Trust-Aware Five-Class Multinomial Logistic Regression for Packet-Dropping Mitigation in Mobile Ad Hoc Networks

A Mobile Ad Hoc Network (MANET) is a collection of mobile devices that autonomously establish a communication network without centralized control or pre-existing infrastructure [1]. Without relying on fixed infrastructure, it enables decentralized, self-organizing wireless communication among mobile nodes, such as smartphones, sensors, or vehicles [2]. This dynamism makes MANETs ideal for dynamic environments such as disaster recovery, military actions, and also Vehicular Ad Hoc Networks (VANETs), and Internet of Things (IoT)-based smart city applications [3]. MANETs take advantage of node mobility and peer-to-peer routing to produce ad-hoc, short-lived self-forming topologies for quick operations in deprived infrastructure and low resource situations, unlike traditional wired or infrastructure-based wireless networks that use a well-planned topology [4]. But their open wireless environment, dynamic topology, and the absence of centralized authority, controlled transmission power, and restricted computation all make them highly vulnerable to malicious attacks [5]. One such malicious attack at the network layer is packet dropping attacks, such as black hole [6] and gray hole [7] attacks, which break the communication by deliberately discarding packets.

Moreover, packets are also dropped accidentally due to resource limitations and network characteristics such as buffer overflow and/or energy depletion [8]. These dropped packets will further diminish the network performance. This degeneration complicates the separation between malicious and unintentional packet dropping actions in the network [9]. Drop packets in MANET have a significant detrimental impact on vital performance parameters. It decreases the packet delivery ratio (PDRatio) and limits the network’s capability to deliver data. The overall data transfer rate is further lowered due to the reduced throughput. Furthermore, dropping packets will add latency to communication. These kinds of problems undermine the dependability of mission-critical applications [10].

These types (black hole and gray hole) of attacks exploit the properties of the MANET routing protocol’s vulnerabilities [11]. The routing protocols, such as reactive, proactive, hybrid, and resource-aware, assume that other nodes cooperate for forwarding packets, but the packet dropping nodes exploit it. With a black hole attack, all the packets are dropped by nodes in a malicious manner to prevent network conversation from taking place [12]. Gray hole attack is the selective packet dropping in which detection is difficult to service [13].

At the same time, some non-malicious nodes in the network inadvertently drop packets due to reasons such as buffering and energy exhaustion [14]. These drops can be interpreted as malicious packet-dropping activity, such as a black or gray hole. Thus, existing packet-dropping detection systems are prone to producing false positives, as they misidentify non-malicious packet drops as malicious packet drops. Ultimately, the performance of the network degrades.

The available packet drops mitigation mechanisms in MANETs, such as credit-based [15], reputation-based [16], and acknowledgment-based, suffer several problems. Adoption of credit-based platforms requires the use of hard-to-deploy tamper-resistant hardware measures. Reputation-based approaches often can't differentiate malicious and non-malicious packet drops accurately, which leads to frequent false positives. At the same time, the protocols that use acknowledgment, like CACK [17], add excessive messages to confirm packet delivery. This increases overhead and still can't accurately detect the packets that drop due to system faults (unintentional drops) like energy or buffer issues [18]. Machine learning (ML) based intrusion detection systems (IDS), such as those using support vector machines (SVM) and random forests (RF), cannot classify different types of packet drops accurately, especially if the dataset is dominated by diverse drop patterns [19]. Although cryptographic frameworks enhance network security, they require high computational power, which is impractical for resource-constrained MANETs [20]. Collectively, these drawbacks of these existing solutions indicate the need for enhanced security strategies for MANETs.

To overcome the issues of existing systems, this study comes with a trust-based lightweight ML system to detect and prevent the malicious and non-malicious packet drops in MANETs. The proposed framework uses multinomial logistic regression (MLR) [21] to categorize the node behaviour into different packet dropping categories like black hole, gray hole, buffer overflow, and energy depletion. This classification helps to identify exact packet dropping behaviours of nodes, i.e., either malicious or non-malicious. The framework studies from NS-2 [22] trace files and extract network characteristics, packet-related information, and network performance, like packet delivery, queue utilization, and residual energy. Extracted information contributed to computing the trust value, and it is dynamic. Further, this trust value is used for route computation; this leads to increasing reliability by avoiding malicious nodes. Therefore, the proposed framework extends the network performance by packet delivery improvement, decreasing false positives, and increasing efficiency in decentralized MANETs.

The contributions in the study include 1. A five-class multiple linear regression classifier for the detection of dropped packets 2. Dynamic trust-based scoring 3. Integrating classification and trust into the Ad hoc On-Demand Distance Vector (AODV) protocol for secure routing.

The paper is organized as follows: Section 2 provides background, Section 3 reviews related work, Section 4 defines the problem, Section 5 details the proposed framework, Section 6 presents performance evaluation and discusses findings, and Section 7 concludes with future directions.

The security of MANETs against packet-dropping attacks has been researched extensively, with trust-based detection mechanisms, ML-based IDS, secure routing protocols, and hybrid frameworks.

3.1 Trust-based detection mechanisms

A trust-based mechanism tracks node behaviour rapidly and estimates the nodes' reliability against packet-dropping attacks. Existing works, such as CONFIDANT [24] and CORE [25], leverage positive and negative reputation scores computed on direct and indirect observables to mitigate forwarding nodes for malicious activities. Alerts are used in CONFIDANT to disseminate the reports of misbehaviour, whereas in CORE services, they are not provided to uncooperative nodes. However, the static scoring strategies cannot differentiate between unintentional and malicious drops and may cause false positives on dynamic MANETs. More advanced trust models use multi-metric evaluations considering packet forwarding rate, end-to-end delay, and residual energy [18]. A reputation-based scheme to defend against packet dropping attacks, but it cannot adapt quickly to changing topologies and is not temporally adaptive. Credit-based approach Termi-nodes project [26] encourages cooperation with a virtual currency, yet they necessitate tamper-resistant hardware, which adds to the complexity of the deployment. These methodologies underline the demand for dynamic, lightweight trust systems that would be resilient to the resource limitations and diverse behaviours of MANETs.

3.2 Machine learning approaches

Various ML methods have been widely used to detect black and gray hole attacks in MANETs using behaviour pattern analysis. The training algorithms, such as SVM, RF, and k-nearest neighbours (k-NN), use properties of nodes like packet delivery fraction (PDF), routing overhead, and node characteristics to label the nodes as non-malicious or malicious. To illustrate, in the survey by Hassan et al. [19], ensemble classifiers have been shown to perform with great accuracy when tested with NS-2 simulation data to detect malicious nodes. More recently, deeper learning techniques such as networks have been used to effectively process data sequences, capture temporal correlations between the behaviour of nodes, and expose complex attacks. Federated learning (FL) is an advanced version of these techniques, which allows decentralized training of the model, keeping data privacy and enhancing the detection accuracy in the distributed MANET scenarios.

However, MANET constrains resources, making ML-based IDS less effective in MANET. Models used for fishing out attackers, like RF and SVM, do not have enough granularity to distinguish intentional packet dropping from adversaries versus unintentional due to resource limitations, thus they incur high false positive rates (FPR) [19]. The problem is further confounded and made worse by the unbalanced nature of the dataset, where the benign traffic overwhelms the findings of malicious activities, resulting in biases toward the majority class and undermining detection accuracy. Additionally, models such as Long Short-Term Memory(LSTM) are computationally expensive and require large amounts of training data, making them less suited for energy-constrained MANET nodes and real-time applications. Thus, scalable and adaptive ML models are essential to handle dynamic topologies and evolving security threats in MANETs.

3.3 Secure routing protocols

Secure routing schemes are proposed to embed the security mechanisms into the routing operations to defend against packet-dropping attacks. Security extensions of AODV [27, 28] used cryptographic authentication or trust-based path selection. A digital signature is embedded into AODV to authenticate route discovery by the source. Further, enhanced AODV to choose reliable paths according to the trust scores, assuming trusted certificate authorities (CAs), but it is not applicable in decentralized MANETs. It highlights the importance of incorporating security mechanisms into the routing protocols, as cited by Desai and Jhaveri [29], to ensure data confidentiality, integrity, and availability in MANET.

However, these methods face problems with non-centralized and resource-limited MANETs. Although cryptographic methods are promising, they are inefficient regarding low battery life and bandwidth, and cause network partitioning and low data throughput. Furthermore, trust-based protocols such as Trust-AODV and conditions need to have trusted CAs, which do not apply to completely decentralized environments. Also, these schemes have difficulty distinguishing packets lost by malicious attack and packet drops occurring naturally due to resource limitations, and thus, selective drops in gray hole attacks cannot be detected. Solutions to these challenges will require innovative approaches in network design, security, power management, and resource management that will increase the efficiency of such small-scale MANETs.

3.4 Hybrid and emerging approaches

Hybrid approaches for securing communication in infrastructure-less networks integrate trust evaluation, ML, and routing mechanisms. Work by Shafi et al. [30], a trust model that combines ML and trust-based methods, aims to mitigate black hole and Flooding attacks in MANETs, as reviewed by Hemalatha et al. [31], who concluded that the method relies on excessive parameters for route determination. However, its binary decision cannot distinctly discriminate between the malicious and dignified packet-dropping nodes. Another hybrid scheme [32] employs clustering and trust-based routing but still faces a high computational cost, which limits scalability. Clustering algorithms combined with trust-based routing introduce significant overhead due to maintaining cluster structures, evaluating trust metrics, and exchanging information between nodes.

Utilizing multi-objective particle swarm optimization (PSO) combined with adaptive acknowledgement and predictive trust evaluations offers a comprehensive solution for the security issues in MANETs. It makes theoretical research and practical countermeasures introduced against MANET security problems, such as black hole and gray hole attacks, feasible in real-world deployments [19]. Work by Kavitha et al. [32] implements Intruder Detection and Isolation based on PSO for feature optimization and Neural Networks for classification; in which trust feature computation is developed in the trust framework, which would help the misleading intruder nodes performing malicious acts to be identified effectively. Another work by Thanuja and Umamakeswari [33] suggested a mixed method utilizing PSO and trust-based routing to improve path selection and find the malicious nodes operating as black hole and grey hole attacks to make the MANET routing protocols more reliable. Nevertheless, these methods are subject to a resource-constrained MANET.

Although PSO and Neural Network-based methods are tailored for better computational complexity, they still put a lot of pressure on the nodes with the constraints on battery life and bandwidth, which may cause network split and decreased data throughput. Furthermore, these approaches face difficulty in identifying malicious packet drops and unintentional losses caused by resource limitations, leading to false positives, especially in recognizing the selective packet-dropping behaviours of gray hole attacks. The datasets are mostly imbalanced, so these imbalances lead to biased detection boundaries, causing IDS classifiers to fail to capture low-frequency attack behaviours, resulting in affecting their reliability in MANETs.

Recent studies in MANET security have focused highly on the importance of adaptive, lightweight algorithms that do not compromise routing protocols to enhance the security of network parameters like Throughput, PDR, and Latency. A survey by Hassan et al. [19] explains that many existing solutions lack the multi-class differentiation, like types of packet drops, including gray and black hole attacks vs drops due to system faults. The survey noted that systems operate independently of the routing protocols, resulting in the absence of real-time integration, which prevents systems from reacting immediately to routing changes. It pointed out binary classifiers, such as SVM and RF, for a lack of granularity, which often misclassify unintentional and intentional drops, classifying unintentional drops as attacks. The survey also explains that when ML detection operates independently, it cannot provide instant feedback to routing protocols. This type of independence introduces latency, but high complexity ML methods cannot be implemented in resource-less environments like MANETs.

These methodologies show that security solutions for MANET networks should be lightweight, multi-class detection. They should also integrate easily with routing protocols. The proposed framework uses the lightweight MLR for classifying the nodes into 5 categories: normal, black hole, gray hole, buffer overflow, and energy depletion, providing high accuracy in classification and low computational cost on ARM Cortex-M-based device platforms. Simulation parameters considered in this work are carefully constrained in terms of energy, memory, processing latency, and queue length so that the simulation emulates an ARM Cortex-M-based device platform.

3.5 Research gap

Existing solutions exhibit several limitations: 1) Most systems majorly focus only on malicious drops or trust management, but ignore drops due to system faults like energy depletion or buffer overflow. 2) Several binary classifiers used by several ML models are insufficient for classifying the reasons for packet drops. 3)Cryptographic protocols and neural networks are computationally expensive, making them unsuitable for resource-limited MANET networks. 4) Static values cannot adapt to changing network conditions. 5) ML detection runs separately from routing protocols, causing delays in reacting to malicious behaviour in the network. In this paper, MLR is extended with dynamic trust scores and secure adaptive routing to resolve these voids. The proposed solution achieves scalability, low overhead, and high detection accuracy for MANET security.

This section describes a methodology that combines trust with ML to detect and reduce packet drop behaviour in MANETs. Further, the proposed methodology addresses both malicious and non-malicious drops, ensuring secure routing even in dynamic, resource-constrained network conditions. It combines three main components: a five-class MLR classifier, a dynamic, reputation-based trust model, and the AODV routing protocol. The system produces accurate detection results, adapts to real-time, and is efficient.

5.1 System architecture

The framework has four layers that are linked to each other, as shown in Figure 1. Each layer addresses an essential part of reducing packet drops in MANETs. These layers collect data, find features, classify behaviours, calculate trust, and guide routing decisions.

Figure 1. Architecture trust integrated machine learning (ML) framework

5.1.1 Simulation and data capture layer

This layer leverages the NS-2 simulator to model MANET scenarios. It uses input from a controlled environment to generate realistic packet transmission logs under black hole and gray hole attacks, as well as resource-limited conditions. The simulated network includes 30 to 100 nodes in a 1000 m × 1000 m area, following the Random Waypoint mobility model; nodes travel at velocities between 0 and 20 m/s. This model represents node mobility patterns and generates frequent topology changes, forcing distributed routing and security to adapt. The reactive routing protocol over User Datagram Protocol (UDP) is used for Constant Bit Rate (CBR) traffic because of its reactivity and low overhead. Nodes between the source and destination overhear packets within their radio range and document them in trace files (.tr) for later analysis.

Table 1. Behavioural thresholds for node classification

Note: packet delivery ratio (PDRatio).

The documented trace file contains detailed packet-level details like timestamps, node, rem_energy, and also event types like sent, received, or dropped. Python scripts analyse these trace files to derive features of nodes like queue occupancy, energy occupancy, PDR, and classify them into normal, black hole, gray hole, buffer overflow, and energy depletion using heuristic thresholds, as shown in Table 1. Each simulation runs for 100 seconds to ensure simulations are run for 100 seconds, and outcomes are averaged over several runs to ensure there is enough data for robust analysis to ensure accountability of node mobility and traffic patterns.

5.1.2 Feature extraction and pre-processing layer

This layer reads raw simulation and converts it to derive a set of features. These features help in identifying whether packet dropping is malicious or non-malicious. These are ten specific features that can describe how nodes perform; they include packet drop rate (PDR), packet delivery ratio (PDRatio), packet forwarding rate, queue utilization, residual energy, energy per packet, traffic intensity, hop count, routing overhead, and packet arrival/departure rates. These attributes capture not only the performance features (PDR and delay) but also the resource limitations (queue utilization and residual energy), leading to better behavioural analysis. Normalisation of the features to z-score to maintain equilibrium amongst the numerical and fair contribution from each feature (e.g., PDR percentage vs. joules for energy).

$Z=\frac{x-\mu }{\sigma }$       (1)

In Eq. (1), $x$ is the value for a feature, $\mu $ is the mean, and $\sigma $ isthe standard deviation across all nodes of that feature. All thesefeatures are standardized by the normalization standard scale. (zero-mean, unit variance), which guarantees MLR Classification stability. Simulation statistic thresholds are used for behaviour classification, which distinguishes between normal and malicious behaviour.

5.1.3 Classification and trust layer

Each node $i$ in the network is assigned with reputation score by the model, i.e., reputation $score{{R}_{i}}\left( t \right)\in \text{ }\!\!~\!\!\text{ }\left[ 0,1 \right]$. This score indicates the node’s reliability (less chance of failure) based on observed behaviour. Trust values are dynamically updated based on node behaviour and network dynamics. Two different trust score updating mechanisms are incorporated: one for active nodes and another for inactive nodes in the network. These two distinct approaches ensure reliable nodes get a higher trust value, balancing encouragement while mitigating inactivity or unreliability.

For active nodes, the dynamic trust model computes reputation scores using reinforcement based on their packet forwarding performance, which is computed using Eq. (2).

${{R}_{i}}\left( t+1 \right)={{R}_{i}}\left( t \right)+\alpha \left( {{S}_{i}}\left( t \right)-{{R}_{i}}\left( t \right) \right)$         (2)

In Eq. (2), ${{R}_{i}}\left( t \right)$ is current reputation score and ${{S}_{i}}\left( t \right)\in \left[ 0,1 \right]$ is the behaviour score derived from the MLR classifier’s output, reflecting metrics like PDR and queue utilization, and α$\in \left[ 0,1 \right]$ is a learning rate (set to 0.1 in simulations). If a node successfully forwards packets $\left( {{S}_{i}}\left( t \right)>{{R}_{i}}\left( t \right) \right)$, its trust score increases, incentivizing cooperation.

For inactive nodes, trust exponentially decays to avoid old reputation from affecting routing. Inactive nodes that are not actively forwarding packets require a mechanism to prevent stale trust scores, as prolonged inactivity indicates either constrained resources or potential malicious intent. For inactive nodes, the trust score is updated by Eq. (3).

$R_i(t+1)=R_i(t) e^{-\lambda \Delta t}$        (3)

In Eq. (3), where, $\lambda >0$ controls the decay rate (set to 0.05 in simulations), and $t$ measures elapsed time since the last activity. It is designed to reduce the trust score of nodes that are not forwarding packets (inactive nodes), capturing a potential reduction in reliability. Eqs. (2) and (3) combining work to update trust dynamically, rewarding active forwarding and decaying inactive nodes to match the rapidly shifting structure of MANETs.

Nodes are categorized based on trust thresholds: malicious $({{R}_{i}}\left( t \right)<0.3),$ uncertain $(0.3\le {{R}_{i}}\left( t \right)<0.5)$, or benign $\left( {{R}_{i}}\left( t \right)\ge 0.5 \right).$ Such a trust mechanism, which changes over time and is tolerant to the ever-changing network topology as well as the nodes' behaviors of MANET. These empirically set thresholds balance sensitivity to misbehaviour against tolerance of transient resource shortfalls (the threshold values are chosen to minimize false positives).

5.1.4 Trust-aware routing engine

The trust scores are combined into the AODV routing protocol to compute secure and trustworthy routing. The cost of a path is minimized on the routing measure.

$Cost\left( P \right)=\underset{i\in P}{\mathop \sum }\,\left( 1-{{R}_{i}}\left( t \right) \right)$          (4)

In Eq. (4), subject to ${{R}_{i}}\left( t \right)\ge 0.5$, ensures only reputed nodes participate in routing, where nodes with a trust level lower than the threshold are not eligible to participate in forwarding data packets. It distinguishes between malicious or non-malicious packet drop nodes to improve the network reliability and packet delivery.

5.2 Design assumptions

The proposed work makes the following assumptions, which allow for practical deployment in MANETs:

1. Dynamicity of the Environment: MANETs are characterized by a high rate of topology changes because nodes are allowed to move in and out of shared range, which requires an adaptive security regime.
2. Variability in the Behaviour: Every node can misbehave, e.g., black hole, gray hole, or drop packets unintentionally caused by being out of energy and full buffer, at any time, so the detection should be reliable alternatively.
3. Local Resource Monitoring: Each node maintains a local status of energy (in joules) and buffer usage. This results in low overhead feature extraction with no central control.
4. Implementation of IDS: The scenario placing the IDS node is implemented, which retrieves traffic distribution faithfully and according to IP-based protocols.
5. Sustainable Attacker: Attackers act sustainably during training, but the system must cope with dynamism at run-time, accounting for natural variability.

These assumptions also satisfy the nature of many MANETs, which are decentralized and lack energy resources; feasibility can be proved in different cases.

5.3 Design considerations

To handle these challenges of MANET, the framework has the following focus:

1. Efficient Computation: Algorithms leverage linear-time feature extraction and constant-time trust updates designed with low-power processors such as ARM Cortex-M in mind. Classification and trust calculations require less than 10 ms per node, making resource usage minimal.
2. Liveness: Trust scores and node classifications are updated continuously, enabling rapid routing decisions. This is very important for dynamic topologies in which node behaviour and network status change rapidly.
3. Flexibility: Exponential trust decay (Eq. (3)) adapts to new behaviour of nodes and does not base routing on stale trust evaluations, which would influence the routing decision.
4. Scalable: The modularity of the design means that it can go from 30 to over a hundred nodes, and this could be extended to hundreds or thousands of nodes for more challenging MANETs, as in IoT or tactical scenarios.

These reasons make the framework feasible in the resource-constrained and dynamic MANETs while maintaining high performance.

5.4 Key goals

The proposed work aims to achieve the following key objectives:

1. Behaviour Characterization: Identify malicious and unintentional behaviours accurately. This will avoid false positives while sustaining network reachability.
2. Dynamic Trust Assessment: Compute and dynamically update trust values for each node by considering current performance and historical trust values.
3. Secure Route Selection: Use trust scores to direct AODV so that paths must be selected via high-trust intermediary nodes.

These objectives address significant deficiencies in existing MANET security techniques that must be applied to transmit mission-critical information while at the same time achieving good performance.

5.5 Improvements over existing techniques

The framework provides significant advantages compared with existing approaches.

1. Multi-class Classification: Unlike standard AODV, resource-aware routing (RAR), and binary classification (malicious versus normal), this scheme makes use of MLR for live-class classification. It can detect more packet-dropping behaviours and minimize false positives by identifying unintentional loss from malicious behaviour.
2. Real-Time Trust: Real-time updating of trust scores differs from those derived by static models like CONFIDANT and CORE, allowing for more responsive trust assessments.
3. Closest Routing Integration: Unlike other stand-alone ML-based detection systems, in this architecture, classification is merged with AODV routing. This makes trust scores instantly enforceable with such approaches on the route selection, unlike secure key agreement (SKA)protocols that are overhead-heavy.
4. Low-cost Complexity: The lightweight nature of the system contrasts with heavy-duty cryptographic protocols and could be applied on IoT-grade devices.

These enhancements lead to better resilience and efficiency, and can easily be used for variable MANETs.

5.6 Dataset creation

The dataset was generated by NS-2 simulation in 1000 m x 1000 m networks containing from 30 to 100 nodes. It uses the random waypoint mobility model to simulate real node movement. Routing is managed according to the AODV protocol, and CBR traffic is transmitted over UDP so that it imitates active MANET communication behaviour. The scenarios consist of both misbehaviours, such as black hole and gray hole, and failure reasons like buffer overflow and energy depletion, to consider different causes of packet loss. Every case is simulated for100 seconds to provide sufficient data for evaluation. Intermediate nodes running in promiscuous mode receive all the traffic in their radio range. This produces trace files (.tr) that log packet-level details. These files, however, are processed by custom Python scripts to obtain node-dependent metrics such as PDRatio, queue usage, and energy. They also attach behavioural labels using heuristic thresholds (Table 1). Such an approach generates a stable, annotated data set to train and test the MLR classifier in dynamic environments reflecting malicious as well as non-malicious activities.

5.7 Feature engineering and preprocessing

Feature engineering is important to identify the behaviour pattern that separates different causes for dropping packets. The features available in the system are at most 10 node-specific attributes:

5.7.1 Packet drop rate

In Eq. (5), packet loss ratio is computed to detect black hole (nearly all lost, PDR > 90%) and gray hole (selective drop, PDR 30 to 60%).

$PDR=\frac{Packet~Dropped}{Packet~Received}$        (5)

5.7.2 Packet delivery ratio

In Eq. (6), Packet Delivery is measured, showing that packets are successfully delivered with the comparison of cooperative (high PDRatio) and non-cooperative nodes (low PDRatio).

$PDRatio=\frac{Packet~Delivered}{Packet~Sent}$          (6)

5.7.3 Residual energy level

Eq. (7) detects inadvertent drops caused by energy depletion (REL< 25%) by normalizing current energy against initial capacity.

$REL=\frac{Current~Energy}{Initial~Energy}$       (7)

5.7.4 Other features

Additional context for behaviour analysis is provided by packet forwarding rate, queue utilization (which identifies buffer overflow at >85%), energy per packet, traffic intensity, hop count, routing overhead, and packet arrival/departure rates. Z-score standardization (Eq. (1)) is used to normalize features to guarantee uniform scaling and avoid biases in MLR classification caused by different units (e.g., percentages vs. joules). To reduce misclassification and guarantee strong behaviour differentiation, behavioural labels are assigned using empirical thresholds (Table 1) that are obtained from simulation analysis.

5.8 Classification via multinomial logistic regression

The MLR model uses the softmax function to classify nodes into five classes (normal, black hole, gray hole, buffer overflow, energy depletion).

$P\left( y=k|X \right)=\frac{exp\left( w_{K}^{T}X \right)}{\mathop{\sum }_{j=1}^{K}exp\left( w_{j}^{T}X \right)}$        (8)

In Eq. (8), ${{W}_{k}}$ represents weight vector for class k, $x$ represent feature vector, and $K~=~5$. This equation produces class-wise probabilities and sums them to 1, ensuring multi-class classification. The model minimizes regular cross-entropy loss.

$L=-\sum_{i=1}^N \sum_{k=1}^K y_{i k} \log \left(P\left(y=k \mid X_i\right)\right)+\lambda \sum_{k=1}^K\left\|W_k\right\|_2^2$      (9)

In Eq. (9), ${{y}_{ik}}=1,$ if node $i$ belongs to class $k$, else 0, and $\lambda =0.01$ controls $L2$ regularization to prevent overfitting. The first term addresses the errors in classification, while the second enhances generalization of the model by constraining weight magnitudes.

Stochastic gradient descent (SGD) is used for performing optimization as seen in Eq. (10).

${{W}_{k}}\leftarrow {{W}_{k}}\leftarrow \eta \nabla L$        (10)

With a decaying learning rate η = 0.01. This iterative update converges with optimal weights, which enable efficient and accurate classification in resource-constrained environments.

MLR has been selected because it aligns with the technical and practical requirements of MANET. In contrast to binary classifiers (SVM, RF…) that cannot calculate the non-hypothesis probability of a label directly, MLRs can be used as a multi-class classifier (5 different behaviours are separated: normal, black hole, gray hole, buffer overflow, and energy depletion). This also gives us precisely the granularity we needed; it can reduce the number of false positives by accurately detecting unintentional dropouts and thus prevents isolating (good) nodes. And keep connected to the network. MLR has a linear computational complexity in the feature dimension that makes it suitable for real-time operation on resource-constrained devices, such as ARM Cortex-M processors, unlike neural networks that require big computational resources. Class-specific weight vectors of the models will easily integrate with trust-based routing since classification probabilities directly inform behaviour scores ${{S}_{i}}\left( t \right)$ in Eq. (2). MLR's transparency via interpretable weights and probabilities also allows for easier debugging and decision-making in dynamic environments. In this paper, MLR balances accuracy, efficiency, and adaptability to assure robust performance under MANET conditions, enabling applications in tactical, vehicular, and IoT networks.

5.9 Algorithmic framework

Implementation is carried out through four algorithms, each addressing a specific function. Each algorithm is shown below as pseudocode along with its purpose, impact, and relationship to equations.

Algorithm 1 processes raw trace files to extract 10 features to capture comprehensive network and resource dynamics in MANETs. Only PDR, PDRatio, queue utilization, and REL are used for heuristic labelling based on thresholds (Table 1). All features are normalized and included in the feature vectors for the MLR classifier.

Algorithm 2 computes dynamic trust scores, reflecting node reliability in real-time. Eq. (2) balances historical and current behavior, ensuring stability and responsiveness, while Eq. (3) decays trust for inactive nodes, preventing outdated reputations from affecting routing. This algorithm mitigates risks from malicious or unreliable nodes, supporting secure routing decisions.

Algorithm 3 enhances AODV by integrating trust scores into route discovery and selection. It filters out low-trust nodes (${{R}_{i}}\left( t \right)$ < 0.5) and selects paths minimizing Eq. (4), ensuring secure and reliable routing. This tight integration improves responsiveness compared to stand-alone detection systems.

Algorithm 4 classifies node behavior in real-time using MLR, leveraging Eq. (10) for probabilistic multi-class prediction. It informs trust score updates (Algorithm 2) and routing decisions (Algorithm 3), ensuring context-aware security.

5.10 Routing integration

The MANET is mathematically represented as Graph G = (V, E), where V represents nodes and E represents communication links, shown in Figure 2. The routing objective minimizes the path cost, $Cost\left( P \right)=\underset{i=P}{\mathop \sum }\,\left( 1-{{R}_{i}}\left( t \right) \right)$ subject to ${{R}_{i}}\left( t \right)$ < 0.5. The cost function favours the nodes with high trust for routing, making sure forwarding is trustworthy. $Cost\left( P \right)$ maintains network performance in dynamic topologies by balancing path efficiency and trustworthiness by aggregating trust deficits.

Figure 2. Mobile Ad Hoc Network (MANET) scenario with nodes and communication (depiction of simulation)

5.10.1 Integration with Ad hoc On-Demand Distance Vector routing protocol

The AODV protocol is extended to make it trust-aware, guaranteeing secure routing.

1. Route Request (RREQ): The source node broadcasts an RREQ packet to which every intermediate node appends its trust score ${{R}_{i}}\left( t \right)$. Every node with ${{R}_{i}}\left( t \right)$ < 0.5 discards the RREQ packet so that untrusted nodes cannot participate in route discovery.
2. Route Reply (RREP): The destination node sends back the RREP if and only if all nodes in the proposed path satisfy ${{R}_{i}}\left( t \right)$ ≥ 0.5. This condition guarantees path reliability.
3. Routing Decision: Among the multiple RREPs, the source node chooses the path that gives the minimum value to Eq. (4). This is the path that provides a good balance between trust and efficiency.
4. Dynamic Trust-Based Routing: When the trust of a node goes below 0.5, the routes are invalidated, and rediscovery takes place in order to exclude unreliable nodes.
5. Route Maintenance: After route failures due to mobility or changes in trust, new route discovery is conducted by excluding low-trust nodes to maintain network security. The integration here ensures routing decisions based on current trust assessment values for more security and reliability in dynamic MANETs.

5.10.2 Routing process

The trust-based routing algorithm enhances the performance of AODV by incorporating trust scores and classification of MLR in every phase of route discovery, selection, and maintenance. It ensures that only the trustworthy nodes involved in routing effectively reduce the influence of malicious (black hole, gray hole), and the undesired (buffer overflow, energy starvation) packet drops. The approach is proactive, and it provides a lightweight (by leveraging Algorithms 2-4) and dynamic (i.e., adaptive and reactive to the dynamic MANET topology) solution against power attacks. The next part will detail the routing process, with an emphasis on technical details, logic, and real-world implications.

5.10.3 Route discovery (Route Request)

1. Route Discovery: When a source node $'s'$ wants to communicate with a destination node $'d'$, it initiates route discovery by flooding the network with an RREQ packet. In conventional AODV, the RREQ packet includes a hop count and sequence number to differentiate between new routes. Proposed work includes trust scores ${{R}_{i}}\left( t \right)$ from Algorithm 2 into the RREQ packet header. Each intermediate node $i$ which receives the RREQ, performs the following activities:
2. The trust value (${{R}_{i}}$) on a node, either active or inactive, is verified by using Eq. (2) and Eq. (3), respectively. If ${{R}_{i}}\left( t \right)<\tau =0.5$, this is an untrustworthy (malicious or uncertain node) and it discards the RREQ, preventing itself from participating in that route. It makes explicit use of Algorithm 3 to ensure that unreliable nodes are filtered out as soon as possible in the discovery process.
3. Trust Score Propagation: If ${{R}_{i}}\left( t \right)$ ≥ 0.5, the node inserts its reputation value in the RREQ packet and broadcasts it to neighbour nodes (from Algorithm 3). By performing this, it ensures the destination will receive a list of trust scores for all nodes over each path that is possible.
4. Dynamic Update: Trust scores are real-time updated via Algorithm 2, which is based on MLR classification of the sensor nodes by Algorithm 4. The MLR model is by using Eq. (10), which classify the behaviour of nodes according to, say, PDR to give trust scores that reflect up-to-date behavioural states; hence, a node turning into a node of gray hole attack commands reduced having ${{R}_{i}}\left( t \right)$ and therefore low ${{S}_{i}}\left( t \right)$ protocol (IP protocol traffic). This ensures that only nodes classified as benign-that is, ${{R}_{i}}\left( t \right)$ ≥ 0.5-participate in route discovery and minimize the chances of malicious nodes advertising false routes, such as black hole nodes advertising optimal paths. Inclusion of trust scores at RREQ packets creates hardly any extra overhead because each of them is a single floating-point value, thereby making this approach suitable for resource-constrained MANETs.

5.10.4 Route Reply

The destination node $'d'$, on receiving an RREQ, checks the trust value of the proposed path.

1. Path Trust Validation: The destination extracts the trust scores of all nodes in the path from the RREQ packet. It checks that all nodes satisfy ${{R}_{i}}\left( t \right)\text{ }\!\!~\!\!\text{ }$≥ 0.5. If any node has ${{R}_{i}}\left( t \right)$ < 0.5, the RREQ is discarded, ensuring that the path excludes malicious or uncertain nodes.
2. RREP Generation: If the path is a valid one, it generates the RREP packet at the destination node containing a list of node IDs along with their trust value. The reverse path RREP is returned back towards the source node $'s'$. Intermediate nodes transmitting the RREP will have to recheck their trust score so that it is above the threshold in their specificcase (taking into consideration potential changes in its behaviour from the moment of sending RREQ until forwarding a received RREP).
3. Handling Multiple Paths: In a dynamic MANET network, the destination often receives several RREQ packets from various paths. It creates an RREP for all valid paths (with ${{R}_{i}}\left( t \right)$ ≥ 0.5 on every node) such that the source can select the preferred path.

This step guarantees that only reliable paths are taken into account, taking advantage of the MLR classifier to classify abnormal behaviors (black hole and gray hole) from unintended drop actions while avoiding false positive decisions that might discard legitimate nodes.

5.10.5 Routing decision

Multiple RREPs describing a valid path to the destination are sent to the source node $'s'$. The process of selecting it can rely on other requirements like efficiency and trust.

1. Calculating Path Cost: Eq. (4) is used by the source to calculate the cost for each path $P,$ i.e., $Cost\left( P \right)=\underset{i=P}{\mathop \sum }\,\left( 1-{{R}_{i}}\left( t \right) \right)$. This cost isa sum of trust deficit affecting the nodes in the path, lower value is better (Trustworthy path, i.e., having higher ${{R}_{i}}\left( t \right)$). For example, a path with nodes having trust scores $\left[ 0.9,\text{ }\!\!~\!\!\text{ }0.8,\text{ }\!\!~\!\!\text{ }0.95 \right]$ has a cost of $\left( 1-0.9 \right)+\left( 1-0.8 \right)+\left( 1-0.95 \right)=0.35$, while a path with scores $\left[ 0.6,\text{ }\!\!~\!\!\text{ }0.5,\text{ }\!\!~\!\!\text{ }0.7 \right]$ has a cost of $1.2$, favouring the former, shown in Figure 3.

Figure 3. Mobile Ad Hoc Network (MANET) scenario path with nodes having trust scores

2. Best Path Selection: Source selects the path $P$ with minimum cost. Hop count (calculated from RREP) metrics are used to differentiate costs andminimize latency in the case of equal cost alternatives.
3. Adaptive Decision Making: The classification with MLR through Algorithm 4 steers the continuous adaptive trust scores using Algorithm 2. A route is discarded, and the source is forced to consider other alternatives if any node has a trust score lower than 0.5 through its path selection (due to new gray hole behavior as identified by Eq. (10)).
4. This decision-making process has been designed to provide the optimum compromise between trustworthiness and efficiency, guaranteeing reliable packet transmission in the face of malicious or resource-limited nodes.

5.10.6 Dynamic trust-based routing

Routing flexibility is ensured through ongoing trust monitoring in the framework:

1. Trust Score Monitoring: After selecting a path, trust scores are updated periodically using Eq. (2) for active nodes and Eq. (3) for inactive nodes. The MLR classifier runs in real-time, analyzing features like PDR and REL to update behavior scores ${{S}_{i}}\left( t \right).\text{ }\!\!~\!\!\text{ }$For example, a node initially classified as normal may be reclassified as energy-depleted if its REL drops below 25%, reducing its trust score.
2. Invalid Route: If the value of ${{R}_{i}}\left( t \right)$ gets below 50% at a node on the active path, the route is invalidated. This rapidly removes malicious or unreliable nodes by re-executing route discovery.
3. Low Overhead: Real-time adaptation is possible in resource-constrained MANETs because trust updates and MLR classifications are lightweight, finishing in less than 10 ms/node on ARM Cortex-M devices.
4. In MANETs, where topology and node reliability change quickly, this dynamic approach guarantees that routing decisions take into account the most recent node behaviors.

5.10.7 Route maintenance

Failures brought on by mobility, shifts in trust, or interruptions in the link are addressed by route maintenance:

1. Failure Detection: A node becomes malicious and sends a Route Error (RERR) packet to the source node if it detects a link failure because of mobility or a trust score drop below 0.5.
2. New Route Discovery: Using Algorithm 3, the source starts a new RREQ in accordance with the trust-aware procedure. The new path is reliable because nodes with ${{R}_{i}}\left( t \right)$< 0.5 are eliminated.
3. Proactive Monitoring: To identify behavioral shifts, IDS nodes feed data to the MLR classifier while continuously monitoring traffic in promiscuous mode. A gray hole node that selectively drops packets, which lowers its trust score and starts a route discovery.

By adjusting to behavioral (trust) and physical (mobility) changes with minimal overhead, this maintenance procedure guarantees network resilience.