Song Luo,Lianghai Lai,Tan Hu,Xin Hu

DOI: https://doi.org/10.7717/peerj-cs.2108

2024-06-13

PeerJ Computer Science

Abstract:With the development of technology, more and more devices are connected to the Internet. According to statistics, Internet of Things (IoT) devices have reached tens of billions of units, which forms a massive Internet of Things system. Social Internet of Things (SIoT) is an essential extension of the IoT system. Because of the heterogeneity present in the SIoT system and the limited resources available, it is facing increasing security issues, which hinders the interaction of SIoT information. Consortium chain combined with the trust problem in SIoT systems has gradually become an important goal to improve the security of SIoT data interaction. Detection of malicious nodes is one of the key points to solve the trust problem. In this article, we focus on the consortium chain network. According to the information characteristics of nodes on the consortium chain, it can be analyzed that the SIoT malicious node detection combined with the consortium chain network should have the privacy protection, subjectivity, uncertainty, lightweight, dynamic timeliness and so on. In response to the features above and the concerns of existing malicious node detection methods, we propose an algorithm based on inter-block delay. We employ unsupervised clustering algorithms, including K-means and DBSCAN, to analyze and compare the data set intercepted from the consortium chain. The results indicate that DBSCAN exhibits the best clustering performance. Finally, we transmit the acquired data onto the chain. We conclude that the proposed algorithm is highly effective in detecting malicious nodes on the combination of SIoT and consortium chain networks.

computer science, information systems, artificial intelligence, theory & methods

Khaled Alanezi,Shivakant Mishra

2023-08-20

Abstract:Modern IoT (Internet of Things) environments with thousands of low-end and diverse IoT nodes with complex interactions among them and often deployed in remote and/or wild locations present some unique challenges that make traditional node compromise detection services less effective. This paper presents the design, implementation and evaluation of a fog-based architecture that utilizes the concept of a digital-twin to detect compromised IoT nodes exhibiting malicious behaviors by either producing erroneous data and/or being used to launch network intrusion attacks to hijack other nodes eventually causing service disruption. By defining a digital twin of an IoT infrastructure at a fog server, the architecture is focused on monitoring relevant information to save energy and storage space. The paper presents a prototype implementation for the architecture utilizing malicious behavior datasets to perform misbehaving node classification. An extensive accuracy and system performance evaluation was conducted based on this prototype. Results show good accuracy and negligible overhead especially when employing deep learning techniques such as MLP (multilayer perceptron).

Cryptography and Security

Javaid, Nadeem

DOI: https://doi.org/10.1007/s11276-023-03648-3

IF: 2.701

2024-02-09

Wireless Networks

Abstract:The presence of the malicious internet of things (IoT) devices in wireless sensor networks (WSNs), in the underlying work, is identified using a private blockchain and interplanetary file system (IPFS) based system. In the proposed model, the registration of IoT devices is being done via the IoT device manager. After registration, the IoT devices send a request to get services from the IoT device manager. At this stage, authentication is performed through a machine learning technique, known as logitboost (LB), which helps in identifying the IoT devices as malicious or legitimate. A verification report is forwarded to the IoT device manager upon detection. If the IoT device is found to be acting maliciously, it is penalized and vice versa. Thus, ensuring the IoT device manager provides the required service only to the legitimate IoT device. The data used in the proposed work is taken from the WSN dataset (WSN-DS), which is balanced via the synthetic minority oversampling technique. Additionally, the miner nodes' verification is performed via verifiable byzantine fault tolerance (VBFT). Also, IPFS is used to store the transaction data being shared between the IoT devices. The simulation results show that VBFT surpasses the proof of authority consensus mechanism by 15–20% in terms of transaction throughput. Furthermore, the LB classifier is found to surpass decision tree, nearest centroid, quadratic discriminant analysis and weighted average ensemble by 2%, 24%, 71%, 5% in terms of accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Maimoona Bint E. Sajid,Sameeh Ullah,Nadeem Javaid,Ibrar Ullah,Ali Mustafa Qamar,Fawad Zaman

DOI: https://doi.org/10.1155/2022/7386049

2022-01-18

Wireless Communications and Mobile Computing

Abstract:In this paper, a blockchain-based secure routing model is proposed for the Internet of Sensor Things (IoST). The blockchain is used to register the nodes and store the data packets’ transactions. Moreover, the Proof of Authority (PoA) consensus mechanism is used in the model to avoid the extra overhead incurred due to the use of Proof of Work (PoW) consensus mechanism. Furthermore, during routing of data packets, malicious nodes can exist in the IoST network, which eavesdrop the communication. Therefore, the Genetic Algorithm-based Support Vector Machine (GA-SVM) and Genetic Algorithm-based Decision Tree (GA-DT) models are proposed for malicious node detection. After the malicious node detection, the Dijkstra algorithm is used to find the optimal routing path in the network. The simulation results show the effectiveness of the proposed model. PoA is compared with PoW in terms of the transaction cost in which PoA has consumed 30% less cost than PoW. Furthermore, without Man In The Middle (MITM) attack, GA-SVM consumes 10% less energy than with MITM attack. Moreover, without any attack, GA-SVM consumes 30% less than grayhole attack and 60% less energy than mistreatment. The results of Decision Tree (DT), Support Vector Machine (SVM), GA-DT, and GA-SVM are compared in terms of accuracy and precision. The accuracy of DT, SVM, GA-DT, and GA-SVM is 88%, 93%, 96%, and 98%, respectively. The precision of DT, SVM, GA-DT, and GA-SVM is 100%, 92%, 94%, and 96%, respectively. In addition, the Dijkstra algorithm is compared with Bellman Ford algorithm. The shortest distances calculated by Dijkstra and Bellman are 8 and 11 hops long, respectively. Also, security analysis is performed to check the smart contract’s effectiveness against attacks. Moreover, we induced three attacks: grayhole attack, mistreatment attack, and MITM attack to check the resilience of our proposed system model.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zain Abubaker,Nadeem Javaid,Ahmad Almogren,Mariam Akbar,Mansour Zuair,Jalel Ben-Othman

DOI: https://doi.org/10.1016/j.comnet.2021.108691

IF: 5.493

2022-02-01

Computer Networks

Abstract:In this paper, a blockchained Beyond Fifth Generation (B5G) enabled malicious node detection model is proposed for the Internet of Sensor Things (IoSTs). Moreover, a secure service provisioning scheme using cascading encryption and feature evaluation process is also proposed for the IoSTs. The presence of malicious nodes causes severe issues in the localization and service provisioning, which discourages new entities to join the network. Therefore, it is very important to establish trust between all entities by detecting and removing such nodes. The proposed B5G enabled malicious node detection model uses federated learning for the detection of malicious nodes. The federated learning uses Support Vector Machine (SVM) and Random Forest (RF) classifiers to detect the malicious nodes. The malicious nodes are classified on the bases of their honesty and end-to-end delay. Moreover, the service provider nodes provide services to each other and get the reward. However, the service provisioning in the IoSTs has many issues like a repudiation of service providers as well as the clients. The feature evaluation and cascading encryption mechanisms are used to solve these issues. The digital signature in cascading encryption ensures the non-repudiation of the service provider. On the other hand, feature evaluation of service ensures that the client cannot repudiate about actually demanded services. Moreover, the conformance of services is also ensured by the feature evaluation process. The simulation results show the effectiveness of our proposed non-repudiation model. The SVM and RF classifiers are compared in terms of accuracy, precision, F1 score and recall. The accuracy, precision, F1 score and recall of SVM are 79%, 1, 0.8795 and 0.78, respectively. On the other hand, the accuracy, precision, F1 score and recall of RF classifier are 95%, 0.92, 0.96 and 1, respectively. The results show that RF has better accuracy than RF in malicious nodes detection.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Serin V. Simpson,Y. Ravi Raju,K. Bhanu Rajesh Naidu,Gopika Venu

DOI: https://doi.org/10.1007/s41870-023-01467-5

2023-09-13

International Journal of Information Technology

Abstract:This study presents SECURE TRUST, a novel blockchain-enabled trust and reputation system designed to address the growing security risks associated with the proliferation of IoT devices. By leveraging blockchain technology, our system effectively evaluates the reliability of nodes in IoT networks and mitigates harmful activities. Our approach employs smart contracts to facilitate collaborative detection and mitigation of malicious behavior among nodes. Furthermore, we integrate a trust and reputation system that assigns trust ratings to nodes based on their past interactions and behavior. Our system is compatible with various hardware platforms and utilizes open-source software components. Extensive testing demonstrates that our proposed approach reliably detects and reduces security risks caused by malicious nodes, offering robust protection against unwanted activities.

Shice Zhao,Hongshan Zhao,Jingjie Sun

DOI: https://doi.org/10.1049/smt2.12160

2023-09-17

IET Science Measurement & Technology

Abstract:Currently, a large number of monitoring sensors are introduced into the power grid. However, the traditional trust models commonly used for edge‐side security management are weak in detecting large‐scale malicious interactions and collusion attacks. For that, a lightweight and anti‐collusion trust model combined with nodes' dynamic relevance for the power IoT is proposed. A large number of monitoring sensors are introduced in the power grid. However, the traditional trust models commonly used for edge‐side security management are weak in detecting large‐scale malicious interactions and collusion attacks. For that, a lightweight and anti‐collusion trust model combined with nodes' dynamic relevance for the power Internet of Things (IoT) is proposed. Firstly, a global trust management system is constructed according to the working mechanism of sensors in the power grid. After that, trust feedback and contact frequency of the devices are combined to build an adaptive dynamic weight vector based on relevance volatility. Fluctuations in trust values are reduced and the trust difference between normal and malicious nodes is widened. An anti‐collusion algorithm based on contact set awareness is also designed to effectively detect collusion attacks. The checksum local broadcast is established in the trust model to counteract the risk of intelligent terminal failure. The results show that the trust model achieves 100% accuracy of node discrimination when the maximum proportion of malicious nodes is 20% in a 50‐node network scale. In addition, the calculation time of the overall model is 211 ms and the memory consumption is 161 kb, which is suitable for power IoT sensor networks.

engineering, electrical & electronic

Bo Wang,Wei Liu,Zhao Tian,Wei She,Qi Liu,Jian-Sen Chen

DOI: https://doi.org/10.1109/ACCESS.2019.2902811

IF: 3.9

2019-03-18

IEEE Access

Abstract:The Internet of Things (IoT) has been widely used because of its high efficiency and real-time collaboration. A wireless sensor network is the core technology to support the operation of the IoT, and the security problem is becoming more and more serious. Aiming at the problem that the existing malicious node detection methods in wireless sensor networks cannot be guaranteed by fairness and traceability of detection process, we present a blockchain trust model (BTM) for malicious node detection in wireless sensor networks. First, it gives the whole framework of the trust model. Then, it constructs the blockchain data structure which is used to detect malicious nodes. Finally, it realizes the detection of malicious nodes in 3D space by using the blockchain smart contract and the WSNs’ quadrilateral measurement localization method, and the voting consensus results are recorded in the blockchain distributed. The simulation results show that the model can effectively detect malicious nodes in WSNs, and it can also ensure the traceability of the detection process.

Engineering,Computer Science

M. S. Gowtham,M. Vigenesh,M. Ramkumar

DOI: https://doi.org/10.1002/ett.4938

IF: 3.6

2024-01-31

Transactions on Emerging Telecommunications Technologies

Abstract:Abstract The Mobile Ad Hoc Network (MANET) depending on dynamic distributed topology presents several challenges such as decentralized infrastructure. In MANET, each node act as a host as well as a router to exchange packet. From Source to destination, the MANET nodes offer the ability of transmission to send, receive, and route traffic. Moreover, the presence of selfish nodes or malicious nodes in MANETs significantly degrades network performance. Identifying and isolating such nodes poses a formidable challenge. Consequently, this research introduces a security model founded on the principles of an Artificial Immune System (AIS) to detect and defend against Selfish Node (SN) attacks. This research work employs the principles of AIS to categorize a node's behavioral state based on the Mature Context Immune Antigen Rate (MCIAR). Subsequently, a hybrid protocol named Reliable History‐dependent Resource Conscious Clustered and Defensive AODV (RRCC‐DAODV) is introduced to detect Selfish Nodes (SNs) and counteract their attacks. Within the RRCC algorithm, the identification of selfish nodes relies on both Trust Value (TV) and Residual Energy (RE). Additionally, the proposed DAODV protocol incorporates the V‐detector algorithm to enhance defense mechanisms against potential attacks. The simulation of the proposed model is carried out in NS3. The proposed mechanism achieves a detection ratio of 94.05%. The simulation outcomes demonstrate the excellence of the implemented system. This superiority is observed when compared to other standard protocols, as indicated by the parameters of throughput, residual energy, packet delivery ratio, and delay.

telecommunications

Ibbad Hafeez,Markku Antikainen,Aaron Yi Ding,Sasu Tarkoma

DOI: https://doi.org/10.1109/tnsm.2020.2966951

2020-03-01

IEEE Transactions on Network and Service Management

Abstract:IoT devices are notoriously vulnerable even to trivial attacks and can be easily compromised. In addition, resource constraints and heterogeneity of IoT devices make it impractical to secure IoT installations using traditional endpoint and network security solutions. To address this problem, we present IoT-Keeper, a lightweight system which secures the communication of IoT. IoT-Keeper uses our proposed anomaly detection technique to perform traffic analysis at edge gateways. It uses a combination of fuzzy C-means clustering and fuzzy interpolation scheme to analyze network traffic and detect malicious network activity. Once malicious activity is detected, IoT-Keeper automatically enforces network access restrictions against IoT device generating this activity, and prevents it from attacking other devices or services. We have evaluated IoT-Keeper using a comprehensive dataset, collected from a real-world testbed, containing popular IoT devices. Using this dataset, our proposed technique achieved high accuracy (≈0.98) and low false positive rate (≈0.02) for detecting malicious network activity. Our evaluation also shows that IoT-Keeper has low resource footprint, and it can detect and mitigate various network attacks—without requiring explicit attack signatures or sophisticated hardware.

Daniele Canavese,Luca Mannella,Leonardo Regano,Cataldo Basile

DOI: https://doi.org/10.3390/s24020590

IF: 3.9

2024-01-18

Sensors

Abstract:The Internet of Things (IoT) is rapidly growing, with an estimated 14.4 billion active endpoints in 2022 and a forecast of approximately 30 billion connected devices by 2027. This proliferation of IoT devices has come with significant security challenges, including intrinsic security vulnerabilities, limited computing power, and the absence of timely security updates. Attacks leveraging such shortcomings could lead to severe consequences, including data breaches and potential disruptions to critical infrastructures. In response to these challenges, this research paper presents the IoT Proxy, a modular component designed to create a more resilient and secure IoT environment, especially in resource-limited scenarios. The core idea behind the IoT Proxy is to externalize security-related aspects of IoT devices by channeling their traffic through a secure network gateway equipped with different Virtual Network Security Functions (VNSFs). Our solution includes a Virtual Private Network (VPN) terminator and an Intrusion Prevention System (IPS) that uses a machine learning-based technique called oblivious authentication to identify connected devices. The IoT Proxy's modular, scalable, and externalized security approach creates a more resilient and secure IoT environment, especially for resource-limited IoT devices. The promising experimental results from laboratory testing demonstrate the suitability of IoT Proxy to secure real-world IoT ecosystems.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Subhash Mondal,Subinoy Mukherjee,Suharta Banerjee

DOI: https://doi.org/10.1007/978-981-16-4435-1_30

2021-08-03

Abstract:Internet of Things is the most promising technology that is trying to transform the way in which we live and is expected to seamlessly get integrated into our environment. However, securing the IoT devices from attacks is the prime concern for researchers today. Securing IoT systems from malicious attacks is the most challenging task as attacks like DoS or DDoS are distributed in nature. In this paper we have proposed an architecture based on ML that will identify the malicious nodes which in turn will provide pre-authentication and access control, thus preventing unauthorized access of IoT resources. We have mainly emphasized on the trade-off between time, memory, and accuracy of ML algorithms for achieving better performance.

Noshina Tariq,Muhammad Asim,Farrukh Aslam Khan,Thar Baker,Umair Khalid,Abdelouahid Derhab

DOI: https://doi.org/10.3390/s21010023

IF: 3.9

2020-12-22

Sensors

Abstract:A multitude of smart things and wirelessly connected Sensor Nodes (SNs) have pervasively facilitated the use of smart applications in every domain of life. Along with the bounties of smart things and applications, there are hazards of external and internal attacks. Unfortunately, mitigating internal attacks is quite challenging, where network lifespan (w.r.t. energy consumption at node level), latency, and scalability are the three main factors that influence the efficacy of security measures. Furthermore, most of the security measures provide centralized solutions, ignoring the decentralized nature of SN-powered Internet of Things (IoT) deployments. This paper presents an energy-efficient decentralized trust mechanism using a blockchain-based multi-mobile code-driven solution for detecting internal attacks in sensor node-powered IoT. The results validate the better performance of the proposed solution over existing solutions with 43.94% and 2.67% less message overhead in blackhole and greyhole attack scenarios, respectively. Similarly, the malicious node detection time is reduced by 20.35% and 11.35% in both blackhole and greyhole attacks. Both of these factors play a vital role in improving network lifetime.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jaydip Sen

DOI: https://doi.org/10.5013/IJSSST.a.12.04.04

2013-02-20

Abstract:A mobile ad hoc network (MANET) is a collection of autonomous nodes that communicate with each other by forming a multi-hop radio network and maintaining connections in a decentralized manner. Security remains a major challenge for these networks due to their features of open medium, dynamically changing topologies, reliance on cooperative algorithms, absence of centralized monitoring points, and lack of clear lines of defense. Protecting the network layer of a MANET from malicious attacks is an important and challenging security issue, since most of the routing protocols for MANETs are vulnerable to various types of attacks. Ad hoc on-demand distance vector routing (AODV) is a very popular routing algorithm. However, it is vulnerable to the well-known black hole attack, where a malicious node falsely advertises good paths to a destination node during the route discovery process but drops all packets in the data forwarding phase. This attack becomes more severe when a group of malicious nodes cooperate each other. The proposed mechanism does not apply any cryptographic primitives on the routing messages. Instead, it protects the network by detecting and reacting to malicious activities of the nodes. Simulation results show that the scheme has a significantly high detection rate with moderate network traffic overhead and computation overhead in the nodes.

Cryptography and Security,Networking and Internet Architecture

Andy Reed,Laurence Dooley,Soraya Kouadri Mostefaoui

DOI: https://doi.org/10.3390/s24175581

IF: 3.9

2024-08-31

Sensors

Abstract:The pernicious impact of malicious Slow DoS (Denial of Service) attacks on the application layer and web-based Open Systems Interconnection model services like Hypertext Transfer Protocol (HTTP) has given impetus to a range of novel detection strategies, many of which use machine learning (ML) for computationally intensive full packet capture and post-event processing. In contrast, existing detection mechanisms, such as those found in various approaches including ML, artificial intelligence, and neural networks neither facilitate real-time detection nor consider the computational overhead within resource-constrained Internet of Things (IoT) networks. Slow DoS attacks are notoriously difficult to reliably identify, as they masquerade as legitimate application layer traffic, often resembling nodes with slow or intermittent connectivity. This means they often evade detection mechanisms because they appear as genuine node activity, which increases the likelihood of mistakenly being granted access by intrusion-detection systems. The original contribution of this paper is an innovative Guardian Node (GN) Slow DoS detection model, which analyses the two key network attributes of packet length and packet delta time in real time within a live IoT network. By designing the GN to operate within a narrow window of packet length and delta time values, accurate detection of all three main Slow DoS variants is achieved, even under the stealthiest malicious attack conditions. A unique feature of the GN model is its ability to reliably discriminate Slow DoS attack traffic from both genuine and slow nodes experiencing high latency or poor connectivity. A rigorous critical evaluation has consistently validated high, real-time detection accuracies of more than 98% for the GN model across a range of demanding traffic profiles. This performance is analogous to existing ML approaches, whilst being significantly more resource efficient, with computational and storage overheads being over 96% lower than full packet capture techniques, so it represents a very attractive alternative for deployment in resource-scarce IoT environments.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ahmad Almadhor,Ali Altalbe,Imen Bouazzi,Abdullah Al Hejaili,Natalia Kryvinska

DOI: https://doi.org/10.1038/s41598-024-76016-6

IF: 4.6

2024-10-18

Scientific Reports

Abstract:Due to the rising use of the Internet of Things (IoT), the connectivity of networks increases the risk of Distributed Denial of Service (DDoS) attacks. Decentralized systems commonly used in centralized security systems fail to adequately prevent potential cyber threats in IoT because of the issues of privacy and scaling. The method proposed in this study seeks to remedy these facts by employing Explainable Artificial Intelligence (XAI) together with Federated Deep Neural Networks (FDNNs) to detect and prevent DDoS attacks. Our approach is thus to use federated learning models that are to be trained on distributed and dissimilar sources of data without compromising on the privacy aspect. FDNNs were trained over three rounds with information from three client gadgets incorporating pre-processed datasets of various types of DDoS attacks. Additionally, for feature selection, we integrated XGBoost with SHapley Additive exPlanations (SHAP) to improve model interpretability. The proposed solution can be considered to be quite robust, privacy-preserving, and highly scalable for the detection of DDoS attacks on the IoT network. The results shown on the server side indicate that this approach accurately detects 99.78% of DDoS attacks with a precision rate as high as 99.80%, recall rate (detection rate) going up to 99.74% and F1 score reaching 99.76%. They emphasize that FL-based IDSs are strong enough to cope with cybersecurity challenges in IoT, thus offering hope for securing modern network infrastructures against ever-growing cyber threats.

multidisciplinary sciences

Aboulfazl Dayyani,Maghsoud Abbaspour

DOI: https://doi.org/10.1049/cmu2.12734

IF: 1.345

2024-02-02

IET Communications

Abstract:This research introduces the SybilPSIoT method based on signed networks and the web of trust. SybilPSIoT receives a set of benevolent nodes (e.g. producing companies) to determine node labels. It also uses game theory and the smart contract‐based access control system to prevent creating new Sybil things. Sybil attacks are a very serious challenge in social networks including, the Social Internet of Things (SIoT). This paper introduces the SybilPSIoT method, in which a hybrid prevention and detection decentralized approach is proposed in SIoT based on smart contracts. The owner adds his objects to the smart contract. However, hostile owners can create Sybil things. This paper formally presents a model that uses a signed SIoT network with objects and identifiers as network nodes and information about the type of nodes (acknowledgers). Assuming the relationship between the edge marks between nodes and the node type, the proposed method uses trust paths between verification and desired nodes using a Bayesian inference model and structural balance patterns to judge the target node in these paths. It also uses game theory to control access owners to prevent Sybil from creating new things based on a cost‐benefit function. Based on the analysis method, a validating effect proportional to the path length on the target object was presented. This method was compared with the most novel available methods; the results from this comparison depict the scalability and effectiveness of the proposed method for large networks.

engineering, electrical & electronic

Shahram Behzad,Reza Fotohi,Jaber Hosseini Balov,Mohammad Javad Rabipour

DOI: https://doi.org/10.48550/arXiv.2003.00870

2020-02-24

Networking and Internet Architecture

Abstract:MANETs (Mobile Ad-hoc Networks) is a temporal network, which is managed by autonomous nodes, which have the ability to communicate with each other without having fixed network infrastructure or any central base station. Due to some reasons such as dynamic changes of the network topology, trusting the nodes to each other, lack of fixed substructure for the analysis of nodes behaviors and loss of specific offensive lines, this type of networks is not supportive against malicious nodes attacks. One of these attacks is black hole attack. In this attack, the malicious nodes absorb data packets and destroy them. Thus, it is essential to present an algorithm against the black hole attacks. This paper proposed a new approach, which improvement the security of DSR routing protocol to encounter the black hole attacks. This schema tries to identify malicious nodes according to nodes behaviors in a MANETs and isolate them from routing. The proposed protocol, called AIS-DSR (Artificial Immune System DSR) employ AIS (Artificial Immune System) to defend against black hole attacks. AIS-DSR is evaluated through extensive simulations in the ns-2 environment. The results show that AIS-DSR outperforms other existing solutions in terms of throughput, end-to-end delay, packets loss ratio and packets drop ratio.

Kanwal Rashid,Yousaf Saeed,Abid Ali,Faisal Jamil,Reem Alkanhel,Ammar Muthanna

DOI: https://doi.org/10.3390/s23052594

2023-02-26

Abstract:Modern vehicle communication development is a continuous process in which cutting-edge security systems are required. Security is a main problem in the Vehicular Ad Hoc Network (VANET). Malicious node detection is one of the critical issues found in the VANET environment, with the ability to communicate and enhance the mechanism to enlarge the field. The vehicles are attacked by malicious nodes, especially DDoS attack detection. Several solutions are presented to overcome the issue, but none are solved in a real-time scenario using machine learning. During DDoS attacks, multiple vehicles are used in the attack as a flood on the targeted vehicle, so communication packets are not received, and replies to requests do not correspond in this regard. In this research, we selected the problem of malicious node detection and proposed a real-time malicious node detection system using machine learning. We proposed a distributed multi-layer classifier and evaluated the results using OMNET++ and SUMO with machine learning classification using GBT, LR, MLPC, RF, and SVM models. The group of normal vehicles and attacking vehicles dataset is considered to apply the proposed model. The simulation results effectively enhance the attack classification with an accuracy of 99%. Under LR and SVM, the system achieved 94 and 97%, respectively. The RF and GBT achieved better performance with 98% and 97% accuracy values, respectively. Since we have adopted Amazon Web Services, the network's performance has improved because training and testing time do not increase when we include more nodes in the network.