Joint timeliness and security provisioning for enhancement of dependability in Internet of Vehicle system

The Internet of Things has emerged as a wonder-solution to numerous problems in our everyday lives, such as smart homes and intelligent transportation. As an extension of the IoTs, the Internet of Vehicles (IoVs) also requires increasingly high security and timeliness. This article proposes a vehicle-assisted batch verification (VABV) system for IoV, in which some vehicles called auxiliary authentication terminal (AAT) are selected to assist the roadside unit for Basic Safety Message (BSM) verification. As a measure to enhance the timeliness performance for system dependability, comprehensive AAT selection strategies are designed. To overcome the security weaknesses of VABV system, a Sybil detection scheme based on Extreme Learning Machine is developed. For the evaluation of VABV system, the quantified Age of Information (AoI) is used as an integrated timeliness and security indicator. The proposed AoI indicator synthesizes the effects of BSM verification, re-verification for failure of some AATs, Sybil attack, and Sybil detection scheme. As illustrated by the simulation results, by employing AoI as a performance evaluation indicator, we can better and more intuitively design an AAT optimal selection strategy based on changes in AoI. Simultaneously, the performance of the proposed Sybil detection scheme can be evaluated more intuitively and effectively under different IoV scenarios based on AoI.


Introduction
The advance of IoT technology and the concept of smart cities facilitate the emergence of Internet of Vehicle (IoV). As the automobile industry and transportation network grow rapidly, vehicles provide us with increased conveniences. Nevertheless, our growing demand for a variety of vehicles leads to an increase in traffic accidents and congestion. 1 As a burgeoning paradigm, IoV is the combination of Vehicular Ad Hoc Networks (VANETs) and IoT. 2 Unlike VANETs, IoV utilizes a variety of technologies to enhance the network's properties, including machine learning, cloud computing, and behavior detection.
In order to coordinate the traffic flow effectively, the vehicles on the roads need to exchange messages with each other with on-board units (OBUs) mounted. The OBUs also enable vehicles to communicate with the roadside unit (RSU) nearby. In the IoV, messages can be approximately categorized into two types: safetyrelated messages and value-added messages with the Basic Safety Message (BSM) being the most significant one. 3 Typically known as heartbeat messages, the BSMs are proposed as the primary message set used by connected vehicle safety applications to constantly exchange data within the IoV network. Using real-time exchange of BSMs, safety applications are capable of detecting and identifying any potential hazards before they occur and can then alert drivers or begin vehicle control systems to respond to the situation. In addition, the BSM becomes obsolete as soon as it is used and is disposed of. 4 It is essential to note that BSMs contain much vital information such as the real-time velocity, location, and acceleration of the vehicle and are transmitted via the wireless channel in an open environment, therefore prone to several security threats. 5 This will jeopardize the benefits of such a message-exchange based system and may cause more chaos in traffic. Consequently, in addition to verifying the entities (i.e. vehicles or RSUs) that enter the IoV, the messages (i.e. BSM) must also be verified by the potential receivers in order to prevent attacks by impersonation, tampering, and so on. 6 In light of the above consideration, numerous researchers propose a variety of security schemes for entities and messages in IoV. The schemes for entities guarantee that entities in the IoV are legitimate, [7][8][9] while schemes for messages ensure the integrity of messages [10][11][12] with batch verification method adopted to improve the efficiency of verification. Specifically for message verification scheme, some ordinary vehicles are selected to help the RSU with message verification [13][14][15] to alleviate the computational pressure of RSUs. Throughout their previous works, they propose improved security mechanisms and either illustrate that their proposed mechanisms are low in overhead through comparison with other works or demonstrate that the security mechanisms are robust against cyber attacks through formal or informal security analysis. Nevertheless, formal and informal security analysis have the disadvantage of not being able to visualize the performance against cyber attacks of IoV. Furthermore, and most importantly, the aforementioned works all analyze IoVs in a qualitative manner instead of evaluating them in a unified manner. The ultimate goal of an IoV system deployment is to be able to provide satisfactory services to the users who are in it. In other words, vehicle users are not concerned with network latency, throughput, and packet loss of the current IoV system, which are the focus of much of current research. 14,16,17 What they care is whether the information they need to receive will arrive on time and be of high quality. In fact, in the current research on urban transportation systems, the question of whether a system can actually provide a satisfactory service to its users is increasingly being raised by researchers. Based on the concept of satisfying user needs, and in order to evaluate the performance of each subsystem of IoVs more comprehensively, various models are proposed to define ''Everything as a service (XaaS).'' Using this model, an evaluation system that evaluates many systems can bring together a comprehensive concept of the service content of each subsystem, including discussions of products, processes, data & information management, and security as a service. 18 Specifically, an IoV metric is anticipated that can be used to assess its performance in all aspects, particularly its timeliness and security to ensure that the system is able to meet the maximum possible user demand for the service.
In recent years, some works introduce the concept of dependability to IoT. The original concept of dependability can be briefly described as the capability of a system to provide users with trusted, reasonable, reliable, and correct services, or, in other words, the ability to ensure continuous and uninterrupted provision of critical services. 19 In Junior and Kamienski, 20 it is attributed by the authors that the two terms Dependability and Trustworthiness refer to the same concept that explains that the trustworthiness of IoT systems is largely determined by their ability to adapt and respond to what vulnerability flaws are present during their operational cycles. Based on a brief review of the current state of research, it can be concluded that the term Dependability is often restricted to the study of security performance in dealing with malicious network attacks under IoV scenarios. [21][22][23] It should also be noted that some studies on improving IoV trustworthiness confuse this concept with trust, by studying the trust value management of vehicles and only examining the reputation of each node in the IoV. In these works, reputation, through the acquisition, updating, and sharing of trust value, enables vehicles to evaluate each other's behavior and determine whether the other vehicle is malicious or has decreased reputation value as a result of malicious behaviors, and therefore cannot be trusted by other vehicles. [24][25][26][27] In our view, there are few description and studies of the real sense of dependability of IoV for urban transportation, and there is an absence of study of multiple quality requirements for data and information of IoV for vehicle users, not to mention the definition and quantification methods for dependability of the system as a whole. Similarly, we introduce the concept of dependability in our study of IoV networks. And in order to evaluate the IoV system from the perspective of dependability, it is therefore important for the proposed IoV system to satisfy the user's demand for quality of service, since it is an important medium for the BSM interaction between users of vehicles, when it comes to ensuring that the data quality of the BSM after transmission is up to user's expectations. From the perspective of the users, we then propose the concept of MIaaS (Message Interaction as a Service), based on the XaaS model, for evaluating dependable IoV systems, that is, evaluating whether the IoV system can provide the service to meet the users' demands in terms of BSM interaction among vehicle users. Beyond that, inspired by Wang et al., 28 using the Age of Information, the IoV system is analyzed quantitatively, allowing the system dependability to be uniformly described from the perspective of vehicle users.
The biggest difference of our work with existing related work is that we perform a true dependability analysis of IoV and analyze its properties from the perspective of vehicle users. We pay more attention to the quality of BSM that vehicle users will receive instead of merely considering the possible threats that IoV may face. The proposed IoV system is evaluated with an unified indicator named Age of Information (AoI), which identifies the freshness of BSMs clearly.

Contributions
In this article, our contributions are fourfold.
We analyze the shortcomings of the existing IoV research, and the concept of dependability is creatively introduced to unify the evaluation of IoV performance. A vehicle-assisted batch verification (VABV) system based on BSM interaction is proposed, and its dependability is discussed in terms of its system framework and the security basis for message signatures. In order to reduce the VABV system verification latency, we proposed a more comprehensive selection strategy for choosing vehicles that will serve as auxiliary authentication terminal (AAT). By taking data loss into consideration when assigning vehicles as BSM verifier, the distribution of AATs is utilized for optimal AAT selection strategy. Considering the possible security threats that may still exist in the VABV system, the Sybil detection scheme is proposed to enhance the security of the system. The machine learning method Extreme Learning Machine (ELM) is adopted to achieve fast detection. We utilize edge servers embedded in IoV to collect information from BSMs in vehicles and extract the characteristics of vehicle mobility patterns, which will then be used to detect Sybil nodes. The Sybil detection scheme includes BSM collection, BSM data preprocessing and Sybil detection.
The quantified AoI is adopted as the integrated performance indicator, which takes into account both the timeliness and security of the VABV system. Through AoI, the evaluation of the dependability of VABV system can be made more intuitive, and the coordination of VABV system can be improved through the inspection of AoI of VABV system.

Organization
The remainder of this article is structured as follows. Section ''Designed VABV system and corresponding dependability requirements'' introduces the security fundamentals and VABV system model, also the corresponding dependability requirements are described. In section ''Comprehensive AAT selection strategies for VABV system,'' the selection strategies for timeliness of BSM verification are depicted in details. The scheme against BSM generated by Sybil nodes is described in section ''Detection scheme against Sybil attacks for VABV system.'' Section ''Usage of AoI as the integrated indicator for VABV system'' describes the novel system evaluation indicator AoI and analysis of dependability for VABV system using AoI. Section ''Simulation and discussions'' showcases the simulation results and discussions, followed by the conclusion of this article in section ''Conclusion and future work.''

Designed VABV system and corresponding dependability requirements
The system structure under discussion is initially illustrated in this section. More crucially, the framework is used to explain the VABV system's dependability requirements. The examination of the security basics on which the VABV system is built follows. The latency model for BSM verification is then provided within the system model. Table 1 lists the notations that are utilized.

System model and dependability requirements
System model. The framework of VABV system is depicted in Figure 1. It can be seen that the VABV system consists of three parts: Trusted Authority (TA), Roadside Unit (RSU), and vehicles. Vehicles can be divided into auxiliary authentication terminals (AATs) and ordinary terminals (OTs).
Vehicles interact with each other in a VABV system via a BSM to implement applications such as collision avoidance and path planning. Before a vehicle sends a BSM, a cryptography-based signature of the BSM needs to be generated for ensuring the authenticity of the BSM. TA is regulated by government departments and is absolutely credible. It is responsible for the issue of system parameters in the Initialization phase before the whole system runs. At the start of the system, all vehicles in the network are ordinary terminals. After the AAT selection, some of OTs are selected as AATs and such vehicles are used to help the RSU in completing the BSM verification. RSU is established alongside the road or the intersection of roads. It is responsible for the selection of AATs, BSM verification, and validation of confirmation messages sent by the AATs. In the VABV system, the BSM of vehicles not verified by AATs will still be verified by RSU. Simultaneously, via a wired secure communication channel with the TA, the RSU receives system parameters from the TA and distributes them to all vehicles within its coverage area for generation of BSM signatures by the vehicles. The edge server connected to it is responsible for the Sybil detection. It first generates the corresponding steering state transition matrix (SSTM) of each vehicle through BSMs collected by RSU from the vehicles within the coverage of RSU. The driving characteristics of each vehicle are captured by the eigenvalues of SSTM. And based on the dissimilarity of driving features of benign vehicles and Sybil nodes, machine learning algorithms are used to identify Sybil nodes. The jth vehicle which serves as a mobile node that helps the roadside unit (RSU) for Basic Safety Message (BSM) verification p, q Two large prime numbers a, b Two parameters used in a non-singular elliptic curve E : y 2 = x 3 + ax + b mod p P Generator for q-order addition group G G All the points on curve E and infinity form an addition group RID i The real identity of ith vehicle  Dependability requirements. Based on the proposed VABV system, as the quality of BSMs has a great deal of influence on the functionality of this system, it is of critical importance to evaluate it in terms of BSM. In light of the characteristics necessary to initiate and function a VABV system smoothly and effectively, the dependability requirements for a VABV system can be summarized as follows: Timeliness: The effectiveness and reliability of the BSM exchange are of great importance; therefore, the verification of the BSMs must meet the criteria of timeliness. In short, the faster a vehicle user receives BSM, the more timely the driver can make better driving decisions based on the received, nearly real-time BSM in order to prevent traffic accidents, or for the IoV to better coordinate and manage vehicle flow. Information Security: The VABV system rests on reliable BSM exchange, which originates from the security of BSMs. Because of the open wireless environment of IoVs, they are vulnerable to cyber attacks. According to VABV system, the possible and fatal attacks can be concluded as BSM tampering and Sybil attack. Whether the vehicle is able to make the right decisions when driving is directly impacted by how accurate and reliable the information in the BSM is. This, in turn, impacts road safety. In this context, the security of information also contributes significantly to the dependability of the VABV system.

ECC-based batch verification
Based on the system's requirements for timeliness and information security, a cryptography algorithm needs to be chosen that are suitable to our system. The selection of the encryption algorithm must take into account not only the security strength of the algorithm but also the calculation time overhead which has to be minimized for message encryption and verification. Rivest-Shamir-Adleman (RSA), ECC, bilinear mapping, and so on are the most commonly used encryption algorithms on the IoVs. With respect to the RSA algorithm, 160-bit ECC and 1024-bit RSA have the same level of security; however, 160-bit ECC signatures and decryptions are considerably faster than RSA. 29 The cost of bilinear pairing operations and scalar multiplication operations is much higher than the cost of the scalar multiplicative calculations performed by ECC. 30 In addition, in some previous works, the Map to Point Hash function is used, which also evidently increases computation delay. 31 The upper part of Figure 2 illustrates how a high computational overhead encryption algorithm can result in multiple BSMs not being verified until after the expiration date has passed, resulting in their discard. Overall, the use of ECC as a secure foundation for our work can be more effective in meeting the system's needs for timeliness. All the messages must be encrypted with ECC and the RSU and AATs should verify these message signatures. In order to confirm the validity of multiple BSM signatures at the same time, we adopt the batch verification method based on ECC. The security process is briefly described as follows.
Elliptic curve cryptography. An elliptic curve E over a prime finite field F p can be defined by the cubic equation y 2 = x 3 + ax + b, where a, b 2 F p as well as the discriminant D = 4a 3 + 27b 2 6 ¼ 0. The set of all points P = (x, y) on E and an additional point at infinity O constitute an additive cyclic group G under the point addition law + explained by a tangent and chord method: Let P, Q be two random elements of the group G, l be the line that contains p, Q (tangent line to E if represents the line which connects R and parallels to the y-axis. We can define P + Q = R 0 2 E, where the line l 0 intersects with E on the point R 0 . Furthermore, the definition of a scalar multiplication is kP = P + P + P + ::: + P |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl ffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl ffl} k times . Definition 1. (ECDLP, Elliptic Curve Discrete Logarithm Problem). For a random number m 2 Z Ã q , given two elements P, Q of the group G such that Q = mP, the aim of ECDLP is to calculate out m.
Initialization. The TA sets up the system and generates the system parameters based on ECC encryption as fp, q, a, b, P, P pub , hg. Then the TA preloads these parameters into the vehicles' tamper resistant unit (TPD).
The generation of vehicles' pseudo-identity and message signature. When the vehicle constructs a message, it must sign it before sending it to ensure the authenticity. The TPD of the vehicle randomly chooses r i 2 Z Ã q and calculates the pseudo-identity . Then the TPD combines the message M i with the current timestamp T i and generates a signature. The signing result is where s is the system private key and M i is the BSM message generated by vehicle i with the concurrent timestamp T i representing the time M i is sent. Both the RSU and the vehicles acting as the verifier, that is, the AATs, receive the digital signatures s i corresponding to the different vehicles in its communication range as well as the original information M i to complete the batch verification. Finally, the TPD broadcasts fPID i , T i , M i , s i g.
The batch verification performed by RSU and AAT. After receiving fPID i , T i , M i , s i g, either RSU or the AAT needs to verify it to avoid from being misled. The batch size of AAT j is represented as N j . AAT j randomly chooses a small integer t with 10-bit-length and generates a set Then it checks whether the batch verification Eq. (1) holds. If the Eq.
(1) holds, it means that the batch verification succeed. Otherwise, there must be at least one invalid message within in the batch.
The establishment of the Eq. (1) indicates that no message is tampered with in the batch. The correctness of the above batch verification is given as follows Regarding the characteristics of batch verification as shown in the lower part of Figure 2, when there is at least one invalid signature in the batch (either tampered with or sent by a malicious vehicle itself), the verification of this batch will not pass and the invalid signature needs to be found with re-batch verification applied and then discarded. In this work, since the main type of attack we consider is the more threatening attack, in order to simplify the model, the case where the batch is re-verified because it contains invalid signatures inside is not considered for now.

Latency model
On the basis of aforementioned system model, the corresponding latency model is shown in Figure 3. According to Figure 3, the system verification latency consists of two parts: one is the latency on the verification by RSU and AAT and we record them as T j and T rsu , respectively; the other one is induced by the verification of confirmation message by RSU and we record it as T rc . Assume that the number of AAT is M. The time on the RSU is set as a standard, the system verification latency is The two parts of the latency model are described as follows: Latency from the RSU. The latency induced by the RSU consists of two parts: one latency T rsu is from the verification of BSMs came from the ordinary terminals, the other latency T rc is from the validation of verification confirmation messages came from the AATs. The verification latency T rsu is where T tran1 is the message transmission latency from ordinary terminal to the RSU and T rsu com is the calculation latency of the verification of BSMs. The terminal verified by the RSU is N r . Hence, according to Eq. (1), the computational cost of batch verification T rsu com is N r (T eccÀsm + T eccÀsmÀs + T eccÀpa + 2T h ) + 2T eccÀsm . The computational overhead of s Á P is T eccÀsm , the computational overhead of v i Á P is T eccÀsmÀs , the computational overhead of S + T , S 2 G and T 2 G is T eccÀpa , and the computational overhead of hash operation is 2T h . 10,32 In the batch verification, there also exists operation like s Á P, so it is defined as T eccÀsm . Since the operators of ECC are constants, we define T 1 = T eccÀsm + T eccÀsmÀs + T eccÀpa + 2T h and T 2 = 2T eccÀsm . Therefore, the verification latency induced by the RSU can be formulated as follows In order to validate confirmation messages from AATs, batch verification is conducted. Let the total number of AAT to be M, then T rc is calculated by Latency from the AAT. For the AAT, the latency consists of three parts. The first one is T tran1 which represents the transmission latency induced by the sending of BSMs from the original terminals to the AAT. The second one is T j com which represents the latency induced by the verification of BSMs on AAT. The last one is T j tran2 which represents the latency induced by the sending of confirmation messages from the AAT to the RSU.
For the verification latency of BSMs on AAT, the batch verification is also used. Let the batch size that the AAT j takes to be N j . Based on the computing capability of the RSU, the calculation latency that the AAT needs to spend is converted proportional to its own computing power, and is described as where f r and f j represent the computing resource allocated for the verification of BSMs of the RSU and AAT, respectively.
For the transmission latency induced by the sending of confirmation messages from the AAT to the RSU, the data transmission rate is set as R tran , the data length of the pseudo-identity is set as L PID , and the length of some extra information that is appended is set as L extra . Based on the format of batch information, we define that the length of confirmation packet is (½N j L PID + L extra )=R tran , and we use T 3 and T 4 to represent the former item and the latter one, respectively.
To sum up, the latency on the AAT is In the subsequent analysis and calculation, the transmission latency T tran1 and T tran2 are omitted since they are of a small order of magnitude compared with the calculation latency T rsu com and T j com .

Comprehensive AAT selection strategies for VABV system
In this section, the proposed AAT selection strategies are described. BSM interaction is improved by selecting a certain number of vehicles as AATs before the BSM verification process begins. The whole process of AAT selection is depicted in Figure 4.

Initial determination of the number of AATs
When the RSU needs auxiliary vehicles for message verification, the first step is to determine how many vehicles are required. To achieving this, enlightened by Wu et al., 14 where in an ideal IoV, all the ordinary vehicles have the same computing power for verification, the computing power of the ordinary nodes can be calculated by The verification of each AAT is equal and is recorded as T avg . Then the system verification latency can be simplified as T overall = maxfT avg , T rsu g + T rc . N avg is the batch size each AAT takes and is equal for each AAT. It is easy to see that only when T avg = T rsu the total latency could be minimized. In addition, all the ordinary terminals must be verified. Then this problem can be described as In an ideal IoV, the number of ordinary terminals verified by each AAT is the same. Eq. (9) indicates that the sum of the number of ordinary terminals verified by all AATs and the number of ordinary terminals verified by RSU is equal to the sum of all ordinary terminals in the system. Eq. (10) represents the condition that minimizes the total system verification latency. The goal of minimizing the total verification latency of the ideal IoV is described in Eq. (11). From the above, we can calculate out the estimated initial number of AAT The batch size of each ordinary terminal in this ideal IoV is Each AAT verifies the same number of signatures according to this value and the batch size remains unchanged once the number of ordinary vehicles is determined.

Ordinary terminal evaluation
It is expected that the verification latency of the system will be as low as possible, as well as that the communication between AATs and RSUs will become stable in order to reduce the likelihood of re-verification. 15 Therefore, distance and computing power of each vehicle should be assessed. However, these two factors may not be satisfied simultaneously. For instance, there may exist some vehicles with a short distance to RSU but has a poor computing power for verification, which may be not suitable to be AATs. Therefore, we need to evaluate all the vehicles in the IoV in an integrated way.
To evaluate each ordinary vehicles more precisely, we fuzz these two factors. The RSU can calculate the distance between itself and the vehicles with the aid of GPS. Let D(i) represent the distance between the RSU and the vehicle V i . R represents the maximum coverage of the RSU. Then we evaluate the distance of each vehicle by calculating D(i)=R which is defined as the distance evaluation indicator.
Next the computing power of each vehicle is described by calculating f (i)=f r which is defined as the computing power evaluation indicator.
By the time RSU calculates these two evaluation indicators for all vehicles in its vicinity, it will record and score them as shown in Table 2. On the basis of the vehicle's current condition, we can assign each vehicle within the system a score indicating its priority to be selected as an AAT.
We use a scoring criterion for the determination of the priority. The distance judgment (Short, Medium, Long) is scored (1,0.5,0) correspondingly, while the property judgment (Good, Moderate,Bad) is scored (1,0.5,0). Then the score for each vehicle V i can be calculated by where S d and S p represent the score earned in terms of distance and computing power, respectively, and v d and v p are the weighing factors for the two indicators satisfying w d + w p = 1. In our system, we set these two indicators based on the evaluation of computing power since we take the latency of verification as the prima issue. Concerning that when the computing power of vehicles are Good, we set w d and w p to 0.6 and 0.4, respectively, since the distance should be taken into more consideration to improve the communication quality between the vehicle and the RSU. By that analogy, w d and w p are set to both 0.5 when the computing power of vehicles are Moderate. And w d and w p are set to 0.3 and 0.7, respectively, when the computing power of vehicles is Bad. The final score for each type of vehicle is listed in the Table 2. Then the vehicles with a higher score will be chosen first. In the real IoV, if there is no vehicle with a higher score, the vehicles with lower scores will be selected as AATs. However, the lowest bound of score is set as 0.3. The ordinary vehicle scored equal to or less than 0.3 will not be selected even if there is no ordinary vehicles with score more than 0.3. If this happens in the real situation, the RSU will not initiate this AAT-aided verification system and the RSU will verify the messages by itself.

Distribution of AATs
During the verification cycle, if the communication overlap area between the assigned AATs is too large, a large number of redundant verification will be introduced (i.e. an OT verified by one AAT will also be verified by another AAT). The number of OTs verified by the RSU in this case rises, which in turn affects the total verification latency of the system. If the communication overlap area between assigned AATs is small, some assigned AATs may be located far from the RSU, resulting in poor communication quality with the RSU and introducing re-verification problems, which also introduces additional latency. Therefore, when selecting AATs, besides considering the performance of the vehicle itself, the distribution of AATs also needs to be considered.
Regarding this, we consider the model where a RSU is at the intersection and its communication range is R. The area covered by the RSU is divided into several grids. We assume that the specified area is divided into m 3 m grids, the AATs on this area are recorded in the vehicle set VS = fAAT 1 , AAT 2 , :::, AAT j g, where AAT i = fx i , y i , r i g is the coverage model of AAT i , (x i , y i ) is the coordinates of AAT i , and r i is the communication range of AAT i . In our study, we assume that the communication ranges of the vehicles are the same and the communication ranges of the vehicles are centered on the vehicle coordinates in a circular area of radius r. The grid point on the road is taken into account in this distribution model. The coverage area and overlap area of AATs are defined as follows: Network coverage indice. A probability associated with the grid point G(x, y) being covered by AAT i is as follows: P cover (x, y, AAT i ) where D(x, y, AAT i ) is the distance between the grid point G(x, y) and AAT i . If the grid point G(x, y) is within the communication range of any AAT, it could be assumed that this point is within the vehicle set. Therefore, the coverage ratio of the vehicle set can be calculated by: In this case, the network coverage index a can be calculated by where A r is the area of the intersection covered by the maximum communication range of the RSU.
Network redundant indice. We calculate the probability of a grid point G(x, y) being located in the overlap communication range where two or more AATs intersect and record this as the redundant network area.
For simplicity of calculation, we convert the highest coverage rate to the lowest uncovered rate, so that when the RSU chooses the AAT among ordinary vehicles, the following value is used which we call the distribution index j where k 1 and k 2 are the weight factor and k 1 + k 2 = 1, the value of j is between 0;1. The RSU continuously records the j to better coordinate the selection of AAT.

Detection scheme against Sybil attacks for VABV system
To enhance the security of the VABV system, in this section we analyze the security risks that may be present and propose a detection scheme that uses information contained within the BSM to detect abnormal nodes.

Vulnerability analysis
Sybil security threat in vehicular networks has attracted much attention in recent times. 33 The proposed system is equally vulnerable to such attacks. In Figure 5, the Sybil attack that may exist in VABV system is shown.
In VABV system, each vehicle is equipped with a TPD storing system parameters. Vehicles periodically broadcast signed BSMs. In order to guarantee the users' privacy, each vehicle has two pseudonyms PID 1 i and PID 2 i for BSM interaction instead of using their real identity RID i . However, using this pseudo-identity is vulnerable to Sybil attacks. There is a possibility that some original benign vehicles become malicious due to selfish personal reasons, such as trying to take priority for travel. In this situation, the security parameters stored in the TPD of malicious vehicles will be abused to launch Sybil attack. It is feasible for the malicious vehicles to launch this attack since the system private key s is stored in its TPD. Then it will choose multiple nonce to generate multiple fake pseudonyms fPID 1 fa , PID 2 fa , :::PID k fa g. These fake pseudonyms are used to act as virtual vehicular nodes. As shown in Figure 4, certain originally benign vehicles become malicious for selfish private reasons and cut off the communication between certain benign vehicles. They create virtual nodes and send false BSMs as virtual nodes, which increase the probability of traffic accident, thus achieving the purpose of launching Sybil attack.
To achieve the purpose of launching Sybil attacks successfully, malicious vehicles must calculate the ideal idle space on the road for virtual nodes generation. Due to the virtual nature of Sybil nodes, if they claim a geographic position occupied by an existing physical vehicle, they will be easily detected by other benign vehicles and the attack will not succeed. In addition, malicious vehicles must modify the BSMs that virtual nodes broadcast in order to make them more reasonable.
According to the above analysis, the attacking tricks used by malicious vehicles will be upon the BSMs from benign vehicles. Malicious vehicles will fabricate some unreal BSMs according to the BSMs from its neighbors.

Attack detection
In Gu et al., 34 a support vector machine (SVM)-based Sybil detection scheme is proposed, where the detection rate is relatively high; however, it suffers from high complexity. In addition, the accuracy of such a shallow learner is heavily dependent on feature extraction. 35 If the extracted features cannot effectively show the differences between vehicles well, the detection accuracy will likely be greatly reduced. In vehicular networks, due to the large amount of BSMs, detection scheme with relatively low complexity is needed. 36 To explore the potential of machine learning in this study and overcome the problems such as high complexity that will happen in traditional BP networks, the ELM is adopted. 37 The whole process of proposed Sybil detection scheme is shown in Figure 6. Since the purpose of virtual vehicles is to eliminate the safety of other benign vehicles, the steering states of benign and virtual vehicles should differ, which may not be judged intuitively. Hence, the detection of Sybil nodes can be equivalent to the measurement of difference of steering state.
Vehicle steering state description. In order to describe in great detail the transition of steering state of vehicles, a matrix should be used. A matrix is defined as a set of data indicative of the movement of the vehicle in a given period of time. According to the contents in BSM, the steering state transition matrix (SSTM) of vehicles from the time t 1 to t n is formulated as follows The above specific matrix H V i is constructed by time sequence. First the steering state description of V i at time t n is represented as a vector S i, t n ! = (s n, 1 , s n, 2 , s n, 3 , s n, 4 , s n, 5 , s n, 6 ), where s n, 1 is the time at t n , s n, 2 is the location of vehicle at t n , s n, 3 is the velocity of vehicle at t n , s n, 4 is the variation of velocity of vehicle between t nÀ1 and t n , s n, 5 is the acceleration of vehicle at t n , and s n, 6 is the variation of acceleration of vehicle between t nÀ1 and t n .
Vehicle steering state transition matrix preprocessing. From the formulation of SSTM, we can see that it is not suitable for direct analysis since the SSTM of each vehicle varies and the characteristic of them are not obvious at this dimension. Hence, the SSTM should be processed under dimension reduction by the calculation of each SSTM H V i . The details of SSTM preprocessing are described in Algorithm 1.
For each SSTM H V i , the transposed matrix of H V i is H T V i . Then H T V i is multiplied by H V i to generate a square matrix H O V i with the dimension of 6 3 6 since we use six attributes to describe the mobility of vehicle at a specific time. Then an eigenvalues calculation function is applied to H O V i . The direct calculation of eigenvalues may generate vectors with complex numbers, leading to inaccuracy of representation of mobility of vehicles. To solve this problem, the centering method of matrices is used, the essence of which is the translation of matrices. The mean value m j of each column j of H V i is calculated . l j (w:r:t:u j ) of matrix H O V i represents the characteristics of the original SSTM H V i . Also, it is of necessity to select out some eigenvalues that well depict the mobility characteristic of a vehicle, the suitability of which can be represented by the Energy (E) of the eigenvalues. A total Energy higher than 90% is considered suitable. 38 Hence, for each SSTM, once its eigenvalues are calculated out, Algorithm 1 traverses all its eigenvalues to fine the best eigenvalues, which are prepared for the subsequent Sybil detection.
Sybil node detection. The core of Sybil detection is ELM. An ELM network is characterized by a combination of random parameters set for hidden nodes of the Generalized Single-Hidden Layer Feedforward Networks (SLFNs). Using Moore-Penrose generalized inverse matrix, the output weights can then be determined analytically. It can be seen that the iteration is not needed in ELM, thus greatly reducing the time needed for model training.
The contents contained in the RSU from all the vehicles are collected, and the SSTM H V i is generated for each vehicle V i . Thereafter, the SSTM preprocessing algorithm is used to calculate the two high Energy Eigenvalues for each SSTM, which are regarded as appropriate for representing the mobility characteristics of each vehicle. In order to uncover the inherent relationship between vehicle mobility state and the corresponding eigenvalues, as well as distinguish mobility states that are specific to Sybil nodes, the ELM network is trained based on the eigenvalues. The outputs of SSTM preprocessing are used for the subsequent ELM network training, along with the target value.
Assuming that there are K distinct observations (x i , t i ), s.t.
x i = ½x i1 , x i2 , :::, x ik T 2 R k and t i = ½t i1 , t i2 , :::, t il T 2 R l . The superscript T represents the transpose of a matrix or vector. Once the activation function G(x) is determined, the basic SLFN with e o neurons in hidden layer can be mathematically defined as where j = 1, 2, :::, K, w i = ½w i1 , w i2 , :::, w ik T is the weight vector of i th neurons in hidden layer that is connected with input neurons. b i = ½b i1 , b i2 , :::, b il T is the weight vector of i th neurons in hidden layer that is connected with output neurons. b i is the corresponding bias vector. To achieve zero error meaning P e o j = 1 k s j À t j k = 0, that is, The vector w i and b are randomly set, then vector b can be calculated and is expressed mathematically by . . . . . .
Hence, the ELM training process is described as follows: 1. Choose activation function G(x) and number of nodes in hidden layer e o. In our network, sigmoid function is selected 2. Given training data x i and target value t i , the input weights w and the bias b are randomly set. 3. Calculate the output matrix H of hidden layer using G(x), w and b and x.

Determine the output weight vector
where H y is the Moore-Penrose generalized inverse of the matrix H.

Usage of AoI as the integrated indicator for VABV system
In VABV systems, the periodic transmissions of BSMs from vehicles are closely related to the system's dependability. The large BSM verification latency and hazardous attacks can cause havoc in the VABV system. Indicators of IoV traditionally used to evaluate IoV are not appropriate for evaluating timeliness and security performance synthetically. Therefore, the concept of the AoI is proposed to be used as a key indicator for VABV systems in order to quantify the dependability.

The analysis of AoI as indicator for evaluation of timeliness and security
According to the aforementioned analysis of dependability requirements of VABV system, the AoI is adopted to quantify the dependability of VABV system. First introduced into the area of research for vehicular networks in Kaul et al., 39 AoI is used to quantify the freshness of information at a destination node (i.e. a receiver vehicle) generated by the source node (i.e. a sender vehicle). To describe it in a more formal way, AoI in IoV networks can be defined as the time elapsed since the last successfully received BSM at the side of receiver vehicle which is generated at the sender vehicle. 40 Even if a fabricated BSM is received, the safetyrelated application cannot generate correct driving decision according to the contents in it. Hence, it cannot be considered a successfully reception of BSM. Any disturbance happens in VABV system will be reflected by the AoI. Hence, through AoI, we can better analyze the VABV system from the perspective of IoV users. For better understanding the AoI, Figure 7 illustrates a formation of AoI, denoted by AoI s, r (t), at the receiver vehicle r as a function of time when a nearby sender vehicle s sends the BSMs. Assuming that in one verification period each sender vehicle just send one BSM to the expected receiver vehicle, let t represents the generation time of BSM by the sender vehicle s, then AoI at the receiver vehicle r at the current time t 0 in the i-th verification period is calculated by As depicted in Figure 7, the curve of AoI i s, r can be described in Eq. (30), which is shown at the bottom of this page. AoI iÀ1 s, r is the final AoI of the last successfully received BSM verification cycle. Note that from the definition of AoI, the lower the value of AoI, the fresher the information. Also, the sending time of BSM makes no sense to the AoI. It is also noteworthy that AoI i s, r (t) is a zigzag-like curve with a slope of 1 during each BSM inter-reception intervals and is reset to (t 0 À t) in each time instance once the sender vehicle's BSM is successfully received by the receiver vehicle. It is evident from the Figure 7 that at t 2 (marked by the red dashed line) the sender vehicle sends a BSM; however, due to an attack or other causes, the receiver vehicle does not receive or cannot make a correct driving decision based on the received BSM. At this point, the receiver vehicle does not reset the AoI, but continues to rise it until at t 0 3 it successfully receives a BSM that can generate the correct driving decision, and then resets the value of AoI. As a result of the above rules of AoI accumulation, it can be seen that any disturbance to the system will increase the value of AoI and ultimately decrease the dependability of the system.
For the convenience of quantification, the area under the envelope of AoI is calculated. And in order to calculate in an easier way, the area of envelope curved by the AoI is divided into three parts: a polygon area S 1 , the trapezoidal area S i , i ø 2, and a triangular area S n = 1 2 A 2 n . Therefore, in a complete verification process in VABV system, the AoI calculated by the driving user can be denoted as The broadcast interval of BSM is given by Dt. t i + 1 À t i represents the inter-departure time between the adjacent successfully received BSMs and we denote it as B i . Then the calculation of S i is given by Considering that for a specific receiver vehicle r, it has < r N neighboring vehicles, that is, s 2 < r where N is the overall number of vehicles in the VABV system. Then the average AoI at a receiver vehicle r can be given by Eventually, the VABV system average AoI with N vehicles can be calculated as In VABV system, AoI s, r and AoI avg r represent the wholly and average dependability for a vehicle user in a specific time period, respectively. However, some instaneous disturbance will result in the fluctuation of AoI in some verification period. Whenever the disturbance disappears, the AoI drops down with the dependability of VABV system rehabilitating. In this situation, AoI s, r and AoI avg cannot precisely describe this phenomenon. In oder to analyze the instaneous dependability of VABV system, the peak AoI is defined as follows In a verification period, the peak AoI represents the time when the dependability of the VABV system is at its worse. The analysis of peak AoI can provide timely information about the effect some disturbances have on the VABV system.

The performance of AoI indicator on timeliness
The first issue that influences AoI is necessary BSM verification latency. In the above analysis of AoI, it is easily concluded that the value A i in AoI is equal to the VABV system verification delay, which is given by follows It is easy to find that the number and computing power of AATs influence the performance of AoI in each BSM verification cycle, which is closely related to the AAT selecting strategies.
Another issue that influence AoI is data loss. To make the verification system function better, the success of confirmation messages delivered to the RSU should be guaranteed. To achieve this, the distance of AATs to the RSU is considered, which can be reflected by the distribution of AATs. In Cui et al., 15 the authors think that the relatively short distance from the AAT to the RSU will provide a more reliable communication. Since the longer the distance between the AAT and the RSU is, the more path loss (PL) will be generated, which will affect the communication quality between them as well as the possibility of data loss. Hence, by the time some vehicles have been assigned to be AATs, the transmitting power P j of AAT j at the time of sending confirmation message should be recorded. And the estimated receiving power P r, j of AAT j at the RSU side is calculated by P r, j jdBm = P j jdBm + K j À a j where K j is related to the computing power of AAT and the interference and noise it endures. a j (d t 0 , d t ) is related to the power loss induced by the transmission distance D(i) described in the second part of section ''Comprehensive AAT selection strategies for VABV system.'' It is noteworthy that due to the mobility of IoVs, the distance to the RSU is changed during one verification cycle, d t 0 is the initial distance when verification starts, and d t represents the final distance once the same verification ends. However, with the small latency for verification, the difference between d t 0 and d t could be neglected.
The estimation value of receiving power for each AAT j is compared with the threshold value P r, th , the confirmation message sent by the AAT j with an estimation value smaller than P r, th will not be successfully received by the RSU.
If a confirmation message failure is reported on an AAT during each BSM verification cycle, the vehicles near that AAT that fails to deliver the confirmation message will be evaluated by the RSU and selected to complete the BSM verification for that BSM cycle in its place and to resend the confirmation message. Then the value A i of vehicle r within coverage of AAT fail in AoI is given by where AAT fail is original assigned AAT that failed to send the confirmation message to the RSU, T reÀas , T reÀtr , T reÀcom represent the latency induced by re-assigning another vehicle, re-sending new confirmation message and re-verifying BSMs to compensate for the failure of AAT fail , respectively. From the above analysis, we can infer that both verification for BSM and data loss ratio influence the performance of AoI by the variation of A i in each verification cycle. International Journal of Distributed Sensor Networks To sum up, the AoI performance with respect to the BSM verification in VABV system is where then token TK 1 indicates whether any sending failure of AAT fail happens in a verification cycle. TK 1 = 1 means some AATs fail to send confirmation message to the RSU and no such situation happens when TK 1 = 0.

The performance of AoI indicator on information security
In the first part of this section, we can infer that the quantitative factors that affect the VABV system AoI include A i and B i , of which A i is effected by the latency while B i is effected by whether the BSM can be successfully received and the correct driving decision can be made based on it. In order to analyze the VABV system from the perspective of BSM security, in this subsection, we first consider the calculation of the A i and B i of the VABV system under the Sybil attack. Then we consider the calculation of the A i and B i of the VABV system using ELM-based Sybil BSM detection.
AoI performance of VABV systems considering Sybil attacks. From the above analysis on Sybil attack that may happen in VABV system, we can infer that if a vehicle suffers a Sybil attack, the malicious node intercepts the BSM of the benign vehicle with which it would otherwise interact with a normal BSM, pretends to be real by forging a PID and furthermore fabricating a virtual node, and sends a fake BSM to it. Unless the attacked vehicle is able to take security detection measures in time, it may not receive the correct BSM for several consecutive BSM verification cycles, which will result in an incorrect driving decision, which will pose a significant risk to road safety. In this case, the B i will become larger due to the attack, resulting in a steep increase in the AoI curve for a certain period of time. Thus, in the case of a Sybil attack, the B i of the victim receiver vehicle r can be given by where T effect is the duration of the Sybil attack, during which the BSMs received by the vehicle are spurious. T recover is the time required for the vehicle to become aware of the Sybi attack and request to the RSU to disconnect communication with the virtual node of the Sybil identity and recover from the Sybil attack. Dt is the predefined BSM broadcast interval in IoV. d Á e is ceiling operation. Since the BSMs received when they are attacked by Sybil are spurious, it is meaningless to analyze A i at this time because it cannot be counted as a successful reception. Therefore, we only consider A i after the vehicle r has recovered from the Sybil attack, and at this time, the A i of the vehicle r will only be affected by the BSM verification latency and can be given by From the above analysis, it can be seen that if appropriate and efficient Sybil detection method is not adopted, the B i of the vehicle attacked by Sybil will be greatly affected, which in turn will affect the AoI performance of the whole VABV system, and the dependability of the VABV system will be significantly reduced. At the same time, as the vehicle under Sybil attack cannot receive the correct BSM, it cannot generate correct and reliable driving decision, which will pose a threat to road safety.
AoI performance of VABV systems considering detection scheme against Sybil attacks. By using Sybil BSM detection based on machine learning, Sybil attacks can be effectively countered and thus the dependability of the VABV system can be improved. However, there is a certain error in identifying Sybil BSM, and the unnecessary processing latency brought by it will likewise have an impact on the system AoI. Therefore, we also need to make a dependability analysis of the VABV system that utilizes Sybil detection. A Sybil detection parameter F r , D r ð Þis introduced, where F r stands for whether the vehicle r is actually attacked by Sybil launchers and D r stands for the detection results of the received BSM. F r = 1 means that the vehicle r is actually under Sybil attack and F r = 0 means the vehicle r is in normal condition. D r = 1 indicates the detection result is that some BSMs received by vehicle r are Sybil BSMs. D r = 0 indicates the detection result is that some BSMs received by vehicle r are all genuine and valid BSM. Based on Sybil detection parameter, we can summarize the B r iÀDe of vehicle r as Eq. (43) describes.
As described by the Eq. (43), based on the actual condition of the vehicle and the detection results, it can be divided into four scenarios, which correspond to the corresponding B r iÀDe . As for the first situation (0,0), the vehicle is in normal condition and the detection results are consistent with it. In this scenario, B r iÀDe is equal to the broadcast interval of the BSM because there is no Sybil attack causing the vehicle to fail to receive the BSM successfully. However, the detection latency will have an impact on A r iÀDe . In scenario (1,0), the vehicle is actually under Sybil attack and the detection result is not consistent with it, which can cause the vehicle to be affected by the Sybil attack for a longer period of time and not receive the correct BSM. At this point, the value of B r iÀDe is consistent with B r iÀSybil . In (1,1), the vehicle is actually suffering from Sybil attack and the detection result is consistent with it. Then the impact time of Sybil attack is negligible and the vehicle needs to do is to recover from the Sybil attack. At this point, the value of B r iÀDe is much smaller than B r iÀSybil . As for the last case (0,1), the vehicle is not under attack, but the wrong detection result causes that the vehicle will take unnecessary time to recover from the already nonexistent Sybil attack at this time, which increases the value of B r iÀDe needlessly. After recovering from the attacks, for a receiver vehicle r, its dependability parameters A r iÀDe can be given by where T De is the latency required for Sybil detection.
From the perspective of information security, the Sybil attack detection latency and the accuracy of detection are the two most significant factors that impact the dependability of VABV systems.

Simulation and discussions
In this part, we analyze the AoI performance with respect to Timeliness and Information Security based on simulations.

Simulation scenario and parameters setting
In order to evaluate the timeliness of the VABV system, the simulation is built on a scenario where the RSU is located at the junction. The coverage range of the RSU is set to a circular area with a radius of 1000 meters. We refer to Wu et al. 14 and get the execution time of the basic cryptographic operations shown in Table 3. As we describe in the section ''Comprehensive AAT selection strategies for VABV system,'' compared with RSUs, all ordinary vehicles will be classified into three categories with respect to their CPU frequency, that is, computing power. Assuming that the CPU frequency of RSU is 3 GHz, vehicles with CPU frequencies equal to, two-thirds of, and one-third of the computing power of RSU will be classified as Good, Moderate, and Bad, respectively. Therefore, in the simulated IoV, there are three kinds of ordinary vehicles with the computing power evaluated as Good, Moderate, Bad, and the computing power of them are set to 3 GHz, 2 GHz, and 1 GHz, respectively. In the IoV, 30% ordinary vehicles are with a computing power of 3 GHz, 40% of the ordinary vehicles are with a computing power of 2 GHz, and 30% of the ordinary vehicles are with a computing power of 1 GHz. The computing power of the RSU is set to 3 GHz and 2 GHz. Simulation of Urban MObility (SUMO) simulator is used to simulate traffic flows in an urban environment for the purpose of evaluating the information security of VABV system. In the simulation scenario, each Sybil attacker generates three Sybil nodes and sends BSMs in an attempt to launch attacks based on the traffic information it knows. The remaining simulation parameters used are listed in Table 4.

AoI performance of VABV system on timeliness
First, we analyze the relationship between the number of AATs and the system average AoI. As we analyze in  14 and take values to both sides around this number and analyze the variation of the system average AoI with the number of AATs). In Figure 8, for the different density of vehicles in simulated area, the system average AoI decreases first and then increases with the constant increase of the number of AATs. This changing trend occurs since with the assist of AATs for verification, the latency can be reduced to a certain degree as the pressure of verification is alleviated from the RSU. However, when the numbers of AATs increases continuously, the number of confirmation messages increases in each verification period, which makes the system average AoI increase accordingly. With different density of ordinary terminals simulated, we can see that the changing trends are similar. Hence, from the prospect of selection strategy on the number of AATs, we can find out the optimal number of AATs M opt that minimizes the system average AoI. Then the improvement of VABV system average AoI compared to the RSU-only BSM verification system is depicted in Figure 9. The higher the percentage improvement, the better the optimization performance of VABV system. We can see from Figure 9 that comparing to the RSU-only BSM verification system, the average AoI performance of the VABV system has been improved for a certain number of terminals. However, the improvement percentage of system average AoI varies for different number of terminals. When the number of terminals is relatively small, the RSU is capable for BSM verification, thus being not put under stress for BSM verification. Consequently, the average system AoI improvement is not apparent compared to the RSU-only verification system. However, when the number of terminals is high, the average system AoI improvement becomes increasingly evident. When the total number of vehicles is 200, the maximum system average AoI improvement percentage is 47.4 % in comparison with the RSU-only verification system, showing that the VABV system has a more significant performance improvement than the RSU-only system when the number of terminals is large. Next, the system verification latency and the data loss, both of which effect the A i , are combined to assess the benefit and loss of the selection strategy from the perspective of the distribution of AATs. Figure 10 is chosen simulation results of changes in system AoI from 0 s to 10 s under different settings of distribution index j which is described in Section ''Comprehensive AAT selection strategies for VABV system.'' We observe the variation of the system AoI with the AAT distribution index j for a fixed number of terminals N and number of AATs M. We can see from the Figure  10 the times of small-scale fluctuation in system AoI under different AAT distributions. Although a smallscale fluctuation in system AoI may not have severe consequences, a relatively small number of small-scale fluctuation can provide greater levels of BSM interaction quality for vehicle users. The times of small-scale  fluctuation decreases with the distribution index increases. The reason for this phenomena is that when j is small, which means that the vehicles selected as AAT distributes in a scattered manner and the communication overlap area between them is small. In this situation, some selected AATs are far away from the RSU. The computing resources of AATs can be fully used since there is less redundant verification. However, when transmission power of some AATs is insufficient, the RSU cannot receive the confirmation message sent by them in a verification period, resulting in a need for re-verification. On the contrary, when j is relatively high, the AATs are distributed in a concentrated manner, with the selection priority based on scoring system, it is less likely that the data loss happens since the distance from AAT to the RSU is more likely to be short, which guarantees the transmission of confirmation messages. Nevertheless, in this situation, as a large amount of computing resources of AATs are wasted, the average system AoI increases compared with the scenario with smaller j. From Figure 10, we can figure out the number of fluctuation times are 17, 16, 12, 9, and 5, respectively, while the system average AoI to be 78.9, 79.2, 79.6, 81.2, and 82.2, respectively. To find the optimal AAT distribution selection strategy, we calculate the ratio of the increase in the average AoI of the system for each distribution case to the decrease in the number of small-scale fluctuations and we mark this ratio as k. The value k for scenario j = 0:2, 0:4, 0:6, and 0:8 are 0.3, 0.1, 0.53, and 0.25 respectively, which means that when j = 0:4, minimal AoI increase in exchange for a decrease in the number of AoI fluctuations is achieved. Under this situation, the optimal AAT selection strategy from the prospect of distribution is let j to be 0.4 around.

AoI performance of VABV system on information security
In this subsection, the BSM security reflecting on AoI variation is analyzed. The attackers randomly launches a total of 100 attacks in the simulation scenario. The performance of aforementioned Sybil detection scheme is analyzed. Figure 11 is the chosen simulation results of system AoI under different Sybil percentage under the simulated scenario from 0 s to 10 s and 40 s to 50 s. In light of the analyses in section ''Usage of AoI as the integrated indicator for VABV system,'' the A i and B i of system AoI are related to Sybil attack and the performance of Sybil detection scheme, respectively. Large-scale fluctuations in the AoI can result in severe traffic accidents; hence, the VABV system is expected to have fewer instances of large-scale AoI fluctuation. From Figure 11, under the scenario where the total number of vehicles is 50 and the number of AATs is 8, we can see that with an increase in the number of Sybil nodes, the performance of the Sybil detection scheme improves since the fluctuation in the AoI is less frequent. However, the performance is relatively poor when the proportion of Sybil nodes is small in low traffic density scenario. This is consistent with the stated hypothesis in Li and Zhang. 43 Since in low traffic density scenario, the average headway distance between vehicles in not tightly restricted and the mobility patterns among them are not that similar, thus increasing the difficulty of identifying Sybil nodes. Also, the low traffic density provides malicious nodes with more options for generating virtual nodes, which reduces the accuracy for detecting Sybil BSMs. As a way to analyze the Sybil detection scheme reflected by AoI curve, the number of peak AoI violation times under different proportions of Sybil nodes are quantitatively compared. The number of peak AoI violation times is calculated without taking into account the effects of BSM verification latency or reverification by setting a peak AoI threshold of 400 and exceeding token of 1. When peak AoI in some verification cycles exceeds the preset threshold, the exceeding token will be set as 2. We can clearly figure out in Figure 12 the total number of peak AoI violation times under different proportions of Sybil nodes. During the operation time, with Sybil detection scheme, the  number of peak AoI violation times are 32, 23, and 14 when the proportion of Sybil nodes are 2%, 6%, and 10%, respectively. The times at which the peak AoI violation occurs decrease as the proportion of Sybil nodes increases. This implies that the proposed Sybil detection scheme performs better in scenarios with a high proportion of Sybil nodes, and that further optimization is needed to enhance the scheme's security performance in low-Sybil proportion scenarios.

Conclusion and future work
In this article, we proposed a novel vehicle-assisted IoV in which some vehicles are assigned for BSM verification. By more comprehensive AAT selection strategy, the efficiency and VABV system can be enhanced. By using machine learning-based Sybil detection scheme, the security performance of VABV system can be further enhanced. The AoI was proposed as an indicator to evaluate the VABV system from the prospect of timeliness and information security in a unified and intuitive way. The system average AoI and peak AoI were used to synthetically evaluate the dependability of VABV system, through which optimal AAT selection strategy can be made and performance of proposed Sybil detection scheme can be intuitively tested. For future work, we will apply the proposed dependability analysis method to more complex scenarios in IoV and make modification and optimization to the Sybil detection scheme to fit proposed VABV system better.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.