A Classification of Misbehavior Detection Schemes for VANETs: A Survey

In today's era, thinking of the Vehicular Ad-hoc Network (VANET) as a midrib for the leaf of academic, social, corporate, and economic activities would not be erroneous. To avoid panic situations such as road accidents and heavy traffic jams, the timely availability of correct information is obligatory. The presence of malicious nodes within the network will ruin the dream of establishing a safe, secure, and accident-free vehicular network. This objective can be fulfilled only when malicious nodes within the network are identified correctly and respective actions are taken at the right time. Therefore, there is a great requirement for efficient and intelligent misbehavior detection techniques to deal with such situations. Because of their dynamic nature, vehicular networks are prone to numerous attacks, such as Sybil attacks and unauthorized access. The main goal of this study is to discuss and group the available misbehavior detection schemes and the respective solutions for coping with harmful attackers in the network. We have categorized misbehavior detection schemes by the criteria of architecture, approach, node-centric, and data-centric. The subcategorization is also given within the paper. One section of this paper focuses on the role of machine learning techniques in misbehavior detection as an emerging basis for further enhancement. A comparative analysis of various misbehavior detection schemes is also conducted based on performance measures like accuracy, False Positive Rate, Recall, Precision and F-measurement. Finally, the paper concludes by discussing open issues and various research challenges associated with misbehavior detection in the Vehicular Ad-hoc Network.

Figure: Representation of vehicular Ad-hoc network [3]

With the rise of wireless technologies, traditional VANETs are transitioning to the IoV (Internet of Vehicles). The Internet of Vehicles is a network of vehicles in which each vehicle is embedded with sensors and technologies responsible for establishing connections and exchanging information between these devices. Due to this transformation, there is a boom of connected devices, and the network is always at risk of attack. Moreover, automation is another prominent factor that makes the network unsafe and vulnerable to countless security threats. Such issues motivate authors to provide groundwork for researchers on VANETs, their security and privacy issues, and the corresponding solutions for further breakthroughs [48]. In most cases, the technologies considered for communication are wireless. Therefore, energy management combined with security solutions is also a big challenge for researchers working on IoV. The Secure Anti-Void Energy-Efficient Routing (SAVEER) protocol is one example that establishes secure communication between sensor nodes while using energy efficiently. To protect the network from internal and external attacks, this protocol uses cheap chain-based authentication and encryption methods [49]. The novel contribution of the present work is that it provides research support and a foundation for upcoming researchers to select and identify the appropriate procedure to detect malicious nodes and their extraction methods from the network. Also, this study introduces how machine learning approaches have entered the field of vehicular networks and help to classify a node as malicious or not. The security and privacy goals of VANETs work for reliability, location privacy, and non-repudiation. These goals can be achieved through authentication, unlinkability, and traceability. With the achievement of these goals, VANETs ensure features of integrity, anonymity, and revocation [1][2][3].
Also, this paper contributes in the following ways:
1. This paper presents numerous misbehavior detection schemes in detail and categorizes them into various domains based on architecture, approach, node-centric and data-centric schemes. It provides a platform with better understandability for researchers for further growth in the area of misbehavior detection for VANETs.
2. Recently, machine learning techniques have been seeking attention in every field of research. The paper gives a brief description of how potential features of machine learning are helpful for dealing with the issues of misbehavior detection and mitigation in VANETs.
3. The discussion of open issues and research challenges provides new perspectives on how to address issues concerning misbehavior detection in VANETs.
The remainder of the paper is structured as follows: Section 2 discusses a general approach to misbehavior detection and mitigation. Section 3 classifies various misbehavior detection schemes. Section 4 presents a survey of misbehavior detection schemes in VANETs. Section 5 describes the role of machine learning techniques for misbehavior detection in VANETs. Section 6 shows a performance analysis of various misbehavior detection schemes. Section 7 discusses open issues and research challenges. Section 8 draws out the conclusion of this study.

A General Approach to Misbehavior Detection
The term "Misbehavior Detection" has significant value in the area of vehicular networks. Whenever any abnormality or suspicious activity is seen in the nature of any vehicular node, it is termed as Misbehavior Detection. In vehicular networks, the objective of the Misbehavior Detection System is to monitor traffic flow and any abnormalities within vehicle patterns, and to notify suspicious or abnormal events to network administration as soon as possible. One of the core tasks of the misbehavior detection system is the analysis of system configuration and vulnerabilities. A misbehavior detection system works intending to find out faulty nodes within the network [4]. The reason behind any kind of misconduct can be classified as intentional conduct and unintentional conduct. Intentional misconduct is responsible for creating confusion within the network, disturbing the regular network flow, and, secondly, disagreements about the utilization of resources for other network participants. The main reason behind unintentional misconduct is the presence of faults within sensor nodes of the network [5]. A general 4-step process of misbehavior detection at local and global level is discussed. These process steps are as follows [6] (Fig. 2).
(i) Misbehavior detection at local level: with the help of a cooperative intelligent system, copes with misbehavior detection due to attackers present within the network.
(ii) Reporting of misbehavior detection: a report is forwarded to the Misbehavior Authority.
(iii) Misbehavior detection at global level: an inspection is done by the Misbehavior Authority and it invokes the cancellation of a misbehaving entity.
(iv) Misbehavior reaction: an appropriate measure is chosen to protect the system from misbehavior.

Different types of VANET Misbehavior
How to deal with malicious conduct mainly depends on the type or nature of the attack. Identifying the misconduct is the only possible way to run the appropriate security measures. The attackers of VANET are grouped as insiders, outsiders, active, passive, malicious, and rational. This classification of attackers is according to the nature or type of misconduct. It is very necessary to handle any act of misbehavior as well as the responsible node to route a network successfully. Insider attackers are selfish nodes within the existing network, whereas outsider attackers are intruders who are responsible for disruption of the overall functioning of the network. Passive attackers are attackers who attack the confidentiality aspect of security, whereas active attackers can broadcast and access signals or packets within the network for fake data generation. Rational attackers are predictable attackers who are used to destroy network entities or assets. Malicious attackers are responsible for potential losses in the network in terms of cost and services [8][9][10][11]. These attackers breach various security aspects like confidentiality, integrity, authenticity, availability, etc., by attacking VANETs. Table 1, given below, summarizes some dangerous attacks on the security aspects of VANETs.

Fig. 2 General approach for misbehavior detection [7]

Classification of Misbehavior Detection for VANETs
The schemes of misbehavior detection are broadly classified as Architecture-based, Approach-based, Node-centric, and Data-centric misbehavior detection mechanisms for VANETs. The architectural based misbehavior detection techniques utilize individual nodes as a misbehavior detection system, exchanging of alert messages, division of the network into subgroups, and a head is assigned to each subgroup, etc. The Approach based misbehavior detection techniques mainly inspect the working nature of the network as well as its variation with time [4]. The Node-Centric misbehavior detection techniques deal with specific nodes with the help of digital signatures to differentiate the network nodes reliably [35]. An improvement can be made to node-centric techniques by selecting some nodes as observer nodes. These schemes require hardware with high-speed processing power to make fast and accurate decisions. The main concern of Data-Centric approaches is the connection between messages to examine the data transmission among network nodes to detect any kind of misbehavior [37]. To achieve this purpose, these schemes use safety beacons and alert messages. In doing so, these schemes mitigate the extra overhead of additional messages. The Classification of various Misbehavior Detection Schemes in different domains is shown with the help of Fig. 3.

• Architecture-based Misbehavior Detection: Architecture-based misbehavior detection mechanisms can be sub-categorized as Centralized, Cluster, Decentralized, Distributed, Co-operation, and Collaboration based misbehavior detection mechanisms. Due to the characteristics of cooperation, nodes of the network do not hesitate to share their detection experiences with each other. Recent misbehavior detection techniques rely on nodes' collaboration. The distributive approach of the detection system provides an efficient, scalable way for a collaboration-based detection system. Cluster-based misbehavior detection systems consider features like mobility and network vulnerability at the early stage of cluster formation [14].

• Approach-based Misbehavior Detection: Approach-based misbehavior detection mechanisms can be subcategorized as Signature and Anomaly-based misbehavior detection mechanisms. Anomaly-based mechanisms use training data sets to examine the overall behavior of the network. If any kind of fault is observed, it gives an alarm about the happening of a malicious act. Whereas, Signature-based mechanisms keep a keen observation on the malicious patterns of the act as well as malicious acts that happen due to these patterns. The use of signature-based mechanisms is useful in the case of known and outsider attacks. But the major problem with these mechanisms is the overhead raised due to the process of signature updating, and secondly, these mechanisms are incapable of detecting new attacks [4].

• Node-Centric Misbehavior Detection: Node-centric mechanisms can be subcategorized as behavioral and Trust-based misbehavior detection mechanisms. Behavioral mechanisms observe the behavior of network nodes instead of information sent by these nodes. These mechanisms inspect whether a node behaves in a well-mannered approach or not. Whereas, Trust based mechanisms determine the chances of misconduct due to a node in the future. These are further grouped as: Direct trust and Indirect trust. In the mechanism of Direct trust, nodes rely on the concept of sharing information at a mutual level among the nodes. In case of Indirect trust, nodes calculate the probability of future misconduct depending on the analysis of past and present behavior patterns of a node [5,35].

• Data-Centric Misbehavior Detection: Data-centric mechanisms can be sub-categorized as Event and Context-based misbehavior detection mechanisms. Event-based misbehavior detection mechanisms deal with happening of events like emergency brakes, traffic congestion, etc. Moreover, these are application-specific. Whereas, Context-based misbehavior detection mechanisms can detect attacks caused due to false information or false events [12,13]. These are further graded as: Mobility-based, Plausibility, and Consistency-based mechanisms. Mobility-based mechanisms mainly focus on vehicles' mobility patterns for behavioral analysis of drivers [36]. These mechanisms are the usual mechanisms to detect misconduct at the local level. In contrast to event-based mechanisms, mobility-based mechanisms are considered superior as these mechanisms detect attacks at a very early stage. Plausibility-based mechanisms follow a well-known specific data model from the real world for detection of any doubtful event. Consistency-based mechanisms are used to examine any kind of uncertainties in the data received from many independent resources.

Table 1 Attacks on the security aspects of VANETs

| Attack | Description | Security aspect | Solution |
| GPS spoofing | Nodes are fooled by producing false information regarding their locations | Authentication | A machine learning probabilistic cross-layer intrusion detection system with more than 90% accuracy is proposed [44] |
| Position faking | Attacker falsify their positions and creates additional vehicle identifier to restrict the reception messages to other nodes | Authentication | Machine Learning (ML) techniques are used on VeReMi dataset to detect the misbehavior [38]; Trust models used to detect misbehaving nodes and ML techniques are used to compute trust metrics [39] |
| Eavesdropping | Attacker can deflect communication as well as stealing of password and important data is also possible | Confidentiality | Concept of blockchain is used to protect information from tampering. Also, hotbooting technique is used to accelerate learning speed [45] |
| Worm hole attack | An overlay tunnel is formed on wireless channel for communication interception | Nonrepudiation | A three phased Worm-Hole-Detection protocol is proposed. These phases enables authentic nodes to avoid wormhole link and establish routing path between connected vehicles [46] |
| | | | and anti-attack algorithm is used to detect this fabrication in communication [47] |

Misbehavior Detection Schemes for VANETs
This section summarizes various misbehavior detection schemes classified based on various domains, as stated in the previous section.

Architecture based Misbehavior Detection Schemes
• In the Ensemble-based Hybrid Context-Aware (EHCA) model [12], recent mobility information is obtained from adjacent vehicles to evaluate spatial and temporal attributes. Based on this analysis, a dynamic reference context is built and online updating is done. The suggested model analyzes cooperative behavior as well as the mobility data of the vehicle to obtain different characteristics that are capable of identifying a broad spectrum of misbehavior attacks. Integration of multi-faceted classification schemes facilitates this hybrid model to identify a broad range of misbehaviors directed at VANET mobility data. The model encompasses six major phases: The first phase is the Data Collection phase, in which information about mobility is exchanged between neighbouring vehicles. The sensors of the vehicles are surrounded by numerous noise types, which makes precise data difficult to collect. Kalman Filter algorithms have been used to efficiently retrieve information from the sensors in the presence of dynamic and heterogeneous noise. The Features Derivation phase is the second phase. After receiving information about the mobility of neighbouring vehicles, the data-centric and the behavioural-based feature sets are derived. In each data set obtained in the previous phase, two data-centric categories of features are derived, namely, the consistency-based and the plausibility-based features. The plausibility-based features have been derived as described below. The communication range-based feature $f_{v_i}^{cr}(k)$ of vehicle $v_i$ at time duration $k$ is determined in terms of the Euclidean distance between sender and receiver as below: Here, $v$ = stores the record of all neighbouring vehicles for the communication range-based feature. $p(x, y)$ = position of the receiver vehicle that derives the feature. $p_i(x_i, y_i)$ = the position of vehicle $v_i$ that sent the mobility messages.
The third phase is the Context Representation phase. During this phase, a Hampel filter-based adaptive approach uses the temporal and spatial attributes of the derived features to construct references for dynamic context. The fourth phase, Multifaceted Vehicles Evaluation, employs a Hampel filter-based z-score method to analyze vehicles in terms of their divergence from the dynamic context reference in terms of derived multi-dimensional attributes.
The fifth phase is the Ensemble Learning Based Classifiers, in which ensemble learning-based classifiers are trained using the outputs of the second, third, and fourth phases. Outputs of previous phases are used as input features. In the sixth phase, outputs of the classifier in fourth and fifth phases are aggregated using a weighted average-based method, and a final decision is produced. EHCA-MDS model is robust and stable during heterogeneous noise conditions and under unreliable connectivity. The results demonstrate that they are capable of making a trade-off between accuracy and memory. On average, the EHCA-MDS (HCA-MDS) model's overall efficiency has increased by 10% and is 37% more efficient than the data-centric model (DCA-MDS) (Fig. 4).
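An added example, not code from the survey or from the EHCA authors, of the plausibility and evaluation steps described above: the communication-range feature is the Euclidean distance to the claimed position, and each neighbour gets a Hampel-style robust z-score against a spatial reference (all neighbours) and a temporal reference (its own history). The 3.0 threshold, the minimum history length, all function names and the sample beacons are assumptions made for illustration.

```python
import math
from statistics import median

MAD_SCALE = 1.4826   # scales the MAD to a standard-deviation estimate for Gaussian data
Z_THRESHOLD = 3.0    # assumed cut-off; the survey does not state one
MIN_HISTORY = 3      # assumed minimum number of past samples for a temporal reference


def comm_range_feature(receiver_pos, claimed_pos):
    """Euclidean distance between the receiver and the position claimed by the sender."""
    return math.dist(receiver_pos, claimed_pos)


def hampel_reference(values):
    """Robust context reference: (median, scaled median absolute deviation)."""
    values = list(values)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, MAD_SCALE * mad


def hampel_z(value, reference):
    """Robust z-score of a value against a (median, scale) reference."""
    med, scale = reference
    if scale == 0.0:                       # degenerate context: samples are identical
        return 0.0 if value == med else math.inf
    return abs(value - med) / scale


def evaluate_neighbours(receiver_pos, beacons, history):
    """Score every neighbour at the current time step.

    beacons: {vehicle_id: claimed (x, y)} received in this step
    history: {vehicle_id: [feature values from earlier steps]}
    """
    features = {vid: comm_range_feature(receiver_pos, pos)
                for vid, pos in beacons.items()}
    spatial_ref = hampel_reference(features.values())    # context across neighbours
    report = {}
    for vid, value in features.items():
        past = history.get(vid, [])
        z_temporal = 0.0
        if len(past) >= MIN_HISTORY:                      # context from the vehicle's own past
            z_temporal = hampel_z(value, hampel_reference(past))
        z_spatial = hampel_z(value, spatial_ref)
        report[vid] = {
            "feature": value,
            "z_spatial": z_spatial,
            "z_temporal": z_temporal,
            "suspect": max(z_spatial, z_temporal) > Z_THRESHOLD,
        }
    return report


# Constructed sample data (metres); the receiver sits at the origin.
RECEIVER = (0.0, 0.0)
BEACONS = {
    "v1": (30.0, 40.0),      # 50 m away
    "v2": (60.0, 80.0),      # 100 m
    "v3": (252.0, 336.0),    # 420 m: plausible in isolation, but a jump for v3
    "v4": (120.0, -160.0),   # 200 m
    "v5": (0.0, 250.0),      # 250 m
    "v6": (900.0, 1200.0),   # 1500 m: far outside what the other neighbours report
}
HISTORY = {
    "v1": [52.0, 51.0, 50.0, 49.0],
    "v2": [96.0, 98.0, 99.0, 101.0],
    "v3": [150.0, 148.0, 151.0, 149.0, 150.0],
    "v4": [204.0, 202.0, 201.0, 199.0],
    "v5": [244.0, 246.0, 248.0, 251.0],
    # v6 is new to the receiver: no history, so only the spatial reference applies
}

if __name__ == "__main__":
    for vid, row in evaluate_neighbours(RECEIVER, BEACONS, HISTORY).items():
        print(vid, {k: round(v, 2) if isinstance(v, float) else v for k, v in row.items()})
```

In the constructed data, v6 is caught only by the spatial reference and v3 only by the temporal one, which is why the scheme keeps both kinds of context.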
Fig. 4 Proposed model for EHCA scheme [12]

• CAMDS [13] is a context-aware misbehavior detection scheme that is based on sequential analysis of vehicle movement. The approach incorporates adaptive consistency and plausibility models with the objective of identifying false CAM messages effectively. The Kalman filter method is employed to track data in this scheme, and innovation errors are used to develop a model for assessing temporal consistency for each neighboring vehicle. Further, the spatial consistency assessment model is constructed by using the Hampel filter. Similarly, the reference models for the plausibility evaluation are built online and updated immediately with the Hampel filter, using the neighbour information. Finally, if its consistency and plausibility differ a great deal from the context reference model, the message is identified as a suspect. CA-DC-MDS is a four-stage procedure that considers uncertainty information while making decisions. In context acquisition, an algorithm is used to gather context information to measure accuracy and uncertainty. In the second stage, context sharing, information is shared with other vehicles. During the third stage, which is context assessment, each vehicle constructs a reference model for context representation by extracting plausibility and consistency. In the last misbehavior detection phase, messages are assessed and compared with recent context references. Moreover, if the score assigned to a new message deviates from the context reference, it is treated as misbehavior. A 73% decrease in the false alarm rate was achieved in the proposed context-aware software while a 37% increase in the detection rate was achieved. CA-DC-MDS works autonomously in a privacy-protected environment in real-time. CA-DC-MDS can successfully detect a considerable number of context-unaware attackers that manipulate context information without considering the context situation. However, because of the high correlation between context data and the attacker's data, an attacker with context awareness can still modify context information without being identified (Fig. 5).

• MA-CIDS is a distributed ensemble learning-based misbehavior-aware on-demand collaborative intrusion detection system [14]. This means local IDS classifiers are trained individually by vehicles using random forest algorithms. Locally trained classifiers are shared with neighbouring vehicles on-demand, thereby reducing communication overhead. The model comprises four major phases. The first phase is the individual IDS construction phase. During this phase, each subject vehicle develops its own local IDS classifier utilizing data collected by monitoring and auditing the activities of neighbouring vehicles as well as its own network activities. Data preprocessing is accomplished by deleting incomplete records followed by encoding and standardization of categorical data. Important features are identified and selected using a feature selection algorithm. Every vehicle then segregates obtained and preprocessed information into two groups for training and testing the local model. An ensemble of local classifiers is constructed using a random forest algorithm (machine learning algorithm). Among several algorithms, Random Forest (RF) is chosen for its robustness with noisy data and decent compatibility even with nonlinear data such as VANET. Lastly, testing datasets are used to assess the output of trained local or individual IDS classifiers. The metadata for the locally-trained classifier is the performance assessment metrics such as F1 score, precision, recall, and accuracy. The Neighbouring Classifiers and Metadata Exchanging phase is the second phase. Cooperation between neighbouring vehicles is established in this phase. A demand-sharing approach is proposed to avoid overhead coordination. In this process, cooperation is established among neighbouring nodes.
In one-hop communication, a vehicle connects with the surrounding vehicles, and every vehicle shares the trained classifier and the metadata with the surrounding vehicles. An on-demand sharing strategy is proposed to avoid overhead coordination. An on-demand IDS classifier sharing algorithm is used by one-hop communication vehicles to exchange locally trained IDS classifiers and their metadata. It is on-demand because vehicles send a request for collaboration when the output of their classifier falls below a specific threshold. The algorithm avoids misbehaving vehicles as it transmits several sharing requests in a short duration. Each vehicle decides its requirements for the collaboration and updating of its IDS classifiers. The collaborative IDS classifier's performance in phase 4 serves as the basis for any IDS model amendments. If required, a message for cooperation is transmitted by the vehicle. Each vehicle in the surrounding area receives a collaboration request from the subject vehicle and uses an on-demand IDS classifier sharing algorithm to determine whether or not to reply with its locally trained IDS classifier and metadata. Neighbouring Misbehavior Evaluation is the third phase. Each vehicle evaluates received local IDS classifiers from neighbouring vehicles using its own local testing dataset. The recall $r_{test(i)}$, the precision $p_{test(i)}$, and the F1 score $f_{test(i)}$ are attained by evaluating the neighbouring classifier $IDS_i$ on the corresponding vehicle's local test dataset. The recall $r_{test(i)}$ and the precision $p_{test(i)}$ are used as the penalty values for neighbouring classifiers of vehicle $i$ in positive and negative instances respectively. The F1 score $f_{test(i)}$ is used as the misbehavior indicator. Neighbouring classifiers, namely the recall $r_{neighbor(i)}$ and the precision $p_{neighbor(i)}$, are ranked by every vehicle by multiplying the claimed performance. In the end, a box-plot is used to summarize any statistical variable without understanding its underlying distribution to identify misbehaving vehicles. Collaborative IDS Construction is the fourth phase. Here, construction of a collaborative IDS classifier is described. In the first step, each vehicle constructs an ensemble-based classifier by using a set of collaborators $C_{neighbor}$ received in the previous phase. Then, each classifier is given a pair of weights $w_i(p_i, r_i)$ determined in the previous phase, where $p_i$ represents the weight if an instance is normal or negative, and $r_i$ is considered when an instance is abnormal (intruder). Finally, the ensemble classifier outputs as explained below: where, $D_f$ = final decision given by the ensemble MA_CIDS, $d_i$ = classifier's decision as received from vehicle $i$, $p_i$ = classifier's weight sent by vehicle $i$ when $d_i = 0$, $r_i$ = classifier's weight by the vehicle $i$ when $d_i = 1$.
It is observed and verified by results that the MA-CIDS model performs better than the existing model in terms of effectiveness and efficiency for VANET (Fig. 6).
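An added example, not the MA-CIDS authors' code, of phases three and four as described above: each received classifier is re-tested on the local test set, its claimed precision and recall are multiplied by the tested values to give the weights $p_i$ and $r_i$, a box-plot lower fence on the tested F1 score removes misbehaving collaborators, and the remaining classifiers vote. The voting rule (summed $r_i$ of classifiers voting 1 against summed $p_i$ of classifiers voting 0) is an assumption, since the formula itself does not appear above; the threshold classifiers stand in for random forests, and all names and data are constructed.

```python
from statistics import quantiles


def threshold_classifier(threshold):
    """Stand-in for a shared local IDS classifier: 1 = intrusion, 0 = normal."""
    return lambda x: 1 if x > threshold else 0


def precision_recall_f1(classifier, test_set):
    """Evaluate a classifier on (feature, label) pairs from the local test set."""
    tp = fp = fn = 0
    for x, label in test_set:
        pred = classifier(x)
        if pred == 1 and label == 1:
            tp += 1
        elif pred == 1 and label == 0:
            fp += 1
        elif pred == 0 and label == 1:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def evaluate_neighbours(shared, test_set):
    """shared: {vehicle_id: (classifier, claimed_precision, claimed_recall)}."""
    scored = {}
    for vid, (clf, claimed_p, claimed_r) in shared.items():
        p_test, r_test, f_test = precision_recall_f1(clf, test_set)
        scored[vid] = {
            "clf": clf,
            "p": claimed_p * p_test,   # weight used when this classifier says "normal"
            "r": claimed_r * r_test,   # weight used when this classifier says "intrusion"
            "f1": f_test,              # misbehavior indicator
        }
    return scored


def select_collaborators(scored):
    """Drop classifiers whose tested F1 falls below the box-plot lower fence."""
    q1, _, q3 = quantiles([s["f1"] for s in scored.values()], n=4, method="inclusive")
    lower_fence = q1 - 1.5 * (q3 - q1)
    return {vid: s for vid, s in scored.items() if s["f1"] >= lower_fence}


def ensemble_decision(collaborators, x):
    """Assumed combination rule: weighted vote, 1 = intrusion."""
    votes = [(s, s["clf"](x)) for s in collaborators.values()]
    weight_intrusion = sum(s["r"] for s, d in votes if d == 1)
    weight_normal = sum(s["p"] for s, d in votes if d == 0)
    return 1 if weight_intrusion > weight_normal else 0


# Constructed local test set: one numeric feature, label 1 when it exceeds 0.5.
LOCAL_TEST_SET = [(x, 1 if x > 0.5 else 0) for x in
                  (0.05, 0.10, 0.20, 0.30, 0.40, 0.45, 0.55, 0.60, 0.70, 0.80, 0.90, 0.95)]

# Constructed neighbours: n1..n5 are honest but imperfect; n6 shares a classifier
# that never raises an alarm while claiming near-perfect performance.
SHARED = {
    "n1": (threshold_classifier(0.50), 0.95, 0.95),
    "n2": (threshold_classifier(0.42), 0.95, 0.95),
    "n3": (threshold_classifier(0.58), 0.95, 0.95),
    "n4": (threshold_classifier(0.35), 0.95, 0.95),
    "n5": (threshold_classifier(0.65), 0.95, 0.95),
    "n6": (lambda x: 0, 0.99, 0.99),
}

if __name__ == "__main__":
    scored = evaluate_neighbours(SHARED, LOCAL_TEST_SET)
    collaborators = select_collaborators(scored)
    print("kept:", sorted(collaborators))
    for x in (0.30, 0.52, 0.62):
        print(x, "->", ensemble_decision(collaborators, x))
```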
Figure: Architecture of MA-CIDS model [14]

• The AECFV intrusion detection system [15] is an efficient and accurate intrusion detection system developed to protect the network from the worst conceivable attacks on VANETs. AECFV is well suited to the characteristics of VANETs, which include high node mobility and quick topology changes. AECFV is equipped with two primary detecting systems and The key elements of anomaly-based SVM detection techniques are features extraction, training process and classification process. The rules-based decision technique collects the output from the LIDS or/and GIDS rule-based detection. The local decision-making technique is capable of determining the confidentiality of monitored vehicles and testing the reliability of the LIDS judgment. It computes cluster members' reputations and forwards information to the RSU for the final decision. At the Global Decision System (GDS), every integrated RSU has the potential of aggregating the reputations of every vehicle $v_j$ forwarded by the CHs. Consequently, it then determines the Trust level (TL) of every vehicle $v_j$, and categorizes them according to their TL in a curated list. The vehicle $v_j$'s aggregated reputation ($Arep_{i,j}$) can be calculated as: where, $n'$ = number of good reputations and $m'$ = number of bad reputations.
Different security features of AECFV include node authentication, communication privacy, secure localization etc. The detection framework of the AECFV is capable of identifying the most dangerous attacks possible on VANETs such as wormhole, black hole, selective transmission, replication of packets, resource depletion, and Sybil attacks. The results of simulations show that AECFV outperforms existing frameworks with respect to the precision of attack detection and time taken.
• In the position-based cooperative Sybil attack detection security protocol [16], Sybil attacks are detected locally in a cooperative manner by vehicles. Attacks are monitored using the communication characteristics and GPS locations of the vehicles that transmit the safety signals. In addition, in a smart attacker case, where a malicious vehicle can modify the communication range to prevent detection, the collusion scenario of the malicious vehicles is also taken into consideration. A vehicle should be as fast as possible and have a low packet loss ratio in comparison to other vehicles. When a vehicle arrives unexpectedly around a group of vehicles, they can detect an attack. An attacker may be rational, proactive, and thrifty from the inside. The attackers on the inside are legitimate VANET users. While rational attackers strike for their own gain, active attackers transmit data via a wireless channel. Parsimony dictates that an attack using a few malicious nodes is more likely to occur than an attack involving collaboration across multiple nodes. To ensure the anonymity of vehicles, the authors employed group signature techniques such as the short group signature. In addition to detecting routine Sybil attacks, this protocol detects smart attack scenarios and provides protection against collusion. This protocol has mainly three phases. During the Probing phase, vehicles continue to deliver periodic safety-related broadcasts every 300 ms within the communication range of 300 m. In this protocol, geographic information is broadcasted by the vehicles with indexes of nearest M vehicles in sequence.
In the Confirmation phase: vehicles are employed on the opposite side of the suspect vehicle (S), and vehicles opposite the S-vehicles are defined as O-vehicles. S-vehicles use their private key $SK_i$ in case of any anomaly and sign the index for suspect vehicles. Then warning messages and corresponding partial signatures are sent on the control channel periodically. In the meantime, the S-vehicle just before the suspect vehicle and the S-vehicle immediately behind the suspect vehicle gather the current geographical details of the suspect vehicle to warn others. In the Quarantine phase: after the identification of the vehicle, S-vehicle in front and behind position, Sybil node is quarantined by piggybacking its latest information and corresponding completes its safety-related message. Sometimes, in case of regular attacks, fake geographic information is broadcasted for the Sybil node when any malicious vehicle launches an attack. However, a more intelligent attack may decrease the communication range in order to rationalize the Sybil node's behaviour expression. Numerous legal vehicles can be combined to create a more sophisticated scenario to evade detection or frame some benign vehicles. In an exceptional situation, if all benign vehicles are framed up, malicious vehicles can overtake local communications.

• The authors [17] proposed a mechanism to prevent broadcast storms that could control network message congestion. The proposed Intrusion Detection System uses a traffic model to identify rogue nodes and detect anomalies by applying statistical techniques. The IDS is trained using the VANET model. Not only does each vehicle transmit its speed and location, but also the calculated flow value. As a result, vehicles calculate traffic flow parameters using the Greenshields model in conjunction with the density and average speed of other vehicles. The flow is a global characteristic that each vehicle determines independently, and it should be quite similar for vehicles sharing similar traffic conditions in close proximity. Each vehicle sends information about its speed, average flow, calculated density, and location details to other vehicles. Each vehicle also calculates its average flow value, which provides an excellent traffic estimate in or out of its vicinity. In case of any emergency, all the vehicles after the incident will apply brakes, and flow values will decrease. Every vehicle sends its $Flow_{AVG}$, which for other vehicles becomes a $Flow_{Rcvd}$. If the Flow value obtained from one vehicle does not match the VANET model, the data is rejected, and the vehicle's ID is reported. However, once the data agree, the receiving node validates the data by comparing it to its calculated values (Fig. 7).
If the values do not conform to flow parameters of the node (Speed and Density), the values are omitted and sent to the sender ID. The following two flow values are calculated:

Fig. 7 Model for host based intrusion detection system [17]

Data collection is accomplished in a cooperative manner using Greenshield's model. After comparing data from all neighbouring nodes, if there is a significant disparity between calculated and received values, some parameter values are collected, and the node is monitored. The t-test is conducted once adequate samples have been collected. If the t-test value falls into the acceptance zone, then data is accepted and otherwise rejected. In case of rejection, the node is flagged and the attack is referred to as an Information Attack; successive values are rejected from that node, and other users are notified of the type of attack via a message. A common technique, hypothesis testing, is used to test data correctness. Null and alternative hypotheses are proposed for the VANET model. These hypotheses will be tested in host IDS and are given below: $H_0$ = Accept Received data (in case of Honest Node). $H_a$ = Reject Received data (in case of Malicious or Rogue Node and false data).
Simulation under certain conditions like density, a number of rogue nodes have been carried out. Evaluation metrics like false positive rate, True Positive (TP) rate, and the detection time are computed. The proposed IDS is independent of infrastructure and performs excellently. This model does not require flooding the network with congestion warnings and information flows very gracefully. During a false emergency message, the illusion of collision is created by reducing the speed and flow of vehicle. However, identification of the vehicle sending the low value can be done easily. This application layer IDS performs better in dynamic and fast-moving networks and utilizes a cooperative information exchange mechanism. However, it would be very difficult to detect an attack if rogue nodes gradually increase (or decrease) the value of their parameters and launch the attack after some time.
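An added example, not the code of the authors of [17], of the two-stage check described above: a report is first tested for consistency with the Greenshields model, then the differences between received and locally calculated flow values are put through a one-sample t-test with $H_0$: the mean difference is zero. The free-flow speed, jam density, tolerance, 5% significance level, function names and all sample reports are assumptions made for illustration.

```python
import math
from statistics import mean, stdev

V_FREE = 100.0   # free-flow speed in km/h (assumed)
K_JAM = 120.0    # jam density in vehicles/km (assumed)
REL_TOL = 0.05   # assumed tolerance for the model-consistency check
# Two-sided critical values of Student's t at the 5% level, keyed by degrees of freedom.
T_CRIT_95 = {4: 2.776, 5: 2.571, 6: 2.447, 7: 2.365, 8: 2.306, 9: 2.262}


def greenshields_density(speed):
    """Density (veh/km) implied by a speed under Greenshields' linear model."""
    return K_JAM * (1.0 - speed / V_FREE)


def greenshields_flow(speed):
    """Flow (veh/h) = speed * density."""
    return speed * greenshields_density(speed)


def model_consistent(report):
    """Stage 1: do the reported density and flow match the reported speed?"""
    return (math.isclose(report["density"], greenshields_density(report["speed"]),
                         rel_tol=REL_TOL)
            and math.isclose(report["flow"], greenshields_flow(report["speed"]),
                             rel_tol=REL_TOL))


def t_statistic(diffs):
    """One-sample t statistic for H0: the mean difference is zero."""
    spread = stdev(diffs)
    if spread == 0.0:
        return 0.0 if mean(diffs) == 0.0 else math.inf
    return mean(diffs) / (spread / math.sqrt(len(diffs)))


def judge_sender(own_flows, reports):
    """Return 'accept', 'reject-model' or 'reject-ttest' for one sender."""
    if not all(model_consistent(r) for r in reports):
        return "reject-model"
    diffs = [r["flow"] - own for r, own in zip(reports, own_flows)]
    dof = len(diffs) - 1
    if dof not in T_CRIT_95:
        raise ValueError("need between 5 and 10 samples for the embedded t table")
    return "accept" if abs(t_statistic(diffs)) <= T_CRIT_95[dof] else "reject-ttest"


def make_reports(speeds):
    """Build model-consistent reports from a list of speeds (constructed data helper)."""
    return [{"speed": s, "density": greenshields_density(s), "flow": greenshields_flow(s)}
            for s in speeds]


# Constructed samples: the receiver travels at about 80 km/h in free-flowing traffic.
OWN_FLOWS = [greenshields_flow(s) for s in (80, 79, 81, 80, 78, 82)]
HONEST = make_reports([81, 79, 80, 79, 79, 81])
# Rogue node: values are self-consistent but claim a near-standstill (false emergency).
ROGUE = make_reports([12, 10, 11, 9, 10, 12])
# Sloppy forger: lowers the flow value without adjusting speed and density to match.
INCONSISTENT = [dict(r, flow=600.0) for r in make_reports([80, 80, 80, 80, 80, 80])]

if __name__ == "__main__":
    for name, reports in (("honest", HONEST), ("rogue", ROGUE),
                          ("inconsistent", INCONSISTENT)):
        print(name, judge_sender(OWN_FLOWS, reports))
```

The rogue sender passes the model check because its numbers agree with each other; only the comparison against the receiver's own flow values exposes it.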
• A game theory-based model [18] has been developed for the strategic interaction of legal and malicious users, following repeated graphical games with incomplete information. In the proposed model, the network consists of selfish nodes whose main focus is personal benefit. The issue is exacerbated by malicious users who seek to damage the network and increase costs for legitimate users. Initially, legitimate users are not aware of other types of users. Here, two instantiations have been used to show the model's expressive power and tractability. As per the model, users are provided with two options: C (Cooperate), and D (Defect). Once every user gets a payoff depending upon his neighbours' actions and his actions, every user has to choose their actions. Here, the payoff can be considered as a measure of personal benefit. So, $R_i(a_i \mid t_i)$ represents the payoff of user $i$, where $a_i$ and $t_i$ are $i$'s action and type, respectively. The payoff of $i$ is denoted by $R_i(a_i a_j \mid t_i t_j)$ when $j$ is $i$'s neighbour, where $a_j$ and $t_j$ are $j$'s action and type, respectively. Thus, $i$'s payoff can be written as follows: When there is case, $i$'s payoff does not depend on neighbour types, In this instantiation, two salient points have been mentioned. Firstly, Good users receive the same costs and benefits regardless of whether they collaborate with Good or Bad users. Secondly, Good users' unresponsiveness towards other players suggests that they only consider neighbours' possible upcoming actions and do not bother about their type. It means an increased cost-benefit ratio for Good users results in a reduced payoff for Bad users. Intuitively, Good users become more demanding in such a case, making it more difficult to counteract Bad users' bad behaviour. It has been mentioned that no such game-theoretic modeling of malicious users has been previously published.

Approach based Misbehavior Detection Schemes
• Edge computation-based anomaly detection (EVAD) is a computational anomaly detection based on the fusion of edge-based sensor data [19]. In this, multiple sensors are organized into a ring architecture to improve performance and reduce computation overhead. The key components of EVAD (anomaly sensing module) are integrated with edge computing devices, which improve the performance and privacy of anomaly detection. Edge Computing is the technology of moving computations to edge devices of network. Here, downstream data symbolizes cloud services, while upstream data represents the Internet of Things (IoT). EVAD is an anomaly-detection system for vehicles in real time that analyses various correlations between several in-vehicle sensors using Fourier transformation. It comprises four modules. EVAD connects via the Diagnostic Interface on-board to the Controller Area Network (CAN) bus; monitors and buffers messages in the Data Collection Module. In the second module, which is the Model Generation Module, EVAD chooses appropriate pairs of sensors based on the previous data t in order to create a general model of a correlation ring for a target vehicle. The Cloud Server supports this module and involves three steps. The first step is to identify correlation between sensors by calculating the Pearson Correlation Coefficient as: where, n = length defined for re-sampled sequences X and Y , X = standard deviation of X and Y = standard deviation of Y.
In the second step, the computation overhead can be minimized by calculating the correlations associated with the sensors in the correlation ring. The identification process can be carried out with as many correlations as possible within limited time and resources because the computational complexity of the correlation ring is minimal. Finally, every node is reviewed twice by the ring architecture, which increases EVAD accuracy. In the last step, sensor data is first transferred to the frequency domain from the time domain using Fourier transformation. The Power Spectral Density (PSD) is formulated as given below: where, $i$ = window index, = corresponding frequency, Ƒ[*] = Fourier transform and $j$ = unit imaginary number.
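The correlation ring and the frequency-domain check described above can be sketched as follows. This is an added example, not EVAD's own code: the sensor names, the periodogram normalisation, the thresholds and the 64-sample windows are assumptions constructed for illustration.

```python
import cmath
import math


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length, re-sampled sequences."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("need two sequences of equal length >= 2")
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    if sx == 0 or sy == 0:
        return 0.0  # a flat-lined sensor has no usable correlation
    return cov / (sx * sy)


def psd(window):
    """Periodogram |DFT|^2 / n of one mean-removed window (bins 0..n/2)."""
    n = len(window)
    mean = sum(window) / n
    centred = [v - mean for v in window]
    spectrum = []
    for k in range(n // 2 + 1):
        coeff = sum(v * cmath.exp(-2j * math.pi * k * t / n)
                    for t, v in enumerate(centred))
        spectrum.append(abs(coeff) ** 2 / n)
    return spectrum


def high_band_share(window, cutoff_bin):
    """Fraction of spectral power at or above cutoff_bin."""
    spectrum = psd(window)
    total = sum(spectrum)
    return sum(spectrum[cutoff_bin:]) / total if total else 0.0


def ring_pairs(sensors):
    """Pair each sensor with its successor, so every sensor is checked twice."""
    return [(sensors[i], sensors[(i + 1) % len(sensors)])
            for i in range(len(sensors))]


def build_model(history):
    """Reference correlation per ring pair, learned from known-good data."""
    return {(a, b): pearson(history[a], history[b])
            for a, b in ring_pairs(sorted(history))}


def check_window(model, window, r_tol=0.3, cutoff_bin=8, max_share=0.2):
    """Return {sensor: [reasons]} for sensors that look anomalous (assumed thresholds)."""
    failed = dict.fromkeys(window, 0)
    for (a, b), model_r in model.items():
        if abs(pearson(window[a], window[b]) - model_r) > r_tol:
            failed[a] += 1
            failed[b] += 1
    findings = {}
    for name, seq in window.items():
        reasons = []
        if failed[name] == 2:  # both ring neighbours disagree with this sensor
            reasons.append("correlation")
        if high_band_share(seq, cutoff_bin) > max_share:
            reasons.append("spectrum")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed 64-sample windows (not captured CAN data).
N = 64
SLOW = [math.sin(2 * math.pi * t / N) for t in range(N)]
FAST = [math.sin(2 * math.pi * 20 * t / N) for t in range(N)]
NORMAL = {
    "rpm": [2000 + 500 * s for s in SLOW],
    "speed": [60 + 15 * s for s in SLOW],
    "throttle": [30 + 10 * s for s in SLOW],
}
SPOOFED = dict(NORMAL, speed=[60 + 15 * f for f in FAST])
NOISY = dict(NORMAL, speed=[60 + 15 * s + 9 * f for s, f in zip(SLOW, FAST)])
MODEL = build_model(NORMAL)

if __name__ == "__main__":
    for label, win in (("normal", NORMAL), ("spoofed", SPOOFED), ("noisy", NOISY)):
        print(label, check_window(MODEL, win))
```

In the noisy window the pairwise correlation stays within tolerance and only the spectral check fires, which is the case the combined time and frequency analysis is meant to cover.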
In the Anomaly Detection Module, EVAD simultaneously analyses the time correlation of various sensors and the PSD in a specific frequency range. Time-efficient identification in this module can ensure that CAN bus data will not be stacked. In the end, Anomaly Detection Module passes the results to EVAD in the Result Submission Module. If the vehicle is in normal condition, the EVAD automatically transmits data to the cloud server. Otherwise, EVAD initiates the warning and immediately transmits the status via the edge computing system to the cloud server. EVAD can conserve many resources, such as energy and bandwidth, by transmitting the required data. EVAD will secure the confidential data of users during the anomaly detection process. Meanwhile, EVAD uses periodic acknowledgement (ACK) to validate the connection of cloud servers and edge computing devices. The best part of EVAD is that it combines the advantages of pairwise correlation, frequency domain analysis, ring structure as well as edge computing. In contrast, frequency domain analysis is not thought to be a good approach in the case of anomaly detection.

$N_A$ and $N_B$ are two nodes whose intersection can be evaluated by predicate intersect() which tests the particular rectangles at level $i$. If the rectangles are overlapping, the predicate will return a '1'; otherwise return a '0'. The decision about the intrusions is based on claims made by more than one vehicle for the same position at one time. Intrusion certainty and trust values are used to predict intersection possibilities.
Overall Intrusion certainty is calculated by using the following formula: where, probability of an intrusion is denoted by $c_{intrusion}$ and $c_{intrusion} = 1$ if $s$ reaches $N$.
A trust value is used to give a rating to intersecting nodes as benign or malicious. A passive response model flags the vehicle, which has implausible mobility behavior. This plausibility model has been proposed to detect errors at the level of information source and it identifies attackers along with attacks. Trustworthy vehicles drive-through and false congestion-through can be effectively detected by the proposed model. An attacker can be identified using precise positions and trust model. Moreover, virtual drive-throughs can be used to detect opposite attacks (Fig. 8).
• The authors proposed a scheme to mitigate the DoS attacks caused by both internal as well as external attackers against signature-based authentication [24]. The DoS Attack Model contains a trusted authority (TA), infrastructure units like roadside units (RSUs), and vehicles having communicating devices. To sign the message, TA provides the required credentials. This scheme has two phases that help in controlling DoS attackers in VANETs. The first phase is the Entity Authentication phase. During this phase, the Hash-based Message Authentication Code (HMAC) is computed with the shared secret key and attached to the sent message. After authentication of the HMAC, the recipient assumes the sender to be genuine and then checks the validity of signatures. The message is written in the following format: where, $M_i$ = message to be transmitted by the $i$th vehicle, $\sigma_i$ = message signature of $M_i$, $HMAC_{kg}$ = HMAC computed using the secret key $kg$, $E_i$ = message hash of $M_i$, $ID_i$ = $i$th vehicle's identity and $T_i$ = $i$th vehicle's message timestamp. As all vehicles have GPS, synchronized timestamps are considered as $T_i$. The proposed work is aimed at unicast communication; ECDSA is used to produce the signature, and the symmetric shared secret key is determined based on ECDH. $S_{AB}$ is the shared key of users A and B, and can be calculated using the following equation: where $(Pr_a, Pu_a)$ and $(Pr_b, Pu_b)$ are private and public key pairs for A and B, respectively. It is assumed in the work that the public keys and their related credentials have been accessed safely, and they are not susceptible to attacks. The HMAC is used to authenticate the communicating entity, and, in this way, outside attackers are identified.
The second phase is the Detection of Inside Attackers phase. Although the recipient finds the sender legitimate by successful HMAC verification, there is always a high chance that the signature will fail. To alleviate this, every vehicle maintains a detection table and blacklisted table to detect and identify insider DoS attackers.
The mechanism can control DoS attacks from both inside and outside attackers with least computational complexity. The system only aims to reduce DoS attacks if the attackers saturate the system with fake signatures. However, the technique is not as effective when the attacker floods the system with false information and legitimate signatures.
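The two phases above, as an added example that is not the code of [24]: a receiver checks the cheap HMAC first, spends a signature verification only on messages that pass it, and moves repeat offenders from a detection table to a blacklist. The fields covered by the HMAC, the freshness window, the failure limit and the keyed-hash stand-in for ECDSA (used so the example runs on the standard library alone) are assumptions, and all keys and messages are constructed.

```python
import hashlib
import hmac

FRESHNESS_S = 2.0  # assumed maximum age of T_i in seconds
FAIL_LIMIT = 3     # assumed number of bad signatures before blacklisting


def mac_tag(kg, e_i, vehicle_id, t_i):
    """HMAC_kg over (E_i, ID_i, T_i); the covered fields are an assumption."""
    data = e_i + f"|{vehicle_id}|{t_i:.3f}".encode()
    return hmac.new(kg, data, hashlib.sha256).digest()


def build_message(kg, sign, vehicle_id, payload, t_i):
    """Assemble the fields M_i, sigma_i, HMAC_kg, E_i, ID_i, T_i named in the text."""
    e_i = hashlib.sha256(payload).digest()
    return {"M": payload, "sigma": sign(vehicle_id, payload), "E": e_i,
            "ID": vehicle_id, "T": t_i,
            "HMAC": mac_tag(kg, e_i, vehicle_id, t_i)}


def make_standin_signer(vehicle_keys):
    """Keyed-hash stand-in for ECDSA sign/verify (not a real signature scheme)."""
    def sign(vehicle_id, payload):
        return hmac.new(vehicle_keys[vehicle_id], payload, hashlib.sha256).digest()

    def verify(vehicle_id, payload, sigma):
        if vehicle_id not in vehicle_keys:
            return False
        return hmac.compare_digest(sign(vehicle_id, payload), sigma)
    return sign, verify


class Receiver:
    def __init__(self, kg, verify_signature):
        self.kg = kg                      # shared key, e.g. derived via ECDH
        self.verify_signature = verify_signature
        self.detection = {}               # detection table: ID_i -> failures
        self.blacklist = set()            # blacklisted table
        self.sig_checks = 0               # expensive verifications spent

    def handle(self, msg, now):
        vid = msg["ID"]
        if vid in self.blacklist:
            return "drop:blacklisted"
        if abs(now - msg["T"]) > FRESHNESS_S:
            return "drop:stale"
        # Phase 1: entity authentication with the cheap HMAC.
        expected = mac_tag(self.kg, msg["E"], vid, msg["T"])
        if (msg["E"] != hashlib.sha256(msg["M"]).digest()
                or not hmac.compare_digest(expected, msg["HMAC"])):
            return "drop:hmac"  # outsider: never reaches the signature check
        # Phase 2: signature check; failures are counted per sender.
        self.sig_checks += 1
        if self.verify_signature(vid, msg["M"], msg["sigma"]):
            return "accept"
        self.detection[vid] = self.detection.get(vid, 0) + 1
        if self.detection[vid] >= FAIL_LIMIT:
            self.blacklist.add(vid)
        return "drop:signature"


def run_demo():
    kg = b"constructed-shared-key"
    sign, verify = make_standin_signer({"veh-A": b"key-A", "veh-B": b"key-B"})
    rx = Receiver(kg, verify)
    now = 1000.0
    honest = build_message(kg, sign, "veh-A", b"brake warning", now)
    outcomes = [rx.handle(honest, now + 0.1)]
    # Sender without kg: the HMAC field cannot be produced.
    outcomes.append(rx.handle(dict(honest, HMAC=b"\x00" * 32), now + 0.1))
    # Insider holding kg but flooding invalid signatures.
    for i in range(4):
        bad = build_message(kg, sign, "veh-B", b"flood %d" % i, now)
        bad["sigma"] = b"\x01" * 32
        outcomes.append(rx.handle(bad, now + 0.2))
    return outcomes, rx.sig_checks, sorted(rx.blacklist)


if __name__ == "__main__":
    print(run_demo())
```

Because the detection table is only updated after the HMAC passes, a sender without the shared key cannot push another vehicle onto the blacklist.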
• The authors proposed [25] an ID-based authentication framework which uses self-generated pseudonyms as identifiers and has a privacy-preserving mechanism for VANETs. The framework aims to present an effective privacy-preserving authentication mechanism in terms of communication, storage and transmission overhead. Instead of real-world IDs, self-defined pseudonyms are used without exposing vehicle privacy.
The Regional Trusted Authority (RTA) preloads an ID pool of regional Road Side Units (RSU) in a vehicle for authentication. The RSU ID pool does not need to be updated or replenished until the RSU ID is changed or improved.
During Protocol Initialization, vehicle RTA-based registration is done on certain prefixed parameters for authentication. Each vehicle uses pseudonyms as an identifier to secure communication without compromising privacy. At the same time, a hash value for each vehicle is created and preserved in the hash value table.
Instead of real-world IDs, pseudonyms of vehicles are created for privacy-preserving authentication. The pseudonym for each vehicle is defined in the following form: where RandomNo is generated by a Pseudo-Random Number Generator, $H(ID_v)$ = a hash value obtained from the real-world ID of the vehicle, HR = registered home region of the entity, and $RSU_c$ = present corresponding RSU's ID.
Information is broadcast periodically by RSUs. RTAs and RSUs function in a tamper-proof manner and trustfully. This framework functions adaptively each time any vehicle desires to have new authentication for itself or others. It is based on ECC and RSA signatures, which makes it more authentic while preserving privacy. RTAs and RSUs require very little storage. This framework is very efficient as it requires very little computational complexity. It is reusable with new IBS and IBOOS schemes.

Node-Centric Misbehave Detection Schemes
• The authors propose a solution for detecting intelligent malicious behavior using an adaptive detection threshold [21]. For Trust Establishment in Vehicle-To-Vehicle (V2V), two inter-vehicular trust metrics are evaluated. Direct trust means local knowledge-based evaluations, whereas indirect trust is the direct trust among two vehicles that relies on other vehicles' opinions on the honesty of the participating vehicles. Following relevance factors can be used to adapt V2V trust levels: Direct and indirect trust evaluations are denoted by $DT_{(i,j)}$ and $IT_{(i,j)}$ respectively, #int is the number of interactions. $DT_{(i,j)}$ is the direct trust generated by a vehicle using legal $L_{(i,j)}$ and malicious $M_{(i,j)}$ actions.
Recommendations of one-hop neighbours are used to calculate indirect trust. Two fields, i.e., neighbour identity and beacon sender's opinion about the neighbours are modified in the format for the beacon messages to prevent affecting communication bandwidth.
Let the set of direct neighbours of $v_i$ be $Neigh_{v_i}$. The following equation illustrates how the indirect trust of vehicle $v_j$ is measured by a vehicle $v_i$.
where, $IT_{(i,j)}$ corresponds to the partnership of the recommenders' ($k$) direct trust DT and their opinions in regard to vehicle $v_j$, and the number of recommenders is denoted by $N$. An adaptive threshold is used for every neighbour in place of using only one fixed detection threshold. Let corresponds to the evaluation difference old and new trust.
Depending on the change in node behavior, the equation given below summarizes the detection threshold adaptation.
After simulation, observations show that this method has a high detection ratio (more than 80%) even in the presence of intelligent malicious attackers due to adaptive detection threshold. However, detection presence falls (20%) in the presence of dishonest vehicles. This trust-based scheme is very good for detecting attackers who keep adapting their behavior to escape exclusion (Fig. 9).
• The authors suggested a trust evaluation model [26] which is focused on the information of location and verification in an NLOS state. To assess their confidence levels, the scheme includes a trust attribute. This framework suggests attributes for VANET that will help in building confidence among the vehicles by using results of location verification of neighbouring vehicles and overcoming the impact of moving vehicles that prevent clear communication. The process of Secure Trust Model is completed in the following steps: For each attribute, here ( i ) are normalizing factor. For every node, where weights ($w_i$) are linked to the attribute values, and weighted average approach has been used to measure a trust value by using the following formula:
Evaluation metrics like neighbourhood awareness and location verification, message delivery success rate and security attack resilience are used for simulation.
Following Security measures have been analyzed for assessing the model: (1) Confidentiality and authentication of messages should be maintained.

Fig. 9 Representation of dishonest behavior in intelligent way [21]

In NLOS conditions, it becomes difficult to differentiate between a misbehaving node and an obstacle-blocked node. The proposed trust model overcomes the effect of NLOS and uses location information for evaluation. Resultantly, this improves the response of the vehicle in its proximity (Fig. 10).

Data-Centric Misbehave Detection Schemes
• The authors [20] introduced a data-centric misbehavior detection approach. To gain access to some specific lane, sometimes vehicles transmit wrong information. False data and the transmitter must be detected efficiently to avoid accidents. The primary purpose of entity-centric misbehavior detection is to locate and penalize a misbehaving node, whereas data-centric misbehavior detection identifies false data. Every node can determine whether the information received is accurate or incorrect using data-centric MDS. The decision is based on consistent reporting and the estimated position of the vehicles in recent messages and new alerts. A network with three lanes and one-way traffic is considered. The network is composed of Ɲ nodes. $n_i$ denotes vehicle nodes.
There are a Master Authority (MA), Certification Authorities (CA) $C_i$ and road side units (RSU).
Among the various message kinds, only two are used: alert and beacon. Vehicles' safety is ensured by alert messages $M_A$ ∈ Ϻ. It has five tuples.
where, $p_{it}$ ∈ $P_i$ is the node $n_i$'s pseudonym that generated the alert at time $t$ ∈ T, T ∈ T is the type of alert, $L_j$ ∈ L is the event $E_j$'s location for which the alert was generated, $t$ ∈ T is the alert message sent time, $l_{it}$ ∈ L is the location of node $n_i$ when it generated the alert at time $t$.
When the neighboring node sends an alert message, the receiving node relays it to all nearby nodes and RSUs.
where, $M_R$ denotes the relay alert tuple, $p_{it}$ ∈ $P_i$ is the node $n_i$'s pseudonym that generates the relay alert at time $t$ ∈ T, at which $M_R$ was sent. Relayed alert message is $M_A$ ∈ Ϻ.
Beacons specify location of the vehicles. It is denoted by B and has three tuples.

Fig. 10 Proposed secured trust model [26]

where, $p_{it}$ ∈ $P_i$ is the node $n_i$'s pseudonym at beacon sent time $t$ ∈ T. $l_{it}$ ∈ L is the node $n_i$'s location generated the alert at t time.
Threshold time $F_T$ is a period of freshness, after which a message becomes stale and the receiving node discards it. For a new message, the location of the node and the position of the event are calculated; if they are found contradictory, the message is also discarded and no action is taken on the alert. The node considers the alert if the positions are correct. It then checks the type of alert and prepares to take action. Incorrect location information is detected using timestamps. Group associations and voting schemes do not affect the approach, which makes it immune to Sybil attacks. After the misbehavior is identified, a penalty is imposed to discourage the selfish behavior rather than revoking secret credentials of the node, thus reducing the expense of communication (bandwidth) and computation (cycles).
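A receiver-side sketch of the checks described above (freshness against $F_T$, sender position against the latest beacon, event position against sender position). This is an added example, not the code of [20]: the numeric limits, the 2D coordinates, the reading of "contradictory" as "event out of sensing range", and all messages are assumptions constructed for illustration.

```python
import math
from collections import namedtuple

# Field order follows the alert and beacon tuples described in the text.
Alert = namedtuple("Alert", "pseudonym alert_type event_loc sent_at sender_loc")
Beacon = namedtuple("Beacon", "pseudonym sent_at loc")

F_T = 3.0            # assumed freshness period in seconds
V_MAX = 50.0         # assumed maximum plausible speed in m/s
GPS_TOL = 10.0       # assumed positioning tolerance in metres
SENSE_RANGE = 300.0  # assumed distance at which a node can observe an event


class DataCentricChecker:
    def __init__(self):
        self.last_beacon = {}  # pseudonym -> most recent Beacon

    def on_beacon(self, beacon):
        prev = self.last_beacon.get(beacon.pseudonym)
        if prev is None or beacon.sent_at > prev.sent_at:
            self.last_beacon[beacon.pseudonym] = beacon

    def on_alert(self, alert, now):
        """Return 'act:<type>' or the reason the alert is not acted on."""
        age = now - alert.sent_at
        if age < 0 or age > F_T:
            return "discard:stale"
        beacon = self.last_beacon.get(alert.pseudonym)
        if beacon is None:
            return "hold:no-beacon"  # nothing to estimate the position from
        # The sender cannot have moved further than speed * elapsed time.
        reach = V_MAX * abs(alert.sent_at - beacon.sent_at) + GPS_TOL
        if math.dist(alert.sender_loc, beacon.loc) > reach:
            return "discard:sender-position"
        # The claimed event must be observable from the claimed position.
        if math.dist(alert.event_loc, alert.sender_loc) > SENSE_RANGE:
            return "discard:event-position"
        return "act:" + alert.alert_type


def run_demo():
    checker = DataCentricChecker()
    checker.on_beacon(Beacon("p7", 100.0, (0.0, 3.5)))
    ok = Alert("p7", "crash", (120.0, 3.5), 101.0, (30.0, 3.5))
    cases = [
        (ok, 101.5),                                        # consistent
        (ok._replace(sender_loc=(900.0, 3.5)), 101.5),      # 900 m in 1 s
        (ok._replace(event_loc=(5000.0, 3.5)), 101.5),      # event too far
        (ok, 110.0),                                        # older than F_T
        (ok._replace(pseudonym="p9"), 101.5),               # never beaconed
    ]
    return [checker.on_alert(alert, now) for alert, now in cases]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Each decision uses only the sender's own messages, with no voting among neighbours.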
• The authors proposed a central evaluation scheme based on misbehavior detection systems to identify and remove attackers from the network running on vehicles and roadside units [22]. To ensure long-term functionality, the suggested central scheme uses trust and reputational knowledge presented in misbehavior reports. The scheme intends to provide a foundation for automatic misbehavior detection because it pays special attention to flexibility, scalability, and practicality. The scheme focuses on internal attackers who generate ghost vehicles by forging messages. As this adversarial model is relatively general, a misbehavior detection and evaluation framework is applied with the intent to detect a wide area of location-based attacks. Such malicious behavior is referred to as Sybil attack. Detection of inconsistencies is possible in local misbehavior detection systems, but it has minimal root cause recognition possibilities. Also, the local system of neighbouring nodes finds it difficult to distinguish between the originator and attacker node. So, a central evaluation scheme is more likely to exclude misbehaving nodes from the VANET for the long term. A number of vehicles $V$ travel in a zone that simulates a ghost vehicle $a \in V$ in the $(0, \ldots, n)$ time frame. The attacker can modify the ghost vehicle's pseudonym easily. A local MDS functioning on the observer node $ovs \in V$ can detect all inconsistencies $I_{obs}$ generated by ghost vehicle $a$ when another vehicle overlaps $a$'s occupied location. Equation indicates the maximum number of local detections.
On the other hand, a central framework of misbehavior evaluation may acquire knowledge that multiple pseudonyms (e.g., $a'$, $a''$) are related to the same node $a$. Inconsistencies in every timeframe $(0, \ldots, n)$ are taken into consideration by the central evaluation, whereas $ovs$ can find inconsistencies only while being in $a$'s communication range.

$\sum_{obs} I_{(obs,a')} + I_{(obs,a'')} + I_{(obs,a''')}, \quad obs \in V$

It can be observed by contrasting above equations that central assessment method can process more misbehavior detections as compared to local system: $I_a \ge I_{(obs,a')}$. Misbehavior Evaluation Authority (MEA) works on backend infrastructure. MEA separates this trust information into trust and confidence as independent elements. Misbehavior report (MR) is used to transmit information from MEA's network nodes concerning potential misbehavior. The report includes a list of observed misbehavior (e.g., overlaps of nodes, unexpected position jumping), the reporter's pseudonym ID, the overlapping nodes, and their trust statements, and the list of the reporter's nearby nodes. Once received at central MEA, each MR's signature is verified against the pseudonym certificates' Public Keys. In a second step, the signature of CAMs tests the proof of overlap. The central misbehaviour evaluation seeks to identify an attacker among a collection of nodes that have actively or passively overlapped. On the basis of misbehaviour reports received from network nodes, the majority of benign reporters can be accurately identified by the central Misbehavior Evaluation Authority. It also prevents cooperative attacks when false reports are provided to arbitrarily blame benign nodes. Cooperative attacks also require considerable effort as they require a temporal and spatial context. The small internal report structure supports the scalability and efficiency of the proposed mechanism. Whenever a network node autonomously identifies misbehaviour, a report is generated and sent to the infrastructure whenever an access point becomes available. There is no need to transmit additional messages among network nodes via an ad-hoc connection. The central evaluating authority, therefore, needs no permanent delivery of position reports. Both factors boost the stability and performance of the system.
• REST-Net [27] is a new kind of Intrusion Detection System for VANETs which has been introduced to overcome different authenticity challenges. Here, a dynamic detection engine is used to check any kind of attack by using plausibility checks for message verification. The detection engine validates beacons broadcast before and after a warning message. The plausibility checks are given as dynamic rule sets. In addition, REST-Net uses adaptive alert levels to reduce driver interruptions while detecting most threats, and cancels messages after an intruder's detection. The design involves a constrained attacker as well as an unbounded attacker. Constrained attackers try to gain an advantage by faking messages, while unbounded attackers fake identities of privileged vehicles like the police. In REST-Net, ADAS can detect fake messages by assessing beacon data. It is a rule-based IDS because it works by defining invalid actions of users. Plausibility checks, message revocation schemes, and adaptive warning levels are the main components of REST-Net. REST-Net validates both Beacon broadcasts and performs plausibility checks at pre-validation and post-validation stages. In general, both static and dynamic rules are attributed to two types of events and explain invalid actions incompatible with their corresponding events. Extended plausibility tests permit pre-validation and post-validation in contrast to static rules and (necessarily) do not rely on specific events. An IDS's main challenge is to alert or discard warning messages only when there is a reasonable probability of an attack, as IDSs do not typically achieve a 100% detection rate. For this function, REST-Net employs adaptive warning levels to consider various conditions. The adaptive warning levels for REST-Net are based on adaptive plausibility checks and parameterization of rules.
Adaptive plausibility checks make situational judgments that usually lead to low error rates and hence less disturbance for the users. In comparison, rules can be parameterised to choose an appropriate trade-off between true negatives and true positives.
The REST-Net requires an attacker identification feature to remove false data. This function is especially crucial in case of a strong opponent like the unbounded attacker. $K_A$ is a private key of Message $M_A$; $Cert_A$ is a public key certificate with attacker's vehicle $A$, Message text is illustrated by $X$ and $T$ is the timestamp.
$R_v$ is the revocation Message used by vehicle $V$ to detect anomalies in $M_A$.
Revocation Messages comprise a hashed value of the contradicting Message $h(M_A)$ they refer to and a new Message $X_v$, which may have any reason for revocation:
• Human assistance
• Identity revocation noticed
• Posterior IDS revelation
Authors claimed that REST-Net is the first IDS for VANETs featuring a pre- and post-event validation detection engine; adaptive rules; adaptive level of warning; and agile method of detecting malicious messages. REST-Net provides a fast detection rate and adaptive warning levels to avoid driver's interruptions. To further improve its detection rate, the authors propose to merge REST-Net with the preceding IDS modules of different OSI layers. Table 2 given below describes various characteristics of different schemes discussed in this work.

Role of Machine Learning (ML) in Misbehavior Detection for VANET
Today, machine learning is a major research area in the domain of misbehavior detection for VANET. Machine Learning can be seen as the backbone for establishing future safe and secure noble vehicular systems. Due to a highly dynamic environment, such as varying network topologies, vehicle densities, etc., vehicular networks are very prone to various attacks, as discussed earlier. Machine Learning has the ability to adapt to changes and uncertainties within the environment. Also, Machine Learning can automate decision-making regarding traffic control, network security, etc. With its numerous potential characteristics, machine learning brings a new revolution in misbehavior detection for vehicular networks. Some recent machine learning-based misbehavior detection techniques for VANET are explained in the following section. The purpose of introducing the concept of machine learning in Vehicular Ad-hoc Networks is to develop the generalization ability and classification of data in order to mark a node as authorized or unauthorized in future. Machine learning in misbehavior detection for VANET has not been reviewed at a broad level. But results worked out by several researchers show that these techniques are outperforming in this field. Also, many issues, like security, complexity of method etc., keep researchers from exploring machine learning techniques exhaustively [28].
Trust Aware Support Vector Machine-based Intrusion Detection System (TSIDS) [29] is developed to authorize a value of trust among vehicles to present within the network. This intrusion detection system considers a combined approach of random data selection and Support Vector Machine-based data analysis. The basic idea of this mechanism lies in the fact that each node knows its core action of plan in the forward step. The proposed model utilizes the three basic module components as prescribed in [30]. The destructive or malicious nodes within the network are characterized as behaving in a responsive way, maintaining the high network performance. During the data collection to find a specified pattern of destructive nodes, the parameters like packet drop rate, transfer delay, and transfer interval are chosen. These parameters affect network throughput significantly. During the analysis phase, Support Vector Machine is used to train and test the data. Within the given framework, two possibilities, as presence or absence of destructive nodes with normal and corrupted outputs, are considered during the analysis. Finally, a trust value score is used as decision maker to find out the destructive nodes. This score value is periodically updated as well as broadcasted to avoid future intrusion. The best aspect of proposed technique is that it does not create any packet overhead.
Multiple Misbehavior Detection in VANET [31] is developed to analyze numerous misbehaviors in Vehicular Ad-hoc Networks. In this regard, a machine learning-based security framework is designed to detect any misbehavior within the network. The principal objective of this framework is to identify any happening of disorderly conduct in the system. Features like count of packets delivered, dropped, node speed-deviation, etc., are used to classify any misbehave conduct. Relevant attributes and patterns are used to differentiate an authorized node from a malicious node. The best part of this framework is that classification is considered for binary (single) as well as multi-class level in order to detect a particular class of misbehavior conduct. But the proposed framework is incapable of identifying that particular culprit node that is responsible for misconduct.
Plausibility checks and ML for Misbehavior Detection in VANET [32] is proposed to apply the concept of machine learning approaches in the scenario of vehicular networks to categorize different misbehaviors. K-Nearest Neighbours and Support Vector Machine are used as classification algorithm. The idea of plausibility check is introduced to classify a node as a legitimate or malicious node. The proposed scheme does not present a comparison of classification techniques, but rather presents a comparison on plausibility checking using machine learning techniques. The best part of the given scheme is that it shows a significant improvement in the maintenance of Precision and Recall as two important estimators of quality of service in vehicular networks. And, the best possible way to achieve this is integration of machine learning concepts and plausibility checks (Fig. 11).
Artificial Neural Network-based misbehavior detection model for VANET [33] is designed to show a remarkable improvement in comparison with other existing baseline models for misbehavior detection. The machine learning-based proposed model is mainly divided into four components, namely data acquisition, sharing, analysis, and decision making. To detect misbehavior, historical data sets which contain normal as well as attacker data are used to train the classifier. The main advantage of using this historical data is that it does not require any further analysis. The feedforward and backpropagation algorithms are used to train the classifier as part of an artificial neural network. The proposed model is capable of detecting misbehavior locally as well as timely. The best thing about this misbehavior detection model is the fact that it is a perfect one that can be implemented in real-time scenarios for vehicular networks (Fig. 12).

Fig. 11 Detection and classification flow graph for proposed system [32]

A vehicle transmitting messages can be malicious or authentic. The performance metrics False Positive Rate (FPR), Recall, Accuracy, Precision, and F-measure are used for analysis of various algorithms given in [6, 12, 13, 14]. The performance metric Accuracy defines the rate of positive detection of misbehavior. False Positive Rate measures the rate of false-positive detection of misbehavior. Recall measures the rate of correctly identified misbehaving messages out of total received misbehaving messages. F-measure defines the harmonic mean that is a trade-off between Recall and Precision. The metric Precision measures the proportion of messages correctly marked as misbehaving out of total marked messages.

Performance Analysis Misbehavior Detection Schemes
In Fig. 13, we have compared the Accuracy of various algorithms as stated above, and the results show that Accuracy is highest in MA-CIDS(RF) i.e., 97% and lowest in MLP-D1 i.e. 64%. Figure 14

Identification of attacker vehicle in which it denies the real traffic congestion scenario is also a challenging issue that must be resolved out
Mitigating DoS attacks in VANETs [24] | Signature based pre-authentication process with the benefits of one-way hash chain as well as group rekeying scheme is used | Mitigates DoS attacks effectively | The issue how to deal with insider attackers in case of DoS attacks can be considered
ID-based authentication framework for VANETs [25] | For authentication purpose ID-based and ID-based online/offline signature schemes are used. Privacy preservation is achieved with the help of pseudonym instead of real world IDs | Reusability is one of the advantage of proposed framework for security and performance purposes | Concepts of data consistency and availability can be worked out
Used a dynamic detection engine in association with plausibility checks and adaptive warning levels | This is the first IDS having a detection engine with pre and post validates, adaptive rules and warning levels | Merging with previous IDS for different OSI layers to enhance its detection ratio

MA-CIDS (RF) and lowest i.e., 30%. in Bissmeyers' ECT-MDS. The overall analysis of all the methodologies shows that a single algorithm performance with all the parameters is not significantly achieved. This means that there is a certain trade-off. But the MA-CIDS(RF) performance is better among all other algorithms.

Open Issues and Research Challenges
Extensive study and research work has been done in the area of misbehavior detection in vehicular networks. But many research issues have not been tackled to a satisfactory level or remain unexplored till now. Some of them are discussed briefly in the following section [28,34].
Dynamic Nature of Vehicles: The mobility of vehicles is a big challenge to establishing a secure vehicular communication network. The dynamic change in the topology of vehicular networks can trigger the problems of network congestion, flooding of useless data, denial of service attacks, etc. As a result, this will lead to misbehavior in the network. So, respective measures should be considered before the implementation of vehicular networks on the real ground.
Security Enhancement and Improvement: With technological advancement, Vehicular Ad-hoc Network can be considered as basic infrastructure for real-time applications such as transportation systems, etc. VANET is one of the research areas which requires higher security orientation. In today's time, a minute mistake can prove catastrophic. An extensive investigation requires insight into security issues due to the dynamic
With the help of machine learning, a prominent level of security has been attained in vehicular networks. But special care is required, especially in the case of ML techniques, as there is always a chance of producing useless and unexpected data.
Implementation within Real Scenario: Numerous misbehavior detection techniques are analyzed in the field of vehicular networks, but most of them lack implementation in real-time scenarios. Simulation work in integration with real-time is the only way to determine the success or failure of a particular misbehavior detection technique within the network.
Integration with New Platforms: Technologies are changing day by day. Misbehavior detection should be capable of adapting to new technological changes while maintaining the security features within the network. These security features have a significant value in the process of implementation of secured vehicular networks. Therefore, there should always be scope for integration with emerging platforms.
Behavioral Analysis as Anomaly Detections: In real life, we cannot deny the possibilities of any kind of malicious crack due to the anti-social personalities around us. Special attention should be given to the behavior analysis of drivers in terms of profile examination and exhaustion detection. Machine learning techniques can be very helpful in this direction with collection and classification of information like drivers' physiological signals, vehicular information, etc. for analysis.
Communication Overhead: Most of the techniques use digital signatures and certificates with each packet of communication to authorize the communication as secured communication. This can lead to communication overhead. To avoid this situation, the concept of compact certificates can be taken into consideration. Moreover, techniques like gossiping, data aggregation, etc. can be preferred to resolve the issue of communication overhead of security messages for the establishment of vehicular networks.
Issues of Privacy: The issues of privacy deal with the private information of vehicles and users, etc. Privacy issues within a vehicular network are as important as security issues. Some of the researchers have worked on these issues by making use of pseudonyms. But some extra measures and concerns are required in this regard for the successful implementation of a vehicular network in the real world.
Provision of Anti-theft Security Features: Most of the schemes related to misbehavior detection have focused on security and privacy issues of communication. The security issues in terms of resisting activities like unauthorized access to vehicles, attacks on the internal control systems of vehicles, etc. are not explored at a satisfactory level. Some major concerns should be taken into consideration to add these anti-theft security features while exploring the functioning of vehicular networks.

Conclusion
The present paper highlights the importance of misbehavior detection schemes to improve the safety and driving conditions of the vehicular environment. Today, VANET applications cover a broad range of real-life as well as social platform activities. The vulnerabilities of VANETs can be considered a direct threat to life. The classification of various misbehavior detection schemes provides a guide to deal with specific security concerns. Also, this study shows that machine learning techniques have proven very efficient for detecting and preventing misbehaviors in VANETs. As the outcome of this paper, future researchers will be able to identify malicious nodes and specific threats or attacks, and choose a remedial strategy to remove malicious nodes from the network for a specific application. Moreover, the discussion of open issues and research challenges creates wide scope for inquiry into misbehavior detection in VANETs. The results worked out with the help of parameters like accuracy, recall, precision, false-positive values and F-measure values show that no single algorithm achieves a satisfactory level of performance.
Funding: This research received no external funding.
Data Availability: Data sharing is not applicable to this article as no datasets were generated or analysed during the current study.
Code Availability: Code sharing is not applicable to this article.

Conflicts of interest
The authors declare no conflict of interest.