FAPMIC: Fake Packet and Selective Packet Drops Attacks Mitigation by Merkle Hash Tree in Intermittently Connected Networks

Delay/Disruption Tolerant Networks (DTNs) are a special category of IntermittentlyConnectedNetworks (ICNs). It has features such as long-delay, frequent-disruption, asymmetrical-data-rates, and high-bundle-error-rates. DTNs have been mainly developed for planet-to-planet networks, commonly known as Inter-Planetary-Networks (IPNs). However, DTNs have shown undimmed potency in challenged communication networks, such as DakNet, ZebraNet, KioskNet and WiderNet. Due to unique characteristics (Intermittent-connectivity and long-delay) DTNs face tough/several challenges in various research areas i.e bundle-forwarding, key-distribution, privacy, bundle-fragmentation, and malicious/selfish nodes particularly. Malicious/selfish nodes launch various catastrophic attacks, this includes, fake packet attacks, selective packet drops attacks, and denial-of-service/flood attacks. These attacks inevitably consume limited resources (persistent-buffer and bandwidth) in DTNs. Fake-packet and selective-packet-drops attacks are top among the challenging attacks in ICNs. The focus of this article is on critical analyses of fake-packet and selective-packet-drops attacks. The panoramic view on misbehavior nodes mitigation algorithms are analyzed, and evaluated mathematically through several parameters for detection probability/accuracy. This article presents a novel algorithm to detects/mitigates fake-packet and selective-packet-drops attacks. The proposed algorithm uses Merkle-Hash-Tree to detects the aforementioned attacks. The proposed algorithm added root hash along with all packets, when the malicious nodes drop packets or inject fake packets, the algorithm detects malicious nodes. Moreover, trace-driven simulation results show the proposed algorithm of this article accurately (enhanced detection-accuracy, enhanced packet delivery/packet loss ratios, and reduces false-positive/false-negative rates) detects malicious nodes which launch fake-packet and selective-packet-drops attacks, unlike previously proposed algorithms which detect only one attack (fake-packet or packet-drops at a time) or detect only malicious path (do not exactly detect malicious nodes which launch attacks). Furthermore, this article mathematically analyzed various scenarios to track exactly/position of various vehicular nodes.


I. INTRODUCTION
The emergence of intelligent-devices having short-rangewireless transmission capability has motivated the The associate editor coordinating the review of this manuscript and approving it for publication was Dongxiao Yu . development of infrastructure-less Adhoc-Networks for the last two decades. However, traditional end-to-end based routing/forwarding protocols for Adhoc-Networks are inefficient in a challenging network environment. Because, these types of Adhoc-Networks, suffer from frequent disconnection, sparse network density, scarce resources, limited device VOLUME 11, 2023 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ processing capability, and high susceptibility to security attacks. Such challenged type networks are commonly known as IntermittentlyConnectedNetworks (ICNs). There are various types of ICNs, Delay/Disruption Tolerant Networks (DTNs) are one of them [1]. DTNs are infrastructure-less Adhoc-Networks, where no end-to-end path between devices exists and disruption of nodes in the network occurs frequently [2]. DTNs are viable solution for applications suffering from intermittentconnectivity, long-delays, high-packet-error-rates, and highpacket-loss-ratios [3]. DTNs are primarily developed for planet-to-planet communication [4]. However, with advancement in wireless communication technology, DTNs have shown promising potential in emerging networks as well. Such as Vehicular-Ad-hoc-Networks (VANETs) [5], Underwater-Wireless-Sensor-Networks (UWSNs) [6], and special applications such as flood scenarios, rural area communication, and earthquakes, etc in which infrastructure is demolished due to a natural disaster [7].
With frequent disconnectivity of DTNs nodes, TCP/IP and other Adhoc-Networks protocols cannot be implemented in DTNs. That is why researchers put forward a special protocol known as bundle Protocol (BP) for DTNs. BP is used to routes/forwards a bundle in the network [8]. Moreover, BP countermeasures the challenging issues such as long/variable-delay, frequent-disruption, reliability, and communication among heterogeneous networks, by using permanent memory, custodian transfer, and convergence layer. DTNs nodes use StoreCarryForward (SCF) method to forwards packets from one node to another node [9]. The BP has the built-in capability to reliably forwards bundles/packets hop-by-hop and end-to-end. Where the convergence layer in DTNs architecture translates a bundle/packet to underline specific network architecture which is different from case to case.
FPA and selective packet drop attacks (SPDA) are catastrophic attacks. These types of attacks exhaust limited resources and spread bogus packets in the networks [31]. Researchers proposed algorithms for them however, proposed solutions have some issues. Some of the researchers proposed detection algorithms, which blacklist the previous nodes in the communication path. However, the previous nodes may not always be malicious. In few articles, FPA detection algorithms have been proposed but it cannot detect intruder nodes. Some algorithms detect FPA only but at the same time, a node acts maliciously and launches SPDA, which remains undetected. This article discusses in details the aforementioned issues in the motivation and problem statement section of this article.
To address the aforementioned issues this article proposed Merkle-Hash-Tree based algorithm which exactly detects/mitigates malicious nodes which launch both FPA and SPDA. In this algorithm, initially, every node shares a public key with all nodes including trusted authority (TA). Before transferring packets, every node creates a root-hash of all packets and appends the root-hash along with packets. Forwarding nodes sign packets with a private key and make a specific packet format. The working of the proposed algorithm is discussed in the contribution section of this article. The proposed algorithm significantly improves false positive/false negative rates. The proposed algorithm of this article not only detects FPA but also detects misbehavior nodes that launch SPDA. The proposed algorithm also improves detection accuracy and resource consumption which further enhances PDR and PLR. Following are the primary contributions of this article; * Detection and mitigation of FPA and SPDA by only one algorithm (The proposed algorithm detects both attacks). * Black-listing of malicious nodes which launch FPA and SPDA (unlike previously proposed algorithms, which is path detection algorithms).
* Mathematical Evaluation of proposed algorithms for detection accuracy and detection probability (Commonly all and particularly the proposed algorithm of this article). * Mathematical analyses provide theoretical idea to track various vehicular nodes (In future we will implement this idea to track the position of nodes in vehicular networks). * Cryptanalysis of previously proposed algorithms and the proposed algorithm of this article (this analyses highlight the cons of proposed algorithm, highlight clear idea for researcher to modify the algorithms in future).
The rest of the paper is organized as follows. Section II discusses related works on packet drop attacks and fake packet attacks. Section III discusses Motivation and Problem Statement. Section IV is related to the proposed algorithm FAPMIC. Section V is related to Mathematical Evaluation. Section VI discusses Simulation and results. Section VII is related to comparison, Followed by conclusions, and future works in the Section VIII.

II. REVIEW OF LITERATURE
Misbehavior nodes (Selfish and Malicious) are catastrophic for all types of ICNs specially DTNs, they exhaust network resources, such as buffer/memory, bandwidth, processing power, and energy resources (already outlined in this article). This section discusses existing/previously proposed algorithms which launch packet drops (misbehavior nodes that drop all packets and SPDA), and FPA. Researchers in article [32] proposed ''probabilistic misbehavior nodes detection scheme (PMDS)''. The proposed algorithm detects misbehaving selfish nodes, which launch packet drops attacks (not SPDA) in DTNs. In PMDS there are two phases, one is called the event generation phase and other is known as the auditing phase. In the first phase (event generation), every event that is delegation, contact, and packet forwarding of all nodes are recorded. In the second phase (auditing phase), TA collects all event information (which is generated in the first phase) from all nodes in networks. TA passes these information (event information) from the proposed PMDS algorithm to verify malicious nodes. TA checks fewer/low reputation nodes frequently and higher reputation nodes infrequently. Proposed PMDS is a reliable scheme for selfish node detection, however high cost and suitability (the proposed scheme is not suitable, and difficult to deploy in DTNs) of the algorithm in DTNs are the downside of the proposed scheme. Also, this paper does not consider SPDA.
Researchers in articles [33], [34] proposed a particular node (known as an observer node) to safeguard the network for misbehavior packet drop attacks. The proposed scheme assume, networks monitoring node has all public keys (one node in the networks is dedicated for monitoring purpose). In bundles communication, If the ''S'' node forward a message to ''R'' node, ''R'' make a trust-token known as ForwarderTrustToken (FTT) to ''S'' and ''S'' also sends a trust-token known as ReceiverTrustToken (RTT) to ''R'' (actually nodes save encounter-history record). Both nodes sign the Token with their private keys. The observer node also calculates a group bias to detects social selfish nodes (a particular group of selfish nodes that only drops packets of other group members not from its group) in a network that launch packet drops attacks. Researchers put forward a very efficient detection algorithm. However, monitoring based algorithms are hard to implement in ICNs ( due to intermittent connectivity). Also, this algorithm does not consider SPDA (this work/article considers a use case in which malicious nodes drop all packets).
Researchers in paper [35] proposed contact history based detection. The proposed algorithm detects and mitigates packet dropping attacks (Not have the ability to detects SPDA) in ICNs by using encounter-records. In this particular detection scheme, all nodes in the networks save their previous encounter-record. Nodes share their encounter-record with other nodes in the networks to detect and mitigate misbehavior nodes. The scheme detects an inconsistency in packets and misreporting of contact history (when attacker forge encounters history, proposed scheme detects). This work does not consider SPDA.
Researchers proposed reward based algorithms in [36] and [37]. The proposed algorithms detect misbehaving nodes through dedicated nodes known as OfflineSecurityManager (OSM) and VirtueBank (VB). In this scheme, OSM is a certificate authority, which issues/distributes certificates, while VB distributes credit/reward. In this algorithm when a node forwards a bundle/packet to an intermediate node, the sender node makes a ''BaseLayer''. This includes, IdentityOfNodes, ClassOfServic, AgreementPolicy, Time-ToLive (TTL), TimeStamp, SecurityCertificate, SenderSignature, and NextForwarderNodeID. The intermediate node makes multiple ''EndorseLayers'' (Encrypted ''BaseLayer'' is called ''EndorseLayer''). When the bundle is delivered to the destination, destination nodes collect information from layers (''BaseLayer'', ''EndorseLayers''), and forward it to ''VB''. The ''VB'' shares credit among those nodes which take part in the forwarding process. Although this is a very efficient scheme to tackle selfish nodes. This article has not been considered SPDA. Also, high processing costs and bandwidth consumption are the downsides of this algorithm.
Researchers in article [38] proposed a Watch-Dog based scheme to detect misbehaving nodes in DTNs. The proposed algorithm uses channel sensing methodology to detect packet doping misbehavior nodes (this article proposed an algorithm for packet drop attacks, however, the proposed algorithm does not detect SPDA). In this scheme when a relay node forwards a packet to an intermediate node, it keeps the packet/bundle in its storage. The relay node observes the communication channel for overhead. If the intermediate node forwards a packet to the destination, in this case the relay node compares the overhead of the communication channel to its buffer. According to the researchers, if the value of VOLUME 11, 2023 overhead matches (the algorithm assumes the intermediate node is benign or otherwise malicious. This particular node launch packet drops attacks). However, there is a probability that the intermediate node drops a bundle and forwards their own bundle, algorithm fails to detect the misbehavior node in this case. Also, there is possibility other nodes in networks (other than intermediate nodes) send messages, so in this case, there is overhead in the channel. The algorithm assumes that the intermediate node is benign, however, if the intermediate node is a misbehaving node (false negative). Although this is a very good scheme (difficult to deploy in wireless DTNs), however false positive/negative ratios are significantly high, which is the downside of this scheme. Moreover, this scheme keeps bundles in their storage after forwarding, which consume storage resources (DTNs have scarce resources), which is the downside of the proposed algorithm.
In the article [39] researchers proposed an iterative trust and reputation management system (''ITRM''). The scheme detects two types of misbehaving selfish nodes attacks. ''BadMounting'', in this type of attack, ''Rater (R)'' (Rater is a particular node in networks which gives rating/reputation to node) decreases the reputation of ''Service Provider'' ''(SP)''. The second category attack is known as ''BallotStuffing''. In this category of attack, ''R'' increase the reputation of ''SP''. On a positive note, in this particular scheme, the researchers derive an equation, which calculates nodes' reputation and inconsistency. The proposed scheme compares the threshold with inconsistency. If an inconsistency is less than the threshold, the algorithm assumes it is benign, otherwise misbehavior. This article also does not considers SPDA. In article [40] researchers proposed an improvement of the work in [39] by categorizing ''R'', based on the rating to ''SP'' (high, middle, low priority cluster). This gives a second opportunity for a node to prove that they are not misbehaving, unlike the existing scheme in article [39]. On a positive note, The false positive rates are significantly improved relative to ''ITRM''. Complexity of this scheme is also improved (From Linear to Cluster in this scheme, in ''ITRM'' complexity is linear to nodes).
Researchers in articles [41], [42], [43] discussed different schemes to cope with misbehaving nodes (IncentiveAlgorithm, ReputationAlgorithm, GameAlgorithm). Researchers discussed the impact of misbehavior nodes on bundle delivery ratios and bundle loss ratios. Proposed algorithms do not consider SPDA. Researchers in article [44] proposed ''watchdog'' based collaborative-trust-management-system, which detects misbehaving nodes in natural disaster scenarios. This research article does not consider SPDA. Researchers in work [45] proposed distributed algorithm ''GREAT'' (Global reputation estimation and analysis technique). ''GREAT'' detects multiple attacks (packet drops, BallotStuffing, Bad-Mounting). The complexity of reputation calculation makes it in-feasible for ICNs. Also proposed algorithm does not consider a group of selfish nodes which launch the SPDA.
Researchers of article [46] proposed a merkle-hashtree (hashes calculation binary tree) and trust value for malicious nodes detection. The proposed scheme detects the SPDA in Opportunistic Networks (OppNets), which is a particular category of ICNs. The proposed algorithm calculates root-hash and appends with all packets (appends in the packet header). Destination node compares appended root-hash value with calculated root-hash (receiving node again calculates root-hash). If not matched, thus the algorithm decreases the trust value of receiving packet path (Identify path and decrease the trust value of all nodes in the path). In the case of multiple nodes in the path, it decreases the trust value of all nodes, which may be some benign nodes. This is a downside of the proposed algorithm. This leads to high false positive and false negative rates.
Researchers in [47] proposed a scheme to detect misbehaving nodes, which are responsible for the SPDA. In this particular scheme researchers proposed ''HeaderField''. The proposed scheme mitigates misbehaving nodes by examining ''HeaderField''. The ''HeaderFiled'' is also known as ''IndicativeField''. ''IndicativeField'' is further subdivided into, ''IdentificationField'', ''FlagField'', and ''OffsetField''. Researchers proposed an efficient scheme, however, the cost of algorithm, high ratios of false positive, and false negative are the main problems of this algorithm. Researchers in article [48] proposed a hybrid scheme (reputation and trust) to detects malicious path and misbehavior nodes, which launch the SPDA. This scheme detects misbehavior nodes by using merkle-hash-tree along with reputation (calculate direct trust and indirect trust value). In this scheme, destination nodes compare the number of bundles with hashes, if equal, researchers assume, a node is benign otherwise misbehavior (The SPDA attack is detected). However, how the bundles are counted and compared in this scheme are not mentioned in this article. High processing cost, lack of centralized node (like TA), and false positive/false negative rates are the downside of the proposed algorithm.
In article [49] the researchers proposed an algorithm for mitigation of misbehavior nodes that drop some packets and includes brand new bogus packets instead of them. The researchers proposed a packet ''CreationTime'' to mitigate malicious nodes. In this scheme, researchers proposed that the destination node always monitors the packet ''Cre-ationTime''. If the packet ''CreationTime'' of all bundles are the same or nearly the same, researchers assume the node is benign (in this case no FPA is launched) or otherwise malicious (FPA is detected). On a positive note, the authors proposed a very efficient detection algorithm. However, if the malicious nodes create a fake bundle with genuine time, algorithm cannot detects such type of malicious node. This algorithm can detects fake packets but cannot identify malicious nodes (the actual source of attacks). The researchers in work [21], [22], [23] proposed a merklehash-tree to detect misbehavior nodes that launch the FPA. It calculates the root-hash value with merkle-hash-tree, and then appends the root-hash value with all bundles. The destination node recalculates root-hash, if it matches with appended hash then the algorithm assumes no attack is detected, otherwise destination node assumes the FPA is detected. In the case of multiple nodes/multi-hop nodes in the communication path, the proposed algorithm assumes the last node in the communication path is malicious which may or may not be malicious.

III. MOTIVATION AND PROBLEM STATEMENT
DTNs are vulnerable to large number of security challenges which are already outlined in this article. Specifically, the dynamic-topology of nodes and the use of open networks (wireless networks, which is open for anyone to sends packets) to forward bundles offer straightforward possibilities/chances for misbehavior selfish/malicious nodes to various attacks. For example, in DTNs, misbehavior nodes can spread a huge number of false-information/fakeinformation into the networks. If the benign nodes further propagate these fake-packets/bogus-packets, this attack creates huge amounts of forged information/fake-information to the network. Due to limited resources of DTNs nodes, the fake-information lay a critical problem for the operation of challenging ICNs/DTNs. Furthermore, misbehavior intruder nodes launch attacks to waste precious resources, and increase throughput (Selfish nodes drop other node packets to save their resources and forward only has own packets. Sometimes misbehaving nodes drop selective packets, not all packets). The research problems (tackle research issues) on DTNs security are more challenging than conventional networks like VANETS, MANETS, and WSN (because of the unique security challenges, which are already mentioned in this article) [50]. Different from other Ad-hoc networks, and TCP/IP-based networks, DTNs represent a new network protocol architecture (bundle protocol), therefore introducing new unique security research issues/loopholes.

A. LOOPHOLES OF EXISTING DETECTION ALGORITHMS
The FPA and the SPDA are very dangerous attacks, because the aforementioned attacks waste very important resources of DTNs, and spread bogus packets in the networks, which are already stated in this paper. The researchers proposed some efficient algorithms for them. However, the proposed algorithms have some issues which are followed as.
In some research papers, researchers proposed algorithms that blacklist the previous node in the communication path, however, the previous node may or may not be malicious. The detection accuracy of the proposed algorithms are not cent percent accurate. The rate of false positive/false negative is significantly high in the proposed schemes. According to the analytic studies of this paper, few researchers proposed algorithms that detect fake-information-packets and cannot detect the actual source of attacks (malicious nodes). Few researchers proposed algorithms that accurately detect malicious/selfish nodes which launch the FPA. However, sometimes selfish/malicious nodes launch the SPDA instead of the FPA. This article proposed an algorithm that detects exactly the misbehavior nodes which launch the FPA and the SPDA (One algorithm which detects both attacks). The rates of false positive and false negative are significantly improved in our proposed algorithm (because our algorithm can detect exactly misbehavior nodes that launch the FPA, unlike other research papers, which only detect the fake-information, but do not detect the malicious nodes). Table 1 summarized previously proposed algorithms (Detection Methodology and shortcoming of the previously proposed algorithms) which detect the FPA and the SPDA in ICNs. Few researchers proposed algorithms in which the destination nodes arrange packets based on the packet generation time, few researchers proposed detection algorithms which append root hash along with original packets. However, few research article proposed trust based methodology and packet header information based methodology to weed out malicious nodes. The proposed detection methodology along with loop holes are summarized in Table 1.

1) CRYPTANALYSIS OF THE PREVIOUSLY PROPOSED ALGORITHMS
As mentioned earlier in this article some of the shortcomings of previously proposed algorithms in Table 1. This section VOLUME 11, 2023 critically analyses existing proposed algorithms of the FPA and the SPDA detection/mitigation. Following are some of the possible attacks scenarios on the previously proposed algorithms of the FPA and the SPDA. a: ATTACK SCENARIO 1 Considers an attack scenario on the previously proposed algorithms [21], [22], [23]. According to the assumption of researchers, the proposed algorithms detect the FPA when at least one fake packet reached their destination. However, according to the critical studies of this paper, this is not the case. For example, if one particular node in the networks says node ''A'' forwards five messages to the destination node ''C'' via node ''B''. If four messages including one fake packet reached their destination. The destination verifies the root-hash value with Merkle-Hash-Tree, the root-hash will not be verified, but this is not because of one fake packet but due to one missing packet (maybe drop packet). So according to the findings of this article, the assumption of existing algorithms are not correct, Merkle-Hash-Tree only detects the FPA in situations where all the forwarding packets reach their destination.

b: ATTACK SCENARIO 2
Consider a second attack scenario on existing proposed algorithms [21], [22], [23]. Researchers proposed algorithms in which the sender node creates the root-hash with Merkle-Hash-Tree, when the packets reached to the destination, the destination verifies the root-hash with embedded root-hash in the packet header. For example, we have four messages, M1, M2, M3, and M4, the sender nodes calculate hashes of all messages, H1, H2, H3, and H4 respectively. Furthermore, H1, H2, and H3, H4 are concatenated to calculate H12 and H34 respectively. Then H12 and H34 are concatenated to derive parent root-hash H1234. The destination nodes also calculate hashes with this process to verify the root-hash value.
However, in the opportunistic networks, some packets reached their destination with delay (due to the intermittent connectivity and long delay). If the destination concatenates H1 with H3 and H2 with H4 and further derives root-hash so obviously this root-hash will be different from the previously calculated the root-hash value. In this case, the proposed algorithms assume malicious nodes launch the FPA, however, this is not the case. Actually, in previously mentioned articles, researchers did not mention how to calculate the hashes. Unlike these papers, this article proposed an algorithm in which a specific packet format (Packet Sequence Number (PSN)) is followed, sender and the destination exactly follow the same procedure and the same PSN for the hashes calculation and verification. c: ATTACK SCENARIO 3 Consider a third attack scenario on previously proposed algorithms [21], [22], [23]. If the malicious nodes launch both the FPA and the SPDA at the same time, the proposed algorithm detects only the FPA but do not detect the SPDA.
Consider a network in which one node, say node ''A'' forwards three packets to the node ''B'', and two packets to the node ''C'' which is destined for the node ''D''. The node ''B'' drops one packet and the node ''C'' modified one packet (FPA). When the destination verifies the root-hash, so the root-hash will not be verified due to one packet drop and one fake packet. The proposed algorithms only detect the node ''C'' which modified packet (FPA) but do not detect the node ''B'' (the source of packet drop attacks). d: ATTACK SCENARIO 4 Consider another attack scenario on previously proposed algorithms [21], [22], [23], [51]. If the malicious nodes drop one packet and forward all other packets to their destination (this attack is quite possible). When the destination node verifies the root-hash value so in this case the root-hash will not be verified with embedded root-hash in the packet header. The proposed algorithms assume the malicious nodes launch the FPA (modified the content of the message, which is an attack on the integrity of packets) but this is not the case. e: ATTACK SCENARIO 5 Consider an attack scenario on article [46]. In this scheme, the researchers proposed an algorithm that calculates the roothash (which is already mentioned in the literature review section of this article), if the root-hash is not verified so the proposed algorithm decreases the pre-calculated trust-value of all nodes in the communication path. Consider a possible novel attack scenario in which the malicious nodes launch the FPA. After launching attacks the malicious nodes safely change their path (Nodes are mobile in ICNs). Actually the malicious nodes aim is to launch the FPA and make a trick on the detection system, which decreases the trust-value of the honest nodes in the networks. In the future, all other nodes in the network do not trust those particular nodes in the same communication path. However in reality the nodes are benign in that particular communication path not malicious (a high false positive ratio).
f: ATTACK SCENARIO 6 Consider a colluding attack scenario (in which some misbehaving nodes launch attacks with collaboration) on previously proposed algorithms. When a malicious node ''A'' forwards a fake packet to another misbehaving node ''B'' in a different path. When the node ''B'' forwards that malicious packet to the destination, the destination node blacklist the transmission path of the node ''B'' (because previously proposed algorithms are path detection algorithms, which blacklist the last forwarder node). Which is not malicious (the destination decreased the trust-value of all nodes in that particular communication path).
Based on these observations/analyses this article concluded that researchers proposed some efficient algorithms to thwart malicious nodes which launch the FPA and the SPDA. However, every algorithm has its own merits and demerits. No perfect solution to these problems are proposed yet. This is still a big challenging issue in the DTNs. So it is urgent to propose an efficient algorithm to tackle this problem.

IV. FAPMIC: FAKE PACKET AND SELECTIVE PACKET DROPS ATTACKS MITIGATION BY MERKEL-HASH-TREE IN INTERMITTENTLY CONNECTED NETWORKS/PROPOSED SOLUTION
This article proposed an efficient algorithm that thwarts both FPA and SPDA in ICNs. The proposed algorithm significantly improves resource consumption, which ultimately enhances PDR, PLR, detection accuracy, and reduced false positive/false negative ratios (already mentioned in this paper).
In our proposed scheme this article makes the following assumptions: * The forwarder node should use Merkle-Hash-Tree to calculates the root-hash and then automatically adds them with every bundle. * Misbehaving nodes can drop some genuine/benign bundles (In the SPDA, malicious nodes do not drop all packets) and then inject new fake packet instead of them with brand new calculated hash value or modify the content of the packet to recalculate the root-hash value. * Our proposed algorithm only considers the SPDA (There are so many other categories of packet drop attacks). * For the SPDA one packet must be reached to the destination, and for the FPA all packets must be reached to the their destination.

A. SYSTEM MODEL 1) NETWORK MODEL
The network consists of thirty mobile nodes (10Cars, 10Pedestrian, 10Trams), communicating an adhoc fashion using Bluetooth. All nodes in the network have a unique key (identifier). This research works proposed that the network is loosely-time-synchronized (loosely-timesynchronized means any two nodes (A and B) are in the same time-slot any time). For the bundle authentication, this paper proposed an IdentityBasedCryptography (IBC). This paper proposed IBC, this is because of the light-overhead of IBC (ICNs have scarce resources, so IBC is suitable for ICNS). IBC generates (in IBC there is a key generator center) a valid private key for all nodes in the network from the node's identifier.

2) ADVERSARY MODEL/ATTACK SCENARIOS OF MALICIOUS NODES
Considera a FPA and a SPDA scenarios in Figure 1.  On the other hand, the node ''B'' forwards four packets, P1, P2, P3 and P4 to the node ''E'', which is destined for the node ''F''. The node ''E'' drops packet P4 and makes a new fake packet instead of P4 and forwards to the node ''G''. The node ''G'' sends all packets to the node ''F'' (the node ''G'' does not knows about the node ''E'' makes a fake packet of P4). In this scenario the node ''F'' received a fake packet/information (P4 is fake packet).

3) DEFENSE LINES AGAINST THE SPDA AND THE FPA IN FAPMIC
In this section, this article briefly states the defense mechanisms/methodology used to detects and mitigates the SPDA and the FPA. The first line of defense in our proposed algorithm is authentication/encryption. The benign nodes in the networks have their own valid cryptography-credential (Key). The nodes Sign (encryption with private key) all bundles/packets, so all other nodes in the network can authenticate the original forwarder of the bundles (a source that creates this message). Thus authentication discourages external malicious nodes (nodes that do not have a valid key) that inject unauthorized data from the outsides of the networks (outsides of the network means malicious nodes which do not have a valid key). Secondly, this authentication protects the integrity of packets (If some malicious nodes break this integrity, Our proposed scheme detects those nodes quite easily). The second line of defense in our proposed algorithm is the creation and sending of the merkle-root-hash along with the original packets (sender side). This root-hash (created with SHA1 Algorithm) value enables us to detect a SPDA and a FPA quite smoothly. On the receiver side, the receiving nodes compare the sender nodes' root-hash value with the calculated root-hash value (the receiver node again calculates root-hash value of all packets). The third line of defense in our proposed scheme is TA (Actually this is the action phase, this article calls this defense line because it exactly detects and blacklist the malicious nodes, which saves the network from future attacks).

B. WORKING OF PROPOSED ALGORITHM FAPMIC
This section discusses the working of the proposed algorithm of this article in detail. Before more discussion on the proposed algorithm, this article discusses the Merkle-Hash-Tree for clarity (FAPMIC uses Merkle-Hash-Tree to creates a root-hash).

1) MERKLE-HASH-TREE
In ICNs, the Merkle-Hash-Trees [21], [22] is one of the effective method to verify the integrity of the received packets. If one packet is either removed/dropped or modified/fake, the hash of its parent will change. This property of a Merkle-Hash-Tree enables us to detects a SPDA and a FPA.
A Merkle-Hash-Tree [51] is a binary-tree (Perfect binary or Complete binary both cases are possible) that starts with hashing every packet/bundle in DTNs. A Merkle-Hash-Tree uses a mathematical hash function (Hash function is one way, This article uses SHA1 for hashing) that takes a plan message/bundles and turns it into ciphertext (unique code). The resulting hashes of first-level are called the leaf of the Merkle-Hash-Tree. A pair of the leaf hashes are then concatenated (Concatenated with XOR) to derive the parent hash. A pair of parent hashes are concatenated to derive further parent hashes until the last level. The last level hash is known as root-hash which is used to check the integrity (authenticate) of all packets. In the case of a complete binary tree (a perfect binary tree, in which the number of hashes is even, and a Complete binary in which the number of hashes is odd), the odd hash is concatenated with itself to derive the parent hash. Fig 2 diagrammatically shows a Merkle-Hash-Tree. For simplicity this article considers four messages, M1, M2, M3, and M4, however in reality there are more than four packets (could be any number). In step one mathematical hash function (SHA1) are applied to M1, M2, M3, and M4 to create HASH1, HASH2, HASH3, and HASH4 respectively. Then HASH1 is concatenated to HASH2 and HASH3 is concatenated to HASH4 to create HASH5 and HASH6 respectfully. HASH5 and HASH6 are concatenated to make root-hash. Algorithm 2 is a root-hash calculation algorithm. Figure 3 is the specific packet format in our proposed algorithm FAPMIC. A source node (Sender node, the node ''A'' in our case in Fig. 1) adds the source id and final destination id (Receiver of Packets, the node ''F'' in our

3) INITIAL NETWORK SETUP PHASE
During the initial network setup phase, all nodes forward their public key to TA and all other nodes in the networks. TA also shares public key with all nodes in the networks.

4) FORWARDING PHASE
In this particular phase, all nodes in the communication networks make a unique packet with a specific packet format, which is mentioned in the packet format section of this paper. Source nodes calculate root-hash with Merkle-Hash-Tree and appends with every packet. When a particular node forwards a message to another node, they keep encounter history/encounter records (Encounter is the contact between two pair devices, in DTNs contact between devices is known as encounter). Encounter history is an effective method for encounter record keeping [52]. When a node encounter other nodes, all nodes save encounter history, this includes nodes IDs (identity of both nodes), a sequence number of packets, time stamp, and sending messages history list (i.e ''A'' forwards packet M1 to ''B'' and vice-versa), both nodes sign this records with private key, (forging this records is difficult because after forging or deleting records, Encounter records becomes inconsistent, either sequence number or encounter time), for more detail refer [52]. When a destination node receives packets it saves one copy of the received message in their database (Storage).

5) ATTACKS DETECTION PHASE
When the destination node received all receiving packets. The destination decrypt messages and recalculate the roothash value. The destination node compares the root hashes (Source hash which is included in the packet and with calculated hash), if both hashes are verified, the destination node/algorithm assumes there is no attack detected otherwise the destination node/algorithm assumes there is an attack, which is detected. If an inconsistency is found in the roothash value, the destination sends the original copy which is saved in their database to a TA, and reports that particular misbehavior node to a TA.
A TA collects encounter-history information from all nodes. Then starts to count the number of bundles, if the number of forwarding bundles and receiving bundles are equal (TA calculates this from encounter-history, how many bundles are forwarded to that particular node, and how many bundles that particular node received). Then TA assumes there is no a SPDA detected, otherwise a SPDA is detected. If the number of received bundles is not equal to forwarding bundles so TA detects a SPDA (from encounter-history TA exactly detects malicious nodes which launch a SPDA). If TA finds that no SPDA is detected, TA starts to decrypt messages with the original key of the source, and finds all those packets which are not decrypted by the original source public key (TA has all public key). If a packet is not decrypted with the source public key, it means a malicious node drops a packet (original packet) and adds a new fake packet instead of them, TA detects a fake packet. After this TA starts to continuously decrypt that packet with all nodes' public keys sequentially. The packet will be decrypted with at least one key. The TA blacklist the signer (node) of that key is a malicious node, actually, that particular node launches a FPA. The TA exactly finds the intruder node which launches a FPA. The TA forwards blacklisting information to all nodes in the networks about misbehaving nodes. Algorithm 1 is our proposed algorithm FAPMIC.

C. CRYPTANALYSIS OF FAPMIC 1) ATTACK SCENARIO 1
Consider an attack scenario on our proposed algorithm FAPMIC. If malicious nodes launch both a FPA and a SPDA at the same time, the proposed algorithm detects only packet drops attacks (do not detect a FPA, algorithm work in this manner). For example, a node X forwards three packets to a node Y and two packets to a node Z which is destined for a node T. A node Y drops one packet (packet drops attacks) and a node Z modified one packet (FPA). When the destination verifies the root-hash, so the root-hash will not be verify due to one missing packet (packet drops) and one fake packet. The proposed algorithm only detects a node Y which drops packets ( packet drops attacks) but does not detect a node Z (FPA). This is obviously the downside of our proposed algorithm (false negative, this attack is possible). In the future we will modify this algorithm for this type of attack. Consider an attack scenario on FAPMIC, a node W forwards a packet to a node K, and a node K forwards that packet to a node Y (the final destination is a node X). When a node K forwards a packet to a node Y, the packet is dropped due to some other reasons (memory overloading, Intermittent connectivity, or something else). In this case the TA blacklist a node Y (report a node Y is malicious). However, in reality, a node Y is not malicious (false positive (minor ratio), but this ratio is significantly reduced with a number of received packets, transmission range, buffer management, and processing capability).

3) ATTACK SCENARIO 3
Consider an attack scenario in which malicious nodes overloaded the buffer of the TA by flooding attacks [8], [9]. In this case, the TA will not detect attacks because our proposed algorithm FAPMIC detects attacks when the TA collects encounter history from all nodes (TA buffer is full, which cannot collects encounter history information (Single point of failure, all centralized based algorithms have this issue) this attack is quite possible (in the future we will propose an algorithm which handles this issue).

4) ATTACK SCENARIO 4
Consider a colluding attack scenario on FAPMIC. When malicious node D forwards a fake packet to another malicious node S in a different path. When a node S forwards that malicious packet to a destination, the destination node verifies the embedded root-hash value with calculated roothash, obviously the root-hash will not be verify. However, the proposed algorithm FAPMIC does not blacklist a node S (colluding attacks are not successful on FAPMIC) because the proposed algorithm search for the actual source node which launches the attacks (FAPMIC is a node detection algorithm not a path detection algorithm. Previously proposed algorithms are path detection algorithms). This type of attacks are not successful on our proposed algorithm FAPMIC.

V. MATHEMATICAL EVALUATION
This section aims to critically analyze the proposed algorithms (Generically all and particularly our proposed algorithm FAPMIC) for detection probability and detection accuracy. This section analyzed the proposed algorithms, which ascertain some certain flaws/shortcomings of the algorithms. However, before more discussion on these observations this paper considers/assumes some assumptions, which are followed as; All values of the constants used in the equations are based on observation/analyses (constants depend on multiple factors). The exact/accurate values of the constants and their accurate relationship with proposed parameters are beyond the scope of this paper (in the future we will make simulation-based analyses to find exact values of the constants with parameters). Table 2 shows parameters along with symbols used in the mathematical evaluation section. The detection probability and detection accuracy of the FPA and the SPDA depend on various factors (which are vary from case to case). This article analyzes some of the dependency factors (dependency factors of the detection probability and detection accuracy), which are discussed in this section.
The detection probability of the SPDA (DP) and detection probability of the FPA (DF) in our proposed algorithm are dependent on packets. The proposed algorithm detects packet drops attacks when at least one packet reach their destination out of the total packets (TPs). However, our proposed algorithm detects the FPA, when all packets are delivered to the destination. Mathematically, DP detected = 1Packet/TPs.
While TPs are the sum of genuine packets (GPs) and fake packets (FPs).
Eq. 4 and Eq. 5 clearly show that both attacks are detected only when either one FPs or GPs reached to the destination. In case of the packet drops attacks, all GPs and FPs are delivered to the destination, however, in case of the FPA when either fake packet or genuine packet reached to their destination (the proposed algorithm FAPMIC run in this manner when either genuine or fake packet reached to the destination so algorithm starts detection process). The detection probability of our proposed algorithm also depends on encounter-history (EHs). The proposed algorithm only detects the SPDA and the FPA when TA collects EHs information from all nodes (direct relation).
According to the findings of this article, EHs sharing/ collections depend on various factors, such as transmissionrange (TRs), node-mobility-speed (NMS), transmissiontrajectory (TTs), and node-storage-space (NSS), etc. According to the analyses of this article, EHs are directly proportional to TRs up to some certain limit which depend on the value of the constant.
In Eq. 8 K1 is a constant of proportionality, the exact value of a K1 depends on connectivity, TA/benign-nodes processing capability, and available buffer space. Eq. 8 does not imply that EHs collections are increased (unlimited increased) with TRs. In DTNs, connectivity, storage space, and processing capability have certain impact on EHs collections. TA collects EHs information from all nodes. Nodes are mobile in DTNs, when the TRs of the nodes are increased so the probability of EHs collections are also increased (there is a direct relation between TRs and encounters, which further improves the collection of EHs packets, the proof of this claim will be given in the Simulation and Results section of this paper).
According to the studies of this article, the probability of EHs sharing are directly related to NMS, because when the nodes move faster, it will increase PDR while decreasing the packet loss ratios (Because PDR is directly proportional to NMS, this will further enhance the probability of EHs sharing). For more details refer to [9].
When the nodes move faster, the probability of EHs are enhanced which further enhance the detection probability of the attacks. Where K2 is constant of proportionality, which depends on various factors, such as the movement direction of the nodes (when a node move with high speed, however, the direction of the movement is opposite to the TA, so in this case the probability of EHs sharing will be decreased), mobility model (MapBasedModel, RandomWayPoint, RandomWalk), and encounter (Contact with TA), etc. According to the findings, EHs sharing with the TA also depend on NSS (Directly related). NSS is one of the most important factor for EHs sharing. Because DTNs have scarce resources (buffer space, bandwidth). If the TA buffer space is full so drops ratios become high (nodes share EHs packets, however, EHs packets are lost due to the buffer overloading) [9]. Where K4 is a constant of proportionality, which depends on the encounter, packet size (PS), numberof-packet (NPs), and node packet processing capability [8], [9].
And according to analyses of this article, NPs depend on the number-of-nodes (NON) [8], [9]. NPs are directly related to NON [8], [9]. Where K7 is a constant of proportionality, which depends on the node packet generation capability and node packet sending capacity.
However, according to studies of this article, EHs sharing broadly depend on the TTs as well. EHs sharing and TTs have a direct relation with constant time K3. K3 is constant which depends on the encounter (contact with TA), the distance between nodes and TA, relative to the movement speed of TA and other nodes, TRs, node transmission speed, and direction of the packet flow, etc. EHs = K3*TTs.
For illustrations/analyses this article shows various cases/ scenarios of mobile nodes in the Cartesian-Plane. Fig. 4 shows various cases of the mobile nodes in Cartesian-Plane.

A. CASE1/SCENARIO1
Consider Case1 in Fig. 4, there are two nodes A, B, and TA. The TA collects EHs information from A and B. EHs collections depend on the distance between TA and nodes (which is proportional to TRs and TTs). To find the distance between node B and TA, this article considers the coordinates of the nodes in the Cartesian-Plane. The abscissa (X-Coordinate) of the TA is x2, and the ordinate (Y-Coordinate) is y2. While the X-Coordinate of B is x3 and Y-Coordinate is y3. According to the distance formula, the distance (D1, distance always positive/absolute) between TA and B will be calculated as follows.  The TA only collects EHs information from B with a specified distance, which depends on TRs, relative speed of TA and B. Assume TA and B move toward each other with a constant speed (S). According to the law of physics, covered distance will be calculated as follows.
Putting the value of Eq. 15 in Eq. 16 From Eq. 17 every one can easily calculate the required moving speed of a node per unit of time.

B. CASE2/SCENARIO2
In the scenario2 of Fig. 4, the TA is located at a specific position on the Cartesian-Plane and the node is located in another specific position on the straight line (L1). The distance between the TA and the A will be calculated through a specific formula of mathematics (Distance of Point with respect to a line). Equation of the straight line is given by the following formula (according to the rules of analytic geometry, generally straight line equation).
The Coordinate of the TA are x2, y2, putting the coordinate of the TA in Eq. 18 and dividing with the which is the required distance of point with respect to a line (distance between TA and node A). Putting the value of Eq. 19 in Eq. 16 we get the required speed for nodes.
Putting the coordinate of the node A (x1,y1) in L1 (Eq. 18) we get the position of point (coordinate, which is actually the node position/location) with respect to a line. If the value of the line after putting the coordinate of the node A is greater than zero so the node A lies above the line, if zero, node A is on line, and if less than zero so the node A is below the line (According to the rules of mathematics). Also, the distance between the TA and the node A can be calculated through slope (steepness). If the line between the TA and the node A (ST-line) make an anticlockwise angle with the TA (θ ). So the slope of the ST-line will be calculated as follows.
Putting the value of Eq. 15 and Eq. 19 in Eq. 22 we get.
Eq. 23 easily finds the value of Tanθ, if the value of the D1 and the D2 are known. Conversely, the value of θ will be the Tan inverse of the D1 by D2 (D1/D2). Also according to the theorem of mathematics Tan θ is equal to Sinθ by Cosθ. So the Eq. 23 becomes, From Fig. 4 case1 Sinθ and Cosθ will be calculated as follow.
C. CASE3/SCENARIO3 In the scenario3 of Fig. 4 there are two nodes, the TA and the node C. The node C moves towards the TA, and the TA moves upwards (Perpendicular to the node C). There are various method to find the slope (steepness, which is equal to rise by run) of the given line (Slope of line is very important because the slope gives a clear idea about line, the lines are perpendicular or parallel). The coordinate of node the C and the TA are x3, y3, and x4, y4 respectively. In method one we can finds the slope of the line2 (S2) from the coordinates of the node C and the TA.
In the case of line3 (L3), we know only the coordinates of the TA, so we can calculate the slope of the L3 from the line equation (general equation). Let the general equation of the L3 is, Eq. 28 can be written as (divide all terms by b), The slope-intercept form of the general straight line equation is, where m in Eq. 30 is the slope of the line and c is the y-intercept of the line, compare Eq. 30 and Eq. 29 to get the slope of L3 (S3).
If the product of slopes of the two lines are -1 (minus one) so the lines are perpendicular or if the slopes of both lines are equal, so the lines are parallel (According to the rules of Analytic Geometry).
Putting the values of the Eq. 34 in the Eq. 35 we get,

D. CASE4/SCENARIO4
In the scenario4 of Fig. 4 there are two nodes, the TA and the node D. Both the nodes are moving in the same direction (parallel to each other). Relative speed and distance between the nodes are calculated from the slopes (Slope can be calculated with the same procedure mentioned earlier in this article). If the slopes of both lines are the same, this imply that the lines are parallel (According to the rules of analytic geometry). If the lines are parallel so the distance between the nodes can easily be found with a position of a point with respect to a line (Eq. 19).

E. CASE5/SCENARIO5
In the scenario5 nodes are moving in the same direction on the horizontal-axis. The slope of this line will always equal to zero (According to the rules of coordinate geometry, if the nodes move through horizontal-axis the slope will be zero (because y-coordinate is always zero, zero divided by something gives us always zero) and if the nodes move in perpendicular-axis slope will be undefined (because the x-coordinate is zero in this case. Something divided by zero gives us undefined (infinite functional value)). This is a very important result for the researchers to guess the movement direction of the nodes). For EHs collections the relative speed of the nodes are very important in this case. If the relative speed of both nodes are the same and both nodes (TA, E) are within TRs of each other, so the TA can collects EHs from the required nodes otherwise not.

F. CASE6/SCENARIO6
Consider the nodes in Fig. 4. There are two nodes, the TA and the node F, which move towards each other (Same trajectory), the slope of the nodes will be zero like the scenario5. The TA can easily collects EHs information in this case, which depend on other factors (Buffer space, processing power of the TA, etc). The Detection Accuracy (DAC) of our proposed algorithm depends on encounters (contacts), Inter-Contact-Time (CT), Contact-Duration (CD. If nodes encounter but encounter time is very low so the probability of packet sharing is low), and NPs. DAC are inversely related to CT (nodes that meet after a long time) and directly proportional to NPs [9], [53]. NPs are directly related to NON, which is already mentioned in this article. Consider our proposed algorithm FAPMIC, the FAPMIC does not detects misbehavior nodes until the encounters of the TA and other nodes in the networks (TA collects EHs information from all nodes in the networks). If misbehavior malicious/selfish nodes meet frequently with the TA, this imply short CT, which obviously enhance the detection probability (high detection probability) otherwise the detection probability is low. However, if the number of nodes in the network is high, then the probability of the attack detection will be high (If we keep all other parameters constant).
where K8, K9, and K10 are constants of the proportionality, depending on a mobility strategy (towards each other, moves in the opposite direction, moves parallel, or moves perpendicular to each other), mobility model, and nodes storage space. If the nodes in the networks meet frequently (encounter frequently) however, CD (duration of encounter time is not enough for a packet transmission and packet receiving) are low (low), so definitely it will significantly affect the DAC. Consider a scenario in which some nodes encounter other nodes, however, the duration of encounter is not enough (low/less) so obviously there is the possibility in which the nodes do not share an EHs bundles/packets and also the probability of the packets drops will be high in this particular case). From these observations (studies) this article concluded that the DAC is related to the communication area of the nodes (Area). The area maybe a triangle, square, circle, rectangle, and may be something else (zig-zag area, which is more probable in the communication that is why this article chose the integral area because we can find the zig-zag area very easily by the theorem of definite integral (there are two types of integral, definite and indefinite integral), we can also calculate square, circle, etc quite easily with the theorems of mathematics) According to analyses of this article the DAC is inversely related to the integral communication area.
where P1 and P2 are two specific points in the Cartesian-Plane (any two points in the communication area). P1 and P2 are lower-bound/lower-limit and upper-bound/upper-limit VOLUME 11, 2023 of the communication area receptively. In the Eq. 41 K11 is constant. According to the studies of this article, the value of K11 depends on mobility-pattern/mobility-model, NMS, TRs, and buffer-capacity. The ''x'' is an integer in the above equation. The value of the ''x'' varies from scenario to scenario. The value of the ''x'' depends on the scenario (which type of scenario, how many nodes are in the scenario, and mobility model, etc), and the walking speed of the nodes in the scenario. The Eq. 41 implies that if the nodes are deployed in a small communication area (like a small cluster area, this paper simulates a scenario with ClusterMovementModel, which has a small area to prove this claim in the Simulation and Results section of this paper), this will improve the DAC and the detection probability (if the communicating nodes are deployed in a small area, so it will increase the value of the encounters, which further enhance the PDR and the detection probability. The proof of this claim will be given in the Simulation and Results section of this article).
In the Eq. 41 K11 is a mobility constant (this article calls this mobility constant), according to the findings of this paper, K11 is directly proportional to the DAC, if a node moves toward each other in the same line (opposite direction, mentioned in mathematical evaluation section) and inversely proportional, when nodes move in the same direction. We can easily solve Eq. 41 by the fundamental theorem of calculus. According to the fundamental theorem of calculus, (Area upper-limit (which is P2 in our case) -Area lower-limit (which is P1 in our case)). Let the function of the integral area is f(x) then according to the fundamental theorem of the calculus, area will be calculated as follow,

G. MATHEMATICAL MODEL
This section aims to derive mathematical functions (relations) for the Hit-ratio and Mis-ratio of the proposed algorithm (to find the probability of the algorithm for detecting and undetected fake packets in the networks). Let F P be the probability that there exists one bogus packet (fake packet) in the networks, so the probability of the fake packet in the network will be calculated as follows, Let A hr (Hit-ratio) be the probability of an algorithm to detects the fake packets. Let A mr (Mis-ratio) be the probability of one fake packet which is undetected in one hop (surviving fake packet).
Let B mr be the probability of one fake packet that remains undetected in all hops (AH. There are multiple hops in the networks).
Let C mr be the probability of N packets remaining undetected in all hops.
The Eq. 47 clearly shows that undetected fake packets (Mis ratio) exponentially grow (up to some certain limit) with NPs and malicious hops (in which malicious nodes exist). Put the value of the Eq. 47 in the Eq. 45 we get, The probability of the total fake packets (TFPs) will be the sum of the detected (Hit-ratio) and undetected (Mis-ratio). From the Eq. 44 and the Eq. 45, Put the value of the Eq. 48 in the Eq. 49 we get, From the Eq. 52 anyone can find the TFPs, the detected packets, and undetected packets (it depends, if we find either hit-ratio or mis-ratio, we can easily calculate TFPs in the networks). Taking the logarithm of both sides of the Eq. 52 we gets,

VI. SIMULATION AND RESULTS
This paper has evaluated the performance of our proposed algorithm FAPMIC for the misbehaving nodes detection in ICNs through various evaluation techniques. Evaluation is done with the help of simulation. This paper simulates the proposed algorithm FAPMIC in the Opportunistic Network Environment (ONE) [54] simulator, ONE is specially designed for the ICNs (DTNs). This paper compared the proposed algorithm FAPMIC with previously proposed algorithms. Simulation is carried out on various metrics (parameters) given in the Table below. Table 3 shows the parameters-list for our proposed algorithm FAPMIC (Same simulation parameters setup with previously proposed algorithms).

A. EVALUATION-METRICS
Simulation is evaluated based on various proposed metrics rigorously, which are followed as.

1) PDR AND PLR
It is the ratio between delivered bundles to the total generated bundles. If the number of delivered bundles are DB and the total generated bundles are TGB then PDR and PLR will be measured as follow.

2) LATENCY
A specific amount of time required from the creation of bundles to delivery to the destination is known as latency (this paper calculates average latency in the simulation).

3) PACKET-AVERAGE-BUFFER-TIME (PABT)
PABT is the duration of time that packets spend in the memory. PABT is an important parameter to judge the efficiency of all algorithms because PDR/PLR and detection of misbehaving attacks depend on PABT (Our proposed algorithm detects attacks when the TA collects EHs, which need space in the buffer, that is why this article considers PABT).

4) TOTAL ENCOUNTERS (TEs)
TEs are the total-numbers-of-encounters (contact/meeting) of all nodes in the simulation.

5) DETECTION ACCURACY
The Detection Accuracy is the ratio of misbehaving nodes' attack packets that are accurately detected out of all the attack packets.

6) DETECTION DELAY
The average amount of time required to detects the first malicious packet/malicious node.

7) WASTED TRANSMISSION (WT)/BANDWIDTH CONSUMPTION
It is the average amount of wasted transmission (wastage of bandwidth) in the simulation times. If the total relayed bundles/packets are TRPs, the total aborted bundles/packets are TAPs (This includes both forwarder side and receiver side aborted bundles), the total forwarder-side aborted packets TFAPs, and the total receiver-side aborted packets are TRAPs. The size of the bundles in Kb are (SPs) then the the total bandwidth consumption will be calculated as follow, WT = ((TRPs) + (TAPs)) * (SPs))/1000.
In the above equation 1000 directly convert packets from kilobytes to megabytes. In the Eq. 57, TAPs includes those bundles/packets which are suddenly aborted after the relay phase. Actually, TAPs consume the transmission (bandwidth), however, this article does not consider these bundles in the packet drops. According to the analyses of this article aborted bundles are divided into two broad categories/types. Such as forwarder-side aborted and receiverside aborted bundles. TAPs in the above equation are forwarder-side aborted packets (This article only considers this simulation case. This article considers various packet sizes, however, for demonstration purposes this article shows wasted transmission results with packet size being 20K constant (Multiply our simulation results with 35 to convert it to 700K packet size)). If TAPs are receiver side aborted then Eq. 57 will become WT = ((TRPs) + ((TFAPs) -TRAPs) * (SPs))/1000).

8) FALSE POSITIVE
Categorizing benign nodes as malicious nodes.

9) FALSE NEGATIVE
Categorizing malicious nodes as innocent nodes.

B. SIMULATION RESULTS
This article rigorously checked the proposed parameters by various methods/tests. Results gained for the proposed algorithm FAPMIC is discussed as follows.

1) EXPERIMENT 01
This paper in ''experiment 01'' evaluated/tested PDR, AL, WT, PABT, and TEs for the nodes mobility models, such as RandomWalkModel (RWM), RandomWayPointModel (RWP), and ClusterMovementModel (CMM) to evaluates our proposed algorithm FAPMIC for the SPDA. Fig. 5, Fig. 6 and Fig. 7 demonstrate testing results of the PDR of routing protocols with RWM, RWP and CMM respectively. Just for the demonstration purposes this paper only shows testing results of two routing protocols i.e Epidemic and SparyAndWait in RWP and CMM. This article simulates routing protocols without malicious nodes (normal scenario), a scenario with malicious nodes (malicious nodes  Simulation results clearly show, PDR is decreased (In all simulating routing protocols) while the PLR is increased (For demonstration purposes this paper shows testing results of PDR due to page limitation. Everyone can easily calculate PLR from these results (formula given in this paper)). This is because of malicious nodes which launch the SPDA. Experimental results clearly illustrate, the ratios of PDR is improved with our proposed algorithm FAPMIC because the FAPMIC detects and blacklists misbehavior nodes that launch SPDA. This ultimately enhanced PDR and PLR ratios.
From experimental results, this research works observed that due to the SPDA, approximately 9 to 25 percent, 9 to 29 percent, and 02 to 18 percent PDR decreases with RWM, RWP, and CMM respectively. Simulation results clearly show  that approximately 3.3 to 12 percent (RWM), 6 to 16 percent (RWP), and 02 to 10 percent (CMM) PDR is improved due to our proposed algorithm. Experimental results clearly demonstrate that SprayAndWait is mostly affected while FirstContact is less affected due to the misbehavior nodes attacks. Because SprayAndWait spray packets then wait some certain times, the proposed algorithm does not detect malicious nodes in the wait-time. FirstContact forwards only packets to the FirstContacted node (sends fewer packets) and the probability of the detection is high that is why FirstContact is less affected due to the SPDA. Fig. 8, Fig. 9 and Fig. 10 shows ''Experiment 01'' results of average latency (AL) of routing protocols with various transmit ranges. Mobility-Model are RWM, RWP, and CMM respectively in the aforementioned figures.
Simulation results clearly show that AL is high when no malicious attacks, and the graphs become down when the malicious nodes launch attacks. This is because some packets are dropped, which are not delivered to the destination (More packets are created but fewer packets are delivered to the destination due to the SPDA, which is why graphs suddenly down). Simulation results clearly show that the proposed algorithm improved AL (The proposed algorithm graph is above malicious graphs it seems AL is dis-improves but in reality, this is an improvement because the proposed algorithm detects malicious nodes and enhances PDR which is why AL is high). Fig. 11, Fig. 12 and Fig. 13 shows      launch attacks, they drop some packets which are subtracted from the relayed packets. That is why it consumed a small amount of bandwidth than the normal scenario. Simulation results clearly show a higher bandwidth consumption in our proposed algorithm than in malicious scenarios (Because the proposed algorithm blacklist the malicious nodes which launch the SPDA). When WT is high it implies some certain malicious nodes are blacklisted, which improve the ratios of PDR, this ultimately implies a higher bandwidth consumption. Fig. 14, Fig. 15 and Fig. 16 shows simulation results of packet-average-buffer-time (PABT) of various routing protocols with RWM, RWP and CMM respectively.
Simulation results show that PABT is high when there are no malicious nodes. When some malicious nodes launch the SPDA, so drop ratios become high which is why some packets do not reach their destination. This spends fewer times in the buffer, which is why PABT is decreased in malicious scenarios. Testing results clearly demonstrate that VOLUME 11, 2023   the proposed algorithm FAPMIC improved PABT with all routing protocols. Because FAPMIC detects misbehavior nodes and stops the SPDA to some certain extent. That is why packets spend more time in the buffer. Simulation results clearly show that PABT with RWM is high for RWP and CMM. Because in RWP models, nodes randomly move in all direction that is why the probability of the number-ofencounter with the nodes are high, which improve PDR and PABT. PABT of CMM is a little bit less than RWP because in CMM transmission areas are very small (small clusters), so it sends a lot of packets (due to buffer overloading packets being dropped in CMM). Simulation results also clearly proved that the PABT of SparyAndWait is high relative to other routing protocols (The EpidemicRouter continuously floods packets which is why PABT is less). Because SprayAndWait sprays and then waits sometimes that is why the PABT of the SprayAndWait is high. Fig. 17 shows testing results of total-encounter/contact (TEs) with various transmit ranges (For the demonstration purpose this paper only mentioned results of RWM (RWP and CMM shows similar results)). Simulation results clearly show that TEs are increased with transmission range. This ultimately enhanced PDR (due to high numbers of encounters) and attack detection probability (This is the prof of the claim of this article, which is already mentioned in the Mathematical Evaluation section of this article). Fig. 18, Fig. 18 and Fig. 20 illustrate the testing results of TEs with simulation-time with RWM, RWP, and CMM respectively. Experimental results demonstrate that TEs are higher in CMM relative to RWM and RWP (the reason for this is already mentioned in this article). Simulation results clearly proved that TEs are increased with TRs.
From simulation results this article concluded that due to SPDA, PDR and AL is decreased while PLR is increased. Moreover, PABT is decreased due to the SPDA. It is also observed from simulation results that RWP is mostly affected while CMM is least affected in term of PDR. This article also concluded from simulation results that TEs is increases with transmission range, which further improve PDR.

2) EXPERIMENT 02
In ''experiment 02'' this article calculated the DAC, detection delay, and false positive/false negative ratios with various strategies (tests) of the FAPMIC. Fig. 21 (TRs=10) and Fig. 22 (TRs=20) show simulation results of the DAC of the SPDA and the FPA of routing protocols with a number of packets (Just for the demonstration, this paper only  shows experimental results of RandomWayPoint mobility model, however, ClusterMovement model further improved the DAC, due to a high number of encounters, this fact is mentioned already in this article in Fig. 20). Simulation results show that the DAC of DirectDelivery is high relative to other protocols. This is because DirectDelivery forwards packets directly to a final destination, which obviously enhances the DAC. The DAC of the FirstContact is little bit below than the DirectDelivery because the FirstContact forwards messages to the first contacted nodes. Actually, messages are delivered with at least two hops (that is why accuracy is low). The DAC of the SprayAndWait is minimum, because the SprayAndWait wait some certain times after the spray phase, which obviously takes some time to deliver the messages to the destination (Attacks are not detected in the FAPMIC when at least one packet and all packets did not reach the destination in the SPDA and the FPA respectively). The DAC of the EpidemicRouter is a little bit higher than the  SprayAndWait, because the EpidemicRouter flood packets, due to this flooding, the probability of the packets' delivery to the destination is enhanced, which further enhances the the DAC.
Testing results illustrate that the DAC of the SPDA is a bit higher than the FPA. Because the SPDA is detected in the the FAPMIC when at least one packet reaches its destination unlike the FPA detection (FPA detected only when all packets are delivered to the destination). The experimental results clearly illustrate that the DAC is enhanced with the TRs (Almost 5 to 8 percent improvement in the DAC from TRs=10 to TRs=20). Because it is already stated in this article that the TRs are directly proportional to TEs, PDR increases with the TEs, this further improves the DAC. Fig. 23 illustrates simulation results of the detection delay of the SPDA and the FPA of routing protocols with the NPs. Simulation results clearly demonstrate that the detection delay of the DirectDelivery is high among all simulated protocols. The DirectDelivery forwards packets directly to the final destination, which obviously consumes long times (because of disruption/disconnectivity, that is why the detection delay is high). The Detection delay of the FirstContact is a little bit below than DirectDelivery because  the FirstContact sends packets to the first encounter node (packets reach the destination in at least two hops). Thus, packet delivery to the destination is the responsibility of that particular first contacted node (Due to the sparse nature of DTNs, it takes significant time for the packets to be delivered to the destination). The detection delay of the SprayAndWait is moderate because SprayAndWait waits significant times after the spray phase. The detection delay of the Epidemic is a little bit lesser than the SprayAndWait because the Epi-demicRouter flood packets. The EpidemicRouter forwards more packets among all simulated protocols, which enhances TEs, TEs further improve PDR, and this further improved the DAC and detection delay. Furthermore, the results clearly illustrated, the detection delay of the SPDA is a little bit higher than the FPA (the reasons are already mentioned in the simulation results of the DAC). Fig. 24 demonstrates the false positive ratios in our proposed algorithm FAPMIC for various routing protocols with NPs. The simulation results clearly indicated that the ratios of the false positives are sequentially decreasing with the NPs. The simulation results demonstrate that the false positive of the DirectDelivery (packet drops ratios are low in DirectDelivery) is minimum and the Epidemic (packets drops ratios are high in Epidemic) is higher among all simulated routing protocols.
The reason behind false positive ratios in our proposed algorithm FAPMIC is due to the packet drops (drops due to some other reasons (buffer overloading), not because of the malicious nodes). Considers an attack scenario in which malicious nodes drop selective packets. When the destination nodes verify the root-hash, if the root-hash does not verify, so the destination report that particular node to the TA. The TA collects EHs information and counts the number of packets. If the forwarding packets are not equal to receiving packets, then TA finds those malicious nodes from the EHs that drop packets. Considers an attack scenario, the node ''A'' forwards packet to the ''C'', and the ''C'' forwards that packet to the ''D'' (final destination is the ''E''), the ''D'' drops that packet, but the packet is dropped due to some other reasons (memory overloading, or something else). In this case the TA blacklist the node ''D'' (reports the node ''D'' is malicious), however, in the reality, the node ''D'' is not malicious (false positive, but this ratio is significantly reduced with a number of received packets which depend on TRs, node processing capability and buffer management). Simulation results clearly show that false positive ratios of the FPA is a little bit less than the SPDA (fewer chances of false positive because algorithm detects the FPA only when all packets reach their destination). Considers a second attack scenario, in which malicious nodes (one node drops and one node inject a new fake packet) drop and inject a fake packet. When the destination nodes compare the roothash, which obviously is not matched. After reporting to the TA (TA runs in the previously mentioned detection process). The TA blacklists packet dropping malicious node and leave fake packet attacker node (algorithm run in this manner. False negative). However, these types of attacks happened very rarely. The false negative ratios of our proposed algorithm is almost zero (almost negligible in the simulation results) with all routing protocols, that is why this article not shown results here to just save space (this article shows simulation results of false negative rate in comparison with previously proposed algorithms in the comparison section).
From simulation results this article concluded that DAC of DirectDelivery is high and minimum in SprayAndWait. From simulation results this article observed that DAC is enhance with TRs. From simulation results this article concluded that detection delay of DirectDelivery is high among all routing protocols. Moreover, the experimental results indicates that the ratios of false positive is decreasing with NPs. It is also observed from simulation results that the ratios of false positive of DirectDelivery is low while Epidemic have high.

A. DETECTION ACCURACY
This article compared various research articles (with various tests) with our proposed algorithm FAPMIC for the DAC. Fig. 25 shows simulation results of the DAC of previously proposed article [48] (Reputation) and the article [46] (Trust) with FAPMIC (With same simulation setup [48] and [46]). Testing results clearly illustrate that the DAC decreases with the number of malicious nodes in [48] and [46] with simulation times. The simulation results demonstrate the DAC is improved with simulation times. The simulation results of our proposed algorithm FAPMIC clearly shows that the DAC is initially enhanced with some malicious nodes and then starts to decline. This is because, our proposed algorithm detects malicious nodes when the TA collects EHs from all nodes. When the number of misbehaving malicious/selfish nodes are increased, the probability of the packet collections (NON is directly proportional to TEs, which further enhanced the PDR and the DAC) are increased which improve the DAC. However, when the number of malicious nodes cross some specific limit (number of malicious nodes increase) so the DAC starts to decline because the EHs collection capability of the TA starts to decline (due to the memory overloading, some packets drop, the packets processing capability of the TA declined, so therefore the TA needs some certain time to collects all EHs packets). The simulation results indicate that the DAC of our proposed scheme is better than [48] and [46]. Fig. 26 shows comparison results of the FAPMIC with previously proposed article [51] (PIDMIO) for the FPA DAC (With the same simulation setup as PIDMIO, TRs 10). The simulation results of PIDMIO clearly shows up-anddown graph (like a zigzag path) when the number of malicious nodes are increased (no clear indication that the DAC either decreases or increases with intruder nodes). The simulation results clearly demonstrate that our proposed algorithm FAPMIC improved the DAC (initially below/lesser than PIDMIO because in our scheme, the TA collects EHs packets which depends on encounters, then after some time the graph becomes stable when the TA collects EHs from various nodes) as compared to PIDMIO. It is also clear from experimental results that the DAC is increases with the number of malicious nodes (this article already mentioned up to some certain limit the DAC are increased then starts to decreases).   [23] (DAPCA) for the FPA DAC (With the same simulation setup like DAPCA). Testing results clearly demonstrate that DAC is decreases with malicious nodes in the DAPCA. From experimental results this research works concluded that the DAC of our proposed algorithm FAPMIC is increases with number of malicious nodes then starts to decreases (reasons are already mentioned in this article). Simulation results clearly indicate that our proposed algorithm FAPMIC performs better than the DAPCA in EpidemicRouter and FirstContact (DAPCA, DAC of SprayAndWait is better than FAPMIC).

B. FALSE POSITIVE AND FALSE NEGATIVE
This article compared simulation results of false positive rate (the SPDA) of article [46] (Trust) with our proposed algorithm FAPMIC (with same simulation setup, this article shows results of Epidemic). Article [46] only shows results of false positives (that is why this article compared results of FAPMIC only with article [46]). The simulation results show that, false positive rate is increased (Unlike in the Trust-Based-Algorithm in which false positive rate is decreased with misbehavior nodes) with misbehavior nodes in the FAPMIC (Reasons for this are already mentioned in the simulation results of this article in Experiment 02). The simulation results clearly indicate that the ratios of false positives of the FAPMIC is better than article [46] when the number of malicious nodes are below seventy percent (seventy percent is a very high percentage, the probability of malicious nodes above seventy percent is very rare (low)).  The simulation results clearly demonstrate that our proposed algorithm FAPMIC reduced/enhanced the number of false positives relative to the DAPCA. The simulation results also show the false negative rate of the PFA relative to the FAPMIC. The simulation results clearly show that the false negative rates increases with the number of malicious nodes in the PFA. The simulation results also demonstrate that the false negative ratios of our proposed algorithm FAPMIC is almost zero (Reasons for this are already mentioned in the simulation results of Experiment 02).

C. MISCELLANEOUS PARAMETERS
This research work demonstrates various parameters in the simulation and results section of this article. The simulation results show that our proposed algorithm FAPMIC enhanced resources consumption, this enhancement further improved the PDR, PLR, PABT, WT, AL, and TEs. The experimental results of the aforementioned parameters are not shown in the previously proposed articles. That is why this paper does not compared the aforementioned parameters (not possible to compare). However, this is already illustrated in the simulation section of this article, that the algorithm FAPMIC improved the aforementioned parameters. Table 4 summarizes the achievements/contributions of this article relative to the previously proposed algorithms in this security domain. In Table 4 FPAD is the fake packet attack detection, SPDAD is the selective packet drop attack detection, DD is the detection delay, FP is the false positive, FN is the false negative, NE is the number-of-encounters and PR is the probabilistic results (+ in the table means researchers show that particular parameter in the paper and -means researchers did not show that particular parameter in the paper).

VIII. CONCLUSION AND FUTURE WORKS
The focus of this research works on misbehavior node mitigation in ICNs, which launch various attacks. Moreover, these attacks further degrade/demolish the network performance. The malicious nodes often launch various attacks, the goal of the misbehavior nodes are to mainly drop packets or inject bogus-packets/fake-packets to degrade the network operations. We further concluded from the simulation results that due to the aforementioned attacks, delivery ratio decreased while packet loss ratios increased. Also, the misbehavior nodes overused scarce resources (consumed buffer, bandwidth), created the nodes unavailability, and disseminated the fake packets. This article presented an algorithm FAPMIC, which mitigates the SPDA and the FPA. The simulation results clearly demonstrate that an algorithm FAPMIC mitigates misbehavior malicious/selfish nodes, and save limited resources of the DTNs. This further improved the delivery ratios, loss ratios, DD, DAC, and reduced the FP, and the FN rates. This paper concluded from the experimental results that the TRs are directly proportional to the number-of-encounter (contacts), which further improved the PDR, DAC, DD, FP, and the FN ratios.
From the simulation results this article concluded that due the SPDA, all previously proposed routing protocols are affected, however, the SprayAndWait are mostly and the FirstContact is least affected. This is because our proposed algorithm detects attacks when the nodes share EHs packets with the TA. SprayAndWait waits some certain times after the spray phase, that is why in this idle time the proposed algorithm does not detects the malicious nodes. FirstContact forwards packets to only the first contacted node (the packet is delivered to the destination with at least two hops), so the probability of the detection is high, which is why the attacks have minimum effect on the FirstContact. This paper also analyses from testing results that the DAC is enhanced with the NPs (FAPMIC detects attacks when the nodes share more EHs packets), also the DAC is increased with the NON up to some certain limit (NON is directly proportional to the NPs) then starts to decreased (because when malicious nodes cross some certain limit, which sends more packets and the TA cannot collects all packets, that is why the DAC starts to decline). From the simulation results, this article observes the rate of FP is decreased with the NPs and increased with the number-of-malicious nodes.
This article also launches various theoretical attacks on previously proposed algorithms/FAPMIC. This cryptanalysis clearly show loopholes on previously proposed algorithms and FAPMIC as well. These analyses (mathematical analyses and cryptanalysis of this article) hopefully will improve the design of the detection algorithms in the future.
Hopefully, this article will further motivates the researchers' interest in this security domain and further highlight the following directions for investigation.
* Proposed an algorithm/method which detects a particular misbehavior node, which launches the SPDA and the FPA at the same time. * Proposed distributed-based detection algorithm which overcomes a single point of failure of the centralizedbased detection algorithms. * Exact relationship (quantitative-based analyses/ simulation-based analyses) of the parameters and constants used in the mathematical evaluation section of this article. * Artificial-intelligence-based algorithm that detects bogus bundles and intruder nodes that inject bogus bundles into the networks. * Mathematical system which track the position of all nodes in vehicular networks.