Evaluation of Attack and Recovery in USFC: A Dependability View

Abstract

The integration of service function chains (SFCs) and unmanned aerial vehicles (UAVs) lays a crucial technological foundation for achieving efficient, reliable, and adaptive future airborne service networks. Service functions (SFs) in the SFC will be deployed on UAVs; this type of SFC is called unmanned aerial vehicle-based service function chains (USFCs). However, due to the combined effects of open hardware and software architectures, exposed communication links, and complex mission environments, UAVs have become ideal targets for attackers. Once a vulnerability is successfully injected into a UAV, data from the SFs running on it will be stolen, seriously threatening the dependability of the USFC. Therefore, it is necessary to conduct a quantitative evaluation of the USFC dependability to provide insights for further improving its dependability. This paper develops a USFC dependability evaluation model based on a semi-Markov process (SMP) to capture the dynamic interaction between attacker behavior and USFC system recovery behavior. The dependability of the USFC is comprehensively evaluated from two perspectives: availability and security. Extensive numerical analysis experiments are conducted, and the results not only demonstrate the changing trends of various dependability metrics under different parameters but also show parameter combinations for synergistic optimization among metrics.

1. Introduction

The integration of service function chains (SFCs) and unmanned aerial vehicles (UAVs) provides flexible service deployment and management capabilities for dynamic, resource-constrained aerial network environments [1,2,3]. By virtualizing network functions and orchestrating them into dynamically deployable SFCs, UAVs can serve as mobile edge computing (MEC) nodes, enabling on-demand allocation and intelligent scheduling of network service in space–air–ground-integrated networks [4,5,6]. This convergence not only supports low-latency and high-dependability service recovery and migration mechanisms, but also significantly enhances task completion rates, energy efficiency, and Quality of Experience (QoE) through trajectory optimization, resource collaboration, and intelligent decision-making [7,8,9,10]. It is particularly applicable to scenarios with stringent real-time and dependability requirements, such as emergency communications, disaster response, and smart cities. Therefore, the synergy between SFCs and UAVs lays a crucial technological foundation for realizing efficient, reliable, and self-adaptive future aerial service networks.

When receiving a USFC request, the service functions in the SFC will be deployed to UAV under the condition that constraints are satisfied. In this paper, we refer to this type of SFC as an unmanned aerial vehicle-based service function chain (USFC). Different deployment strategies may deploy different SFs from the same USFC to different UAVs. However, due to the combined effects of open hardware and software architecture, exposed communication links, and complex mission environments, UAVs have become ideal targets for attackers. Once a vulnerability is successfully injected into UAV, the data of the SFs running on it will be stolen, severely threatening the dependability of the USFC. Therefore, it is necessary to conduct a quantitative evaluation of USFC to provide a theoretical basis for further improving USFC dependability. Existing studies mainly focus on SFC deployment strategies in UAV and the dependability of UAV networks, but the following questions remain in evaluating USFC dependability:

• How can the dynamic interaction between attack and recovery behaviors be characterized to improve the accuracy of USFC dependability assessment?
• How can the trigger time of recovery behaviors corresponding to different attack phases be determined to further improve USFC dependability?
• How can the correlation between system parameters and USFC dependability assessment metrics be established to identify key factors affecting USFC dependability improvement?

To address the aforementioned questions, this paper develops a semi-Markov process (SMP)-based USFC dependability assessment model to capture attacker behaviors and USFC system recovery behaviors, thereby analyzing USFC dependability from the perspectives of availability and security. The specific contributions of this paper are as follows:

• This paper constructs a dependability analysis model for USFC, which captures the system behavior from the perspectives of attacker attacks and system defenses. Specifically, it finely characterizes different stages of an attack and the recovery behaviors triggered at each stage. This model can analyze the dependability of USFC composed of any number of SFs, effectively overcoming the problem of model insolvability caused by increasing system size.
• This paper derives calculation formulas for availability and security metrics, which can characterize the complex relationships between the trigger times of different recovery behaviors and various metrics. These formulas help to comprehensively analyze the dependability of USFC, providing a theoretical basis for subsequently identifying the parameter settings corresponding to optimal dependability.
• This paper performs extensive numerical analysis experiments to verify the effectiveness of the proposed model and formulas. The experimental results not only demonstrate the changing trends of various dependability metrics under different parameters but also show the parameter combinations corresponding to the synergistic optimization among metrics.

The remainder of this paper is organized as follows: Section 2 analyzes the existing related work. Section 3 describes the model constructed in this paper and the derived formulas. Section 4 introduces the experimental results. Section 5 summarizes the entire paper and discusses future work.

2. Related Work

This section analyzes the existing studies focused on SFC deployment strategies in UAV and the dependability of UAV networks. He et al. [11] utilized an improved online deep reinforcement learning (DRL) technique to investigate the online joint optimization of SF deployment and trajectory planning in multi-UAV-enabled MEC. The algorithm supports both single-agent and multi-agent scenarios, effectively maximizing the number of accepted requests while minimizing costs. Wu et al. [12] studied the adaptive QoE-aware SFC orchestration problem in UAV networks by leveraging DRL and the fuzzy analytic hierarchy process. The research incorporated the Markov decision process to capture dynamic network state transitions, and the proposed algorithm optimized user QoE, energy consumption, and task completion rate while enhancing training stability. Wang et al. [13] utilized particle swarm optimization technology to investigate the embedding and migration problems of SFCs in UAV networks, and constructed a revenue model integrating service quality, resource utilization, and migration cost. Simulations showed that the algorithm outperforms baseline strategies in terms of resource efficiency and long-term revenue, providing a new method for flexible network management of UAV networks. Liang et al. [14] utilized hierarchical hybrid DRL technology to jointly optimize SF deployment and UAV trajectory planning in multi-UAV-enabled MEC. Simulations verified the effectiveness of the algorithm in reducing energy consumption and requesting acceptance costs, providing a solution for efficient service provision in multi-UAV-enabled MEC. Yang et al. [15] proposed an efficient and low-delay SFC recovery method for the space–air–ground-integrated aviation information network by leveraging SF migration and virtual link redirection technologies. Experiments verified that it performs excellently under different resource redundancy levels and attack types and has more advantages in SFC recovery rate and delay compared with existing methods. Note that our work can analyze the USFC availability and security, which complements these studies to help service providers deliver better USFCs.

Kharchenko et al. [16] utilized the queuing theory and Markov chain techniques to model and evaluate the dependable service of UAV fleets in smart cities. The study formulated modeling principles and developed assessment models, which were verified through delivery cases to achieve a high probability of successful service delivery, providing theoretical support and practical guidance for the reliable deployment and parameter optimization of UAV fleets in smart cities. Kliushnikov et al. [17] utilized the multi-state system theory and probability analysis methods to establish reliability models for multi-state UAV-based monitoring systems considering mission efficiency degradation. The model expands the range of effective operating states and takes mission success probability (SPF) and efficiency as core indicators, providing an evaluation basis for critical infrastructure monitoring. Silva et al. [18] utilized continuous-time Markov chain techniques to quantify the dependability of enhancing mobile cloud computing with unmanned aerial vehicles (UAVs) as data bridges. The proposed base model and extended models identified key factors through sensitivity analysis, significantly reducing downtime and improving availability, thus providing an effective quantification method for enhancing the availability and reliability of aerial computing systems. Wang et al. [19] utilized constraint-based model repair technology and the Markov decision process to address the assurance of multiple mission objectives in UMEC systems. This method encodes mission objectives as constraints and generates compliant strategies, providing reliability guarantees for high-risk scenarios such as disaster response. Xu et al. [20] utilized multi-state Markov processes, matrix analysis, and Monte Carlo methods to propose a reliability model for master–supporter UAV networks considering failure dependencies and designed an adaptive redundancy allocation scheme. Experiments verified that the master–supporter architecture is superior in most scenarios, providing a reliability-guaranteed solution for UAV swarm applications. Note that our study can evaluate the USFC dependability, which complements these studies to provide a more comprehensive dependability analysis for UAV networks.

Analytical models have been used to evaluate system dependability. Mauro et al. [21] conducted an availability model for SFC. Zhao et al. [22] analyzed the impact of software aging on SFC dependability. Kharchenko et al. [23] evaluated the availability and cybersecurity of systems by combining Markov models and semi-Markov models. Li et al. [24] focused on assessing the effectiveness of software rejuvenation techniques from availability and reliability perspectives. Parmender et al. [25] focused on the repairable system with a cold standby unit and proposed an SMP-based reliability evaluation model. The authors in [26] assessed the reliability of systems with performance sharing mechanisms under the condition that the time interval between events follow a non-exponential distribution. These studies ignored the resource consumption, failure, and recovery behaviors of the system and did not conduct a comprehensive dependability analysis in terms of availability and security. These studies require further improvement in system behavior capture and indicator design. Specifically, they neglected the dynamic interaction between attack and defense behaviors and offered a relatively singular perspective on dependability analysis. Our work effectively addresses these shortcomings, evaluating USFC dependability from multiple dimensions including security and availability.

Table 1. Comparison of the existing works discussed in Section 2.

Ref.	System Characteristic		Attacker Behavior	Defense Behavior	Solution Technique		Metric
	Component Heterogeneity	Recovery Trigger Interval			Analytical Model	Simulation	Availability	Security Risk	Mean time to Compromise
[11,12,13,14]	√	×	×	×	×	×	×	×	×
[15]	√	×	√	√	×	×	√	×	×
[16]	×	×	√	√	√	×	√	×	×
[17,19]	×	×	×	×	√	×	×	×	×
[18,25]	×	×	×	×	√	×	√	×	×
[20]	×	×	×	×	√	√	√	×	×
[21]	√	×	×	×	√	×	√	×	×
[22,24]	√	√	×	×	√	√	√	×	×
[23]	×	×	√	√	√	√	√	×	×
[26]	×	×	×	×	√	√	×	×	×
Ours	√	√	√	√	√	√	√	√	√

summarizes the comparison of the existing works.

3. System Description and Modeling

This section first describes the process of a USFC system being attacked and the corresponding recovery behavior, then constructs the dependability assessment model based on system behavior and finally performs the dependability analysis.

3.1. System Description

In the USFC system considered in this paper, SFs from USFCs are deployed on UAVs in the MEC. During the operation of USFC, whether the UAV or the SF is attacked, the dependability of the USFC will be affected. This paper simplifies the multi-stage attack (cyber kill chain) [27] into the following three stages:

(1)

The attacker uses the vulnerability of the target node to gain access to the node.

(2)

The attacker successfully implants malware into the target node.

(3)

The attacker steals data through the malware on the target node.

The cyber kill chain has seven stages (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives), but we abstract it into three stages to amplify the interaction details between the attacker’s attack behavior and the system’s defense behavior. However, this does not mean that other stages are ignored. Rather, we incorporate other stages into these three stages. Specifically, stage 1 includes reconnaissance, weaponization, and delivery. Stage 2 includes exploitation, installation, and command and control. Stage 3 represents actions on objectives. Next, this paper describes the impact of multi-stage attacks on USFC dependability by depicting the SF behavior shown in Figure 1. Initially, after the USFC request arrives, all SFs are deployed to the UAVs in the USFC system. During SF operation, the following situations may occur:

(1)

If one SF in the USFC is exploited, the recovery operation will be triggered after a period of time.

(i)

During the recovery from the exploited state, this SF may be infected. If this SF is detected to be infected, the recovery operation will be triggered after a period of time.

(a)

During the recovery from the infected state, the data in this SF may be exfiltrated. If the data is exfiltrated, the repairing and restarting operation will be triggered immediately.

(b)

During the recovery from the infected state, if other SFs are exploited by the attacker, all SFs will be restarted immediately.

(ii)

During the recovery from the exploited state, if other SFs are also exploited by the attacker, all SFs will be restarted immediately.

(2)

If the SFs in the USFC are not exploited by the attacker, the USFC execution is complete.

3.2. Dependability Assessment Model

Based on the analysis of SF behavior, we use an n-tuple index $(q_1,q_2,q_3,\dots ,q_n)$ to represent the state of the USFC system composed of n SFs. Here, $q_n$ denotes the state of the ith SF. The behavior of each SF is abstracted into the following seven states:

• Perfect (State P): In this state, SF can run normally and efficiently.
• Exploitation (State E): In this state, attackers can exploit the vulnerability to gain access to the target node, facilitating subsequent attacks. The SF running on this node is exposed to the risk of being attacked.
• Infection (State I): In this state, attackers implant malware into the target node. Data on the SF running on this node is at risk of being stolen at any time.
• Exfiltration (State F): In this state, attackers use implanted malware to steal SF data; that is, SF data is compromised.
• Recovery (State R): In this state, SF is restarted.
• Recovery from the exploitation state (State RE): In this state, operations to recover from the exploitation state are ready to be triggered.
• Recovery from the Infection state (State RI): In this state, operations to recover from the infection state are ready to be triggered.

Therefore, there are a total of $7^n$ system states, of which (4n + 3) are meaningful. The system state space is $S=\{S_0,S_1,S_2,S_3,\dots ,S_{4n+2}\}$.

Table 2. Meaningful system states and their corresponding security risk and availability.

No.	System State	Description	Security Risk	Availability
$S_0$	$({\mathrm{P}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{P}}_n)$	All SFs can run normally.	Safe	Available
$S_{4n+1}$	$({\mathrm{R}}_1,{\mathrm{R}}_2,{\mathrm{R}}_3,\dots ,{\mathrm{R}}_n)$	All SFs are restarted.	Unsafe	Unavailable
$S_{4n+2}$	$({\mathrm{F}}_1,{\mathrm{F}}_2,{\mathrm{F}}_3,\dots ,{\mathrm{F}}_n)$	USFC data is compromised.	Unsafe	Unavailable
$S_{n+i}$	$({\mathrm{E}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{P}}_n)$…$({\mathrm{P}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{E}}_n)$	One of the SFs in the USFC is in an exploitation state.	Loss security risk	Available
$S_i$	$\left({\mathrm{RE}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{P}}_n\right)\dots ({\mathrm{P}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{RE}}_n)$	One of the SFs in the USFC is preparing to perform recovery from the exploitation state.	Loss security risk	Available
$S_{3n+i}$	$\left({\mathrm{I}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{P}}_n\right)\dots ({\mathrm{P}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{I}}_n)$	One of the SFs in the USFC is in an infection state.	High security risk	Available
$S_{2n+i}$	$\left({\mathrm{RI}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{P}}_n\right)\dots \left({\mathrm{P}}_1,{\mathrm{P}}_2,{\mathrm{P}}_3,\dots ,{\mathrm{RI}}_n\right)$	One of the SFs in the USFC is preparing to perform recovery from the infection state.	High security risk	Available

lists the meaningful system states and their corresponding security risk and availability. The cumulative distribution functions (CDFs) of the transition times between system states are listed in

Table 3. CDFs of transition times between system states.

Variable	Definition	Distribution
$F_{\mathrm{r}\mathrm{h}}\left(t\right)$	The CDF of the time to restart all SFs.	General
$F_{\mathrm{f}\mathrm{h}}$(t)	The CDF of the time to repair and restart all SFs.	General
$F_{\mathrm{e}\mathrm{p}i}\left(t\right),F_{\mathrm{m}\mathrm{p}i}\left(t\right)$	The CDF of the time to infect the ith SF.	General
$F_{\mathrm{e}\mathrm{r}i}\left(t\right),F_{\mathrm{m}\mathrm{r}i}\left(t\right),F_{\mathrm{p}\mathrm{r}i}\left(t\right){,F}_{\mathrm{q}\mathrm{r}i}\left(t\right)$	The CDF of the shortest time to exploit other SFs.	Exponential
$F_{\mathrm{e}\mathrm{m}i}\left(t\right)$	The CDF of the trigger time interval for the ith SF to recover from the exploitation state.	General
$F_{\mathrm{m}\mathrm{h}i}\left(t\right)$	The CDF of the recovery time from the exploitation state of the ith SF.	General
$F_{\mathrm{p}\mathrm{f}i}$$\left(\mathrm{t}\right),F_{\mathrm{q}\mathrm{f}i}$(t)	The CDF of the time to exfiltrate the ith SF data.	General
$F_{\mathrm{q}\mathrm{h}i}$(t)	The CDF of the recovery time from the infection state of the ith SF.	General
$F_{\mathrm{p}\mathrm{q}i}$(t)	The CDF of the trigger time interval for the ith SF to recover from the infection state.	General
$F_{\mathrm{h}\mathrm{e}i}$(t)	The CDF of the time to exploit the ith SF.	Exponential

.

Based on the system states and transition times between system states, we establish the dependability analysis model, as shown in Figure 2. To aid understanding, Figure 2 focuses on illustrating the relationships between the various parts of the model. The complete dependability analysis model is shown in Figure A1 of Appendix A. In this figure, the gray lines represent the process of an attacker gaining access to the target node. The green lines represent the process of an attacker infecting the target node. The dark gray lines represent the process of an attacker stealing SF data. The blue solid lines represent the process in which one node in the system has been exploited by the attacker and other nodes are also exploited. The orange lines represent the process of preparing to trigger recovery operation from the exploitation state. The yellow lines represent the process of preparing to trigger recovery operation from the infection state. The blue dashed lines represent the recovery operation. This model can be used to analyze the availability, the probability of the security state and security risk of a USFC composed of any number of SFs. To better understand this model, we use a dependability analysis model for a USFC composed of two SFs as an example, as shown in Figure 3. The system starts in state $({\mathrm{P}}_1,{\mathrm{P}}_2)$. After running for a period of time, an attacker may launch an attack on SFs in the USFC. At this time, the system will enter state $(\mathrm{E},\mathrm{P})$, or $(\mathrm{P},\mathrm{E})$. Here, the state the system enters is determined by comparing the shortest time required for an attacker to gain access to each SF, which does not mean that an attacker can only attack one SF at a time. Subsequently, after a fixed time interval, the SF will trigger the recovery operation, and the system will enter state $\left(\mathrm{R}\mathrm{E},\mathrm{P}\right),\mathrm{o}\mathrm{r}(\mathrm{P},\mathrm{R}\mathrm{E})$. If the SF completes recovery, the system will enter state $(\mathrm{P},\mathrm{P})$. If the SF is injected with malware during the recovery process, the system will enter state $(\mathrm{I},\mathrm{P})$, or $(\mathrm{P},\mathrm{I})$. If the attacker exploits a vulnerability to gain access to other SFs during the recovery process from the exploitation state, the system will enter $(\mathrm{R},\mathrm{R})$. When the system is in state $(\mathrm{I},\mathrm{P})$, or $(\mathrm{P},\mathrm{I})$, after a fixed time interval, the SF will trigger a recovery operation and the system will enter state $(\mathrm{R}\mathrm{I},\mathrm{P})$, or $(\mathrm{P},\mathrm{R}\mathrm{I})$. If the SF completes recovery, the system will enter state $(\mathrm{P},\mathrm{P})$. If SF data is compromised during the recovery process, the system will enter state $(\mathrm{F},\mathrm{F})$. If an attacker exploits a vulnerability to gain access to other SFs during the recovery process from the infection state, the system will enter state $(\mathrm{R},\mathrm{R})$. When the system is in state $\left(\mathrm{R},\mathrm{R}\right),$ all SFs in the system are restarted and the system then enters state $(\mathrm{P},\mathrm{P})$. Alternatively, when the system is in state $(\mathrm{F},\mathrm{F})$, all SFs in the system are repaired and restarted, and the system then enters state $(\mathrm{P},\mathrm{P})$. Based on this model, we further develop a dependability analysis model with absorption states, as shown in Figure 4. The complete dependability analysis model with absorption states is shown in Figure A2 of Appendix A. This model considers that no recovery operation is performed when the system is unavailable.

In our model, each UAV is treated as a static network node. This simplification is reasonable for the dependability metrics we are interested in and provides a conservative benchmark for USFC dependability limits. The reasons are as follows:

• First, the execution time of a USFC is typically much shorter than the time intervals between adjacent waypoints in a typical UAV operation. For example, a USFC instance might complete in a few seconds, while UAV’s position change can take tens of seconds to minutes. Therefore, the relative displacement during USFC execution is negligible.
• Second, the dependability metrics we analyze are steady state and not instantaneous. While mobility introduces transient fluctuations in link quality, the long-term average of node-level dependability is still primarily determined by the attack behavior and recovery process.

Third, our static assumption provides a conservative estimate of the metrics we are concerned with when mobility does indeed impact dependability. By assuming static conditions, we implicitly consider the best-case scenario regarding link stability. Any dependability degradation caused by mobility only reinforces our conclusion that a robust USFC design is necessary.

3.3. Dependability Analysis

This paper aims to evaluate the dependability of the USFC from two aspects: availability and security. Specifically, availability metrics include steady-state availability and the probability of the unavailable state. The security metrics include the mean time to exfiltration (MTTE), the probability of security state, low security risk, and high security risk. Unlike classical reliability theories that focus on general system failures, this paper explores security failures caused by adversarial behavior. Therefore, we use MTTE as a security metric to quantify a system’s ability to withstand data breaches. MTTE is similar to the mean time to compromise, commonly used in the cybersecurity literature [28]. To solve for these metrics, we first construct the transition probability matrix given in Equation (1).

$$\left(\begin{array}{ccccccccccccccc}0& \cdots & \cdots & \cdots & p_{S_0{S}_{n+1}}& \cdots & p_{S_0{S}_{2n}}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0\\ p_{S_1{S}_0}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_1{S}_{3n+1}}& 0& \cdots & p_{S_1{S}_{4n+1}}& 0\\ \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots \\ p_{S_n{S}_0}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_{n+1}{S}_{4n}}& p_{S_n{S}_{4n+1}}& 0\\ 0& p_{S_{n+1}{S}_1}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_{n+1}{S}_{3n+1}}& 0& \cdots & p_{S_{n+1}{S}_{4n+1}}& 0\\ \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots \\ 0& \cdots & 0& p_{S_{2n}{S}_n}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_{2n}{S}_{4n}}& p_{S_{2n}{S}_{4n+1}}& 0\\ p_{S_{2n+1}{S}_0}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_{2n+1}{S}_{4n+1}}& p_{S_{2n+1}{S}_{4n+2}}\\ \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots \\ p_{S_{3n}{S}_0}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_{3n}{S}_{4n+1}}& p_{S_{3n}{S}_{4n+2}}\\ 0& \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_{3n+1}{S}_{2n+1}}& 0& \cdots & \cdots & \cdots & 0& p_{S_{3n+1}{S}_{4n+1}}& p_{S_{3n+1}{S}_{4n+2}}\\ \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots \\ 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0& p_{S_{4n}{S}_{3n}}& 0& \cdots & 0& p_{S_{4n}{S}_{4n+1}}& p_{S_{4n}{S}_{4n+2}}\\ p_{S_{4n+1}{S}_0}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0\\ p_{S_{4n+2}{S}_0}& 0& \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & \cdots & 0\end{array}\right)$$

(1)

where the elements in the matrix are given in Equations (2)–(14). In these formulas, $S_{\ast }$ represents the system state number, and its relationship with the system state is listed in Table 2. i and j are the indices of system state, corresponding to states $S_i$ and $S_j$, where $1\le i\le n$ and $j\in B=\left\{j\right|j\ne i,1\le j\le n\}$. To better understand this matrix, we present the transition probability matrix in Equation (15) for analyzing the dependability of USFC consisting of two SFs.

$$p_{S_0{S}_{i+n}}={\displaystyle {\int }_0^{\infty }\underset{j\in B}{\Pi }(1-F_{\mathrm{he}j}(t))d{F}_{\mathrm{he}i}(t)}$$

(2)

$$p_{S_i{S}_0}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mp}i}(t))(1-F_{\mathrm{mr}j}(t))}d{F}_{\mathrm{mh}i}(t)$$

(3)

$$p_{S_i{S}_{i+3n}}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mh}i}(t))}(1-F_{\mathrm{mr}j}(t))d{F}_{\mathrm{mp}i}(t)$$

(4)

$$p_{S_i{S}_{4n+1}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mh}i}(t))}(1-F_{\mathrm{mp}i}(t))d{F}_{\mathrm{mr}j}(t)$$

(5)

$$p_{S_{i+n}{S}_i}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{ep}i}(t))}(1-F_{\mathrm{er}j}(t))d{F}_{\mathrm{em}i}(t)$$

(6)

$$p_{S_{i+n}{S}_{i+3n}}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}i}(t))(1-F_{\mathrm{er}j}(t))}d{F}_{\mathrm{ep}i}(t)$$

(7)

$$p_{S_{i+n}{S}_{4n+1}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}i}(t))(1-F_{\mathrm{ep}i}(t))}d{F}_{\mathrm{er}j}(t)$$

(8)

$$p_{S_{i+2n}{S}_0}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qf}i}(t))}(1-F_{\mathrm{qr}j}(t)d{F}_{\mathrm{qh}i}(t)$$

(9)

$$p_{S_{i+2n}{S}_{4n+1}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qh}i}(t))}(1-F_{\mathrm{qf}i}(t)d{F}_{\mathrm{qr}j}(t)$$

(10)

$$p_{S_{i+2n}{S}_{4n+2}}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qh}i}(t))}(1-F_{\mathrm{qr}j}(t)d{F}_{\mathrm{qf}i}(t)$$

(11)

$$p_{S_{i+3n}{S}_{i+2n}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}i}(t))}(1-F_{\mathrm{pr}j}(t)d{F}_{\mathrm{pq}i}(t)$$

(12)

$$p_{S_{i+3n}{S}_{4n+1}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}i}(t))(1-F_{\mathrm{pq}i}(t))}d{F}_{\mathrm{pr}j}(t)$$

(13)

$$p_{S_{i+3n}{S}_{4n+2}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pq}i}(t))}(1-F_{\mathrm{pr}j}(t)d{F}_{\mathrm{pf}i}(t)$$

(14)

$$\left(\begin{array}{ccccccccccc}0& 0& 0& p_{S_0{S}_3}& p_{S_0{S}_4}& 0& 0& 0& 0& 0& 0\\ p_{S_1{S}_0}& 0& 0& 0& 0& 0& 0& p_{S_1{S}_7}& 0& p_{S_1{S}_9}& 0\\ p_{S_2{S}_0}& 0& 0& 0& 0& 0& 0& 0& p_{S_2{S}_8}& p_{S_2{S}_9}& 0\\ 0& p_{S_3{S}_1}& 0& 0& 0& 0& 0& p_{S_3{S}_7}& 0& p_{S_3{S}_9}& 0\\ 0& 0& p_{S_4{S}_2}& 0& 0& 0& 0& 0& p_{S_4{S}_8}& p_{S_4{S}_9}& 0\\ p_{S_5{S}_0}& 0& 0& 0& 0& 0& 0& 0& 0& p_{S_5{S}_9}& p_{S_5{S}_{10}}\\ p_{S_6{S}_0}& 0& 0& 0& 0& 0& 0& 0& 0& p_{S_6{S}_9}& p_{S_6{S}_{10}}\\ 0& 0& 0& 0& 0& p_{S_7{S}_5}& 0& 0& 0& p_{S_7{S}_9}& p_{S_7{S}_{10}}\\ 0& 0& 0& 0& 0& 0& p_{S_8{S}_6}& 0& 0& p_{S_8{S}_9}& p_{S_8{S}_{10}}\\ p_{S_9{S}_0}& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\\ p_{S_{10}{S}_0}& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0\end{array}\right)$$

(15)

By solving $\mathrm{V}=\mathrm{VP}$, we can obtain $V_{S_i}$. Then, we calculate the sojourn time in each state, which is given in Equations (16)–(22).

$$h_{S_0}={\displaystyle {\int }_0^{\infty }\prod _{j^{\prime }=1}^m(1-F_{\mathrm{he}{j}^{\prime }}(t))dt}$$

(16)

$$h_{S_i}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mp}i}(t))(1-F_{\mathrm{mr}j}(t))(1-F_{\mathrm{mh}i}(t)})dt$$

(17)

$$h_{S_{i+n}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}i}(t))(1-F_{\mathrm{er}j}(t))(1-F_{\mathrm{ep}i}(t)})dt$$

(18)

$$h_{S_{i+2n}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qf}i}(t\left)\right)(1-F_{\mathrm{qr}j}(t))(1-F_{\mathrm{qh}i}(t)})dt$$

(19)

$$h_{S_{i+3n}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}i}(t)\left)\right(1-F_{\mathrm{pr}j}(t))(1-F_{\mathrm{pq}i}(t)})dt$$

(20)

$$h_{S_{4n+1}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{rh}}(t\left)\right)}dt$$

(21)

$$h_{S_{4n+2}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{fh}}(t\left)\right)}dt$$

(22)

To better understand the formulas derived in this paper, we provide Equations (23)–(59) for analyzing the dependability of USFC consisting of two SFs.

Table 4. Definitions of notations used in Equations (23)–(59).

Notation	Definition
$F_{\mathrm{r}\mathrm{h}}\left(t\right)$	The CDF of the time to restart the first and second SFs.
$F_{\mathrm{f}\mathrm{h}}$(t)	The CDF of the time to repair and restart the first and second SFs.
$F_{\mathrm{e}\mathrm{p}1}\left(t\right),F_{\mathrm{m}\mathrm{p}1}\left(t\right){/F_{\mathrm{e}\mathrm{p}2}\left(2\right),F}_{\mathrm{m}\mathrm{p}2}(t)$	The CDF of the time to infect the first/second SF.
$F_{\mathrm{e}\mathrm{r}1}\left(t\right),F_{\mathrm{m}\mathrm{r}1}\left(t\right),F_{\mathrm{p}\mathrm{r}1}\left(t\right){,F}_{\mathrm{q}\mathrm{r}1}\left(t\right)$ $F_{\mathrm{e}\mathrm{r}2}\left(t\right),F_{\mathrm{m}\mathrm{r}2}\left(t\right),F_{\mathrm{p}\mathrm{r}2}\left(t\right){,F}_{\mathrm{q}\mathrm{r}2}\left(t\right)$	The CDF of the shortest time to exploit the other SF.
$F_{\mathrm{e}\mathrm{m}1}\left(t\right)/F_{\mathrm{e}\mathrm{m}2}\left(t\right)$	The CDF of the trigger time interval for the first/second SF to recover from the exploitation state.
$F_{\mathrm{m}\mathrm{h}1}\left(t\right)/F_{\mathrm{m}\mathrm{h}2}\left(t\right)$	The CDF of the recovery time from the exploitation state of the first/second SF.
$F_{\mathrm{p}\mathrm{f}1}\left(t\right),F_{\mathrm{q}\mathrm{f}1}\left(t\right)/F_{\mathrm{p}\mathrm{f}2}\left(t\right),F_{\mathrm{q}\mathrm{f}2}\left(t\right)$	The CDF of the time to exfiltrate the first/second SF data.
$F_{\mathrm{q}\mathrm{h}1}\left(t\right)/F_{\mathrm{q}\mathrm{h}2}\left(t\right)$	The CDF of the recovery time from the infection state of the first/second SF.
$F_{\mathrm{p}\mathrm{q}1}\left(t\right)/F_{pq2}\left(t\right)$	The CDF of the trigger time interval for the first/second SF to recover from the infection state.
$F_{he1}\left(t\right)/F_{he2}\left(t\right)$	The CDF of the time to exploit the first/second SF.

lists the meanings of the notations used in the formulas.

$$p_{S_0{S}_3}={\displaystyle {\int }_0^{\infty }(1-F_{he2}(t))}d F_{he1}(t)$$

(23)

$$p_{S_0{S}_4}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{he}1}(t))d F_{\mathrm{he}2}(t)}$$

(24)

$$p_{S_1{S}_0}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mp}1}(t))(1-F_{\mathrm{mr}2}(t))}d{F}_{\mathrm{mh}1}(t)$$

(25)

$$p_{S_1{S}_7}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mh}1}(t))}(1-F_{\mathrm{mr}2}(t))d{F}_{\mathrm{mp}1}(t)$$

(26)

$$p_{S_1{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mh}1}(t))}(1-F_{\mathrm{mp}1}(t))d{F}_{\mathrm{mr}2}(t)$$

(27)

$$p_{S_2{S}_0}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mp}2}(t))(1-F_{\mathrm{mr}1}(t))}d{F}_{\mathrm{mh}2}(t)$$

(28)

$$p_{S_2{S}_8}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mh}2}(t))}(1-F_{\mathrm{mr}1}(t))d{F}_{\mathrm{mp}2}(t)$$

(29)

$$p_{S_2{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mh}2}(t))}(1-F_{\mathrm{mp}2}(t))d{F}_{\mathrm{mr}1}(t)$$

(30)

$$p_{S_3{S}_1}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{ep}1}(t))}(1-F_{\mathrm{er}2}(t))d{F}_{\mathrm{em}1}(t)$$

(31)

$$p_{S_3{S}_7}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}1}(t))(1-F_{\mathrm{er}2}(t))}d{F}_{\mathrm{ep}1}(t)$$

(32)

$$p_{S_3{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}1}(t))(1-F_{\mathrm{ep}1}(t))}d{F}_{\mathrm{er}2}(t)$$

(33)

$$p_{S_4{S}_2}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{ep}2}(t))}(1-F_{\mathrm{er}1}(t))d{F}_{\mathrm{em}2}(t)$$

(34)

$$p_{S_4{S}_8}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}2}(t))(1-F_{\mathrm{er}1}(t))}d{F}_{\mathrm{ep}2}(t)$$

(35)

$$p_{S_4{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}2}(t))(1-F_{\mathrm{ep}2}(t))}d{F}_{\mathrm{er}1}(t)$$

(36)

$$p_{S_5{S}_0}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qf}1}(t))}(1-F_{\mathrm{qr}2}(t)d{F}_{\mathrm{qh}1}(t)$$

(37)

$$p_{S_5{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qh}1}(t))}(1-F_{\mathrm{qf}1}(t)d{F}_{\mathrm{qr}2}(t)$$

(38)

$$p_{S_5{S}_{10}}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qh}1}(t))}(1-F_{\mathrm{qr}2}(t)d{F}_{\mathrm{qf}1}(t)$$

(39)

$$p_{S_6{S}_0}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qf}2}(t))}(1-F_{\mathrm{qr}1}(t)d{F}_{\mathrm{qh}2}(t)$$

(40)

$$p_{S_6{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qh}2}(t))}(1-F_{\mathrm{qf}2}(t)d{F}_{\mathrm{qr}1}(t)$$

(41)

$$p_{S_6{S}_{10}}(t)={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qh}2}(t))}(1-F_{\mathrm{qr}1}(t)d{F}_{\mathrm{qf}2}(t)$$

(42)

$$p_{S_7{S}_5}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}1}(t))}(1-F_{\mathrm{pr}2}(t)d{F}_{\mathrm{pq}1}(t)$$

(43)

$$p_{S_7{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}1}(t))(1-F_{\mathrm{pq}1}(t))}d{F}_{\mathrm{pr}2}(t)$$

(44)

$$p_{S_7{S}_{10}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pq}1}(t))}(1-F_{\mathrm{pr}2}(t)d{F}_{\mathrm{pf}1}(t)$$

(45)

$$p_{S_8{S}_6}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}2}(t))}(1-F_{\mathrm{pr}1}(t)d{F}_{\mathrm{pq}2}(t)$$

(46)

$$p_{S_8{S}_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}2}(t))(1-F_{\mathrm{pq}2}(t))}d{F}_{\mathrm{pr}1}(t)$$

(47)

$$p_{S_8{S}_{10}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pq}2}(t))}(1-F_{\mathrm{pr}1}(t)d{F}_{\mathrm{pf}2}(t)$$

(48)

$$h_{S_0}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{he}1}(t))(1-F_{\mathrm{he}2}(t))dt}$$

(49)

$$h_{S_1}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mp}1}(t))(1-F_{\mathrm{mr}2}(t))(1-F_{\mathrm{mh}1}(t)})dt$$

(50)

$$h_{S_2}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{mp}2}(t))(1-F_{\mathrm{mr}1}(t))(1-F_{\mathrm{mh}2}(t)})dt$$

(51)

$$h_{S_3}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}1}(t))(1-F_{\mathrm{er}2}(t))(1-F_{\mathrm{ep}1}(t)})dt$$

(52)

$$h_{S_4}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{em}2}(t))(1-F_{\mathrm{er}1}(t))(1-F_{\mathrm{ep}2}(t)})dt$$

(53)

$$h_{S_5}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qf}1}(t))(1-F_{\mathrm{qr}2}(t))(1-F_{\mathrm{qh}1}(t)})dt$$

(54)

$$h_{S_6}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{qf}2}(t))(1-F_{\mathrm{qr}1}(t))(1-F_{\mathrm{qh}2}(t)})dt$$

(55)

$$h_{S_7}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}1}(t))(1-F_{\mathrm{pr}2}(t))(1-F_{\mathrm{pq}1}(t)})dt$$

(56)

$$h_{S_8}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{pf}2}(t))(1-F_{\mathrm{pr}1}(t))(1-F_{\mathrm{pq}2}(t)})dt$$

(57)

$$h_{S_9}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{rh}}(t))}dt$$

(58)

$$h_{S_{10}}={\displaystyle {\int }_0^{\infty }(1-F_{\mathrm{fh}}(t))}dt$$

(59)

$p_{\ast }$ can be obtained by solving $\underset{t\to \infty }{\lim }{k}_{\ast }\left(t\right)$. For example, $p_{S_0{S}_3}=\underset{t\to \infty }{\lim }{k}_{S_0{S}_3}\left(t\right)=\mathrm{P}\mathrm{r}\{s^{\prime }=S_3,T\le t|s^{\prime }=S_0\}$, where $k_{S_0{S}_3}\left(t\right)$ is the probability that an attacker can gain access to the first SF. $p_{S_3{S}_7}=\underset{t\to \infty }{\lim }{k}_{S_3{S}_7}\left(t\right)=\mathrm{P}\mathrm{r}\{s^{\prime }=S_7,T\le t|s^{\prime }=S_3\}$, where $k_{S_3{S}_7}\left(t\right)$ is the probability that an attacker implants malware into the first SF. $p_{S_7{S}_{10}}=\underset{t\to \infty }{\lim }{k}_{S_7{S}_{10}}\left(t\right)=\mathrm{P}\mathrm{r}\{s^{\prime }=S_{10},T\le t|s^{\prime }=S_7\}$, where $k_{S_7{S}_{10}}\left(t\right)$ is the probability that an attacker uses implanted malware to steal data from the first SF.

Based on the derived formulas, we first prove the aperiodicity of the embedded discrete-time Markov chain.

Proof. 

Consider state $(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})$ in the model for analyzing the dependability of a USFC consisting of three SFs. It can return to itself in five steps via the path $(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})\to (\mathrm{R},\mathrm{R},\mathrm{R})\to (\mathrm{P},\mathrm{P},\mathrm{P})\to (\mathrm{P},\mathrm{P},\mathrm{E})\to (\mathrm{P},\mathrm{P},\mathrm{I})\to (\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})$ ($p_{(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})(\mathrm{R},\mathrm{R},\mathrm{R})}\ast p_{\left(\mathrm{R},\mathrm{R},\mathrm{R}\right)\left(\mathrm{P},\mathrm{P},\mathrm{P}\right)}\ast p_{\left(\mathrm{P},\mathrm{P},\mathrm{P}\right)\left(\mathrm{P},\mathrm{P},\mathrm{E}\right)}\ast p_{\left(\mathrm{P},\mathrm{P},\mathrm{E}\right)\left(\mathrm{P},\mathrm{P},\mathrm{I}\right)}\ast p_{\left(\mathrm{P},\mathrm{P},\mathrm{I}\right)\left(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I}\right)}=0.000743>0$) or in six steps via the path $(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})\to (\mathrm{F},\mathrm{F},\mathrm{F})\to (\mathrm{P},\mathrm{P},\mathrm{P})\to (\mathrm{P},\mathrm{P},\mathrm{E})\to (\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})\to (\mathrm{P},\mathrm{P},\mathrm{I})\to (\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})$($p_{(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I})(\mathrm{F},\mathrm{F},\mathrm{F})}\ast p_{\left(\mathrm{F},\mathrm{F},\mathrm{F}\right)\left(\mathrm{P},\mathrm{P},\mathrm{P}\right)}\ast p_{\left(\mathrm{P},\mathrm{P},\mathrm{P}\right)\left(\mathrm{P},\mathrm{P},\mathrm{E}\right)}\ast p_{\left(\mathrm{P},\mathrm{P},\mathrm{E}\right)\left(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I}\right)}\ast p_{\left(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I}\right)\left(\mathrm{P},\mathrm{P},\mathrm{I}\right)}\ast p_{\left(\mathrm{P},\mathrm{P},\mathrm{I}\right)\left(\mathrm{P},\mathrm{P},\mathrm{R}\mathrm{I}\right)}=0.000106>0$). Since gcd(5,6) = 1, this state is aperiodic. □

In addition, the proposed model has a finite number of system states, all states are interconnected, and $\underset{t\to \infty }{\lim }{F}_{\ast }\left(t\right)=1$. Therefore, the proposed model is effective.

Finally, we can derive the formulas for calculating the dependability metrics. By accurately modeling small-scale USFC and discovering patterns, we derive the formulas that reveal the correlation between the number of SFs in the USFC and the various metrics. These formulas can be extrapolated to USFC systems of other sizes, and thus, avoiding the computational bottleneck of state space explosion. In addition, the computational complexity of evaluating the proposed metrics is $O(n\ast C)$, where C is the computational complexity of integrals. It can be seen that the computational complexity is linearly related to n. Therefore, the approach proposed in this paper can be used to evaluate the dependability of large-scale USFC.

(1)

The steady-state availability: $A=1-{\displaystyle \raisebox{1ex}{$(V_{S_{(4n+1)}}{h}_{S_{(4n+1)}}+V_{S_{(4n+2)}}{h}_{S_{(4n+2)}})$}\!\left/ \!\raisebox{-1ex}{${\displaystyle {\sum }_{i=0}^{4n+2}{V}_{S_i}{h}_{S_i}}$}\right.}$.

(2)

The probability of the unavailable state: $U={\displaystyle \raisebox{1ex}{$(V_{S_{(4n+1)}}{h}_{S_{(4n+1)}}+V_{S_{(4n+2)}}{h}_{S_{(4n+2)}})$}\!\left/ \!\raisebox{-1ex}{${\displaystyle {\sum }_{i=0}^{4n+2}{V}_{S_i}{h}_{S_i}}$}\right.}$.

(3)

The mean time to exfiltration: $MTTE={\displaystyle {\sum }_{i=0}^{4n}{V}_{S_i}{h}_{S_i}}$.

(4)

The probability of the security state: $S={\displaystyle \raisebox{1ex}{$V_{S_0}{h}_{S_0}$}\!\left/ \!\raisebox{-1ex}{${\displaystyle {\sum }_{i=0}^{4n+2}{V}_{S_i}{h}_{S_i}}$}\right.}$.

(5)

Loss security risk: $S_{low}={\displaystyle \raisebox{1ex}{${\displaystyle {\sum }_{j=1}^{2n}{V}_{S_j}{h}_{S_j}}$}\!\left/ \!\raisebox{-1ex}{${\displaystyle {\sum }_{i=0}^{4n+2}{V}_{S_i}{h}_{S_i}}$}\right.}$.

(6)

High security risk: $S_{high}={\displaystyle \raisebox{1ex}{${\displaystyle {\sum }_{j=2n+1}^{4n}{V}_{S_j}{h}_{S_j}}$}\!\left/ \!\raisebox{-1ex}{${\displaystyle {\sum }_{i=0}^{4n+2}{V}_{S_i}{h}_{S_i}}$}\right.}$

4. Experimental Results

In this section, we analyze USFC system dependability from the perspectives of availability and security. Through multiple sets of experiments, we will thoroughly validate the effectiveness and practicality of the proposed method under varying system parameters and node configurations.

4.1. Experimental Configuration

Numerical analysis experiments based on models and formulas are conducted in a Maple environment in order to investigate the effects of system parameters on metrics.

Table 5. Default parameter settings.

Parameter	Mean	Default Value	Distribution	The Corresponding USFC Event	Reason
The time to obtain node access	2–4 h	The three SFs are 2 h, 2.5 h and 3.3 h, respectively.	Exponential	An attacker gains access to a node in the USFC.	Each malicious data packet sent by the attacker is independent, and the conditions for triggering a vulnerability each time are random and do not accumulate any useful information.
The restarting time	0.1–1 h	0.7 h	Exponential [29]	The node recovers from an attack.	The failure rate of the recovery process is usually assumed to be constant.
The repairing and restarting time	0.1–1 h	0.8 h	Exponential [29]
The recovery time after node is exploited/infected	0.1–1 h	0.1 h	Exponential [29]
The time to exfiltrate data	0.5–4 h	The three SFs are 0.8 h, 1.4 h and 3.4 h, respectively.	Hypoexponential [30]	An attacker steals USFC data.	The process of stealing data involves multiple stages.
The time to infect node	2–4 h	The three SFs are 3 h, 3.5 h and 4 h, respectively.	Weibull [31]	An attacker infects node in USFC.	During UAV flight, the distance between nodes and link quality changes dynamically, so the infection rate is not constant.
TTIRES/TTIRIS	0–2 h	10 s	Heaviside [29]	The time interval between detecting an attack on a node and the actual execution of a recovery operation.	In real-world scenarios, the recovery operation is performed according to a preset procedure, and the time interval is fixed.

lists the default parameter settings used in the experiment. It is worth noting that the parameters used in experiments are only examples to verify the effectiveness of the proposed model and formulas. Other parameters are also applicable to our model. In addition, each malicious data packet sent by the attacker is independent, and the conditions for triggering a vulnerability each time are random and do not accumulate any useful information. Therefore, we set the time to obtain node access, following exponential distribution. The remaining distributions are set according to [29,30,31], which is also only an example to verify our approach, and other distributions are equally applicable to our approach.

During the experiment, we used the Dirac delta function in Maple to implement the Heaviside distribution. We first calculate its derivative to obtain the density function (Dirac delta function). Maple automatically applies the sifting property of Dirac delta function. This method is exact and analytic, which does not involve any numerical approximations, thus obtaining closed-form results consistent with the theoretical properties of SMP. The Heaviside distribution is used to simulate fixed TTIRES and TTIRIS. In a typical USFC, such latency is typically in the range of seconds. Setting the mean in such a large range (0–2 h) will show how dependability metrics change with TTIRES and TTIRIS and help determine the optimal TTIRES and TTIRIS corresponding to the optimal dependability metrics.

4.2. Dependability Assessment Results

We conduct simulation and numerical analysis experiments for each USFC dependability metric. Figure 5 illustrates the simulation experiment process. First, initialize the system parameters. Next, confirm the minimum time (min_time) for all components to be exploited by attackers, and add this min_time to the current_time. Subsequently, check whether the current_time is less than the time_limit of the simulation experiment. If the current_time is less than the time_limit, calculate the MTTE (Algorithm 1) and the probability of the USFC system in each state (Algorithm 2). After that, generate time intervals for subsequent possible events and set the time intervals of subsequent impossible events to the maximum value. Then, compare the times of subsequent possible events to find the minimum value (min_time’) and update the current time. Repeat the above steps until the current time exceeds the time limit, at which point the experiment ends. The results are shown in Figure 6. The comparison shows that the results of the numerical analysis experiments are close to the simulation results, demonstrating the approximate accuracy of our model and formulas.

We then evaluate the USFC dependability metrics by varying the parameters. Figure 7a shows that as mean recovery time after node is exploited increases, both high security risk and low security risk increase, while steady-state availability and the probability of the security state decrease. In Figure 7b, it can be observed that as the mean time to infect node increases, high security risk decreases, while the other three indicators all increase. Conversely, when the mean recovery time after node is infected increases, the opposite trends are observed in Figure 7c. From Figure 7, we can also obtain the optimal parameter values when these four metrics achieve synergistic optimization.

Algorithm 1: Calculate MTTE

Input: max_value, time_limit, current_time

Output: avg_mtte

1.   begin

2.     while (current_time < time_limit) do

3.        if the next event is that the system enters state E/I/RE/RI then:

4.         mtte = mtte + time_E/time_RE/time_I/time_RI

5.         Generate time intervals for subsequent possible events

6.         Set the time intervals of subsequent impossible events to the maximum value

7.        else if the next event is that the system enters state R/F then:

8.         mtte = mtte + time_R/time_F

9.         count = count + 1

10.         total_mtte = total_mtte + mtte

11.         mtte = 0

12.         Generate time intervals for subsequent possible events

13.   Set the time intervals of subsequent impossible events to the maximum value

14.        else if the next event is the recovery from state RE/RI to state P then:

15.         mtte = mtte + time_REP/time_RIP

16.         Generate time intervals for subsequent possible events

17.         Set the time intervals of subsequent impossible events to the maximum value

18.        else if the next event is the recovery from state R/F to state P then:

19.         Generate time intervals for subsequent possible events

20.         Set the time intervals of subsequent impossible events to the maximum value

21.        end if

22.     end while

23.     if count == 0 then

24.       avg_mtte = max_value

25.     else

26.       avg_mtte = total_mtte/count

27.     end if

28.   end

Algorithm 2: Calculate the probability of USFC system in each state

Input: time_limit, current_time

Output: The probability of USFC system in each state

1.    begin

2.      while current_time < time_limit do

3.        if the next event is that the system enters state P/E/I/RE/RI/R/F then:

4.          count_P/E/I/RE/RI/R/F= count_P/E/I/RE/RI/R/F+1

5.          Generate time intervals for subsequent possible events

6.          Set the time intervals of subsequent impossible events to the maximum value

7.          total_events = total_events+1

8.        end if

9.      end while

10.      The probability of USFC system in each state = count_P/E/I/RE/RI/R/F/total_events

11.    end

Figure 8 shows the probability of the security state and unavailable state under different parameters for USFC composed of two, three, and four SFs. It can be seen that with the increase in mean time to obtain node access and mean time to exfiltrate data, the probability of the security state increases while the probability of the unavailable state decreases. As the mean restarting time and mean repairing and restarting time increase, the probability of the unavailable state increases while the probability of the security state decreases. This trend holds true regardless of the number of SFs. Furthermore, we observe that under the same time parameters, the probability of the security state decreases as the number of SFs increases, whereas USFCs with more SFs exhibit a higher probability of the unavailable state.

Figure 9 and Figure 10 analyze high security risk and low security risk of the USFC by varying the mean time to obtain node access, mean time to exfiltrate data, and mean restarting time. Under all experimental configurations, both high security risk and low security risk exhibit a monotonic increasing trend as the number of SFs increases from 2 to 4. As the mean time to obtain node access and mean restarting time increase, the USFC security risk shows a decreasing trend. When the mean time to exfiltrate data varies from 1 h to 3 h, both high security risk and low security risk increase under different SF configurations, but the magnitude of this increase is small. A comparison between Figure 9 and Figure 10 reveals that under the same parameter configurations, high security risk is approximately 2.5 to 2.8 times that of low security risk. Compared to time-related parameters, the number of SFs has a more significant impact on both high and low security risks.

Figure 11 and Figure 12 show the high security risk, low security risk, steady-state availability, and the probability of the security state under different recovery trigger time intervals from the exploitation state (TTIRES) and recovery trigger time intervals from the infection state (TTIRIS) when the number of SFs is 3. As TTIRES increases, high security risk first rises and then declines, exhibiting a distinct peak characteristic. The peak corresponding to the first SF is the highest, while the peak corresponding to the third SF is the lowest. Meanwhile, low security risk shows a monotonically increasing trend. Unlike TTIRES, TTIRIS presents a monotonic impact on security risk. As TTIRIS increases, high security risk increases continuously, whereas low security risk decreases continuously. Moreover, for high security risk, the first SF is most affected, while for low security risk, the third SF is most affected. A comparison between Figure 12a,b reveals that the steady-state availability remains consistently higher than the probability of the security state under the same configurations, and the gap between them gradually widens over time. Meanwhile, we can observe that both the steady-state availability and the probability of the security state exhibit a monotonic decreasing trend over trigger time intervals, though the rates of decline vary significantly. When comparing the impacts of TTIRES and TTIRIS, TTIRES has a more significant effect on the steady-state availability. Both TTIRES and TTIRIS have a greater influence on the probability of the security state than on steady-state availability.

Figure 13 shows the results of MTTE. We first evaluated the MTTE by varying the mean time to obtain node access from 2 h to 4 h and the mean time to exfiltrate data from 1 h to 3 h under different number of SFs. Results are shown in Figure 13a,b. We can observe that with increasing mean time to obtain node access and exfiltrate data, MTTE increases. Under the same parameters, as the number of SFs increases, the MTTE decreases accordingly. Figure 13c shows MTTE under TTIRES and TTIRIS of different SFs. MTTE decreases as the trigger time interval increases. TTIRES and TTIRIS of the first SF result in higher MTTE compared to the second SF and third SF. In real-world scenarios, the decreasing trend of MTTE as the number of SFs increases can be mitigated by deploying security modules such as data encryption and fine-grained permission management and by using automated tools for anomaly detection.

5. Discussion

This work takes the first step toward assessing USFC dependability from availability and security perspectives. By constructing a multidimensional SMP-based model, we quantitatively analyzed the impact of the dynamic interaction between attacker behaviors and USFC system recovery behaviors on USFC dependability. However, there are still some limitations that require further in-depth research, as detailed below.

• This paper focuses on developing an evaluation model that can be used to capture USFC system behaviors from both attacker attack and system defense perspectives. Based on the developed model, we derive formulas for calculating the availability and security metrics of a USFC system composed of any number of SFs. In practical applications, parameters measured through actual measurements can be substituted into the derived formulas to improve the evaluation results. Furthermore, the quantitative correlations between the parameters reflected in these formulas can directly empower the USFC deployment based on deep reinforcement learning algorithms, achieving synergistic optimization of various metrics while satisfying constraints.
• In order to ensure that the Markov property is satisfied at each time instance, this paper designs system state representations such as (E,P,P…,P). This design means that the accumulated information of the remaining nodes cannot be saved. In fact, the time it takes for the attacker to gain access to the remaining components is influenced by the time it takes for the attacker to gain access to the first node. Therefore, the assumptions in this paper will introduce errors in the accuracy of the experimental results but will not affect the qualitative results obtained from the dependability metric assessment. In the future, we can capture the system behavior discussed in this paper by establishing a model in which the Markov property only needs to be satisfied at certain points in time.
• This paper focuses on the theoretical analysis of USFC dependability. However, there is a gap between theoretical analysis and actual measurements. Given the difficulty of deploying a practical platform and the significant time required for conducting experiments, we will evaluate the gap between theoretical analysis and actual measurements in the future. It is worth noting that the theoretical analysis conducted in this paper can supplement the actual measurement results, which help in analyzing the reasons behind the actual measurement results.
• The USFC dependability analysis model developed in this paper mainly consists of system states and distribution functions of the state transition times, focusing on characterizing the behaviors of the USFC system after an attack and its corresponding defensive actions. In real-world scenarios, high mobility, unstable communication links, and strict energy constraints of actual UAV platforms can cause dynamic changes in state transition times. Therefore, we can incorporate these factors as time-varying parameters into the distribution functions to characterize their dynamic impact on state transition times in the future. Furthermore, the fact that our model supports general distributions allows it to be extended to help analyze the impact of these time-varying parameters on USFC dependability.

6. Conclusions

This paper first constructs a dependability analysis model for USFC composed of any number of SFs, which meticulously characterizes the different stages of an attack and the recovery behavior triggered at each stage. Then, we derive the calculation formulas for availability and security metrics to analyze the dependability of the USFC, providing a theoretical foundation for determining the parameter settings corresponding to optimal dependability. Finally, this paper executes numerous numerical analysis experiments, demonstrating not only the changing trends of various dependability metrics under different parameters but also the parameter combinations for synergistic optimization among metrics. For a single event (such as node infection), regardless of the distribution used to describe its occurrence interval, as long as the expectation is the same, the average number of occurrences per unit time will be the same in the long run. Therefore, the qualitative conclusions obtained from the steady-state dependability metric assessment in this paper are robust to the distribution. In the future, we will first develop a practical platform to validate the proposed approach. Then, we will transform dynamic conditions into time-varying parameters and incorporate them into the distribution functions of state transition times to make the evaluation results more accurate. Finally, we will leverage the proposed dependability assessment model and metric calculation formulas to empower the optimization algorithm, providing support for SFC deployment decisions in UAVs.