VANET Secure Reputation Evaluation & Management Model Based on Double Layer Blockchain

Abstract

Vehicle ad-hoc network (VANET) is interconnected through message forwarding and exchanging among vehicle nodes. Due to its highly dynamic topology and its wireless and heterogeneous communication mode, VANET is more vulnerable to security threats from multiple parties. Compared to entity-based security authentication, it is essential to consider how to protect the security of the data itself. Existing studies have evaluated the reliability of interactive data through reputation quantification, but there are still some issues in the design of secure reputation management schemes, such as its low efficiency, poor security, and unreliable management. Aiming at the above-mentioned issues, in this paper we propose an effective VANET model with a secure reputation based on a blockchain, and it is called the double-layer blockchain-based reputation evaluation & management model (DBREMM). In the DBREMM, we design a reputation management model based on two parallel blockchains that work collaboratively, and these are called the event chain and reputation chain. A complete set of reputation evaluation schemes is presented. Our schemes can reduce observation errors and improve evaluation reliability during trust computation by using direct trust calculation based on the multi-factor Bayesian inference. Additionally, we propose an indirect trust calculation based on the historical accumulated reputation value with an attenuation factor, and a secure a reputation fusion scheme based on the number threshold with the fluctuation factor, which can reduce the possibility of attacks, such as collusive attacks and false information injection. Theoretical analysis and extensive simulation experiments reflect the DBREMM’s security algorithm effectiveness, accuracy, and ability to resist several attacks.

1. Introduction

IoV is a typical application scenario for IoT technology. With the help of the next generation of information and communication technologies and the rapid development of various high-tech devices equipped with intelligent vehicles, such as GPS, radar, and on-board equipment, vehicle nodes can be connected to everything (V2X) through various types of networks to build intelligent transportation systems (ITSs) and realize the vision of the smart city. VANET [1] can be seen as a subset of IoV, which mainly focuses on short-time, real-time, and short-distance communication formed by the interconnection between vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I). In VANET, complex and dynamic data generated by vehicles, human beings, and the environment are communicated and processed in real-time. Data include traffic conditions, traffic accidents, road construction, congestion, etc. It is estimated that about 380TB-4PB of data [2] can be generated annually for the VANET network worldwide, which includes plenty of sensitive information. Due to sensitivity, the security and reliability of the data content is critical to the performance and quality of the delivered services. Reliable information can help vehicles find the fastest route, avoid collisions, etc. Unreliable data can even lead to serious traffic accidents. Meanwhile, VANET uses wireless and heterogeneous media for transmission and is more vulnerable to malicious attacks. Some researchers have carried out comprehensive surveys for VANET security, and pointed out new security concerns and issues in VANET that urgently need to be solved [3,4]. Therefore, the protection of VANET data security is crucial.

Traditional security solutions, such as key pairs, digital certificates, and public key infrastructure (PKI), refer to secure communication schemes for other types of networks and are mainly oriented to entity authentication. They are only applicable to identify malicious entities [5,6]. Nevertheless, in VANET, vehicle nodes are essentially controlled by people, and the entity security of vehicle nodes cannot guarantee the reliability of the data given by the nodes. The consequences of untrustworthy information sent by the perpetrator through legally certified vehicles will be severe. At the same time, due to the high mobility and short-term connectivity of VANET, if there are no appropriate countermeasures, it may be too late for victims to find that the message received is malicious. Malicious vehicles may have been disconnected from the network after committing crimes. Therefore, the protection of vehicle network security should focus specifically on the data.

In order to eliminate internal attacks from VANET, researchers use reputation management models to evaluate the reliability of interactions based on the behaviors and information propagated in the network. As mentioned in previous studies, reputation is the general view of the public on the credibility of others [7]. Furthermore, the quality of the data depends on the reputation of the vehicles [8]. Therefore, the reliability of information given by vehicles can be evaluated by quantifying the reputation of vehicles. Trust refers to the measure of the credibility of the interactive content of nodes, and it is the subjective expectation of one node to another node based on its own experience and preference. Trust can be seen as a short-term evaluation, while reputation is a long-term concept based on trust. Previously, researchers extended the social network to the vehicle network, forming the vehicle social network (VSN) [9,10]. In a VSN, vehicle nodes are connected to each other through mutual interaction, and a tightly coupled self-organizing virtual network is formed. It can be used to manage trust between nodes. In practical VANET scenarios, the establishment of the VSN has a track to follow. A large number of vehicles maintain a relatively stable trajectory while driving to/from work, school, gym, supermarket, etc. Therefore, social networks can be established through frequent communication. However, there are still many vehicles that travel irregularly, such as the ride-sharing cars (Uber, Didi, etc.) and transportation vehicles that require driving across districts or cities, making it difficult for them to establish a frequent and stable communication network. The historical database of these kinds of cars will cause a huge waste of computing power and storage space. In VANET, the different preset reputation levels of vehicles, the degree of impact of reported events, the quantified observation values of the reported and verified credibility of events, and the calculation methods of various parameters are all key issues to be considered in designing the model. In addition, characteristics of VANET, such as the real-time and high mobility make traditional solutions difficult to implement.

The emergence of blockchain technology has provided a large number of innovative solutions for the security issues of VANET. Blockchain is a novel exploration of network world operating rules and technologies [11]. Following the creation of a new typical cryptocurrency.

Bitcoin was proposed [12], and scholars noticed the advantages of the blockchain in the realization of security. In blockchain-based networks, data are stored in blocks in the forms of distributed ledgers, and are protected cryptographically. Each node can hold a full/partial copy of the blockchain. By combining the reputation evaluation and management model with the blockchain, using its advantages of decentralization, irrevocability, traceability, transparency, autonomy, and anonymity, the problems existing in the model can be well solved. At present, some researchers have tried to combine blockchain technology with the VANET reputation management model, but there are still the following unsolved challenges, including:

(i)

Trust is the current judgment of an observation result generated by node interaction, while reputation is the long-term accumulated trust results of a node. In the existing VANET reputation and trust evaluation scheme, there is no good distinction between them. VANET network has its own structure of high mobility, frequent connection, and dynamic topology. Meanwhile, a bunch of vehicles cannot establish frequent and stable interactions with some fixed "social partners". Trust evaluation schemes of VSN based on the historical interactions of nodes are mostly oriented towards mutual trust and do not carry out quantitative calculation on the reputation of the nodes themselves. Furthermore, some researchers have tried to integrate VANET trust management schemes with blockchain technology. To our knowledge, there is no reputation evaluation scheme based on blockchain technology that fully covers the entire reputation updating process, including trust generation, record, and the conversion of trust values into reputation;

(ii)

Bayesian inference uses existing evidence to predict unknown evidence from the perspective of probability, and has been widely used in the trust evaluation of VANET. In the use of Bayesian inference, the similarity of direct comparison information between nodes is mostly adopted to obtain prior distribution, that is, the binomial distribution is directly used as prior distribution. If the information received is the same as self-observation, trust will be obtained, while if it is different, distrust will be obtained. However, due to the differences in vehicles’ speed, distance, and other factors in the actual scenarios, there will always be errors in the observation of an event in different states. Therefore, it is necessary to consider how to integrate various factors, and then compare the reliability of observation content on this basis to prevent misjudgment;

(iii)

Existing schemes consider the indirect trust of neighbor nodes based on security. Assuming that the vehicle node $v_j$ needs to judge the reliability of node $v_i$, $v_{kn}$ is a series of neighboring nodes that provide indirect trust. Most schemes directly fuse the trust of the neighbor node $v_{kn}$ to $v_i$ as an indirect trust, and include it in the measurement of $v_j$’s trust to $v_i$. The problem in these schemes is that the influence of the reputation value is not considered at all. That is, if the historical reputation of $v_j$ is greater than the historical reputation of $v_{kn}$, for $v_j$, the reference value of $v_{kn}$’s trust to $v_i$ should be reduced or directly set to zero;

(iv)

Most of the existing schemes give different measures of direct trust and indirect trust to generate the overall trust. In addition, some researchers add the social metrics of nodes. However, the process of connecting the two concepts of interactive trust and cumulative reputation and updating the reputation value of the target node through the trust value generated by a single interaction while resisting malicious attacks, is still an urgent problem that remains to be solved.

In view of the above challenges, we propose a brand new VANET security model, called the double-layer blockchain-based reputation evaluation and management model (DBREMM), and based on this model, we designed a complete reputation update scheme, including:

(i)

We propose a new two consortium blockchain-based reputation update model for VANET. It consists of the cooperation between two blockchains and helps to achieve the security for VANET. In detail, an event chain is used for safety verification, real-time emergency response, and the after-action accountability of road events. A reputation chain is used to establish a recessive vehicle reputation network, and to realize the storage and query of historical reputation value and social measures of vehicle nodes;

(ii)

We design an improved Bayesian inference (BI) algorithm based on multi-factor measurements to calculate the local direct trust value of vehicle nodes. This algorithm can optimize the calculation method of trust values and objectively evaluate the observation content from multiple dimensions, so as to better realize the increase of trust values of a normal vehicle node and the rapid decline of a malicious vehicle node;

(iii)

We design an adaptive improved algorithm based on historical reputation difference. When calculating the indirect trust value of vehicle nodes, the measurement weight of each node is modified by the adaptive difference attenuation factor according to the comparison between the neighbor node and its own historical reputation value stored in the chain. The importance of historical reputation is amplified;

(iv)

In the process of reputation weighted fusion update, the attenuation factor is used to control the historical reputation weight and an adjustment factor is introduced into the social measurement. A security trust update scheme is proposed based on the number threshold and the fluctuation factor, which can resist an on-off attack and collusive attack.

2. Related Work

DBREMM is applied to the reputation management model of VANET based on the consortium blockchain. This study involves trust computation, reputation update, and management based on the blockchain.

2.1. Trust Computation

The current trust computation scheme, according to the adopted decision logic, can be divided into different approaches based on multi-weight fusion [10,13], Bayesian inference (BI) [14,15,16,17,18], the Dempster–Shafer (D-S) theory [14,19], fuzzy logic [20,21], and three-valued subjective logic (3VSL) [22,23,24,25], etc. Bayesian inference describes the uncertainty of data-centered modeling and reasoning based on probabilities and statistics [26], which is more suitable for the quantitative judgement of interactive trust in the VANET scenario.

According to how trust is calculated, it can be divided into direct trust [27] and a combination of direct and indirect trust [28]. In addition, social metrics [10,29,30] are also added based on driver behavior.

In [15], Zhang et al. proposed a trust management model based on the trustrank algorithm, which considers both local trust and global trust. Local trust is obtained by applying the Bayesian inference model to past interactions of vehicles. In the evaluation of the system model, new-user attacks, on-off attacks, and collusive attacks are considered.

Fang et al. [16] proposed a trust management model using Bayesian inference to prevent on-off attacks. The trust calculation combines weighted direct trust and indirect trust. The attack identification window is defined according to the interaction between the trustor and the trustee, and the vehicle’s credibility is judged according to the number of switches before reaching the highest and lowest scores. If the vehicle exceeds the predetermined threshold, it is marked as malicious. The model is simulated in MATLAB.

Talal et al. [17] proposed a blockchain-based decentralized trust model based on Bayesian inference, taking into account the quality of direct interactions between vehicles. It is mainly targeted at new-user attacks, based on punishment strategy to prevent malicious vehicles from gaining higher trust points by frequently leaving and joining the network. Meanwhile, an incentive scheme is proposed to encourage cooperation between vehicles. The scheme performance is analyzed in MATLAB.

In addition, the main calculation factors considered in the calculation are the weight quantization and threshold setting, that is, the determination of whether or not the vehicle is trustworthy according to the trust value calculated. The concept of weights is often applied when aggregating the trustee’s final trust score, where different contribution parameters are assigned different weights according to their contribution/importance in the final trust value calculation. The determination of the exact value of these weights is essential. In [13], two weight calculation methods of three parameters, involving similarity, familiarity, and grouping delivery ratio are proposed, and the simulation verifies that the results produced by the weight calculation methods are more accurate than using the mean value directly.

The threshold setting is designed to identify misbehaving entities in the IoV and detect malicious vehicles by adopting a preset stable threshold. In [31], the vehicle with a trust value greater than the threshold is a trusted vehicle, while a vehicle with a trust value lower than the threshold is a malicious vehicle. However, authors do not consider the dynamic characteristics of VANET. A fixed threshold cannot resist on-off attacks. In [32], Mahmood et al. proposed the adaptive threshold technology to effectively reduce the on-off attack. However, the trust management model is quite computer intensive and has efficiency issues.

2.2. Reputation Evaluation and Management

Due to the characteristics of blockchain, such as decentralization, irrevocability, traceability, transparency, autonomy, and anonymity, a group of scholars have proposed a reputation management model based on the blockchain to meet the implementation requirements of reputation security management in VANET.

In [23], Zhang et al. proposed an improved three value subjective logic (3VSL) algorithm, which combines the historical reputation value, historical interaction information, and interaction frequency of vehicle nodes to evaluate the reputation value of vehicles, and uses reputation threshold to identify malicious vehicles. However, this algorithm lacks relevant content and simulation for the integration of blockchain technology, and does not provide consensus on the use of the blockchain, which may have problems in implementation.

Wang et al. [33] designed a blockchain-based reputation evaluation model to solve security vulnerabilities and privacy issues on the autonomous vehicle social network, as well as to incentivize legal behaviors and content delivery of vehicles. In [34] the author proposed a blockchain-based vehicle network data reliability evaluation system. The reputation value is rated based on historical reputation. Both schemes adopt the PoW (proof of work) consensus, which is inefficient and there are obstacles in its implementation.

In [35], Yuan and Wang proposed a contract-based incentive mechanism for secure block verification that could encourage more miners to participate in block verification. A weighted subjective logic model is adopted to build a safe and efficient reputation management scheme and use an improved DPoS (delegated proof of stake) consensus to reduce collusion between stakeholders and mining candidates. The scheme prevents less than $\frac{1}{3}$ of malicious attackers. The disadvantage is that the accuracy of the weight allocation is not considered.

The development of a secure reputation management scheme helps to prevent the exchange of forged data and to eliminate sources that disperse such data, thus ensuring safe, reliable, and efficient traffic. Current studies can generally be divided into three categories [36]: (1) data-centric, emphasizes the authenticity of the exchanged information; (2) entity-centric, emphasizes the reliability of vehicle entity; and (3) hybrid model, considers both entity and data legitimacy. For reputation evaluation, considerations include interaction-based attributes, indirect trust of neighbor nodes, and the social metrics of the driver (as the decision-making authority).

For the data-centric model, Raya et al. [14] evaluated the trust level of the data by correlating the weight of the reports shared by the neighbor vehicle nodes that depends on the proximity of the vehicle to the time and location of the reported event. In the trust computation scheme, weight-based voting, Bayesian inference, and the D–S theory are compared. In [37], Gurung et al. evaluated the trust level of messages by considering content conflict and similarity as well as similarity of routing paths, and then assigned trust values to each message. The problem with data-centric reputation evaluation is the potential for delays and data loss in heavy traffic scenarios and poor performance when data are scarce.

For the entity-centric model, Sugumar et al. [38] classified vehicles as trusted or malicious nodes based on a predefined threshold during a trust assessment. In [39], a reputation score was obtained based on the fusion of the vehicle’s current trust, its level of cooperation, and the last-hop recommendation. The problem with entity-centric reputation evaluation is that it does not take into account the highly mobile characteristic of IoV, and the authenticity of information cannot be guaranteed.

For the hybrid model, in [40], Ahmad et al. evaluated the node and data trust under several attack scenarios. Malicious nodes can not only post fake trust ratings, but also falsify safety-critical information to deceive trusted vehicle trust. In [41], Oubabas et al. proposed to evaluate node trust and data trust to ensure the reliability of data exchange between entities and the authenticity of data transmitted by these entities. The final trust calculation was based on the weighted trust score of the vehicles’ cooperation with partners.

In [42], Fernandes et al. evaluated the authenticity and rationality of the local danger warnings based on the reputation of the vehicles. The proposed scheme designed a complete blockchain-based implementation scheme, with consensus using PoA (proof of authority) and provided simulation of the blockchain overhead. While meeting the requirements of effectiveness and latency, the proposed scheme can resist false injection attacks. This scheme uses an optimistic strategy, in which the nodes are initially considered to be trustworthy, so there are almost no defensive measures before committing any inappropriate behaviors. Therefore, the security of this scheme still needs to be considered in practical applications. In [43], Xu et al. designed a vehicle reputation evaluation system with reward and punishment mechanisms and conventional tax mechanisms, and implemented the system using Hyperledger Fabric. In this scheme, all tasks of updating reputation values are abstracted into three types of transactions, which have improved the performance in terms of effectiveness and throughput compared to existing solutions. At the same time, it effectively addressed the issues of on-off attacks and rational selfish behaviors. However, the above two schemes only evaluate the reputation of vehicle nodes through the trust computation and fusion between nodes, and evaluate the vehicle status based on preset thresholds, without considering the impact of historical reputation and social factors.

The above related work is summarized in

Table 1. Summary of the related works.

Reference	Decision Logic	Reputation Characteristics	Anti-Attack Capability
[14]	BI	I	Single Class
[15]	BI	I, H	Several
[16]	BI	I	Single Class
[37]	Simple weighting	I	Single Class
[38]	Simple weighting	I	Several
[39]	3VSL	I, H	Single Class
[42]	Multi-weight fusion	I	Single Class
[43]	Simple weighting	I	Several
DBREMM	Multi-factor BI	I, H, S	Several

I, H, S represents interactive trust, historical reputation, and social factors, respectively.

. We can see from the above summaries and Table 1 that there is not yet a complete secure reputation model covering trust calculation, reputation update, and management. In addition, as for reputation evaluation schemes, there is no solution that fully considers all reputation characteristics, such as historical reputation, interactive trust, and social factors. The DBREMM, proposed in this paper, implements a comprehensive evaluation and secure storage of event credibility and node credibility in trust calculation and reputation update and management. At the same time, improvements and innovations are made on the threshold and weight quantization selection, anti-attack capability, and other aspects of the existing trust computing schemes.

3. Basic Concept and Initial Settings

3.1. System Components

Firstly, we clarify our purpose again: to design a blockchain-based reputation management model that includes reliable updates, secure storage, and query of node reputation. The goal is to measure the reliability of vehicles in VANET through reputation, so as to ensure the safe transmission and sharing of data.

The secure scheme designed in this paper is based on a typical VANET network model, and we re-designed the model to suit the DBREMM framework under the data verification scenario. The framework is divided into four layers, from bottom to top, including a vehicle layer, network layer, blockchain layer, and superstructure layer. The system components include vehicle nodes, roadside units (RSUs), blockchains, superstructure, etc. These mobile nodes and infrastructure communicate with each other through communication methods, such as DSRC (dedicated short range communication), LTE (long term evolution), 4G, 5G, and beyond to achieve data sharing. The connection mode of each component is shown in Figure 1, and the detailed description of the components is as follows.

Vehicle layer and network layer: Vehicle node: Vehicles are equipped with an on-board unit (OBU), including advanced communication devices, wireless transmission modules and trusted execution environment (TEE). Vehicles are capable of communicating with other vehicles and RSUs, and have rational computing power to perform simple calculations. Calculations include detecting and reporting various road condition events and calculating the direct and indirect trust of targets based on received data. Meanwhile, vehicles can participate in a blockchain consensus as well as query the content on the blockchain. Any vehicle node has the possibility of breaking down or being controlled by an attacker.

RSU: RSUs are responsible for helping establish communication between all vehicle nodes under their coverage. They have sufficient computing power, network communication capabilities, and storage space, and they are well equipped with TEE. As the relay station of vehicle nodes and superstructures, the RSU is responsible for event collection and reporting, reputation update and management, and the coordination of block production of the event chain and reputation chain.

Blockchain layer: In DBREMM, there are two consortium blockchains used collaboratively, namely the event chain and the reputation chain. RSUs and some of the vehicles with spare computing power are pre-selected to participate in the consensus. As consensus in the consortium blockchain is based on votes, which means that in the consensus process, a branch of nodes verifies the content of the block and vote. It requires less computing power compared with computational proofs, such as PoW.

Upon completion of registration, each vehicle node and RSU can keep a ledger of the consortium blockchain separately (in part or in whole, depending on the node’s computing power), and any user can view non-private information on the chain and access services.

Superstructure layer: Including all kinds of infrastructures, application platforms, etc. In our model, it mainly includes:

TA: TA (trusted authority) is the superstructure facing the reputation chain. Its main responsibilities include two parts: first, initialization of the system. TA completes the registration of RSU and vehicle nodes entering the VANET network for the first time through secure channels (such as offline), and then generates public-private key pairs and digital certificates; secondly, completion of the reputation chain management. When the reputation of a vehicle node is below a certain threshold, it will be isolated by the TA and then be tested to check its safety state.

ERU: ERUs (emergency response units) refers to all superstructures that generate countermeasures and responses according to incidents reported by vehicles, including but not limited to public security bureaus, traffic bureaus, broadcasting stations, etc. ERUs can carry out real-time emergency responses and after-action accountability based on the detailed content of events on the event chain.

3.2. Threat Model

Assuming that the adversaries work as a group, driven by interests and rational in economic interests. Its purpose is divided into two types, to obtain its own economic interests by various means or to ruin the security of the system. Means include but are not limited to internal attacks, external attacks, malicious attacks, selfish attacks, etc. Depending on the means and purpose, common attacks against VANET include: false information injection, on-off attacks, new comers, Sybil attacks, collusive attacks, inconsistency attacks, network jamming, etc. [44,45]. In our model, the following three possible attack modes against the reputation model are studied.

(i)

direct attack: Adversaries show the same behavior as other normal vehicles in the first part of the activity cycle to accumulate reputation value. Following a certain point in time, they start to perform malicious behaviors;

(ii)

on-off attack: Adversaries alternately behave normally or maliciously throughout the activity cycle to confuse other vehicles and RSUs;

(iii)

collusive attack: Different from the first two attack modes that are marked by time, adversaries against a certain event or a certain vehicle act out by communicating each other’s status. The attack content not only includes giving lower trust scores to normal nodes, but also includes high trust values given from each other.

In the DBREMM, the trust value of the malicious node will decline rapidly after the malicious node commits evil. When the trust value of the node is lower than the preset threshold, the node will be detected by the TA, and then be immediately stored in the observation area, and its subsequent network activities will be rejected. Following a second verification, the TA will give a final result concerning whether the node is malicious or misjudged. Information about this node is retained permanently on the chain. In Section 5, we will describe in detail how the DBREMM detects and defends against those types of attacks.

3.3. System Operation

System initialization: Vehicle nodes that join the system for the first time submit their identity information to the TA. Upon validation, the TA issues a pseudonym, digital certificate, and generates a private-public key pair through an elliptic curve to complete the vehicle identity registration. The vehicle’s detail information is stored in the ledger of the blockchain in the form of {public key|pseudonym|network access time|reputation value|hash value|signed (public key|pseudonym|network access time|reputation value|hash value)} as a transaction.

Activities in the Network: The activities of the vehicle nodes in the network can be divided into four parts, including:

(i)

When a vehicle node observes events, such as traffic jams, traffic accidents, bad weather, etc., it records and broadcasts the event information to the RSU. Then RSU will broadcast the event content to the vehicle nodes near the target event for observing and verifying the authenticity of the event (if it is in a remote area without RSU coverage, it will be directly broadcast to the surrounding vehicles for cooperative verification);

(ii)

When the vehicle node receives the verification request to observe the target event, it may form several different observation reports with different speeds, distance, and other factors. The multi-factor is quantified as unified through cosine similarity, and then the direct trust is calculated through Bayesian inference. The detailed algorithm for the calculation of direct trust is given in Section 4.2;

(iii)

The vehicle node communicates cooperatively with other surrounding nodes, and the direct trust generated by other nodes for the event is regarded as indirect trust, weighted to obtain the overall indirect trust for the event. The details of the indirect trust computation are given in Section 4.3;

(iv)

Following the calculation of direct and indirect trust, the overall trust of the target vehicle is obtained by fusion, and then all of the information is summarized and reported to the RSU.

The activities of the RSU in the network can be divided into two parts, including:

(i)

When the RSU receives the event observation report uploaded by the vehicle node, it queries the vehicle nodes near the target area and makes requests for verification;

(ii)

Upon receiving the node trust of each cooperative certification vehicle and the calculated overall trust for the target vehicle, the historical reputation and social trust of the target vehicle are queried in the reputation chain and the new reputation value of the vehicle is obtained by integration. The event content and the reputation update content are recorded in the event chain and reputation chain, respectively. The specific algorithm will be given in Section 4.4.

Report format: Assume that the network predefined a set of mutually exclusive basic event structures $\Omega =\{e_1,e_2,\dots ,e_n\}$, each $e_i$ represents an event that can be detected by vehicles, and the report $W_i$ broadcast by the vehicle nodes can be expressed as a set of one or more basic events, denoted as $E_i$, and contain additional information of the vehicle’s state when it observed an event, such as timestamp $t_i$ and distance $d_i$. The complete report format is denoted as $W_i=\{E_i,t_i,d_i,\dots \}$.

Termination: No matter whether the vehicle node goes off automatically or is found to be a malicious node and forced to go off by the system, the RSU uploads the information from the vehicle node to the TA, and the TA revokes the key pair and the digital certificate of the node, and the node cannot participate in network activities any more. When a node wants to re-enter the network, it needs to re-register with the TA. Vehicle information will remain permanently in the reputation chain.

4. Design of the DBREMM

4.1. Global Description and System Specific Settings

In VANET, various types of information are exchanged in V2V and V2I, including traffic jams, road construction, accidents, collisions, weather alerts, etc. Due to the wireless and heterogeneous communication mode in VANET, information transmission can never be error-free. Therefore, many malicious attacks, including forgery, tampering, discarding, replay, etc., are difficult to distinguish from interference and noise. Quantifying the trust value of vehicle nodes is a good way to solve the data security problem of VANET. When vehicle nodes provide event reports, the trust value of nodes will be generated according to their report contents, which will be permanently stored in the reputation chain after being confirmed by consensus, and gradually accumulate into the historical reputation of the nodes. In special scenarios (for example, when traffic is heavy or in remote areas that lead to few interactions of nodes), the vehicle with the highest historical reputation can be directly selected to request for certain services. As trust is generated in a single interaction, it is not universal. In addition, the vehicle node is essentially controlled by human beings, so social factors should also be taken into account. Therefore, in our reputation evaluation model, the new global reputation $R_i^t$ is defined as:

$$R_i^t={\mu }_{dec}\times R_i^{t-1}+(1-{\mu }_{dec})\times T_i+{\mu }_{adj}\times R_i^{social}$$

(1)

where $R_i^t$ is the latest updated reputation value, $R_i^{t-1}$ is the accumulated reputation value of the previous period, $T_i$ is the quantized trust value obtained through the reporting event $W_i$, $R_i^{social}$ is the measure of social factors, and ${\mu }_{dec}$ and ${\mu }_{adj}$ are the quantized weight. Specific values and calculation methods of each function will be described in the corresponding sections.

Figure 2 and Figure 3 show the overall workflow and detailed framework of the reputation evaluation scheme processes to implement the DBREMM, respectively. The specific calculation process of direct trust and indirect trust is discussed in Section 4.2 and Section 4.3. Section 4.4 introduces the calculation of overall trust and the updating scheme of the reputation value, and Section 4.5 and Section 4.6 introduce the double-layer blockchain architecture and the process of storing information in the chain. Firstly, we define some qualifications and initial assumptions of the scheme as follows.

(i)

In our proposed system, the TA and RSU are trusted and will not be attacked. All digital certificates provided by the TA and information provided by the RSU are true and accurate;

(ii)

Each vehicle node has a unique pseudonym authenticated by the TA, as well as a key pair and digital certificate. In each communication between vehicle nodes and the RSU, the pseudonym of nodes has been authenticated. That is, in this paper, the entity security of nodes is not considered, but the data security of information given by the nodes is focused upon;

(iii)

Since the scheme designed in this paper is for VANET and does not emphasize specific usage scenarios, the difference of vehicles and the different type of each event are not set. The setting of various threshold values and weight factors mentioned in the subsequent formulas in this section are preset within a reasonable range without special settings.

The key notations used in this paper are listed in Nomenclature, at the end of the article. Other notations that have only been used a few times will be explained when they appear.

4.2. Direct Trust

When a specific vehicle $v_i$ observes a set of events, it forms $W_i$ and uploads it to the RSU, the RSU then broadcasts $R_i$ and invites nodes near the event location to cooperate for authentication. Vehicle node groups $\{v_j,v_{k1},\dots ,v_{kn}\}$ make many comparisons with the m observation results $W_j^m$ formed according to the event, and conduct quantitative fusion of the m results through the Bayesian inference algorithm to form direct trust from $v_n$ to vehicle $v_i$, which is denoted as $T_{ni}^{di}$.

Bayesian inference is a kind of decision logic. It uses Bayesian rules to evaluate the probability of the authenticity of specific assumptions based on evidence and information (called priori knowledge). As vehicles have high mobility and are equipped with high precision sensing equipment, vehicles will obtain a series of observation results formed according to the target event.These results can be seen as the priori knowledge and then the correct probability of the report can be calculated and the reliability of the target vehicle can be measured through the probability.

Meanwhile, due to the dynamic complexity of VANET, there are disadvantages of using traditional BI directly. In this section, an improved Bayesian inference algorithm based on a multi-factor measurement is proposed. As for $v_j$, multidimensional state information, such as position difference, velocity difference, acceleration difference, and time difference between $v_i$ and $v_j$ itself when generating reports should be taken into account when quantifying the trust value. The closer these statuses are, the more likely $v_j$ is to obtain accurate information about the event. On the basis of traditional BI, multi-dimensional status information are added into consideration.

Firstly, the N-dimensional state information of the vehicle is normalized by the cosine similarity formula, and the value is in [0,1], that is:

$$\mu (x,y)=cos\left(\theta \right)=\frac{{\sum }_{i=1}^n(x_i\times y_i)}{\sqrt{{\sum }_{i=1}^n{x}_i^2}\times \sqrt{{\sum }_{i=1}^n{y}_i^2}}$$

(2)

its value is in [0,1].

Then, for the credibility of report $W_i$ provided by node $v_j$ through m observations, that is, the supporting evidence of event $E_i$ in $W_i$, it can be calculated as:

$$F_m\left(E_i\right)={\mu }_m(v_j,v_i)\times s_m(v_j,v_i)$$

(3)

returns the value in interval [0,1], where $s_m(v_j,v_i)$ is the result of $mth$ observation and its value is {0,1}, and ${\mu }_m(v_j,v_i)$ is the cosine similarity.

It can be seen that m observations of vehicle $v_j$ are independent of each other and fall on the continuous interval [0,1]. Assuming that m observations are subjected to the normal distribution, from the perspective of $v_j$, the direct trust for $v_i$ can be expressed as the mean ${\pi }_{ji}$ of the normal distribution, and the value of ${\pi }_{ji}$ can be inferred by Bayesian inference, the specific process is as follows.

Following m interactions, we obtain the evidence set $F=\{F_1,F_2,\dots ,F_m\}$ subjected to the normal distribution, where mean ${\pi }_{ji}$ and variance remain unknown, its likelihood function can be written as:

$$f(F\mid {\pi }_{ji})\propto e^{{-\frac{1}{2{\widehat{\sigma }}^2/m}}^{{(\overline{F}-{\pi }_{ji})}^2}}$$

(4)

where $\overline{F}$ is the mean value of evidence set F, and ${\widehat{\sigma }}^2$ is the variance. Since the normal distribution is its own prior conjugate, we can take the normal distribution $N(d,s^2)$ as the prior distribution of the direct trust ${\pi }_{ji}$, where d and $s^2$ represent the mean and variance, respectively. The prior density distribution of the direct trust is the following:

$$g({\pi }_{ji}:d\mid s^2)\propto e^{-\frac{1}{s^2}{({\pi }_{ji}-d)}^2}$$

(5)

According to Bayesian inference, after enough interactions, the posterior distribution of ${\pi }_{ji}$ is proportional to the product of the prior distribution and the likelihood function, that is:

$$g({\pi }_{ji}\mid F)\propto g({\pi }_{ji}:d\mid s^2)\times f(F\mid {\pi }_{ji})$$

(6)

According to (4)–(6), the posterior density function of ${\pi }_{ji}$ is:

$$g({\pi }_{ji}\mid F)\propto e^{\frac{1}{2{\widehat{\sigma }}^2{s}^2/({\widehat{\sigma }}^2+m{s}^2)}{[{\pi }_{ji}-\frac{{\widehat{\sigma }}^{2}d+m{s}^2\overline{F}}{{\widehat{\sigma }}^2+m{s}^2}]}^2}$$

(7)

We can see that the posterior probability function is also a normal distribution, and the posterior mean is:

$$d_{ji}=\frac{1/s^2}{m/{\widehat{\sigma }}^2+1/s^2}d+\frac{m/{\widehat{\sigma }}^2}{m/{\widehat{\sigma }}^2+1/s^2}\overline{F}$$

(8)

The derivation of Bayesian inference under normal distribution can be referred to [46]. The posterior mean $d_{ji}$ is the value of direct trust ${\pi }_{ji}$. Here, the formula derivation of Bayesian inference under normal distribution is not developed. Once $v_j$ forms m observations, $W_j^m$ according to event $E_i$, the prior distribution of direct trust can be obtained by (2) and (3). Then, direct trust $T_{ji}^{di}$ of $v_j$ to $v_i$ can be obtained by (8).

4.3. Indirect Trust

Due to the characteristics of wireless transmission in VANET, there may be unavoidable noise and the sensor or firmware may suffer from faults, so the evaluation of the reliability of the target vehicle $v_i$ based on the direct trust may be biased or untrustworthy. To obtain the trusted trust value, $v_j$ can request the opinion of other nearby vehicles that verify the target events simultaneously, obtain their direct trust as the indirect trust of $v_j$, which is recorded as $T_{ji}^{in}$, and then the node trust is obtained by the weighted fusion.

To our knowledge, none of previous work considered the effect of historical reputation when computing indirect trust. That is, for $v_j$, if the historical reputation of $\{v_{k1},v_{k2},\dots ,v_{kn}\}$ is far lower than the historical reputation value of $v_j$ itself, the reference value of their opinions should be reduced, and vice versa. Therefore, in our scheme, we propose an indirect trust function based on the adaptive difference attenuation factor to increase the influence of the historical reputation. The equation of indirect trust computation is as follows:

$$T_{ji}^{in}=\frac{{\sum }_{y=1}^n{\theta }_y{T}_{k_{y}i}^{in}}{{\sum }_{y=1}^n{\theta }_y}$$

(9)

That is, $v_j$ can indirectly assess the reliability of the the report of $v_i$ using direct trust $T_{k_{y}i}^{de}$ from the vehicle group $\{v_{k}1,\dots ,v_{k}n\}$ after the weighted fusion. Where ${\theta }_y$ is the weight factor calculated according to the historical reputation difference between $v_j$ and $v_y$ from $\{v_{k1},\dots ,v_{kn}\}$:

$${\theta }_y=\left\{\begin{array}{cc}0\hfill & \gamma <R_j-R_y\hfill \\ \frac{1}{e^{4\times \mid R_j-R_y\mid }}\hfill & 0<\gamma <R_j-R_y\hfill \\ e^{2\times \mid R_j-R_y\mid }\hfill & R_j-R_y<0\hfill \end{array}\right.$$

(10)

where, $\mid R_j-R_y\mid$ is the absolute value of the historical reputation difference between two vehicles, and $\gamma$ is the threshold factor of the difference, which is used to control the upper limit. That is, when the difference between the reputation of vehicle $v_j$ and the historical reputation of vehicle $v_y$ is greater than the predetermined threshold $\gamma$, the opinion from this node can be completely discarded. The purpose of this step is to prevent low-reputation or malicious vehicles from gaining trust quickly by “ingratiating” high-reputation vehicles to join the verification. The threshold factor can change dynamically based on the number of cooperated nodes. The significance of using a logarithmic function in (10) is that the weight does not change linearly with the reputation difference. When the historical reputation of $v_y$ is greater than that of $v_j$, its weight is slowly increased. When the historical reputation is less than that of $v_j$, it quickly reduces its weight. The calculation method is subject to the idea of a “slowly accumulating and rapidly declining” reputation. The values of 4 and 2 are obtained after several attempts. They are obtained following the ideas that: (1) the value is significant enough to distinguish the influence of different historical reputations; (2) the different influences of those nodes that have less historical reputations need to be greater than those with more historical reputations. These values may not be perfect but they are enough to complete our algorithm. Upon calculating the threshold value allocated by each node through (10), indirect trust $T_{ji}^{in}$ of node $v_j$ towards $v_i$ can be obtained through (9).

4.4. Trust Fusion and Reputation Update

Once $v_j$ obtains $T_{ji}^{di}$, the direct trust obtained through its own observation of the event $W_i$ reported by $v_i$ and $T_{ji}^{in}$, the indirect trust obtained by fusing the opinions of other nodes, the node trust $T_{j}i$ of $v_j$ to $v_i$ can be obtained by calculating (11)

$$T_{ji}={\delta }_{di}\times T_{ji}^{di}+{\delta }_{in}\times T_{ji}^{in}$$

(11)

where ${\delta }_{di}$ and ${\delta }_{in}$ are direct/indirect weight factors and add up to 1. The assignment of the two values can change freely according to the actual application scenarios. Here, we simply set them each as $0.5$.

Upon obtaining $T_{j}i$, $v_j$ uploads the collaboration certification report $O_{ji}$ as a form of $\{S\left(v_i\right),S\left(v_j\right),W_i,T_{ji},\{v_{k1},\dots ,v_{kn}\}\}$ to the RSU. The RSU stores all of the cooperative authentication reports of $W_i$ returned within the specified time into event status list $C_{e}vent$ for the subsequent record in the event chain. In addition, the overall trust $T_i$ of $v_i$ by reporting $W_i$ is calculated by:

$$T_i=\frac{{\sum }_{j=1}^n{T}_{ji}}{N}$$

(12)

where $T_{ji}$ is the node trust of $v_j$ to $v_i$ and N is the total number of nodes.

When using overall trust for reputation updating, we specify two additional prerequisites:

(i) Quantities: There must be a sufficient number of collaborative certification reports, that is,

$$N⩾N_{thre}$$

(13)

The RSU can update the reputation of the nodes only if it receives the validation reports that exceed the preset quantity threshold.

The purpose of this step is to increase the difficulty of the reputation update, so as to prevent the possibility that malicious vehicle groups can quickly accumulate a reputation value through mutual praise in remote and other areas with sparse nodes through collusion;

(ii) Trust Convergence: The fluctuation threshold is set to prove the reliability of the node trust and prevent malicious vehicles from deliberately giving low or high scores. Once condition (i) is satisfied, the node trust scores need to meet the requirement that more than $1/3$ of all values fall within the following interval:

$$E\left(T_{ji}\right)\pm {\epsilon }_{flu}$$

(14)

where $E\left(T_{ji}\right)$ represents the expectation of the node trust scores received by all cooperating nodes, $\epsilon$ is the fluctuation threshold factor, its value can be quantified according to the event type, the required response speed and other factors. This step is to resist malicious events, such as on-off attacks or collusive attacks, and the inaccurate trust evaluation on the target node. Since the malicious nodes in the network are assumed to be no more than $1/3$ (we use MPoR consensus, which is based on PBFT, that can guarantee security when malicious nodes are less than $1/3$). As long as at least more than $1/3$ of node trust values are in the acceptable fluctuation range, the trust evaluation of the target node is reliable.

When meeting the above two additional conditions, all node trust values within the fluctuation range are selected, and invalid node trust values are filtered out. Then $T_i$ is calculated according to (12), which is the trust value $v_i$ obtained by reporting $W_i$.

Once $T_i$ is obtained, the RSU queries the social metric and historical reputation of $v_i$ on the reputation chain, and then completes the update of the reputation of all nodes, as follows.

According to (1), the reputation update of target node $v_i$ is:

$$R_i^t=\left\{\begin{array}{c}{\mu }_{dec}\times R_i^{t-1}+(1-{\mu }_{dec})\times T_i+{\mu }_{adj}\times R_i^{social}\hfill \\ ----meetcondition\left(1\right),\left(2\right)\hfill \\ R_i^{t-1}+2\times {\phi }_{path}+{\mu }_{adj}\times R_i^{social}\hfill \\ ----eventprovedtobetrusted\hfill \\ R_i^{t-1}-4\times {\phi }_{path}+{\mu }_{adj}\times R_i^{social}\hfill \\ ----eventprovedtobeuntrustworthy\hfill \end{array}\right.$$

(15)

where ${\mu }_{dec}$ is the attenuation factor that controls the degree of influence of the trust value during this period of the report on the reputation value. ${\phi }_{path}$ is the minimum step size for the adjustment of the reputation value, which is selected according to the accuracy. In this paper, we take ${\phi }_{path}=0.01$ for convenience in the calculation. $R_i^{social}$ is the measure of social factors, including but not limited to any kind of reward and punishment. ${\mu }_{adj}$ is the adjustment factor to adjust the influence of social factors according to time, calculating it as:

$$R_i^{social}=\left\{\begin{array}{c}x\in [-0.05,0.05]----firstassessment\hfill \\ x\pm 0.01\mid x\in [-0.05,0.05]----reassessment\hfill \end{array}\right.$$

(16)

$${\mu }_{adj}=-\omega \times ln(t-\tau +1)$$

(17)

$R_i^{social}$ has a wide range of choices when the node first enters the network, and can only fluctuate in a small range on the basis of the former value in the later assessment. ${\mu }_{adj}$ is inversely proportional to the difference of the last $R_i^{social}$ updating time $\tau$ and current time t, to control the time decline of social factors, $\omega$ is the adjustment factor according to the average social factors’ updating frequency, mainly the control of the value of ${\mu }_{adj}$ is in [0,1].

The reputation update method of all other cooperating nodes $\{v_i,v_{k1},\dots ,v_{kn}\}$ is as follows:

$$R_n^t=\left\{\begin{array}{c}{R}_n^{t-1}+{\phi }_{path}+{\mu }_{adj}\times R_n^{social}----meetcondition\left(1\right),\left(2\right)\hfill \\ R_n^{t-1}-2\times {\phi }_{path}+{\mu }_{adj}\times R_n^{social}----excludedbycondition\left(2\right)\hfill \end{array}\right.$$

(18)

where ${\mu }_{adj}$ is the minimum step size. If the node completes the whole process of collaborative verification and gives reliable interaction trust, it will be rewarded with a reputation value. In contrast, if an unreliable verification report is given, that is, if the difference between the trust value given and the expectation is too large, the reputation value will be reduced.

In addition, the reputation value obtained through cooperative certification has a reward ceiling that aims to require nodes to actively participate in the incident report, so as to obtain more reputation.

$$Total\left({\phi }_{path}\right)⩽Total{\left({\phi }_{path}\right)}_{max}$$

(19)

By (15) and (18), we can obtain the latest reputation of all vehicle nodes participating in event $W_i$. All reputation updates are saved in list $C_{reputation}$ and wait for the consensus and up-chain.

4.5. Content of Blocks

Upon reporting and verifying set of events $E_i$, all nodes generate reputation updates. The RSU obtains event status list $C_{event}$ and reputation update list $C_{reputation}$. Then, the RSU broadcasts $C_{event}$ and $C_{reputation}$ to all vehicles within its coverage range and sends a consensus request. Vehicle nodes with spare computing power respond to the consensus request and participate in the consensus.

In the DBREMM, we use two blockchains collaboratively and they are called the event chain and the reputation chain, which are used for different purposes, respectively:

(i)

Event Chain: Event chain stores the content of the event information as the form of status list $C_{event}=\{W_i,O_{ji},\dots O_{ki}\}$, including the first report node and report content, as well as all collaborative verification nodes, verification content, and trust conditions. $W_i$ is the report information, including the status of first report node $S_{vi}$ and event content $E_i$. $O_{ji}$ is the certification report, which was introduced in Section 4.4. $C_{event}$ is recorded as a transaction in the block. The purpose of the event chain is to record all of the events that have happened and the information of all of the vehicles that have participated in the observation of those events. The superstructure of the event chain is the emergency response unit, which is responsible for the emergency response, broadcast, and post-event accountability;

(ii)

Reputation Chain: Reputation chain stores updates of the reputation value, in the form of $C_{reputation}$, including the trust value and social measures (if they occurred during the period of time when the events occurred). $C_{reputation}$ is recorded in the block as a transaction in the form of $\{W_i,R_t,R_{\tau -1},R_{social}\}$. The superstructure of the reputation chain is the TA, which is responsible for controlling the vehicle nodes according to their reputation values, for example, after a period of time, it gives realistic rewards to the nodes that maintain a high reputation value. Moreover, it discovers whether nodes are committing evil and adds them to the observation area. If the node is determined to be malicious, its key pair and digital certificate are immediately revoked to prevent it from continuing to participate in the network.

4.6. Consensus and Up-Chain

Whether it is a block of either the event chain or reputation chain, the secure consensus protocol needs to be made before the chain is up-chained to ensure the security and reliability of the block content. At each preset fixed time slot, or after enough lists are generated, The RSU broadcasts the consensus request to vehicles under its coverage. Vehicles with idle computing power that reply on time will become the candidate miners. Following a certain predetermined secure consensus, the miners are selected securely. Then those miners up-chain the event status list $C_{event}$ and the reputation update list $C_{reputation}$ to the event chain and reputation chain separately. Finally, both newest chains are broadcast to every node in the network, and the nodes then update their own ledger.

In our model, we use the MPoR algorithm designed in our previous work to complete the consensus. The time overhead and the reliability and anti-attack capability of MPoR were proved. For the specific consensus process, please refer to the author’s previous article [47], as the information will not be repeated here.

5. Experimental Analysis

5.1. Basic Settings of the Simulation

The simulation parameters are reasonably configured according to the research objectives. The feasibility, effectiveness, and anti-attack capability of the algorithm are discussed and answered by analyzing the simulation data and experiments in detail. The experimental platform is GoLand2020 3.4 and MATLAB R2020b.The main parameters used in the simulation are shown in

Table 2. Parameters of the Simulation.

Parameter	Value
Number of vehicles N	200
Number of malicious vehicles	[10%, 40%]
Initial reputation value $R_n^1$	0.6
Rounds of simulation iterations	300
Minimum step size ${\phi }_{path}$	0.01
Ceiling of cooperative certification reward $Total{\left({\phi }_{path}\right)}_{max}$	0.2
Attenuation factor ${\mu }_{dec}$	0.3
Initial $R^{social}$ value	N∼(0, 0.03)
Period of $R^{social}$ reassessment	Every 5 iterations

.

5.2. Performance Comparison of the Decision Logics

Firstly, we study the performance of the multi-factor metric based Bayesian inference decision logic proposed in Section 4.2. In order to verify the validity of our scheme, we compare four types of decision logic commonly used at present, including majority vote (MV), most trusted vote (MTV), traditional Bayesian inference (TBI), and D–S theory (DST) [14]. There are two kinds of information in the experiment, namely, the trusted report and false report. The false report includes all untrustworthy reports, no matter if they are due to malicious or communication faults. We use the attack success rate (ASR) as the performance indicator, which is defined as:

$$ASR=\frac{\#offalsereportnon-detected}{total\#offalsereport}$$

(20)

That is, the rate at which the cooperative verification node can detect whether the report content is false. We compare the changes in the ASR under different percentages of false reports to verify the feasibility of the five decision logics. The results are shown in Figure 4.

The total number of reports is set to 200, and the average reputation of malicious vehicles is less than that of normal vehicles, that is, the average trust of false reports is less than that of trusted reports. The percentages of false vehicles ranges from $0\%$ to $100\%$. The experiment compares the variation of the ASR for each decision logic. As can be seen from Figure 4, when the false ratio is small, all decision logics can effectively resist false reports except MTR. MTR relies only on the report given by the node with the highest reputation. Therefore, even if the average reputation of malicious vehicles is relatively lower, the vehicles with the highest reputation still have the possibility of being malicious. Although the resistance of MTR to attacks is higher, overall, the ability to resist attacks is poor. As the attacker ratio increases, the performance of DST and MV decrease rapidly because both logics are based on most observation results, while logics based on BI are more resilient to false results. As for the DBREMM, due to the additional reference of the multi-factor metric in the calculation, normal vehicles are more sensitive to the report given by malicious vehicles. Compared to TBI, our scheme has a better accuracy in the logic decision of trust.

5.3. Reliability, Anti-Attack Capability, and Latency

In this section, firstly we will verify the accuracy of the DBREMM. Reputation needs to accumulate steadily over time, and bad behaviors can damage it quickly, that is “slowly accumulating and rapidly declining”. The accuracy of the scheme is determined by observing the reputation updates of the normal nodes and malicious/faulty nodes, respectively. In our experiment, we simulate 100 rounds of reputation iterations for two specific nodes. One node is a normal node that continues to behave well. The other node is a direct attack node that continues to commit evil. We observe the iteration of the reputation of the two nodes in the role of event reporter and cooperative node separately. The initial reputation value is set to 0.6, and the social measure is randomly assigned with a normal distribution of $N\sim (0,0.03)$, and it is updated after every five iterations. The comparison model is BTDS in [16], which is a trust management model that uses BI as well. The result is shown in Figure 5.

As shown in Figure 5, for the event reporter, the reputation of the normal node accumulates more slowly than that of the BTDS scheme, while for the malicious node, the reputation declines more quickly when committing evil. By comparing a normal node and malicious node, it can be seen that the DBREMM scheme has a better precision of “slowly accumulating and rapidly declining”. For the collaborator, the reputation changes more slowly than for the event reporters, because our scheme rewards and punishes event reporters more severely. As the scheme sets the ceiling of the accumulated reputation of the collaborative certification, the reputation of the collaborator will not rise after reaching $0.8$, and cannot continue to accumulate reputation through collaborative certification. The decline in reputation is not affected by the upper threshold of the collaboration. Although the decline is slower than that of the event reporter, it always falls to the same level eventually. In the calculation of the reputation, the DBREMM considers the measurement of social factors, and sets the adjustment factor based on the time for social factors, so the simulation curve has jagged fluctuations.

Then, we change the direct attack node to an off-off attack node and observe its performance under the DBREMM. The result is shown in Figure 6.

Figure 6 shows the reputation change curves of the on-off node, acting as reporter and collaborator, respectively. The node alternately performs normally and maliciously in network activities. It can be seen that under the DBREMM, the reputation value can accumulate normally when it performs normally, but once it starts to perform maliciously, its reputation declines more rapidly than that of BTDS. The greater the variance of reputation, the easier it is to be recognized by the network and respond in time. Meanwhile, due to the existence of a reputation weight factor in the DBREMM scheme, it will take more time and it will cost more to raise the reputation to the original level after it declines, regardless of whether it is for the reporter or collaborator.

The above two simulations mainly study the accuracy of the algorithm. In the actual application scenarios, when reputation accumulates or decreases to a preset value, different network behaviors will be triggered, including to convert the greater reputation into circulating currency and reset, or the node will be kicked out of the network. The main objective of the above experiments is to check whether the changes in the reputation of various types of nodes in the network can well reflect the behaviors of the nodes. Therefore, it can be seen that our scheme is feasible.

Moreover, to study the overall performance of the scheme, we verify the anti-attack capability of three types of malicious attacks mentioned in Section 3.2. Referring to the method in [48], the true positive rate (TPR) and the true negative rate (TNR) are used as comparison performance indicators, respectively, and are defined as follows.

$$TPR=\frac{\#ofrealnormalnode}{total\#ofnormalnodedetected}$$

(21)

$$TNR=\frac{\#ofrealmaliciousnode}{total\#ofmaliciousnodedetected}$$

(22)

We use AATMS [15], BTDS [16], and hybrid [29] as the comparison model. Hybrid considers the interaction trust and social trust of the nodes based on the VSN, but does not consider the influence of the historical reputation. AATM does not take into account the social factors. In the simulation, we set the number of vehicle nodes to 200, the initial reputation of all vehicles is set to 0.6, and the iteration rounds to 300. In each round, 10 vehicles were randomly selected as event reporters, and we randomly assign 19 cooperative certification vehicles to each event. Figure 7, Figure 8 and Figure 9 show the performance of the schemes under direct attack, on-off attack, and collusive attack.

Figure 7 shows the TPR and TNR of four schemes with different percentages of direct attack. Compared to the other three schemes, the DBREMM performs better in the comparison of TPR and TNR, especially in the case with fewer malicious nodes. Due to the attenuation factor in indirect trust computing and the threshold control of vehicle quantity and report quality in the fusion of trust, malicious vehicles can hardly damage the network under the DBREMM.

In Figure 8, the same result is obtained for the on-off attack (hybrid does not involve the defense against on-off attacks), which further verifies the anti-attack capability of the DBREMM.

Figure 9 shows the TPR and TNR of two schemes with different percentages of collusive attack (BTDS and hybrid do not involve a defense against a collusive attack). The DBREMM considers trust convergence in trust fusion and sets the defense threshold. Therefore, it can be seen that when the percentage of collusive nodes is 10–30%, the system is basically unable to be attacked. When the collusive node proportion is $30\%$, the performance of AATMS begins to decline, while the DBREMM can still maintain a good performance. The TNR of both schemes decreases when the proportion reaches $40\%$. However, in the follow-up of the DBREMM, the MPoR consensus protocol of our previous work is adopted. Through consensus, the defense against a collusive attack can be completed, which can compensate for the shortcomings of the reputation update scheme. The performance and simulation of the MPoR consensus protocol have been discussed in [47].

Finally, the latency of the DBREMM reputation evaluation processes and consensus are given in

Table 3. Latency of the DBREMM.

Vehicles	Trust Computation and Fusion *	Reputation Update	Consensus **
50	54.67	6.03	55.70
100	102.88	7.54	104.39
150	147.10	8.12	176.35
200	237.45	8.09	245.18

[*] Results in the table are measured in ms. [**] The proportion of nodes selected to participate in the consensus is $33\%$.

. The vehicle nodes reach from 0 to 200. It can be seen that the total latency of the DBREMM is maintained at the order of $0.1s$, which can basically meet the demand for high efficiency in VANET.

6. Conclusions

Aimed at the current security challenges of secure data interaction and reputation evaluation in VANET, we propose a secure reputation evaluation and management model DBREMM, that is based on a double-layer blockchain, which can be applied to various scenarios in VANET. The DBREMM is designed to enable secure data interaction by quantifying reputation. Firstly, the blockchain is divided into two cooperative chains, namely the event chain and reputation chain. Event chain is used for safety verification, real-time emergency response, and after-action accountability of road events. Reputation chain is used for establishing a recessive vehicle reputation network to realize the sharing, storage, and query of vehicle historical reputation values and social measurement factors. Meanwhile, in order to resist malicious attacks and realize secure data interaction, a complete set of reputation update schemes is designed, including direct trust calculation based on the multi-factor metric Bayesian inference, indirect trust calculation based on historical reputation value, and secure trust fusion and reputation updates based on the number threshold and fluctuation factor. Finally, through an experimental analysis, we prove the feasibility, effectiveness, and anti-attack capability of our scheme.

Meanwhile, due to the limitations of the author’s ideas and experimental conditions, there are still many shortcomings in this paper. For example, (1) In the experiment, the sparsity of interactions of vehicles was not considered. In actual VANET scenarios, the architecture and distribution of nodes vary greatly in different geographical regions and times. Therefore, demonstration of the applicability of the DBREMM in different scenarios is needed in the future. (2) In our model, which is similar to those in most existing articles, the assumptions about RSU security have been diluted. In practical scenarios, RSUs may also be attacked. Designing a solution for RSU security and conducting experimental verification can further improve the security of VANET. (3) The research in this article mainly focuses on theoretical model design, and performance evaluation relies on simulation experiments. Therefore, the availability of the model in actual communication scenarios and the delay in transmission were not considered. The solutions of these limitations are the future research directions of the authors.