and confidence in the VANETs. A trust management assigns high trust value to nodes that reports same event [98], [99], [100]. • Security: Trust management system requires strong security credential to authenticate sender that reports safety information in VANETs [101]. Normally PKI is used to verify reporter authenticity in VANETs [102]. • Privacy: In VANETs, decentralized trust management is dependent on strong authentication for vehicles. While using single key create security concern to vehicle owners. Therefore, using multiple keys reduce privacy issues in network [103]. To protect location privacy in VANETs, many pseudonym changing techniques have been proposed to achieve pseudonym changing [104]. In TABLE 3 most of trust management schemes have not provided good privacy. • Robustness: Trust management system itself faces challenges of Sybil attack, new comer attack, betrayal attack (trusted node suddenly started misbehaviour) and bad mouthing attack (some nodes provide low reputation intentionally). A robustness trust mechanism is needed to tackle these kinds of attackers as well. VANETs require a quickly responsive detection mechanism for malicious information detection. New trust management system is necessary that uses current parameters in different scenarios for VANETs. The focus is needed on alert messages rather than nodes. In VANETs, trust management system should have minimum information (data scarcity), strong authentication, privacy and must be decentralized and scalable.

Conclusion and Future Work
In VANETs, vehicle communication takes place with each other and RSUs. VANETs have different kind of applications for healt, safety and traffic efficiency. A malicious node can broadcast bogus messages, which can change the behaviour of other nodes. Therefore, detection of malicious information is an important factor to be investigated. This article has categorised existing detection mechanisms in cooperative data detection, local base detection and trust based detection techniques. Cooperative based detection schemes are efficient in case of dense network and greater number of honest nodes. Trust based detection schemes showed good performance When frequency of interaction among nodes was high. Trust based schemes depends on past interaction information among the nodes for better malicious information detection. However, trust management system and local based detection for malicious information detection has its own challenges due to VANETs characteristics. The existing detection mechanisms cannot provide good and up to the mark performance due to various challenges. Therefore, VANETs requires such detection techniques that should provide data scarcity and have minimum delay time.
Local node information based detection techniques depend on available information from a single node. They are efficient in terms of time because they does not rely on other nodes while detecting bogus messages. The lack of sufficient information from single node does not provide accurate result for malicious information detection. These schemes need more information from single node to enhance their performance.
The cooperative techniques create more delay and overhead while detecting malicious data as compared to local based detection in VANETs. If number of malicious nodes increases than honest in VANETs, then it create false result for malicious data detection. Low density of vehicles in VANETs reduce effectiveness of these techniques as well.