Detecting malicious activities in Vehicular Ad hoc Networks (VANETs) is an important research field as it can prevent serious damage within the network and enhance security and privacy. In this regard, a number of approaches based on machine learning (ML) algorithms have been proposed. However, they encounter several challenges due to data being constantly generated over time; this can impact the performance of models trained on fixed datasets as well as cause the need for real-time data analysis to obtain timely responses to potential threats in the network. Therefore, it is crucial for machine learning models to learn and improve their predictions or decisions in real time as new data become available. In this paper, we propose a new approach for attack detection in VANETs based on incremental online machine learning. This approach uses data collected from the monitoring of the VANET nodes’ behavior in real time and trains an online model using incremental online learning algorithms. More specifically, this research addresses the detection of black hole attacks that pose a significant threat to the Ad hoc On Demand Distance Vector (AODV) routing protocol. The data used for attack detection are gathered from simulating realistic VANET scenarios using the well-known simulators Simulation of Urban Mobility (SUMO) and Network Simulator (NS-3). Further, key features which are relevant in capturing the behavior of VANET nodes under black hole attack are monitored over time. The performance of two online incremental classifiers, Adaptive Random Forest (ARF) and K-Nearest Neighbors (KNN), are assessed in terms of Accuracy, Recall, Precision, and F1-score metrics, as well as training and testing time. The results show that ARF can be successfully applied to classify and detect black hole nodes in VANETs. ARF outperformed KNN in all performance measures but required more time to train and test compared to KNN. Our findings indicate that incremental online learning, which enables continuous and real-time learning, can be a potential method for identifying attacks in VANETs.
Read full abstract