UNION: A Trust Model Distinguishing Intentional and Unintentional Misbehavior in Inter-UAV Communication

,


Introduction
Various applications emerged with the introduction of Flying Ad Hoc Networks (FANETs), including shipment of goods, home package delivery, crop monitoring, agricultural surveillance, and rescue operations [1].Unlike traditional Mobile Ad Hoc Networks, FANET applications are generally unicastbased mainly due to energy restrictions [2].
FANETs nodes are Unmanned Aerial Vehicles (UAVs) that collaborate with each other in ad hoc mode through a Line-of-Sight (LoS) link to exchange data packets.However, they can also communicate with fixed ground stations, with an air traffic controller, or through a Non-Line-of-Sight (NLoS) link with a satellite-aided controller (see Figure 1).
The problems involved in these communications are mostly related to packet loss because of both the lack of security and the unreliability of wireless communication links [3].
Many solutions have been proposed to secure inter-UAV communications.They are mostly targeting the different security services, including authentication and access control [4], data integrity and availability [5], and privacy [6].Unlike the proposed solutions for other security services, availability insurance solutions suffer from the high error ratios in the detection process, as they do not differentiate between intentional and unintentional dishonesty of nodes.
Furthermore, the attacks against service availability are generally related to packet drops and Denial of Service (DoS).Both kinds of attacks can be faced using either cryptographic techniques [7] or trust management techniques [8].Cryptographic techniques are the best solution against outsider unauthorized entities, but these techniques are known to require high computation overhead and consume much energy, becoming a problem for current commercial UAVs [9].On the other hand, trust management, which is an alternative security approach dealing with insider authenticated attackers, introduces less computation and energy requirements than cryptography [10], thus being considered a more appropriate option.
In this paper, we propose a new context-aware trust-based solution called  to distinguish between intentional and unintentional dishonesty in FANETs.Our proposal establishes trust among the different UAVs, while simultaneously measuring the network and energy conditions of neighboring UAVs.Thus, if an UAV has insufficient memory, battery, or a bad communication link, thus being mostly unable to properly receive/forward packets, it will not see its trust levels decrease, and any packet drops will be considered as unintentional misbehavior (see Figure 2).Moreover,  also uses the computed trust and context-related metrics to ensure an efficient inter-UAV packet delivery.
The rest of the paper is organized as follows: in the following section, we present an overview of the main attacks that can be launched against inter-UAV communication, together with the network-related packet loss reasons.Furthermore, this section also provides a summary of the cryptographybased and trust-based inter-UAV communications.Afterwards, we detail our proposal in Section 3 and propose a new trust-based context-aware inter-UAV packet delivery strategy in Section 4. In Section 5, we present the simulation setup and discuss the obtained results compared to three existing works.Finally, Section 6 provides some concluding remarks and discusses the possible research directions.

Background and Related Works
Existing commercial UAVs are vulnerable to several basic security attacks, which may clearly cause inter-UAV network disruption in the context of FANETs.In fact, similarly to all Mobile Ad Hoc Networks, different kind of attacks can be launched against FANETs, including the following: (i) Replay attack: in this attack, the dishonest UAV records the routing messages of legitimate nodes and resends these messages at later times, thereby building suboptimal routes or causing route loops.
(ii) Position-based replay: same as the previous attack, the dishonest UAV records the routing messages of legitimate nodes and resends them to another location, again building suboptimal routes or causing route loops.
(iii) Position-based replay and gray holes: in this kind of attack, a pair of attackers, linked via a fast transmission path (tunnel), forward routing messages between two distant nodes, thus building a route that goes through the attacker that selectively drops packets.(iv) Flooding: it consists of the continuous broadcast of route requests towards nonexisting destinations, thus consuming network resources such as bandwidth.
(v) Path diversion: its main principle is forging routing messages generated by legitimate nodes (e.g., tampering the metric), thereby building suboptimal routes or causing route loops.
(vi) IP impersonation: in this case the attacker performs IP spoofing and, as a result, it can generate and propagate corrupted information on behalf of other nodes.
(vii) Black hole: this type of attacker does not collaborate on network operations, dropping all packets for both malicious and selfish reasons (e.g., battery saving).
The situations for which the existing security solutions do not distinguish between intentional and unintentional misbehavior are the ones related to the last category of packet dropping.This situation can occur for many reasons besides the intentional ones.Table 1 summarizes the main unintentional packet dropping reasons that an intermediate UAV may experience.
As we mentioned above, the existing security solutions do not distinguish between intentional and unintentional dishonesty.These solutions are generally classified into cryptography-based and trust-based solutions.

Main Existing Cryptography-Based Solutions.
Existing security solutions for FANETs are generally falling under this category.We find that only a few ones have been specifically developed to establish trust in FANET environments.
In [11], the authors consider a game theoretic approach to avoid jamming attacks on the communications channel by computing optimal strategies within the scope of an UAV swarm.In their discussion, they have considered two approaches that are used to derive the necessary conditions to reach the saddle point strategies of the players.
In [12], a spatial secure group communication (SSGC) problem is introduced, and it deeply investigates an analytical framework for multiple UAVs.A distributed method is proposed to solve the problem, which analyzes the spatial group size, the upper bound for group members, and the stability.In particular, the communications range and the relative position are also investigated to form a closed group.The feasibility of this proposal is demonstrated with an application scenario.However, this proposal suffers from a huge communications overhead.
Different security threats for UAVs systems are analyzed, and a cybersecurity threat model has been proposed in [13].A detailed security threat analysis is done which provides an edge to researchers, designers, and users by identifying vulnerabilities in UAVs systems, thereby helping to identify the most appropriate countermeasures.
In [7], the authors examined the cybersecurity issues associated with drone-assisted public safety networks where sensitive or critical information can be transmitted between networks.However, the authors did not propose any clear contribution.
In [14], the authors present a new secure routing protocol called SUAP (Secure UAV Ad Hoc Routing Protocol).The proposal ensures message authentication and provides detection and prevention of wormhole attacks.SUAP is a reactive protocol using public key cryptography, hash chains, and geographical leashes.However, the size of the exchanged authentication messages and the required computation power are the main drawbacks of this work.
Sharma and Kumar [15] presented an opportunistic network formation strategy using cross layer design applicable to FANETs.The service layer security of FANETs is used in the presented network model to provide parameterized input to a neural setup.The proposed design offers effective utilization of resources, high data delivery ratio, and efficient service coordination with lower delay to secure the service.Despite its efficiency for standard application services, the delay introduced by the neural network remains unacceptable when safety issues must be addressed.

Main Existing Trust-Based Solutions.
Most of the existing trust-based solutions for FANETs were initially proposed for MANETs [16,17] and VANETs [18,19], where only a few ones are specific to FANETs.
In a previous work, we proposed a trust-based energyefficient distributed monitoring technique for FANETs.In this proposal, UAVs trusting each other, and moving with similar mobility patterns, distribute monitoring tasks among themselves to save more energy.However, same as all the existing solutions, this solution does not distinguish between intentional and unintentional misbehavior [20].
In [8], the authors analyzed the requirements for efficient UAV communications, identifying the similarities and the differences between MANETs and UAV-based networks and protocols.They also discussed the various trust-based protocols and management schemes that can be used in UAV networks.
As we mentioned above, all the existing solutions from both categories are prone to suffer from the high packet loss ratios that are inherent to FANETs.To overcome these problems, in the following sections, we detail our proposal called ; it is able to sustain the desired security level while providing awareness of network conditions, thereby helping in minimizing the error ratios associated with detecting actual attacks.

UNION Details: Trust Computation and Unintentional Misbehavior Identification
To avoid signalling as malicious those UAVs who have unintentionally dropped some packet, our modular trust model illustrated in Figure 3 works as follows.
It first estimates the buffer occupation, energy, and mobility patterns of the UAVs and simultaneously computes the trust of these UAVs without considering the above three conditions.Afterward, if the system detects that any nearby UAVs have unintentionally dropped packets, it adds a trust correction factor  to the overall inter-UAV trust computation that we call (, ), thus resulting in a final evaluation index called .The latter is compared to a predefined detection threshold DTH bellow which UAVs are considered dishonest.Algorithm 1 summarizes this process.Notice that the  factor can be dynamically adjusted using the UAVs residual energy, the duration of disconnection periods, or the buffer size.
In the following section, we first start by establishing the inter-UAV trust, and we then show how the context-related metrics are estimated.(,) ) in a specific time period   .Every UAV continuously monitors the network to evaluate the honesty of nearby UAVs.The overall trust (, ) is then computed by combining both interaction-based and recommendation-based trusts.We also use factors 1 − 1/(# + 1) and 1/(# + 1) in such a way that the more direct interactions we have, the more we consider the interaction-based trust compared to the recommendation-based one, and vice versa.Since UAVs may be in the range of each other several times, over several time periods, we consider the average direct/indirect evaluation during these periods.The global inter-UAV trust is computed using

Interaction-Based Trust (Direct).
The interaction-based trust ( (, )) of an UAV  that is evaluated by another UAV  is calculated as the ratio of the forwarding actions    (,) to the total number of actions (both drops and forwards    (,) ) during   .Therefore, the interaction-based trust is calculated in the following way: The factor 1 − 1/(   (,) + 1) is used in such way that several packet forwarding actions are required in order to increase the interaction-based trust.This ensures the trust property usually known as the "hard to win, easy to lose" rule.

Recommendation-Based Trust Computation (Indirect).
In our proposal, the inter-UAV exchanged recommendations (indirect trust) are sent together with the exchanged data messages.To favor the opinions sourced by UAVs considered as trusted, the received recommendation (Rec) sourced by an UAV  concerning the behavior of UAV  (Rec   (,) ) is combined with the direct trust of the recommender  during a time period   , as described in during   , ∀ ∈ {trusted direct neighbors of } . (3)

Unintentional Misbehavior Identification.
To distinguish between unintentional dishonesty from the intentional one, in this work we study three metrics, which are (i) drops due to the limited free buffer space and data freshness, (ii) drops due to lack of energy, and (iii) drops due to the mobility patterns of the selected forwarder.The following sections detail how we estimate the current condition of each considered metric.

Unintentional Misbehavior for Queuing and Packet
Freshness Reasons.To evaluate the buffer condition and to decide if an UAV is unintentionally dropping packets because his buffer is full, we compute the average number of received packets (RP  ) and transmitted packets (RP  ) during a time period   .In addition, we use factor  to give more importance to the latest period, as it is the most recent and relevant period to consider.Equations (4) show how the average number of received and transmitted packets is computed, respectively.
Afterwards, based on the average number of received/ transmitted packets, the average number of queued packets is computed as follows: Finally, the average waiting time of a packet within the queue of UAV  can be estimated used   () =   () Given a buffer size of   , neighboring UAVs can decide whether UAV  will unintentionally start dropping packets or not.If the number of queued packets multiplied by the standard packet size is equal to the buffer size of , it means that the buffer is full, and so  will be dropping all received packets.In addition, if the average waiting time for the buffer of  is longer than the packet remaining life time, the packet will be also dropped.Otherwise, neither the queue nor packet freshness are causing drops by the UAV .Algorithm 2 summarizes this process.

Unintentional Misbehavior for Energy Reasons.
Besides the engine-related energy consumption, we have three communication-related cases causing energy depletion: (i) energy consumption due to operating in promiscuous mode, (ii) energy consumption associated with packet reception (ERP), and (iii) energy consumption related to packet transmission (ETP).Various energy models consider the energy consumption of the promiscuous mode equal to ERP, including "MEDUSA-II," designed to be ultra-low power, and "Rockwell's WINS model," representing a high-end sensor node equipped with a powerful StrongARM SA-1100 processor from Intel.For instance, in MEDUSA-II, and for any data rate, the node's ERP is 22.20 mW, and 22.06 mW is the power consumed in promiscuous mode, whereas in Rockwell's WINS the ERP is 751.6, and 727.5 mW is the power consumed in promiscuous mode [21,22].It is clear that, beside the device features, the ERP energy consumption is almost always equal to the one of the promiscuous mode.For the sake of simplicity, we assume in this work that the promiscuous mode consumption is equal to ERP, and the total communication-related energy is given by the following equation: When a node sends or receives a packet, the network interface of the node decrements the available energy according to the specific network interface card characteristics, the packets' size, and the used bandwidth.The following equations represent the energy used (in Joules) when a packet is transmitted (see (8)) or received (see (9)); notice that packet size is represented in bits [23]: ERP  = 230 * 5 *  2 * 10 6 .
Note that, when a packet is transmitted, a percentage of the consumed energy represents the radio frequency (RF) energy.This energy is used for the propagation model in −2 to determine the energy level detected by the neighbors' interface nodes upon packet reception, allowing them to consequently determine if packet reception was successful or unsuccessful.
Given an initial energy of   , neighboring UAVs can decide whether the UAV  will unintentionally start dropping packets or not.If   −  is less than the minimum required communication energy represented by a predefined ℎℎ, then UAV  will not be able to communicate, and it will start dropping packets.Algorithm 3 summarizes this decision process.

Unintentional Misbehavior for Mobility Reasons.
To evaluate UAV mobility and decide if an UAV is unintentionally dropping packets, we compute a link stability index  (LSI (,) ).This index is derived from the work in [24].A modification was needed to tailor the stability coefficient to our purposes.In the original work, it was used as a metric, and so its value can be any positive real number, with lower values indicating a better link stability.To compare the link stability to the trust value, we defined LSI in order to have values between 0 and 1, which represent the worst and best values, respectively.
In (10),  max is the maximum allowed distance between nodes, which corresponds to the transmission range;  avg , is the average distance between nodes  and  computed over the time they remain within transmission range.(, ) is the age of the link between  and , also referred to as link duration. max is the maximum age reached by a link from the subject node point of view. , ( , ) is the expected residual lifetime of the link between  and , which is computed over a statistical basis, as in [24], being defined as follows: Vector [] stores the observed links age, and element [] represents the number of links with age equal to .
Finally, Algorithm 4 allows estimating the possibility of drops due to mobility.If LSI = 0 it means that there is no radio link between UAVs  and  and, hence,  will consider that the packet loss in this case is due to mobility-related problems.Otherwise, the better the link is, the fewer mobility-related drops are there.

Context-Aware Inter-UAV Communication
Unicast data delivery is the basis of various FANET applications, including real-time event reporting through video streaming and traffic conditions estimation.However, to have stable and permanent communication links, different factors should be taken into account.In this work, we mainly target the selection of the most trusted and stable path while achieving a load balance among the network's nodes.
We assume that packet headers include an additional field containing the selected next forwarder identity within the exchanged packets themselves.
The next forwarder for data messages (NF) is selected using the previously computed inter-UAV trust, link stability index, distance, and UAV residual energy.This way, we are able to minimize both the propagation delay and the packet loss ratio with respect to the UAVs energy.
For every neighbor , UAV  associates a score  (,) representing a balance between the different factors, as shown in where {, . . ., } is the set of neighbors for UAV .
Finally, Algorithm 5 summarizes the inter-UAV data packet forwarding process.
When UAV  receives a data message forwarded by another UAV, it first checks whether it was selected as the next forwarder for that packet.If so, it continues the forwarding process.Otherwise, the processing that follows depends on the application type, thus being outside the scope of this paper.Afterward, if the data packet sender had a higher honesty index than the predefined honesty threshold, the current UAV selects the next forwarder and transmits the message to it.Otherwise, if  considers  as an untrusted UAV, the message will be dropped.

Performance Evaluation
To evaluate the proposed solution, simulations are conducted using the NS-2.35 simulator.UAVs are moving within a 5 km 2 area with a height from the ground varying in the range of [20,50] meters.In addition, UAVs move within that area following the 3D random waypoint mobility model [25].Our simulations were made using 10 source vehicles, a packet size of 256 bytes, and a rate of 4 packets per second.Our experiments are run 15 times to achieve a degree of confidence of 95%.
The remaining simulation parameters are summarized in Table 2.
Below, we first discuss how the evaluation period   is chosen.Second, we show the obtained detection and error ratios of , which are also compared to the one of  [20].Afterward, we present the resulting end-to-end delay and packet loss ratios achieved by our proposal.Finally, we show the intentional and unintentional dishonesty detection compared to  and identify the main reasons provoking unintentional dishonesty situations.We also compare our proposal against  [26] and - [27] trust models proposed, respectively, for MANETs and VANETs.Nodes in both  and - are also moving in 5 km 2 area, using random waypoint mobility model for  and Vanetmobisim-based 5 * 5 grid mobility for -.

Selecting Adequate Evaluation Periods (𝑡 𝑥
).We studied the obtained detection performance for various periods using 100 UAVs where 20% of them are dishonest.Figure 4 shows that, for periods exceeding 35 seconds, detection performance remains nearly the same.Thus, for the experiments that follow, we used a value of   = 35 seconds.This value can also be dynamically adjusted based on the number of interactions or the number of neighboring UAVs.

Detection Performance of UNION Compared to RPM, CATrust, and T-CLAIDS.
In this part, we present obtained detection performance of our proposal .Figure 5 shows the detection ratios of  when varying the number of UAVs for dishonesty ratios of 15% and 25%, respectively.It shows that  offers high detection ratios, exceeding 87% when 25% of the UAVs are dishonest.When having a more realistic dishonesty ratio (15%), the detection performance is nearly optimal.Furthermore, for a 25% dishonesty ratio, we find that  outperforms both  by more than 15% and  by around 5% for high density cases (see Figure 6), whereas  offer similar performance as -.
Regarding the false positive ratio, Figure 7 shows the generated positive error ratio for both  and  when varying the UAV density.The curves of the chart evidence that, unlike , , and -, our proposal introduces a low error ratio, and this is mainly due to the accurate detection reached when distinguishing the intentional and unintentional misbehavior of UAVs.

Packet Delivery Performance of UNION Compared to RPM, CATrust, and T-CLAIDS.
In this section, we present the delivery performance of  compared to , , and - through the end-to-end delay and packet loss ratio.Through the use of our honesty-based context-aware forwarder selection strategy,  clearly outperforms , , and - in terms of packet loss ratio.Furthermore, the loss ratios became negligible for a high UAV density, offering multiple trusted forwarding choices (see Figure 8) As a result of the reduced packet loss ratio, Figure 9 shows that, except for low density cases which are prone to cause network fragmentation, our proposal offers an acceptable  delivery delay, clearly outperforming the ones which achieved other compared proposals.

Distinguishing Intentional and Unintentional Misbehavior
Using UNION.Last but not least, in this section we study how context awareness is able to improve the performance of  in terms of reducing the positive error ratios, thereby allowing us to differentiate between intentional and unintentional misbehavior in an effective manner.
Figure 10 shows the correct and wrong detection ratios for both  and .We can see that, unlike ,  can clearly reduce the detection of unintentional misbehaving UAVs thanks to its context estimator, thereby ensuring that mostly detection decisions are correct.
Finally, we studied the most significant reasons associated with packets drops besides the security-related ones.Figure 11 shows that, for low density cases, the main reason for packet dropping is the limited size of the UAVs' buffer, and the packet freshness.The latter is just a result of network fragmentation, as an UAV should keep packet in its buffer until it finds an adequate forwarder node.In other cases, the packet becomes too old, and it is dropped because of its TTL.On the other hand, for high density scenarios, the main reason for packet dropping is UAV mobility.Finally, we find that energy is prone to cause stable packet dropping ratios, which are mainly related to the length of flight missions more than anything else.

Conclusions and Future Work
Ensuring the desired security with the minimum possible errors is a major concern in all Mobile Ad Hoc Networks.In this paper, we proposed a novel trust-based context-aware solution that is able to differentiate between intentional and unintentional misbehavior in FANETs.In addition, our proposal called  takes advantage of the different computed metrics to choose the best packet forwarders.This way, it is able to offer reliable inter-UAV communications.
Our trust-based context-aware inter-UAV communication solution can be used for various realistic applications such as rescue operations, where uncertified personal UAVs can help in delivering instant information about natural catastrophes like earthquakes, volcanoes, obstructed roads, or even car accidents in rural areas.UNION can also be beneficial for different commercial applications such as on path data delivery, and UAV-based cloud solutions.
Simulation results evidence our proposal's performance at ensuring high detection ratios with a reduced number of false positives, low packet loss ratios, and low end-to-end delay, clearly outperforming a previous solution ().
As future work, we plan to introduce a lightweight access control strategy to be able to respond to outside attackers.We also plan to develop a technique by which we can scan and protect sensitive areas from unauthorized UAVs.

Figure 5 :
Figure 5:  detection performance for different dishonesty ratios.

Figure 8 :Figure 9 :
Figure 8:  packet loss ratio compared to , , and - in the presence of 25% dishonest UAVs.

Figure 10 :Figure 11 :
Figure 10:  intentional and unintentional dishonesty detection compared to  in the presence of 25% dishonest UAVs.