The paper presents an approach based on a combination of Reputation, Trust, and Game Theory to ensure secure data transfer in distributed networks of unmanned autonomous vehicles. Trust and Reputation-based approaches have gained popularity in computer networks to improve their security. The existence of \soft" attacks, when the initiator of the attack is a legitimate agent, and traditional means of protecting information are powerless, it is possible to use methods based on trust. Using Game Theory approaches in cybersecurity allows optimizing intrusion detection and network security systems. In this paper, we reviewed the foundations of Trust and Reputation-based models, and Game Theory approaches in computer systems and attempts of its implementations in distributed network security and communication protocols. We described the operating conditions of a group of AVs, elaborated an apparatus for calculating the indicators of Trust and Reputation, and presented an approach based on a combination of Game Theory with Trust and Reputation. To validate the e ectiveness of the proposed approach a custom software simulator was developed. Experiments with a group of AVs driving through the intersection was conducted. The results showed that a combination of Trust, Reputation and Game Theory allows more e ective detection of bogus data, transmitted by the agents in a system.
With the development of global technological progress, robotic systems are beginning to be applied in various areas of human life. Auto manufacturers are actively researching the development and integration of AVs on the roads of our cities. Small unmanned aerial vehicles (drones) have become widespread in everyday life and can be used for a variety of purposes: from searching for missing people to farming. One of the main advantages of AVs is the ability to perform complex, dangerous and monotonous for humans' organism tasks. To perform some tasks, it is more promising to use groups of fully autonomous robots capable of functioning without a human-operator and more e ciently performing tasks distributed in the area.
Each robotic device can be represented as a combination of physical and
information components, called the cyber-physical system [
In some social networks, online stores and e-commerce applications, user reputation rating systems have gained popularity. The presence of a reputation indicator implies the existence of certain generally accepted norms and rules of behavior on a resource. Violation of such rules and norms by the user will lead to a decrease in the indicator of his reputation, as well as to a decreasing trust to him from other users. For example, if one of the sellers of the online store selling a product that has characteristics di erent from the declared ones, or the delivery time did not correspond to the expected one, it is less likely that buyers will want to buy goods from him if there are other sellers who are more trustworthy.
Depending on the sources, interpretations of Trust and Reputation (T&R)
may vary slightly. The content of these concepts goes deep into antiquity, with
the advent of the rst groups of people and the interaction between them, those
concepts also appeared that can now be described as T&R. The work [
Reputation is de ned as an opinion about the intentions and norms of a
particular agent, based on the history of his behavior and interactions with him
[
To use the approach based on T&R in information systems, it is necessary
to formalize and take into account quantitative indicators of T&R and data
on observations and assessments. This can be especially relevant in
decentralized networks, where there is a lack of network infrastructure and the nodes
interact directly with each other. Such networks are called peer-to-peer (P2P)
networks [
In the case of AVs, VANETs allow transmitting data from one vehicle to
another and to the transport infrastructure objects. Such data transfer can be
used by the Intelligent Transport System (ITS) to build optimal routes,
generate informational and emergency messages warning of bad weather conditions,
construction and maintenance road works, and etc. Papers o ering T&R-based
data security techniques may o er di erent approaches to calculating these
metrics. For example, the authors of [
In [
Kim and Viksnin in [
To verify the reliability of the data, two approaches are proposed in the
papers: objective and subjective. In the second case, the nodes rely on the opinion
of other nodes to form a trust indicator. In [
Game theory is a branch of mathematical economics that studies the resolution
of con icts between players and the optimality of their strategies. It is widely
used in various elds of human activity, such as economics and management,
industry and agriculture, military and construction, trade and transport,
communications, etc [
One of the tasks of Game Theory implementation in the eld of cybersecurity
is to optimize the actions of the security administrators in network systems. In
the context of Game Theory, this task can be formalized as follows: there are two
coalitions: defenders (administrators) and attackers; the goal of administrators
is to minimize damage to the system by optimally distributing tasks among
themselves, and the goal of the attackers is to exploit the system. Considering
the di erent behavior of attackers, it is possible to identify such strategies for
the behavior of administrators (both for a coalition and for each administrators),
in which, regardless of the attackers strategy, the damage to the system will be
minimal. One of the approach was described in the [
In [
In [
The described papers on T&R and Game Theory approaches show the expediency of applying such approaches in the areas related to distributed networks and automated systems. We have already published works on the results of applying T&R in the group of AVs, and we believe that re ning this approach using Game Theory fundamentals will help to achieve better results. 3
There are various types of attacks on data transferred between agents in the
system. Attacks can be both passive when the attacker does not directly in
uence the system, or active when an unauthorized modi cation of information
assets, system properties, and its state occurs during the attack. As a means of
counteracting these malicious attacks, various defenses can be used. However,
there are some attacks when agents already authorized in the system, which
were initially considered legitimate, begin to transmit inaccurate data due to
the failure of the sensors or unauthorized interference with the hardware and
software components. Using these improper data to optimize group actions can
lead to a decrease in the e ciency of the system, and in the case of groups of
AVs, it can lead to a tra c accident. Such attacks on context data integrity are
called \soft" attacks in the literature [
To counter \soft" attacks on multi-agent systems, a T&R approach that has
gained popularity in the eld of e-commerce can be used [
First of all, it is necessary to describe the limitations, assumptions, and operating conditions of the system to which the described calculus can be applied to calculate the T&R indicators of the agents. The group of AVs can be described as a set E = fe1; e2; : : : ; eng of agents. The process of system functioning can be described as a discrete process, and accordingly consists of many states T = ft0; : : : ; tendg, where t0 is the initial moment, and tend is the endpoint in time. At each moment of time, the agents transmit to each other data on their location and state of the surroundings. Agents obtain these data using on-board sensors. These data are necessary for further planning and optimization of group actions, the description of which is beyond the scope of this paper. As an assumption, we consider the transfer of data between agents in ideal conditions, that is, without loss and interference.
The transmitted data can be either correct or bogus. In the rst case, the data re ects the actual (real) location and environment characteristics of the agent ei at the time of transmission tj . In the second case, the data is incorrect and does not re ect the real characteristics of the agent ei at the time of the data transfer tj . The data may be bogus due to breakdown, failure of the sensors or malicious interference with the software and hardware components of the agent ei.
To identify agents that transmit bogus data, we propose the following procedure based on T&R assessment. Each of the group agents has an indicator of T&R. The assessment is based on the transmitted data veri cation at each time moment t by other agents. To describe our approach, we need to introduce three indicators: Truth, Trust, and Reputation. 4.1
T ruth - an indicator that displays a subjective correctness assessment of the transferred data by other agents. Correctness is determined using the sensors of agents and can be described as (1).
T rutht = ftrt (data); (1) where T rutht is the evaluation of data at the time t, data is the data to be evaluated, ftrt is the evaluation function of T ruth at the time t.
Reputation (R) is an indicator based on a retrospective of the T ruth assessment of each agent. It can be described as (2).
Rt = frt (T rutht) = frt (ftrt (data)); (2) where Rt is the reputation value at the time t, frt is the evaluation function of R at the time t.
T rust is an indicator characterizing a subjective assessment of agent behavior by other agents. It is calculated based on a combination of T ruth and R and can be represented as (3).
T rustt = ftrustt (Rt 1; T rutht) = ftrustt (frt 1 (ftrt 1 (data)); ftrt (data)); (3) where T rustt is the indicator of T rust at the time t, ftrustt is the function of evaluating T rust at the time t.
As a limitation, each of the above indicators is in the range of [0; 1]. However, in the process of functioning of the system, situations may arise when none of the agents has the opportunity to assess the correctness of the data transmitted to them. For example, such a situation may arise in the t0 time moment (initialization of the system), when agents are distributed over the area and they do not have a retrospective assessment, or when a new agent joins the group. As an assessment mechanism in such situations, we propose using the approach based on the Game Theory described below. 4.2
In the context of Game Theory, a game will be understood as a confrontation between two agents: G - a trusted agent that receives data, and U - an agent that transfers data. Players have two strategies. For agent G: strategy 1 - trust to the agent U , and strategy 2 - do not trust to the agent U . For agent U : strategy 1 transmit correct data, and strategy 2 - transmit bogus data. In order to consider the game in normal form and express it through the payment matrix, payments when the players win/lose can be designed.
Since agent G cannot con rm or refute the data at the time of its receipt, it is necessary to consider the risk of losing reliable data. For this, it is necessary to introduce the concept of the value of data. Let datai 2 DAT A be the kind of information existing inside the system. Then 9 v(datai) : v(datai) 6= v(dataj ); i 6= j is the maximum value of the data i. We consider the fact, that the value of data decreases with time, and it is necessary to introduce the concept of the value of data at time t. Let 9 tf : 0 < tf t be the time point for receiving data, then 9 v(datai; tf ; t) : v(datai; tf ; t) v(datai) is the value of the data i at the time t. It can be calculated by the equation (4).
v(datai; tf ; t) = v(datai) kdatai (tf ; t); (4) where kdatai (tf ; t) is the function of relevance of the data i at time t.
We consider k(tf ; t) 6= 0 as long as the agent cannot refute the data, therefore, we chose an exponential function of the form ax, presented in (5) for calculating the actuality of the data.
kdatai (tf ; t) = (adatai )t tf ; (5) where adatai 2 (0; 1). Therefore, kdatai (tf ; t) 2 (0; 1].
Based on the foregoing, agent's payo function G can be described by the equation (6).
8v(datai) > > ><0 x = 1, y = 1 x = 1, y = 2 >v(datai; tf ; t) x = 2, y = 1 > >:v(datai; tf ; t) x = 2, y = 2 fG(x; y) = ; (6) where x; y is the number of agents' G and U strategies.
For the agent U , the biggest gain will be the the value T ruth(datai) = 1 of the agent G, in the case when the agent U lied, and minimal - when the agent G has trust to U , and U provided him with correct data. To denote the wins of the agent U , we introduce the payo function, presented in (7). fU (x; y) = 8 1 > > ><1 >0 > >:0 x = 1, y = 1 x = 1, y = 2 x = 2, y = 1 x = 2, y = 2 ; (7) where x; y is the number of agents' G and U strategies. In the Table 1 the payment matrix of the game is represented.
We assume that the agent U is rational in its actions with respect to G. Let us consider the resulting winnings. It can be seen from the Table 1 that the game has Nash equilibrium, namely, the outcome when agent U chooses strategy 2, and agent G chooses strategy 2. In this case, the equilibrium exists because agents cannot increase their winnings when the opponent does not change strategies.
Consequently, the agent U , if he is an intruder, will prefer to lie, since his winnings will uctuate from 0 to 1, but not from -1 to 0. In turn, the agent G needs to understand that he will not receive the maximum win, no matter what strategy U agent chooses, the winnings will be stable. Thus, the authors formed the third condition for the formation of T ruth indicator - in the case when it is not possible for the agent to verify the information personally or by asking other trusted agents, the agent must not be trusted and T ruth(datai) = 0. To validate the e ectiveness of our Game Theory approach implementation in a group of AVs, custom software simulator was developed. In the simulator, the movement of vehicles through an intersection was imitated. The intersection scheme is represented in Fig. 1. It has the following properties: { software testing ground is divided into equal sectors, and each sector has its unique number; { software testing ground size: 10 10 sectors; { software testing ground has 4 roads: two vertical (oncoming and passing) and two horizontal (oncoming and passing).
The experiment was conducted with a group consisted of 3 vehicles (agents): one of them was a saboteur and provided incorrect data to the other agents. The communication in the group was organized in the following way: { depending on a situation, the saboteur can either transmit correct of bogus data; { legitimate agents also can provide others with bogus data in case of technical problems; the probability of technical fail occurrence was set as 0.1; { the initial value of agent reputation (R) was equal to 0.5; { the agent that had the R value equal or less than 0.25 was considered as a saboteur and blocked from the group communication; such threshold was set because of the short communication period in the intersection; { the information transmitted by one vehicle could be assessed only if this vehicle was visible to one of the trusted agents; the vehicle can detect others if they are located in one of the 8 adjacent sectors around it.
For the experiment, we decided to use a group of three AVs. Since one AV can detect objects in 8 sectors around itself, in order to ensure the correct operation of the T&R-based method, three members of the group are enough on this software testing ground. An increase in the number of group participants at the intersection will lead to the possibility of using agent's own observations, rather than relying on the proposed method.
Experiment setup: { the experiment had 1000 independent tests; { during each test, the movement of the vehicle group through the intersection was analyzed.
Results assessment: { to assess the obtained results, 4 parameters were calculated:
True Positive (TP) - case when the AV was a saboteur and it was classi ed as a saboteur; False Positive (FP) - case when the AV was not a saboteur but was classi ed as a saboteur; True Negative (TN) - case when the AV was a legitimate agent and was classi ed as a correct agent; False Negative (FN) - case when the AV was a saboteur and was classi ed as a legitimate agent. { based on these values, a classi cation parameter Accuracy was calculated, as in (8).
Accuracy =
T P + T N T P + F P + T N + F N (8)
The comparative analysis between 2 models was performed: { model with standard T&R-based approach; { model with T&R and integrated Game Theory approach.
The average results after 1000 independent tests are represented in Fig. 5. Our T&R and Game Theory approach contributed to the increase of saboteur detection accuracy: it is possible to note that the Accuracy parameter raised by 0.1. Moreover, implementation of Game Theory provided a signi cant increase in TP agent classi cation cases and helped to reduce FN rate values. However, the rise of FP errors and decrease of TN rate was noted. The reason of these deviations is that the Game Theory approach does not give an opportunity to set up a median T ruth level not only to saboteurs but also to legitimate agents. 6
This article was prepared with the nancial support of the Ministry of Science and Higher Education of the Russian Federation under the agreement No. 07515-2019-1707 from 22.11.2019 (identi er RFMEFI60519X0189, internal number 05.605.21.0189). 1:94 1:27 without Game Theory
with Game Theory 0:89 0:2 TP
0:73 0:06
FP 0:8 In this paper, we proposed an approach based on a combination of Trust, Reputation, and Game Theory fundamentals to secure communication in a group of unmanned vehicles. In addition to traditional attacks on data in distributed networks, there are also \soft" attacks when legitimate agents broadcast bogus data, which may be due to technical problems or unauthorized malicious access to the agent's hardware and software. The paper describes the characteristics and assumptions of a group of unmanned vehicles in which the implementation of the presented model is possible. To validate the e ectiveness of the presented approach in a group of unmanned autonomous vehicles, we developed custom software simulator. Simulator allows to imitate traversal of the intersection by a group of AVs and communication between them. Despite the fact that the classication accuracy of saboteurs, transmitted bogus data, increased by 0:1, using of the T&R in a combination with Game Theory approach allowed to signi cantly increase the True Positive and reduce False Negative values.