Introduction
VANET is foundational to modern intelligent transportation systems. These networks enable vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication, aiming to enhance safety, optimize traffic management, and provide infotainment services. VANET has the potential to greatly enhance traffic flow and road safety by enabling real-time information transmission on traffic conditions, accidents, and road hazards.
However, these benefits come with substantial security challenges. The decentralized and open nature of VANET makes it vulnerable to various security threats. A major concern is the Denial of Service (DoS) attack, which can severely disrupt network functionality. One specific type of DoS attack in VANET is the black hole attack, where a malicious node absorbs all traffic directed toward it instead of forwarding it to the intended destination, causing communication breakdowns and network isolation. Such attacks can have serious consequences, including network unavailability and increased safety risks as critical information fails to reach its recipients.
Other significant threats include Sybil attacks, where a single malicious node creates multiple fake identities to manipulate network traffic, and wormhole attacks, in which adversaries create a low-latency link to disrupt routing and communication. These challenges highlight the need to secure VANET and ensure reliable real-time communication between vehicles and infrastructure, which is essential for safer and more efficient transportation.
Existing security frameworks struggle to provide effective intrusion detection while maintaining real-time performance in dynamic vehicular environments. Addressing these security challenges is crucial to maintaining the integrity, confidentiality, and availability of data within VANET, thereby ensuring the reliability and safety of the overall transportation system.
Intrusion detection systems have emerged as crucial in addressing VANET security challenges. IDS monitors network traffic, detects suspicious activities, and responds to potential threats in real time. Traditional IDS models, such as signature-based and anomaly-based systems, have been used in various network environments. However, the dynamic and distributed nature of VANET necessitates the development of specialized IDS that can effectively handle such characteristics. The limitations of traditional IDS models have driven the need for novel hybrid models that combine multiple detection techniques to provide adaptive and comprehensive security solutions for VANET.
Hybrid IDS leverages a combination of signature-based [1], anomaly-based [2], and heuristic detection methods to improve accuracy and reduce false positives. In this research, we propose a hybrid GRU-BiLSTM (GBiL) model for intrusion detection, incorporating trust assessment and optimized feature selection using particle swarm optimization (PSO). SMOTETomek data augmentation is employed to ensure balanced datasets. Simulations using NS-3, SUMO, and real-world urban network mappings from OpenStreetMap validate the model’s effectiveness. Collectively, these contributions offer a robust solution to enhance VANET security and support reliable autonomous transportation.
The key objectives of our research are as follows:
Develop a novel IDS for VANET using the GBiL model, integrating PSO for parameter optimization, advanced feature selection techniques, and SMOTETomek for data balancing, to accurately detect and mitigate attacks, enhancing network security and reliability.
Integrate the IDS with a trust detection module to dynamically assess the trustworthiness of VANET nodes based on real-time data, improving network reliability and reducing the impact of malicious nodes.
Conduct real-time simulations using NS-3 and SUMO with real-world urban network mappings from OpenStreetMap to evaluate the IDS’s effectiveness in detecting and responding to various attack scenarios, ensuring robust security in VANET environments.
Enhance the overall security framework of VANET by integrating advanced detection techniques, data augmentation strategies, and real-time trust assessment methodologies.
Set a benchmark for future research in securing autonomous transportation systems through optimized vehicular communication networks.
The remainder of this paper is structured as follows: Sect. 2 covers related works. The methodology and proposed framework are discussed in Sect. 3. Section 4 presents the experimental results. Finally, Sect. 5 concludes the paper and suggests directions for future research.
Related works
VANET faces substantial security challenges that must be addressed to ensure the safety of drivers and passengers. These challenges encompass availability, authentication, integrity, secrecy, non-repudiation, pseudonymity, privacy, mobility, data and location verification, access control, and key management. Among the most critical threats are blackhole attacks, which can lead to traffic accidents, suppression of genuine warnings, and dissemination of false alerts. These attacks compromise VANET service quality, degrading network reliability and complexity. Other significant threats include Sybil attacks, where a malicious node creates multiple fake identities to manipulate network traffic, and wormhole attacks, where adversaries establish low-latency links to disrupt routing and communication. Addressing these security concerns is vital to maintaining VANET integrity and ensuring the effective operation of Intelligent Transport Systems (ITS).
Intrusion Detection Systems employing machine learning techniques have been proposed in response to these challenges. Nagalakshmi et al. [3] developed IDS for blackhole detection in wireless ad hoc networks using six methods, including Random Forest classifiers, K-means clustering, support vector machines (SVM), and decision trees. They employed feature selection techniques like principal component analysis and random forest to improve detection rates. However, their work lacked exploration of various attack types and did not investigate the potential of deep learning models for reducing processing time.
Shafi et al. [4] introduced a Machine Learning and Trust-Based AODV Routing Protocol (ML-AODV) to tackle Flooding and Blackhole Attacks in Mobile Ad Hoc Networks (MANET). They leveraged trusted relay forwarders for path optimization, decreasing packet drop rates using Artificial Neural Networks (ANN) and SVM. However, the effectiveness of AODV-based methods in scenarios with high-speed traffic remains a limitation. Okeke et al. [5] integrated a secure AODV routing protocol with K-means clustering and particle swarm optimization (PSO) to improve VANET security against blackhole attacks. Their approach showed improved performance in simulations using the VeReMi dataset. In subsequent research, Okeke et al. [6] employed the Artificial Fish Swarm Algorithm combined with Trust-Based Reputation to pinpoint and isolate malicious nodes, efficiently mitigating blackhole attacks.
Abdulkadar et al. [7] proposed the LI-AODV routing algorithm to detect and eliminate blackhole attacks in VANET. They introduced a load-balancing technique called Hybrid Round Robin with Highest Response Ratio Next (HRRHRRN) to reduce average waiting times and increase network speed. Despite these advancements, scalability and performance in dynamic, real-time VANET environments were not fully addressed. Tobin et al. [8] developed a strategy to mitigate blackhole attacks by detecting, accusing, and blacklisting malicious nodes, assuming one malicious node and honest behavior from others. Simulations in NS-3 achieved a 100% detection rate with an average detection time of 5.84 s.
Baharlouei et al. [9] emphasized the importance of realistic simulation settings such as grid patterns, communication parameters, and mobility patterns in evaluating DDoS attack detection in VANET. Meanwhile, Masruroh et al. [10] employed the AOMDV routing protocol to analyze blackhole and rushing attacks in VANET, focusing on Quality-of-Service parameters like throughput and end-to-end delay. Sangi et al. [11] proposed a trust management and IDS approach for mitigating blackhole attacks in Vehicular Ad hoc IoT Networks (VA-IoT), assigning trust scores to vehicles and routing data through trusted nodes. Siddiqui et al. [12] examined the impact of blackhole and wormhole attacks in MANET-IoT by altering the AODV protocol within NS-3, simulating various node counts to evaluate attack effects on network performance.
Acharya et al. [13] proposed a method for detecting blackhole attacks in VANET using statistical modeling and machine learning to enhance road safety and reduce congestion. They highlighted the importance of Public Key Infrastructure (PKI) for message security and employed machine learning techniques like Naive Bayes and K-nearest neighbors to classify malicious vehicles. Dangat et al. [14] implemented a genetic algorithm-based approach to detect blackhole attacks in VANET using network metrics such as throughput and delay, achieving high accuracy and low false-positive rates. Kaur and Kumar [15] addressed DoS attacks in wireless sensor networks, proposing a methodology that balances ease of implementation with low power consumption and extended network lifespan.
Lyu et al. [16] introduced Trust-based Greedy Forwarding Routing (TGF) for secure VANET routing, integrating a trust model based on geographic location and node interactions to counteract blackhole attacks. Jan et al. [17] evaluated the impact of Sybil, wormhole, and blackhole attacks on MANET, focusing on the challenges posed by cooperative attacks in limited bandwidth and dynamic environments. Chaudhary et al. [18] analyzed the effects of blackhole attacks on AODV in MANET, highlighting performance degradation in metrics such as throughput and packet delivery.
Despite the progress made in VANET security, current frameworks often lack comprehensive mechanisms for detecting and mitigating a wide range of attacks in real time. Data imbalance is another challenge, leading to reduced detection accuracy. Additionally, most approaches do not integrate IDS with real-time trust assessment, limiting their ability to dynamically evaluate node trustworthiness. Finally, validation in real-world urban network scenarios is needed to ensure genuine scalability and effectiveness in practical applications [19].
Methods/experimental design
The system architecture diagram shown in Fig. 1 begins with the input dataset undergoing data preprocessing, followed by feature selection using Information Gain. Feature optimization is then performed with PSO, and data augmentation is achieved through SMOTETomek, culminating in the proposed GBiL Model. Concurrently, data metrics from a real-time simulation setup are fed into a trust detection module, which also receives input from the GBiL Model to accurately differentiate various types of attacks.
[See PDF for image]
Fig. 1
Architecture Diagram
The methodology used in this work to detect various attacks in VANET is based on building an intrusion detection system using a hybrid model called the GBiL model, which is made up of networks with bidirectional long short-term memory (BiLSTM) and gated recurrent units (GRU). This model is designed to capture the temporal dependencies and intricate patterns associated with these attacks. The process begins with feature extraction, where relevant features are selected to represent the network traffic data effectively. The Synthetic Minority Over-Sampling Technique (SMOTE) is used for data augmentation to make sure the dataset is balanced, correcting any imbalances in classes and improving the model's training procedure. PSO is then utilized to optimize the model parameters, refining the GBiL model for better detection performance. The IDS framework is rigorously tested through real-time simulations using NS-3 and SUMO, which incorporate real-world mapping data from OpenStreetMap to create a realistic urban network environment. This comprehensive approach allows for the validation of the IDS under various attack scenarios, demonstrating its efficacy in detecting and mitigating black hole, wormhole, and Sybil attacks, thereby enhancing the security and reliability of VANET.
Dataset
The dataset used for black hole and wormhole attacks is taken from E. A. Shams et al. [20] and mentioned as the CVI dataset. We have also generated an independent dataset—VA, from our real-time simulated environment that is given as input to our GBiL model to analyze the blackhole attack effect in the VANET. The simulation setup and dataset generation have been described in Section F.
Data preprocessing
Preprocessing has already been done on the CVI dataset. On the other hand, no processing is required for the dataset that is generated in real-time. The FlowMon file is first converted into CSV for additional analysis, and values such as Nan and missing values are then eliminated from the data.
Feature Selection Using Information Gain
Feature selection [21] is crucial for improving the model's performance by identifying a relevant subset of input features. Information Gain measures the reduction in entropy or uncertainty regarding the target variable when a feature is observed. Features with high information gain are deemed more informative and useful for the model.
Initially, we consider 27 features, including:
current_tx_packets
rx_duration
total_tx_packets
rx_pkt_interval
current_tx_bytes
rx_idle_time
total_tx_bytes
delay_sum
first_tx_packet
delay_avg
last_tx_packet
jitter_sum
tx_duration
jitter_avg
tx_pkt_interval
current_lost_packets
tx_idle_time
total_lost_packets
current_rx_packets
times_forwarded
total_rx_packets
duration
current_rx_bytes
throughput
total_rx_bytes
first_rx_packet
last_rx_packet
Through feature selection, this set is reduced to 16 features, eliminating those deemed less beneficial, such as current_tx_packets, total_tx_packets, current_tx_bytes, tx_pkt_interval, current_rx_packets, rx_packets, current_rx_bytes, rx_bytes, rx_pkt_interval, current_lost_packets and times_forwarded. We reduced complexity and overfitting by eliminating these variables, which enhanced the GBiL model's efficacy and accuracy by lowering data redundancy and noise. The model can now focus on the most pertinent information, significantly enhancing its predictive capabilities.
Feature Optimization using the Particle Swarm Optimization Technique
The optimization of features is conducted using the PSO [22] approach. PSO iteratively refines a group of particles to identify optimal solutions within the exploration domain. The primary goal of the PSO algorithm is to either maximize or minimize a fitness metric by adjusting the spatial coordinates and velocities of the particles based on their optimal positions and the best-known position of the swarm.
PSO typically converges faster than Genetic Algorithms (GA) due to its use of collective particle intelligence, making it ideal for dynamic environments like VANET, where timely decisions are critical. Furthermore, PSO involves fewer parameters (as shown in Table 1), simplifying optimization compared to GA. It also balances exploration and exploitation more effectively than simulated annealing (SA), adapting better to changes in the optimization landscape, which is crucial for real-time applications. When compared to ant colony optimization (ACO), PSO is more computationally efficient and easier to implement, avoiding the intensive pheromone-based simulations of ACO.
Table 1. PSO Parameters
Theoretical Variable | Description | Parameter value |
|---|---|---|
N | Number of particles | 20 |
T | Maximum number of iterations | 10 |
w | Inertia weight | 0.9 |
c₁ | Acceleration factor (cognitive) | 2 |
c₂ | Acceleration factor (social) | 2 |
r₁, r₂ | Random numbers | Generated using rand () function |
The optimization process in PSO can be mathematically represented using the below-given Eq. 1 and Eq. 2:
1
2
whereis the velocity of particle i in dimension d at time t + 1.
w is the inertia weight,
and are acceleration coefficients.
and are random numbers between 0 and 1,
is the best position of particle i in dimension d,
is the best position of the entire swarm,
is the current position of particle i in dimension d at time t.
In a VANET IDS, the initial feature set might include all available features before applying PSO,
for example, F= {f1, f2, f3, f4, f5, f6},
where
f1 is packet size
f2 is distance
f3 is vehicle position
f4 is timestamp
f5 is neighbor vehicle count
f6 is signal strength
Including undesirable features may lead to overfitting, redundancy, and longer computation times. After applying PSO, a fitness function is used to select only the most pertinent features, resulting in an optimal subset like X′= {f2, f3, f4, f6}. Removing unnecessary features enhances model performance while lowering dimensionality, computational cost, and noise. The key distinction is that the pre-PSO model uses all features, which may degrade accuracy, while the post-PSO model focuses only on relevant information, ensuring faster training and better generalization.
Data Augmentation
Data augmentation is essential in this research to address the imbalance between normal traffic data and underrepresented malicious attack data, which can hinder the performance of the Intrusion Detection System. To overcome this, we use SMOTETomek, a hybrid sampling technique combining the Synthetic Minority Over-sampling Technique (SMOTE) and Tomek links. SMOTE generates synthetic samples for the minority class, ensuring sufficient data for the IDS to learn from, while Tomek links clean the dataset by removing borderline instances between classes. This method balances the dataset and improves the model's ability to detect rare attack instances. In addition to the above, we have introduced adaptive data augmentation strategies by refining SMOTE through Adaptive Synthetic Sampling (ADASYN), which focuses more on difficult-to-learn minority class samples. While SMOTETomek helps by removing noisy borderline instances and balancing the dataset, ADASYN focuses on adaptively generating synthetic data for difficult minority class examples.
Hybrid Model Architecture-GBiL
This section introduces the GBiL Model (GRU – BiLSTM), a hybrid architecture to predict blackhole attacks in VANET. Our investigation identified limitations within existing fundamental deep learning models, including GRU [23], LSTM [24], and CNN [25]. Although GRU and LSTM are effective at capturing temporal dependencies in VANET data, CNN performs better with spatial data, which may not be suitable for VANET applications. This gap motivated the development of the novel GBiL Model.
The GBiL model integrates GRU and LSTM layers along with dropout and batch normalization techniques to enhance performance on sequential data, as illustrated in Fig. 2, and the hyperparameter values are shown in Table 2. The initial GRU layer efficiently captures dependencies while minimizing computational costs. Following this, dropout (0.3) and batch normalization layers prevent overfitting and stabilize training. The bidirectional LSTM layer processes data in both directions, improving context understanding. Each recurrent layer is followed by dropout and batch normalization for robustness. The model then proceeds to fully connected dense layers, comprising 128 and 64 units with ReLU activation, to capture complex representations while also integrating additional dropout and batch normalization to ensure regularization. To enhance the GBiL model’s performance, we employed a stratified k-fold cross-validation (k = 5) technique, ensuring that each fold retains a proportional number of observations for each target class [26].
Real-Time Simulation
[See PDF for image]
Fig. 2
Layers of Proposed GBiL Model
Table 2. Hyperparameters for GBiL Model (GRU – BiLSTM)
Hyperparameter | Value |
|---|---|
Number of GRU Layers | 2 |
Number of BiLSTM Layers | 2 |
Dense Layer Units | 128 (ReLU), 64 (ReLU), 2 (Sigmoid) |
Activation Function | ReLU |
Batch Size | 64 |
Learning Rate | 0.001 |
Dropout Rate | 0.3 |
Number of Epochs | 50 |
In VANET research, SUMO and NS-3 are frequently used in conjunction to simulate vehicular communication and mobility patterns. SUMO generates realistic road traffic scenarios, including vehicle movement, road networks, traffic lights, and intersections. Meanwhile, NS-3 simulates the wireless communication aspects of VANET, such as message dissemination, signal propagation, and network protocols.
OpenStreetMap
OpenStreetMap (OSM) [27] is a free, collaborative, and open-source geographic database created and maintained by volunteers across the world. It is an essential tool for getting thorough and precise map information, including minute details like traffic lights, junctions, and one-way streets. We used OpenStreetMap's capabilities to create a realistic and intricate network environment for our VANET simulations.
We specifically selected a region from downtown Orlando, Florida, for our research, as shown in Fig. 3, due to the availability of comprehensive OpenStreetMap data for this area. This strategic choice introduced complexities that closely mimic real-world scenarios, where traffic flow is not confined to simple grid structures. The detailed information provided by OpenStreetMap, such as one-way streets, enabled us to create a network environment that closely resembles the challenges faced in urban settings, facilitating a rigorous evaluation of our proposed Intrusion Detection System.
NetConvert
[See PDF for image]
Fig. 3
Part of Orlando Map in OpenStreetMap
The initial step in creating a road network compatible with SUMO from OpenStreetMap data involved utilizing the Netconvert utility [28], a powerful tool within the SUMO suite. Netconvert imports digital road networks from various sources, including OpenStreetMap, to generate road networks suitable for simulation and analysis with other SUMO tools. In this study, Netconvert processed the OpenStreetMap file to transform the map data into a SUMO-compatible network file. This conversion process includes several essential stages to ensure an accurate representation of real-world road infrastructure and traffic conditions. Initially, irrelevant elements from the OpenStreetMap data, such as objects not essential for VANET simulations, were removed using Netconvert. This action streamlined the network, enhancing computational efficiency while maintaining the quality of the simulation environment, as shown in Fig. 4. This process avoids problems from duplicated or conflicting junction information.
Simulation of Urban Mobility (SUMO)
[See PDF for image]
Fig. 4
Part of the Orlando Map after Removing the Obstacle
SUMO is a widely used traffic simulation software that models traffic scenarios in urban settings. It allows developers to create realistic traffic situations in conjunction with VANET simulation frameworks, incorporating factors, such as vehicle behavior, road infrastructure, traffic signals, and environmental variables. This integration facilitates the evaluation of VANET protocols, routing algorithms, and communication strategies under different traffic conditions and network densities. After generating a SUMO-compatible road network, we populated it with vehicular traffic patterns. To accomplish this, we utilized SUMO's randomTrips.py script, a robust tool designed for generating random trips within a specified network. This script offers a variety of options to control different aspects of the trip generation process, enabling users to customize the output to meet their specific needs. Table 3 outlines the parameters used to configure the real-time simulation environment.
Table 3. Simulation Parameters
Parameters | Values |
|---|---|
Simulation Area | Length: 2007 (meters) Breadth: 1014 (meters) |
Simulation Time | 1000 s |
Vehicle Placement/Movements | Random Starting Points on the map |
Total Nodes | 100 |
Routing Protocol | AODV |
Mac Protocol | IEEE 802.11p |
Data Rate | 250 kbps |
Network Traffic Model | CBR |
Packet size | 512(bytes) |
We began by defining the duration of the simulation, ensuring that the generated trips spanned a comprehensive time range. Next, we utilized the script's random number generator and probability distributions to create trips with varying start and end points, reflecting the diverse origins and destinations typically found in real-world urban environments.
However, the trips generated by randomTrips.py were only partially compatible with the previously created SUMO-compatible road network. To resolve this issue, we used SUMO's duarouter tool, which converts trip definitions into valid routes compatible with the specified network.
The duarouter tool played several essential roles in our workflow. It ensured that the generated trips were valid and feasible within the context of the road network, eliminating any trips that could not be routed successfully. Additionally, it addressed potential errors and inconsistencies that might have arisen during the trip generation process, further enhancing the reliability and accuracy of the resulting routes.
After executing the real-time VANET simulation in NS-3, network traffic data was logged using the FlowMonitor module, capturing critical metrics such as packet transmissions, delays, and losses. The raw FlowMonitor output, initially stored in an XML format, was parsed and converted into a structured CSV file using custom Python scripts, and the generated dataset was referred to as the VA dataset. This transformation enabled systematic feature extraction and preprocessing, facilitating the application of deep learning techniques for intrusion detection analysis.
Dataset Description
The real-time VA dataset was generated through a simulation environment using SUMO and NS-3 to replicate vehicular network conditions accurately. The network activity was recorded as a log file using FlowMonitor in NS-3. The generated log files were subsequently converted into CSV format, as mentioned in Sect. 3, enabling structured analysis.
The features from the VA dataset capture various network traffic parameters, including transmission and reception metrics like trans_pkts, recv_pkts, timing-related attributes such as first_trans_pkts, avg_delay, and performance indicators like avg_jitter, throughput. The VA dataset consists of two subsets: training (264,316 instances) and testing (163,336 instances), with each instance representing a network event characterized by 24 features. The training data consists of labeled network traffic events, where the model learns to differentiate between normal and attack patterns.
The testing data allows us to measure accuracy, precision, recall, and other performance metrics to ensure that the model can effectively detect blackhole attacks in real-time scenarios. This VA dataset is instrumental in evaluating the effectiveness of the proposed intrusion detection system in real-time VANET scenarios by reflecting both normal and blackhole attack behaviors. Through feature selection, we remove features that are considered to be less useful, including total_tx_bytes and current_rx_bytes, total_rx_bytes, current_tx_packets, current_tx_bytes, and current_tx_packets, which are common with the CVI dataset. Hence, our VA dataset has 24 features instead of 27 features, as in CVI. The features that are unique in our real-time simulation VA dataset include the following:
min_delay
max_delay
packet_loss_rate
5 Blackhole attack simulation in VANET
Given that the AODV (Ad hoc On-demand Distance Vector) routing protocol effectively discovers routes on demand and incurs less routing overhead, we chose it as the routing protocol for our research. The fundamental concept behind a blackhole attack in AODV involves a source node SSS sending out a Route Request (RREQ) packet to its neighboring nodes. Non-malicious nodes process and forward this packet to the target using the standard AODV protocol.
In contrast, malicious nodes can intercept the RREQ packet, modify the sequence number to the maximum value, and alter the hop count to 1. They then respond with a false Route Reply (RREP) packet back to the source node. Upon receiving the RREP packet, the source node mistakenly assumes that the path through the malicious node is the best route and establishes a connection accordingly. As a result, the malicious node receives the data packets sent by the source node over this channel and drops them, thereby disrupting communication.
Figure 5 depicts a Black Hole Attack in a VANET, where a malicious node (C) disrupts communication between nodes A and E. In this scenario, vehicles (nodes A, B, C, D, E, and F) communicate to share critical information. During the route discovery process, node A seeks a path to node E. Both nodes B and C respond with a Route Reply (RREP), but node C falsely claims to have the optimal path. Misled by C’s RREP, node A transmits its data through C. Instead of forwarding the data, node C drops all packets, creating a "black hole" where data disappears. This malicious behavior causes significant data loss by exploiting the trust-based nature of ad hoc routing protocols, leading node A to mistakenly trust node C as a legitimate route to E.
Trust detection module
[See PDF for image]
Fig. 5
Blackhole attack
In this module, we assess each node in the network based on its trust score. The trust score is calculated using Eq. 3, and the implementation is outlined in Algorithm 1.
3
Here, Ti(new) represents the updated trust value, while Ti(old) indicates the previously updated trust value. Initially, every node in the network is assigned a trust value of zero. The variable tg, denotes the trust gain value, which increases the node's trust value by tg when the GBiL model predicts normal behavior (where 0 indicates normal operation and 1 signifies a blackhole attack). Conversely, td, signifies the trust decay value that penalizes the node by reducing its trust value by td whenever the model predicts a blackhole attack. In our implementation, tg, is set to 1 and td is set to 3. We also define the trust value threshold range from -15 to + 15. If a node's trust value drops to -15, it will be flagged as an abnormal node.
[See PDF for image]
Algorithm 1
Trust Detection module
Results and discussion
This section provides an in-depth analysis of the performance of various deep learning architectures, including LSTM, GRU, CNN, and our proposed GBiL model, in detecting blackhole attacks within VANET. We will discuss the performance metrics, results from real-time simulations, and comparisons with existing state-of-the-art methods.
Performance Analysis
Our evaluation focused on four deep-learning architectures designed to handle sequential dependencies within the data. While LSTM and GRU are recurrent neural network (RNN) variants, CNN is a convolutional architecture traditionally used for image processing but adapted for sequential data analysis. The GBiL model combines elements of BiLSTM and GRU with semantic contextual attention mechanisms, significantly enhancing detection capabilities.
1 Confusion Matrices and Performance Metrics: Fig. 6 and Fig. 7 illustrate the confusion matrices for the proposed GBiL and CNN models, respectively. The primary performance metrics assessed were F1 score, accuracy, and precision, which provide a comprehensive understanding of each model's effectiveness in detecting blackhole attacks. The confusion matrix [29] for the proposed GBiL model indicates high accuracy, with true positive and true negative rates of 0.96 and 0.88, respectively, suggesting robust performance in classification tasks. The low false positive (0.04) and false negative (0.12) rates further emphasize the model's capability to minimize misclassifications.
[See PDF for image]
Fig. 6
Proposed GBiL Model
[See PDF for image]
Fig. 7
CNN Model
Conversely, the CNN model showed limitations in accuracy and F1 score, highlighting difficulties in capturing the sequential communication crucial for VANET data, even if it achieved acceptable precision scores. This implies that although CNNs excel in spatial relationships, they may not effectively discern the temporal patterns necessary for accurate blackhole attack detection.
Figure 8 and Fig. 9 present the confusion matrices for the GRU and LSTM models, respectively. The GRU model showed a true positive rate of 0.92 and a true negative rate of 0.86, with a false positive rate of 0.078 and a false negative rate of 0.14. Similarly, the LSTM model indicated a true positive rate of 0.93 and a true negative rate of 0.88, with a false positive rate of 0.07 and a false negative rate of 0.12. These results highlight the strong classification accuracy [30] of both models, but also reveal a notable discrepancy in generalization, particularly in LSTM, suggesting areas for further improvement.
Real-Time Simulation Analysis
[See PDF for image]
Fig. 8
GRU Model
[See PDF for image]
Fig. 9
LSTM Model
We ran four simulation scenarios in NS-3 with different numbers of malicious nodes (0, 10, 15, and 20) out of 100 total nodes to examine the effect of malicious nodes on VANET performance.
1 Accuracy and F1 Score Comparisons: The accuracy plot in Fig. 10 shows that the GBiL model with PSO optimization outperformed all other models, achieving an accuracy of 96.01%. This represents a significant improvement over the 93.42% accuracy of the GBiL model without PSO. The lower accuracies of CNN, LSTM, and GRU emphasize the superior effectiveness of the PSO-optimized GBiL model in achieving higher accuracy [31]. In Fig. 11, the F1 score comparisons reveal that the GBiL model with PSO achieved the highest F1 score of 95.75%, indicating higher reliability and accuracy compared to the GBiL model without PSO (93.49%) and the other models. This illustrates how PSO significantly enhances the F1 score of the GBiL model.
[See PDF for image]
Fig.10
Accuracy Plot with and without PSO
[See PDF for image]
Fig. 11
F1 Score Plot with and without PSO
2 Precision and False Alarm Rate: Fig. 12 presents the precision plot, highlighting the GBiL model with PSO achieving the highest precision at 96.44%, compared to 93.57% for the GBiL model without PSO. This indicates a superior ability to correctly identify positive instances. The CNN, LSTM, and GRU models exhibited lower precision scores, underscoring the enhanced precision resulting from PSO optimization in the GBiL model.
[See PDF for image]
Fig. 12
Precision Plot with and without PSO
Figure 13 illustrates the false alarm rates of all models. The LSTM model demonstrated the lowest FAR, making it the most reliable in minimizing false alarms. The proposed GBiL model also performed well, indicating strong potential for applications where reducing false positives is critical. Although GRU and CNN models were effective, further refinement is needed to achieve lower FARs [32].
[See PDF for image]
Fig. 13
False Alarm Rate of Proposed GBiL Model with Other Models
The comprehensive evaluation highlights the strengths and weaknesses of each model and underscores the importance of selecting appropriate architectures and techniques tailored to the intricacies of VANET data. The results support the use of hybrid techniques, such as the GBiL model, which combines advantageous components to enhance detection capabilities while ensuring the robustness and security of VANET communication.
Comparison of state-of-the-art methods
We compared our results with existing state-of-the-art methods, such as the Fuzzy Logic-based Intrusion Detection System with the Hidden Markov Model (HMM) [33] and the T-AODV trust-centric approach [34].
1 Fuzzy Logic-based IDS with HMM: This approach reported an average packet delivery ratio of approximately 91.4% and an average end-to-end delay of 26.6 ms, as illustrated in Fig. 14. However, the increased routing overhead from isolating malicious nodes presents limitations for real-time applications.
[See PDF for image]
Fig. 14
Comparison of state-of-the-art methods based on Packet Delivery Ratio
2 T-AODV Trust-Centric Approach: This method achieved a packet delivery ratio of 50% and an average end-to-end delay of 25 ms, as depicted in Fig. 15. Although it improves the security of the AODV routing protocol, the performance indicates significant trade-offs in efficiency.
[See PDF for image]
Fig. 15
Comparison of state-of-the-art methods based on Average End-to-End Delay
In conclusion, while existing approaches mitigate blackhole attacks in VANET effectively, they often incur higher routing overhead and performance-security trade-offs. The proposed GBiL model significantly improves packet delivery ratio [35] and end-to-end delay [36], achieving high accuracy in attack detection.
However, challenges remain regarding computational complexity due to its hybrid structure and the resource-intensive nature of PSO for feature optimization. Additionally, while the SMOTETomek method addresses imbalanced data, it also introduces risks of overfitting and increased training time. Future research should focus on enhancing scalability and integrating additional attention mechanisms to improve VANET security and reliability.
Conclusion and future work
The study introduces a novel hybrid intrusion detection system designed to combat blackhole attacks in VANET. The proposed novel GBiL model, which integrates gated recurrent units (GRU) and bidirectional long short-term memory (BiLSTM) networks, has shown significant effectiveness in detecting blackhole attacks, outperforming conventional deep learning models, such as CNN, LSTM, and GRU.
Key components of our methodology that enhance intrusion detection efficiency in VANET include feature selection and optimization, data augmentation, a trust detection module, and real-time simulations. The model's effectiveness was notably improved by leveraging PSO methods. Utilizing SMOTETomek to equalize class distributions enhanced the model's accuracy in identifying minority class instances. Evaluating the trust level of each node based on GBiL model predictions incorporated an additional layer of security. Conducting simulations with SUMO, NS-3, and OpenStreetMap data in realistic urban network environments generated a VA dataset that facilitated comprehensive evaluation. Empirical findings show that the GBiL model outperforms alternative deep learning architectures across various metrics, including accuracy, precision, recall, and F1-score. The proposed GBiL model demonstrates high performance with an accuracy of 96.01% and a false alarm rate of 0.04.
Despite the promising outcomes of our hybrid IDS model, several areas present opportunities for future research and advancement. Future work could focus on expanding attack coverage to identify and counteract other attack types in VANET, such as wormhole attacks, Sybil attacks, and DDoS attacks. Examining the scalability of the GBiL model for larger networks and increased traffic densities is crucial for practical implementation in diverse urban environments.
Integrating the IDS with edge computing might improve response times and reduce communication overhead in VANET. Designing a security framework that integrates the IDS with other security measures at various network strata would provide more comprehensive VANET safeguarding. Addressing these future research paths will refine the security, dependability, and feasibility of intrusion detection systems for VANET, ultimately contributing to safer and more effective intelligent transportation systems.
Acknowledgements
The authors thank Anna University for the utilization of GPU Systems in the Department of Computer Science and Engineering, College of Engineering, Guindy, and Loyola ICAM College of Engineering and Technology, Chennai for providing the various resources to complete this work. Also, we thank the anonymous reviewers for their valuable comments to improve this paper.
Author contributions
SG made substantial contributions to the conception and design of the work, TNA contributed to the conceptual framework and was involved in data analysis. DS supported both the design of the work and the interpretation of data. AXA was responsible for the acquisition of data, and provided critical revisions to enhance formatting. All authors have read and approved the final manuscript.
Funding
This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors.
Availability of data and material
The data set used and analyzed during the current study is available from the corresponding author upon reasonable request.
Declarations
Competing interests
The authors declare that they have no competing interests.
Abbreviations
Vehicular Ad Hoc networks
Gated recurrent units
Bidirectional long short-term memory
Gated recurrent units & bidirectional long short-term memory
Particle swarm optimization
Synthetic minority over-sampling technique
Synthetic minority over-sampling technique combined with tomek links
Network simulator 3
Simulation of urban mobility
OpenStreetMap
Intrusion detection system
Vehicle to vehicle
Vehicle to infrastructure
Denial of service
Support vector machine
Machine learning and trust-based AODV routing protocol
Artificial neural networks
Black hole attacks
Hybrid round Robin with highest response ratio next
Ad hoc on-demand multi-path distance vector routing
Vehicular Ad hoc IoT networks
Mobile Ad hoc network-based internet of things
Mobile Ad Hoc networks
Trust-based greedy forwarding routing
Greedy perimeter stateless routing
Long short-term memory
Convolutional neural network
Rectified linear unit
Route reply
Route request
Recurrent neural network
False alarm rate
adaptive synthetic sampling
VANET attacks
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
1. Farooq, M. Mubashir Hassan Khan, “Signature-Based Intrusion Detection System in Wireless 6G IoT Networks”. J. Internet Th.; 2023; 4,
2. A.T. Assy, Y. Mostafa, A. Abd El-khaleq, M. Mashaly, “Anomaly-Based Intrusion Detection System using One-Dimensional Convolutional Neural Network”, The 14th International Conference on Ambient Systems, Networks and Technologies (ANT) 15–17, Leuven, Belgium (2023)
3. Nagalakshmi, TJ; Gnanasekar, AK; Ramkumar, G; Sabarivani, A. Machine learning models to detect the blackhole attack in wireless adhoc network. Mater. Today: Proc.; 2021; 47, pp. 235-239.
4. Shafi, S; Mounika, S; Velliangiri, S. Machine learning and trust based AODV routing protocol to mitigate flooding and blackhole attacks in MANET. Proced. Comput. Sci.; 2023; 218, pp. 2309-2318.
5. U. Okeke, C. Mbarushimana, "Strengthening Vehicular Ad-Hoc Networks (VANET) against Black Hole Attacks using Artificial Fish Swarm Algorithm and Trust Based Reputation," in 2023 International Conference on Electrical, Communication and Computer Engineering (ICECCE), (2023)
6. U. Okeke, C. Mbarushimana, "Enhancing Security in VANET Against Blackhole Attacks using AODV, K-Means Clustering, and PSO," in 2023 International Conference on Electrical, Communication and Computer Engineering (ICECCE), (2023)
7. Abdulkader, Z; Abdullah, A; Abdullah, MT; Zukarnain, ZA. LI-AODV: Lifetime improving AODV routing for detecting and removing black-hole attack from VANET. J. Theor. Appl. Inf. Technol.; 2017; 95, pp. 196-209.
8. J. Tobin, C. Thorpe, L. Murphy, "An Approach to Mitigate Black Hole Attacks on Vehicular Wireless Networks," in 2017 IEEE 85th Vehicular Technology Conference (VTC Spring), (2017)
9. H. Baharlouei, A. Makanju, N. Zincir-Heywood, "Exploring Realistic VANET Simulations for Anomaly Detection of DDoS Attacks," in 2022 IEEE 95th Vehicular Technology Conference: (VTC2022-Spring), (2022)
10. S. U. Masruroh, Y. S. Farghani, A. Kusdaryono, A. Fiade, R. A. Putri, L. A. Pratiwi, "Comparative Analysis of Testing Black Hole Attack and Rushing Attack on VANET (Vehicular Ad-Hoc Network) with AOMDV Routing Protocol," in 2022 International Conference on Engineering and Emerging Technologies (ICEET), (2022)
11. A.R. Sangi, L. Anamalamudi, S. Anamalamudi, A. Carie, M. Enduri, "A novel approach to minimize the Black Hole attacks in Vehicular IoT Networks," in Proceedings of the 2023 4th International Conference on Computing, Networks and Internet of Things, (2023)
12. M.N. Siddiqui, K.R. Malik, T.S. Malik, "Performance Analysis of Blackhole and Wormhole Attack in MANET Based IoT," in 2021 International Conference on Digital Futures and Transformative Technologies (ICoDT2), (2021)
13. A. Acharya, J. Oluoch, "A Dual Approach for Preventing Blackhole Attacks in Vehicular Ad Hoc Networks Using Statistical Techniques and Supervised Machine Learning," in 2021 IEEE International Conference on Electro Information Technology (EIT), (2021)
14. G. Dangat, S. Murugan, "Implementation of Genetic Algorithm for Detecting and Eliminating Blackhole Attack in Vehicular Ad-Hoc Network," in 2023 International Conference on Computational Intelligence and Sustainable Engineering Solutions (CISES), (2023)
15. T. Kaur, R. Kumar, "Mitigation of Blackhole Attacks and Wormhole Attacks in Wireless Sensor Networks Using AODV Protocol," in 2018 IEEE International Conference on Smart Energy Grid Engineering (SEGE), (2018)
16. J. Lyu, C. Chen, H. Tian, "Secure Routing Based on Geographic Location for Resisting Blackhole Attack In Three-dimensional VANET," in 2020 IEEE/CIC International Conference on Communications in China (ICCC), (2020)
17. Jan, M; Afsar, S; Mateen, A; Yasin, MQ; Safdar, B; Rehman, A. VANET routing Protocols: Implementation and Analysis Using NS3 and SUMO. Int. J. Adv. Trends Comput. Sci. Eng.; 2022; 10,
18. R. Chaudhary, P.R. Ragiri, "Implementation and analysis of blackhole attack in AODV routing protocol." Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies. 0975, 1–5 (2016)
19. Shobana, G; Arockia, XAR. Detection mechanism on vehicular adhoc networks (VANETs) a comprehensive survey. Int. J. Comput. Sci. Netw. Secur.; 2021; 21,
20. Shams, EA; Rizaner, A; Ulusoy, AH. Flow-based intrusion detection system in Vehicular Ad hoc Network using context-aware feature extraction. Veh. Commun.; 2023; 41, 100585.
21. Manderna, A et al. Vehicular network intrusion detection using a cascaded deep learning approach with multi-variant metaheuristic. Sensors; 2023; 23,
22. Desai, D; El-Ocla, H; Purohit, S. Data dissemination in VANET using particle swarm optimization. Sensors; 2023; 23,
23. ALMahadin, G et al. VANET network traffic anomaly detection using GRU-based deep learning model.". IEEE Trans. Consum. Electron.; 2023; 70, pp. 4548-4555.
24. Khan, A et al. Short-term traffic prediction using deep learning long short-term memory: Taxonomy applications, challenges, and future trends. IEEE Access; 2023; 11, pp. 94371-94391.
25. Arya, M et al. Intruder detection in VANET data streams using federated learning for smart city environments. Electronics; 2023; 12,
26. Shobana, G; Rayan, AXA. Evaluating multidimensional RSSI-based approaches for identifying Sybil nodes in VANETs to improve vehicle network security. Int. J. Ad Hoc Ubiquitous Comput.; 2024; 47,
27. R. Monga, D. Mehta, "Sumo (simulation of urban mobility) and osm (open street map) implementation." 2022 11th international conference on system modeling & advancement in research trends (SMART). IEEE, (2022)
28. Panigrahy, SK; Emany, H. A survey and tutorial on network optimization for intelligent transport system using the internet of vehicles. Sensors; 2023; 23,
29. Sehrawat, P; Chawla, M. Prediction and Analysis of Machine Learning Models for Efficient Routing Protocol in VANET Using Feature Information. Wirel. Pers. Commun.; 2024; 136,
30. Zabeeulla, M; Sharma, SK; Chauhan, SPS. Design and Modelling of hybrid network security method for increasing security in vehicular ad-hoc network. Meas.: Sens.; 2023; 29, 100878.
31. O.A. Qasim, et al. "The Effect of Vehicles Speed on the Performance of VANET Protocol." 2023 1st International Conference on Advanced Engineering and Technologies (ICONNIC). IEEE, (2023)
32. Upadhyay, P et al. An improved deep reinforcement learning routing technique for collision-free VANET. Sci. Rep.; 2023; 13,
33. Ravindran, S. Intelligent fuzzy logic based intrusion detection system for effective detection of black hole attack in wsn. Peer-to-Peer Netw. Appl.; 2024; 17, pp. 813-1829.
34. Honarmand, F; Keshavarz-Haddad, A. T-AODV: A trust-based routing against black-hole attacks in VANETs. Peer-to-Peer Netw. Appl.; 2024; 17,
35. Malik, A et al. Comprehensive taxonomy and critical analysis of mitigation approaches for black-hole and gray-hole security attacks in AODV-based VANETs. Comput. Electr. Eng.; 2025; 122, 109950.
36. Sunitha, D; Latha, PH. A secure routing and black hole attack detection system using Coot Chimp Optimization Algorithm-based Deep Q Network in MANET. Comput. Secur.; 2025; 148, 104166.
You have requested "on-the-fly" machine translation of selected content from our databases. This functionality is provided solely for your convenience and is in no way intended to replace human translation. Show full disclaimer
Neither ProQuest nor its licensors make any representations or warranties with respect to the translations. The translations are automatically generated "AS IS" and "AS AVAILABLE" and are not retained in our systems. PROQUEST AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES FOR AVAILABILITY, ACCURACY, TIMELINESS, COMPLETENESS, NON-INFRINGMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Your use of the translations is subject to all use restrictions contained in your Electronic Products License Agreement and by using the translation functionality you agree to forgo any and all claims against ProQuest or its licensors for your use of the translation functionality and any output derived there from. Hide full disclaimer
© The Author(s) 2025. This work is published under http://creativecommons.org/licenses/by-nc-nd/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
Abstract
Vehicular ad hoc networks (VANET) are revolutionizing transportation by enabling real-time communication between vehicles and roadside infrastructure, enhancing safety and efficiency through the exchange of traffic updates, road conditions, and critical data. However, VANET faces significant security threats, including Sybil, black hole, and wormhole attacks, where malicious nodes manipulate network communication, leading to misinformation and disruptions. This research proposes a novel hybrid model, GBiL, integrating gated recurrent unit (GRU) and bidirectional long short-term memory (BiLSTM) to detect and mitigate such attacks. At the core of this architecture, an intrusion detection system (IDS) is combined with a trust detection module to assess the trustworthiness of network nodes using real-time data. The IDS employs a hybrid approach for efficient intrusion detection, leveraging particle swarm optimization (PSO) after feature selection. To ensure a balanced dataset, data augmentation is applied using SMOTETomek, a combination of Synthetic Minority Over-sampling Technique (SMOTE) and Tomek Links. Real-time simulations using NS-3 and SUMO with real-world mapping from OpenStreetMap validate the system’s effectiveness in a realistic urban network environment by generating a dataset called VANET Attacks (VA) dataset. This comprehensive approach strengthens VANET security against multiple attack vectors. The proposed GBiL model achieves high performance, with an accuracy of 96.01% and a false alarm rate of just 0.04%. This research significantly enhances VANET security by integrating sophisticated detection techniques, data augmentation, and real-time trust evaluations, establishing a robust foundation for more secure and reliable autonomous transportation through improved vehicular communication networks.
You have requested "on-the-fly" machine translation of selected content from our databases. This functionality is provided solely for your convenience and is in no way intended to replace human translation. Show full disclaimer
Neither ProQuest nor its licensors make any representations or warranties with respect to the translations. The translations are automatically generated "AS IS" and "AS AVAILABLE" and are not retained in our systems. PROQUEST AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES FOR AVAILABILITY, ACCURACY, TIMELINESS, COMPLETENESS, NON-INFRINGMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Your use of the translations is subject to all use restrictions contained in your Electronic Products License Agreement and by using the translation functionality you agree to forgo any and all claims against ProQuest or its licensors for your use of the translation functionality and any output derived there from. Hide full disclaimer
Details
; Nathan, A. Thillai 2 ; Sivakumar, Dhev Sabharish 2 ; Annie, R. Arockia Xavier 2 1 Loyola-ICAM College of Engineering and Technology, Department of Information Technology, Chennai, India
2 CEG Campus, Anna University, Department of Computer Science and Engineering, Chennai, India (GRID:grid.252262.3) (ISNI:0000 0001 0613 6919)