
CHAPTER 1 : INTRODUCTION

1.1 Computer Networks


A computer network, often simply called a network, is a collection of computers and
devices connected by communication channels that let users communicate and share
resources and information with one another (printers, files and so on). Networks may be
classified according to a wide variety of characteristics. The most common classification
is by the physical medium (hardware) used to interconnect the individual devices in the
network; on this basis, a network is either a wired network or a wireless network.

1.1.1 Wired Networks

Wired networks connect devices by means of physical cables. Switches and hubs are placed
between the devices to interconnect them, and repeaters are used to extend the distance
over which a signal can be carried. Wired networks are usually more efficient and much
faster than wireless networks, and once a connection is set up there is very little
chance of it being lost.
Advantages of wired networks are:

A wired network offers connection speeds of 100 Mbps to 1000 Mbps.

Physical, fixed wired connections are not prone to the interference and fluctuations in
available bandwidth that can affect some wireless connections.

Disadvantages of wired networks compared with wireless networks are:

Maintaining the network is expensive because of the many cables between computer
systems, and when a cable fails it is hard and costly to locate and replace it.

When a laptop has to be connected to the network, a wired connection defeats the main
reason for buying a laptop in the first place, namely mobility.

1.1.2 Wireless Networks

A wireless network is any computer network in which electromagnetic waves, rather than a
physical medium, connect the devices. The absence of physical wires makes this kind of
network very flexible and reduces the installation and maintenance cost of the network.
Advantages of wireless networks are:

Mobile users are provided with access to real-time information even when they are away
from their home or office.

Setting up a wireless system is easy and fast and eliminates the need to pull cables
through walls and ceilings.

The network can be extended to places that cannot be wired.

Wireless networks offer more flexibility and adapt easily to changes in the configuration
of the network.

Disadvantages of wireless networks are:

Interference due to weather, other radio-frequency devices, or obstructions such as walls.

The total throughput drops when multiple connections share the medium.

1.2 Types of Wireless Networks


One of the distinctive features of wireless networks compared with wired networks is
that data is transmitted from one point to another over wireless links: no wired link is
needed between two nodes, they only need to be within transmission range of each other.
Wireless communication between mobile users is more popular than ever before. This is due
to recent technological advances in mobile computers and wireless data communication
devices, such as wireless modems and wireless LANs, which have led to higher data rates,
and to their adoption by society, which has led to lower prices. These two factors are the
main reasons why mobile computing continues to enjoy rapid growth. Devices commonly used
for wireless networking include portable computers, desktop computers, hand-held
computers, personal digital assistants (PDAs), cellular phones, pen-based computers and
pagers. Wireless technologies serve many practical purposes: mobile users can read e-mail
on a cellular phone, and travellers with portable computers can connect to the Internet
through base stations installed at airports, railway stations and other public places.
Wireless networks also have problems that must be dealt with. Because they operate on
radio frequencies, they have to contend with the effects of radio communication such as
noise, fading and interference.


Wireless networks can be classified into two types:

Infrastructure networks

Infrastructure-less networks (ad hoc networks)

1.2.1 Infrastructure Networks

An infrastructure network has a fixed network topology. Wireless nodes connect through a
fixed point known as a base station or access point, which in most cases is connected to
the main network through a wired link. The base station or access point is the central
element of such a network: all wireless traffic must pass through it. When a node is in
range of several base stations it associates with one of them according to some
criterion.

1.2.2 Ad hoc Networks (Infrastructure-less Networks)

Ad hoc networks, also called infrastructure-less networks, are complex distributed systems
consisting of wireless links between nodes, in which every node also works as a router and
forwards data on behalf of other nodes. Nodes are free to join or leave the network
without restriction, so the network has no permanent infrastructure. The nodes of an ad
hoc network may be stationary or mobile; one can therefore say that ad hoc networks take
two forms, static ad hoc networks (SANET) and mobile ad hoc networks (MANET). With the
introduction of technologies such as IEEE 802.11, commercial deployment of ad hoc
networks has become possible.
One of the attractive features of such networks is their flexibility: they can be deployed
very easily, which makes them suitable for emergency situations. On the other hand, the
operation of an ad hoc network is hard to manage. Each node is responsible for handling
its own operation independently, and topology changes are very frequent, so an efficient
routing protocol is needed.

1.3 Mobile Ad-Hoc Networks (MANET)


A mobile ad hoc network is a collection of mobile hosts that roam at will and communicate
with each other. These networks differ from traditional wireless networks in that they
have no fixed topology, no base-station support and no fixed routers. A MANET has
multi-hop communication capability; there is no centralized administration or backbone
network to support it, and each node works as an independent router. Each host uses a
wireless RF transceiver as its network interface [30]. Example applications of MANETs are
emergency search-and-rescue operations and meetings or conventions where users need to
deploy a network immediately, without base stations or fixed network infrastructure.
Figure 1.1 shows a simple ad hoc network of three mobile hosts using wireless network
interfaces. The outermost nodes are not within transmitter range of each other; however,
the middle node can forward packets between them. The middle node acts as a router, and
the three nodes form an ad hoc network.

Figure 1.1: Example of a simple ad-hoc network with three participating nodes

Wireless ad hoc networks take advantage of the nature of the wireless communication
medium. In a wired network the physical cabling is done a priori and restricts the
connection topology of the nodes. This restriction is absent in the wireless domain:
provided that two nodes are within transmitter range of each other, a link between them
can form instantaneously.
Various features of mobile ad hoc networks are:

Self-organizing: Every time a mobile host moves, it needs to rediscover which mobile
hosts are reachable. It does this by sending a "ping" message in all directions and
listening for the corresponding "pong" messages. The "ping" signal weakens as distance
increases, which gives the mobile host a limited range within which its "ping" can be
heard. This range is called the scan range of the mobile host.

Fully decentralized: No central server exists in a MANET environment; every mobile host
is equally important within the network. Every node acts both as a host and as a router.
A node can be viewed as an abstract entity consisting of a router and a set of affiliated
mobile hosts (Figure 1.2).

Figure 1.2: Block diagram of a mobile node working both as host and router

Highly dynamic: The topology of a MANET can change very rapidly, so communication
endpoints frequently move independently of one another.

Low cost: Wireless ad hoc networks are built from low-cost transceivers and do not incur
charges for a provider's access or airtime.

Limited physical security: The broadcast nature of wireless networks lends itself to
passive eavesdropping without the malicious nodes being detected. By exploiting specific
aspects of the wireless routing protocols in use, more damaging attacks are possible.

Broadcast nature of the medium: Unlike traditional networks, mobile devices must rely on
the broadcast nature of the wireless medium. Issues such as the hidden terminal problem
make routing more complex.

Frequent network partitions: Network partitions are potentially frequent. This may mean
that simply no path exists from one mobile node to another, because the intermediate
routing nodes have moved too far apart.

1.4 Routing
Routing is the act of moving information from a source to a destination across an
internetwork; along the way at least one intermediate node is encountered. The concept is
not new to computer science, but it has gained in importance: earlier networks were very
simple, homogeneous environments, whereas today large-scale internetworking is the norm,
following the latest advances in networking and telecommunication technology.
Routing basically involves two activities: determining optimal paths, and transferring
groups of information (called packets) through an internetwork. The latter is called
packet switching and is straightforward; path determination can be very complex.
Routing protocols use metrics to calculate the best path by which to forward packets to
their destination. A metric is a standard measurement, such as the number of hops, that
the routing algorithm uses to determine the optimal path to the destination. To determine
paths, routing algorithms initialize and maintain routing tables, which contain the route
information for the packet; what this information is varies from one routing algorithm to
another.
Routing tables hold a variety of information generated by the routing algorithms. The
most common entries are an IP address prefix and a next hop. The destination/next-hop
association tells the router that a particular destination is reached optimally by
sending the packet to the router representing the next hop on the way to the final
destination, and the IP address prefix specifies the set of destinations for which the
routing entry is valid.
Switching is relatively simple compared with path determination. A host determines that
it should send a packet to another host. By some means it acquires a router's address and
sends the packet addressed to the router's MAC address, with the protocol address of the
destination host. The router examines the protocol address and checks whether it knows
how to forward the packet towards its destination. If it does, it forwards the packet; if
it does not, it drops the packet.
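As an added illustration of the prefix/next-hop routing table and the forward-or-drop decision described above (example code written for this chapter, not part of the thesis or of any router implementation), the following Python builds such a table and performs longest-prefix-match lookups. The prefixes and next-hop names are constructed sample data; the table accepts IPv4 and IPv6 prefixes alike, which goes slightly beyond the IPv4-only wording of the text.

```python
"""Destination-prefix / next-hop routing table with longest-prefix-match lookup.

Added example, not code from the thesis. Prefixes and next-hop names below are
constructed sample data; the table accepts IPv4 and IPv6 prefixes alike."""
import ipaddress


class RoutingTable:
    """Holds (prefix, next hop) entries; the most specific matching prefix wins."""

    def __init__(self):
        self._entries = []                          # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix, strict=True)   # rejects host bits set in prefix
        self._entries.append((net, next_hop))
        # Keep longer (more specific) prefixes first so the first match is the longest.
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, dst):
        """Return the next hop for dst, or None if no prefix covers it."""
        addr = ipaddress.ip_address(dst)
        for net, next_hop in self._entries:
            if addr in net:                         # False when address families differ
                return next_hop
        return None

    def __len__(self):
        return len(self._entries)


def forward(table, dst):
    """The router's switching step: forward to the next hop if a route exists,
    otherwise drop.  Returns ("forward", next_hop) or ("drop", None)."""
    next_hop = table.lookup(dst)
    if next_hop is None:
        return ("drop", None)
    return ("forward", next_hop)


def sample_table():
    """A small constructed table: a default route, an aggregate, two more
    specific prefixes nested inside it, and one IPv6 prefix."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "gw")          # default route: matches anything not covered below
    t.add("10.0.0.0/8", "r1")
    t.add("10.1.0.0/16", "r2")
    t.add("10.1.2.0/24", "r3")
    t.add("2001:db8::/32", "r6")
    return t


if __name__ == "__main__":
    t = sample_table()
    for dst in ("10.1.2.5", "10.1.9.9", "10.200.1.1", "192.0.2.1", "2001:db8::1"):
        print(dst, "->", forward(t, dst))
```

Without the default route, a destination outside every prefix yields None from lookup and the packet is dropped, which is exactly the "does not know how to forward" case in the text.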

1.5 Security Issues

As MANETs become widely used, security has become one of the primary concerns. Most of
the routing protocols proposed for MANETs assume that every node in the network is
cooperative and not malicious [11]; therefore a single compromised node can cause the
failure of the entire network. The success of MANETs depends strongly on whether their
security can be trusted. However, the characteristics of a MANET pose both challenges and
opportunities in achieving security goals such as confidentiality, authentication,
integrity, availability, access control and non-repudiation.
A wide variety of attacks target the weaknesses of MANETs. Routing messages, for example,
are an essential component of mobile network communication, since each packet must be
passed quickly through the intermediate nodes on its way from source to destination.
Malicious routing attacks can target the route discovery or maintenance phase by not
following the specification of the routing protocol. Attackers also exploit weaknesses in
protocols at various layers; the blackhole attack, for example, exploits the route
discovery process of AODV.
The mobile hosts forming a MANET are normally mobile devices with limited physical
protection and resources. Security modules, such as tokens and smart cards, can be used to
protect against physical attacks. Cryptographic tools are widely used to provide strong
security services such as confidentiality, authentication, integrity and non-repudiation.
Unfortunately, cryptography cannot guarantee availability: it cannot, for example, prevent
radio jamming. Moreover, strong cryptography often demands heavy computation and requires
auxiliary key distribution and trust management services, which are constrained by the
capabilities of the physical devices (CPU, battery).
The characteristics and nature of a MANET require the strict cooperation of the
participating mobile hosts. A number of security techniques and protocols have been
proposed to enforce cooperation and prevent misbehaviour. However, no preventive approach
is perfect or capable of defending against all attacks, so a second line of defence,
intrusion detection systems (IDS), has been proposed and applied in MANETs. IDS are among
the latest security tools in the battle against attacks.
Intrusion detection is the process of monitoring the activities in a system, which can be
a single computer or a network. The mechanism by which this is achieved is called an
intrusion detection system (IDS). An IDS collects activity information and analyzes it to
determine whether any activity violates the security rules. Once an IDS determines that
unusual activity, or activity known to be an attack, is occurring, it generates an alarm
to alert the security administrator. In addition, an IDS can initiate an appropriate
response to the malicious activity.

1.6 Objective
The objective of this work is to investigate the proposed fuzzy-based intrusion detection
system against the blackhole attack on AODV in MANETs by evaluating its performance in
different environments. The analysis is done theoretically and through simulation. The
objectives of this work are summarized as follows:

To gain a general understanding of ad hoc networks and the AODV protocol.

To gain a general understanding of the blackhole attack.

To propose a fuzzy-based intrusion detection system against the blackhole attack.

To simulate the IDS in the well-known simulator ns-2.

1.7 Thesis Outline

Chapter 1 gives a brief idea of the background and objective of this work.
Chapter 2, Literature Review, discusses the basics of MANETs and of AODV, the various
active routing attacks in MANETs and, at the end, the intrusion detection systems
proposed against the blackhole attack.
Chapter 3 formulates the problem by discussing the issues in the current IDSs for AODV.
Chapter 4 proposes the fuzzy-based intrusion detection system against the blackhole
attack in AODV.
Chapter 5, Simulation Details, gives a brief review of ns-2 and of the simulation
environment used.
Chapter 6, Results and Analysis, presents the results generated from the simulations.
The results are shown in graphical form so that a fair comparison can be made between
the proposed system and the existing system.
At the end a brief summary of the work is presented with conclusions and directions for
future work. The appendix gives a general description of the routing parameters and the
trace formats of wireless networks in ns-2.

CHAPTER 2 : LITERATURE REVIEW


A MANET is referred to as a network without infrastructure because the mobile nodes in the
network dynamically set up temporary paths among themselves to transmit packets. In a
MANET, a collection of mobile hosts with wireless network interfaces form a temporary
network without the aid of any fixed infrastructure or centralized administration. Nodes
within each other's wireless transmission range can communicate directly; nodes outside
each other's range have to rely on neighboring nodes to relay messages [29]. Thus a
multi-hop scenario arises, in which several intermediate hosts relay the packets sent by
the source host before they reach the destination host. Every node functions as a router,
and the success of communication depends heavily on the cooperation of the other nodes.
At any given time the system can be viewed as a random graph, owing to the movement of the
nodes, their transmitter/receiver coverage patterns, their transmission power levels and
the co-channel interference levels. The network topology may change with time as the nodes
move or adjust their transmission and reception parameters. Thus a MANET has several
salient characteristics [36]:

Dynamic topology

Resource constraints

No infrastructure

Limited physical security

All these characteristics make a MANET more vulnerable to attack. One such attack is the
blackhole attack, in which a malicious node absorbs all data packets sent to it, so that
they are dropped. The malicious node makes use of a weakness in the route discovery
process of on-demand protocols such as AODV. In AODV route discovery, intermediate nodes
find a fresh path to the destination by forwarding discovery packets to their neighbors.
A malicious node does not take part in this process; instead it immediately replies to the
source node with false information, claiming to have a fresh enough path to the
destination. The source node, assuming the reply is genuine, then sends its data packets
to the destination via the malicious node, where they are dropped.
The characteristics and nature of a MANET therefore require the strict cooperation of the
participating mobile nodes. A strong detection technique is needed that works on real-time
variables to find intrusions in the network; subsequent actions can then be taken based on
the information collected by the detection system.
This chapter presents a brief overview of AODV, a routing protocol used in MANETs, of the
security issues in MANETs, and of the intrusion detection systems reported in the
literature on wireless ad hoc networks. Section 2.1 discusses the basic operation of AODV.
Section 2.2 presents the security goals of ad hoc networks, and section 2.3 the security
challenges a MANET faces. Section 2.4 details the routing attacks on AODV, section 2.5 the
security schemes used in MANETs, and section 2.6 the intrusion detection systems used in
MANETs.

2.1 Ad hoc On Demand Distance Vector Routing Protocol - AODV


The Ad hoc On-Demand Distance Vector (AODV) protocol [28] is designed specifically to
address the routing problems of ad hoc wireless networks and provides communication
between mobile nodes with minimal control overhead and minimal route acquisition latency
[21]. AODV is a reactive protocol: it creates a route when one is needed and does not
require nodes to maintain routes to destinations that are not being used in
communication. AODV enables multi-hop routing between participating mobile nodes wishing
to establish and maintain an ad hoc network. It is based on the distance vector
algorithm. As long as the endpoints of a communication have valid routes to each other,
AODV plays no role. The protocol is loop-free; it also supports multicast routing and
avoids the Bellman-Ford "counting to infinity" problem [39]. It converges quickly when
the network topology changes, and its use of destination sequence numbers guarantees that
a route is "fresh".
The algorithm uses different messages to discover and maintain links. Whenever a node
wants to find a route to another node, it broadcasts a Route Request (RREQ) to all its
neighbors. The RREQ propagates through the network until it reaches the destination or a
node with a fresh route to the destination; that node then makes the route available by
unicasting a Route Reply (RREP) back to the source.
AODV enables mobile nodes to respond to link breakages and changes in the network
topology in a timely manner [10]. The algorithm uses hello messages (a special RREP)
that are broadcast periodically to the immediate neighbors. These hello messages are
local advertisements of the continued presence of the node, and neighbors using routes
through the broadcasting node continue to mark those routes as valid. If hello messages
stop arriving from a particular node, a neighbor can assume that the node has moved away,
mark the link to that node as broken and notify the affected set of nodes by sending a
link failure notification (a route error message, RERR, described in section 2.1.3).
AODV also has a multicast route invalidation message.
In the following sections the properties of AODV are presented along with the operational
details of its most fundamental functions, namely the route discovery and route
maintenance processes.

2.1.1 Properties
As mentioned earlier, AODV provides loop-freedom through the use of sequence numbers.
Every node maintains its own sequence number, which it increases monotonically each time
it learns of a change in the topology of its neighborhood. This sequence number ensures
that the most recent route is selected whenever a route discovery is executed. In
addition, in multicast-enabled AODV each multicast group has its own sequence number,
which is maintained by the multicast group leader [21].
Furthermore, AODV is able to provide unicast, multicast and broadcast communication.
Having all three communication forms in a single protocol offers several advantages:
searching by multicast route discovery increases the unicast routing knowledge and vice
versa, and in mobile environments any reduction in control overhead is a significant
advantage. It also simplifies the implementation of the protocol.
Route tables are used in AODV to store the applicable routing information. AODV keeps
both a route table for unicast routes and a multicast route table for multicast routes.
The unicast route table includes, for each destination, the next-hop IP address and the
destination's sequence number. For each destination a node also maintains a list of
precursor nodes, which route through it in order to reach the destination [21]. This list
is used for route maintenance in case of a link breakage. Additionally, a lifetime is
associated with each route table entry and is updated whenever the route is successfully
used. When an entry's lifetime expires because the route was not used, it is removed from
the routing table, and if the route is needed again it is reacquired through a route
discovery.
AODV is able to maintain both unicast and multicast routes even for mobile nodes. It also
detects invalid routes quickly through the use of route error (RERR) messages and responds
promptly to topological changes that affect active routes. When nodes move and the
topology changes, or links on an active path break, the intermediate node that discovers
the link breakage propagates a RERR packet, and the source node re-initiates path
discovery if it still needs the route. This ensures a quick response to broken links.
Finally, because AODV does not use source routing, it introduces no additional overhead:
only the next-hop routing information is required.

2.1.2 Route Discovery

When a node wishes to communicate with some destination node, it checks whether a valid
route to that destination is available in its routing table. If so, it starts
communicating right away; if the route is either unavailable or expired, a route discovery
process has to be initiated. To initiate route discovery the source node sends a RREQ
packet, whose format is illustrated in figure 2.1. After creating the RREQ packet the
node sets a timer and waits for a route reply (RREP) message [10].

Figure 2.1: The format of the Route Request packet

An intermediate node, upon receiving a RREQ packet, checks whether it has seen it before
by examining the pair (originator IP address, RREQ broadcast ID). Each node maintains a
list of the (originator IP, broadcast ID) pairs of the route requests it has received.
This information is kept for a finite period of time and is used to avoid flooding attacks
or anomalous node behavior. If the intermediate node has already seen this RREQ it
silently discards the packet; if it has not seen it within this period, it starts
processing it.
The first step is to set up the reverse route in its routing table. The reverse route
entry contains the originator IP address, the originator's sequence number, the number of
hops required to reach the source node and the neighbor from which the packet was
received. This step is essential, since the reverse route is used to forward the RREP
back. Figure 2.2 illustrates the propagation of a RREQ along with the formation of the
corresponding reverse routes.

Figure 2.2: Propagation of an AODV RREQ and establishment of the reverse routes

For an intermediate node to reply to a RREQ it must have an unexpired entry for the
destination in its routing table, and the sequence number associated with that
destination must be greater than or equal to the one carried in the RREQ packet. If the
entry satisfies both conditions the node unicasts a RREP back to the source of the RREQ,
incrementing the hop count by one. The structure of the RREP and the fields it contains
are presented in figure 2.3 [10]. If none of the intermediate nodes is able to reply, the
RREQ eventually reaches the destination node. When the destination node sends the RREP it
places its current sequence number in the packet, initializes the hop count to zero and
places the length of time for which the route is valid in the RREP's Lifetime field [10].

Figure 2.3: Format of a Route Reply (RREP)

If this is the first time the source node communicates with the destination, the
destination sequence number will not be known and is therefore not included in the RREQ.
When an intermediate node receives the RREP it uses the reverse route established for the
RREQ to forward the packet towards the source, incrementing the hop count by one before
doing so. Figure 2.4 shows the path of a RREP from the destination to the source node.

Figure 2.4: Propagation of a RREP message from destination to source node

It is possible that the source node will receive more than one RREP from its neighbors.
In this case it uses the first RREP it receives; on receiving a further reply it checks
whether the later packet carries a greater destination sequence number, or the same
sequence number with a smaller hop count, meaning that it offers a fresher or shorter
route. If so, it updates the route entry with the new values; otherwise the reply packet
is discarded.
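The route discovery process just described, together with the blackhole behaviour outlined at the start of this chapter, is simulated below as an added example (written for this thesis chapter, not code from the thesis, from ns-2 or from any AODV implementation). Nodes de-duplicate RREQs by the (originator, broadcast ID) pair, install reverse routes, reply from a fresh enough route or from the destination, and the source keeps the first RREP unless a later one is fresher, or equally fresh and shorter. A node flagged as a blackhole skips the flood, answers at once with an invented destination sequence number and then drops the data it attracts. The topology, the node names, BLACKHOLE_SEQ and the omission of timers, route lifetimes, RREQ retries and hello messages are all assumptions made for the illustration.

```python
"""AODV route discovery as in section 2.1.2: RREQ flood with (originator, broadcast ID)
de-duplication, reverse routes, intermediate replies, RREP selection at the source, plus
an optional blackhole node that answers at once with a bogus fresh route and drops data.
Added example, not code from the thesis; topology, names and BLACKHOLE_SEQ are constructed."""
from collections import deque
from dataclasses import dataclass, field

BLACKHOLE_SEQ = 2**31 - 1   # assumption: attacker advertises the largest possible dst seq

@dataclass
class Route:
    next_hop: str
    hops: int
    seq: int                 # destination sequence number the route was learned with

@dataclass
class Node:
    name: str
    neighbours: set = field(default_factory=set)
    seq: int = 0                                  # the node's own sequence number
    table: dict = field(default_factory=dict)     # destination -> Route
    seen: set = field(default_factory=set)        # (originator, broadcast ID) pairs
    blackhole: bool = False

class Network:
    def __init__(self, links, blackholes=()):
        self.nodes, self.bcast_id = {}, 0
        for a, b in links:                        # bidirectional radio links
            self.nodes.setdefault(a, Node(a)).neighbours.add(b)
            self.nodes.setdefault(b, Node(b)).neighbours.add(a)
        for name in blackholes:
            self.nodes[name].blackhole = True

    def _install(self, node, dst, next_hop, hops, seq):
        """Keep the fresher route (greater seq), or the shorter one at equal seq."""
        cur = node.table.get(dst)
        if cur is None or seq > cur.seq or (seq == cur.seq and hops < cur.hops):
            node.table[dst] = Route(next_hop, hops, seq)

    def _deliver_rrep(self, replier, dst, dst_seq, hops, src):
        """Unicast the RREP along the reverse routes to src; every hop increments the
        hop count and installs a forward route to dst."""
        cur = replier
        while cur != src:
            prev = self.nodes[cur].table[src].next_hop       # reverse route entry
            hops += 1
            self._install(self.nodes[prev], dst, cur, hops, dst_seq)
            cur = prev

    def discover(self, src, dst):
        """Flood a RREQ from src. Returns (Route installed at src or None, list of
        (replier, dst_seq, hop_count) replies in arrival order)."""
        s = self.nodes[src]
        s.seq += 1                                # originator seq carried in the RREQ
        self.bcast_id += 1
        key = (src, self.bcast_id)
        req_dst_seq = s.table[dst].seq if dst in s.table else 0   # 0 = unknown
        s.seen.add(key)
        replies = []
        queue = deque((nb, src, 1) for nb in s.neighbours)       # (receiver, sender, hops)
        while queue:
            name, sender, hops = queue.popleft()
            n = self.nodes[name]
            if key in n.seen:
                continue                          # duplicate RREQ: silently discarded
            n.seen.add(key)
            self._install(n, src, sender, hops, s.seq)           # reverse route to src
            if n.blackhole:                       # skips discovery, replies at once with
                rep = (name, BLACKHOLE_SEQ, 1)    # a bogus "fresh" one-hop route
            elif name == dst:
                n.seq = max(n.seq, req_dst_seq)
                rep = (name, n.seq, 0)            # destination replies with hop count 0
            elif dst in n.table and n.table[dst].seq >= req_dst_seq:
                r = n.table[dst]                  # fresh enough route: intermediate reply
                rep = (name, r.seq, r.hops)
            else:
                queue.extend((nb, name, hops + 1) for nb in n.neighbours if nb != sender)
                continue
            replies.append(rep)
            self._deliver_rrep(name, dst, rep[1], rep[2], src)
        return s.table.get(dst), replies

    def forward_path(self, src, dst, max_hops=16):
        """Follow next hops as a data packet would; a blackhole or a node with no
        route drops it. Returns (path, delivered)."""
        path, cur = [src], src
        while cur != dst and len(path) <= max_hops:
            n = self.nodes[cur]
            if n.blackhole or dst not in n.table:
                return path, False
            cur = n.table[dst].next_hop
            path.append(cur)
        return path, cur == dst

LINKS = [("S", "A"), ("A", "B"), ("B", "D"), ("S", "M")]   # constructed: M is one hop from S
if __name__ == "__main__":
    for bad in ([], ["M"]):
        net = Network(LINKS, blackholes=bad)
        print(bad, net.discover("S", "D"), net.forward_path("S", "D"))
```

On the honest topology S learns the three-hop route via A and a second discovery is answered by A from its cached route. With M as a blackhole, M's reply arrives first and carries the highest possible sequence number, so the genuine RREP from D is discarded under the selection rule above and every data packet from S stops at M. That is the weakness the rest of this thesis sets out to detect.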

2.1.3 Route Maintenance

Once a route between the source and destination nodes is established, it is maintained
for the source node as long as it remains active. If the source node moves during an
active session, it can simply re-initiate route discovery, establish a new route to the
destination and continue communicating. If, however, the destination or an intermediate
node moves, a RERR packet is sent to the affected source nodes. The RERR packet header
fields are illustrated in figure 2.5 [10].
The RERR message is initiated by the node upstream of the link failure, that is, the one
closer to the source. If the node upstream of the break has more than one node listed as
a precursor for the destination, it broadcasts the RERR to these neighbors.

Figure 2.5: The format of the Route Error message (RERR)

When the neighbor nodes receive the RERR packet they mark the route to the destination as
invalid by setting the distance to the destination node to infinity, and if they have
precursor lists of their own they propagate the message to their precursor nodes. When
the RERR reaches the source node, it can re-initiate route discovery if the route is still
needed.

Figure 2.6: Route maintenance

Figure 2.6 illustrates the route maintenance procedure. In figure 2.6(a) the route from
source to destination contains nodes 1, 2, 4 and 5. When node 4 moves to position 4', the
link from node 2 breaks. Node 3, being the closest upstream neighbor to the link loss,
sends a RERR to node 1. Node 1, on receiving the RERR packet, marks the route as invalid
and forwards the RERR to the source node, which re-initiates route discovery since it
still needs to communicate with the destination node. The new route is shown in figure
2.6(b), where node 4 has been replaced by node 3.
RERRs are also sent when a node receives data packets for a destination that is not listed
in its routing table [10]. In this way a node that lacks the route but is receiving the
data packets can inform its upstream neighbor to stop sending them, so that they are not
continually discarded.

17

2.2 Security Goals


An ad hoc network can be considered secure if it holds the following attributes [23].

Availability: It should ensure that the network manages to provide all services despite
denial of service attacks. A denial of service attack can be launched at any layer of
an ad hoc network. On the physical and media access control layer a malicious user
can employ jamming in order to interfere with signals in the physical layer. On the
network layer, a malicious user can disrupt the normal operation of the routing table in
various ways. Lastly, on the higher layer, a malicious user can bring down high-level
services such as the key management service.

Confidentiality: It should ensure

that certain information is never disclosed

to

unauthorized user. This feature is mostly desired when transmitting sensitive information
such as military and tactical data. Routing information must also be confidential in
some cases when the users location must be kept secret.

Integrity: Guarantees that the message that is transmitted reaches its destination
without being changed or corrupted in any way. Message corruption can be caused by
either a malicious attack on the network or because of radio propagation failure.

Authentication: It should enable a node to be sure of the identity of the nodes
with which it communicates. Without an authentication scheme a malicious node
can masquerade as another node and gain unauthorized access to resources or sensitive
information.

Non-repudiation: It should ensure that the originator of a message cannot deny
having sent it. This attribute is useful when trying to detect isolated
compromised nodes.

Access and usage control: Access control ensures that access to information is
controlled by the ad hoc network. Usage control ensures that the information resource
is used correctly by the authorized node having the corresponding rights.

2.3 Security Challenges
The prominent features of ad hoc networks pose both challenges and opportunities in
achieving the proposed security goals. The main security challenges that ad hoc networks
face are discussed in this section [15].


One of the main challenges that ad hoc networking faces is related to the use of wireless
links. Due to the use of the wireless medium an ad hoc network is vulnerable to link attacks
ranging from passive eavesdropping to active impersonation, message replay and
message corruption. An adversary can easily eavesdrop on network traffic by placing a
wireless enabled device within the range of the ad hoc network and capturing routing and
application packets. By eavesdropping the malicious node can gain access to secret
information and violate the confidentiality requirement. Passive attacks like eavesdropping
are very hard to detect since they do not present any significant pattern or impact on
the performance of the network. Active attacks may allow a malicious node to delete or
inject erroneous messages into the network traffic, modify messages and impersonate
another node, hence violating availability, integrity, authentication and non-repudiation.
As opposed to passive attacks, active attacks can be detected and limited with the
utilization of various schemes.
Moreover, nodes that roam in hostile environments with relatively poor physical
protection face a greater probability of being compromised. Therefore, attacks against the
ad hoc network can be launched from within the network by compromised or malicious
nodes. In order to be able to claim high availability in such an environment, an ad hoc
network should have a distributed protection architecture with no central entities. The
introduction of any central entity into a security solution could lead to a significant
vulnerability since the possibility of the centralized component of the security scheme
becoming compromised cannot be eliminated.
Due to the dynamic nature of an ad hoc network both its topology and membership can
change arbitrarily. This fact prevents the establishment of long-lived trust relationships
among the participating nodes. Unlike other wireless mobile networks, like mobile IP [31],
nodes in ad hoc networks may dynamically become affiliated with different administrative
domains. Thus, any security solution with static configuration will not be sufficient. It is
desirable for a security mechanism to adapt on the fly to these changes.
Finally, an ad hoc network is not limited to a specific number of participating nodes.
Even though it has not been practically attempted, ad hoc networks theoretically can be
composed of hundreds or even thousands of nodes. Therefore a security mechanism, in
order to be able to sufficiently accomplish its tasks, has to be scalable and able to handle
arbitrarily large networks.


2.4 Active Routing Attacks
Unlike passive attacks, active attacks can be detected and eventually avoided by
the legitimate nodes that participate in an ad hoc network. A malicious node may perform
an active attack in order to disable a service or in order to conserve its own energy. An active
attack may either be directed at disrupting the normal operation of a specific node or target
the performance of the ad hoc network as a whole. In this section the most important active
attacks are presented that can easily be performed by an internal node against the
utilised ad hoc routing protocol [36].

Black Hole: In this attack, a malicious node uses the routing protocol to advertise itself
as having the shortest path to the destination node of the packets it wants to intercept.
This attack can be easily implemented in AODV during the route discovery process.
Upon reception of a route request the malicious node can guarantee that its reply
will be preferred by the source node by either increasing significantly the
destination sequence number or by advertising a considerably shorter path. Once the
forged route has been established the malicious node becomes a member of the
active route and can intercept the communication packets. The outcomes of this attack
can vary. The malicious node can either stop after inserting the false route information
in the network, aiming to create instability and unnecessary network traffic, or drop
all incoming application packets for the specific destination and perform a denial-of-service
attack. This attack can also be used by the malicious node as the
first step of a man-in-the-middle attack.

Routing Table Overflow: In a routing table overflow attack the attacker attempts to
create routes to non-existing nodes. The goal is to create enough routes to prevent new
routes from being created or to overwhelm the protocol implementation. Proactive
routing protocols are more vulnerable to this attack, since they attempt to create and
maintain routes to all possible destinations. To implement this attack a malicious node
can simply send excessive route advertisements to the network. Implementing this
attack against a reactive protocol like AODV is slightly more complicated,
since two nodes are required: the first node makes a legitimate request for a
route and the malicious node replies with a forged address.

Resource Consumption: This attack aims at flooding the network with routing traffic
in order to consume the battery life of the nodes and the available bandwidth of the ad
hoc network. The malicious node continually requests routes to either existing or non-existing
destinations, forcing the neighboring nodes to process and forward these
packets and therefore consume battery power and network bandwidth, hindering the normal
operation of the network.

Dropping Routing Traffic: It is essential in an ad hoc network that all nodes
participate in the routing process. However, a node may act selfishly and process
only routing information that is related to itself in order to conserve energy. This
behavior/attack can create network instability or even partition the network.

Location disclosure: A location disclosure attack can reveal information related to the
location of a node or the topology and structure of the network. The information gained
might reveal which other nodes are adjacent to the target or the physical location of a
participating node. The attack can be implemented with a tool similar to the
traceroute command of Unix-like systems: by sending packets with increasing time-to-live
values, the attacker learns the address of each intermediate device from the ICMP error
message it returns. In the end, the attacker knows which nodes are situated on the route to the
target node. If the locations of some of the intermediary nodes are known, one can gain
information about the location of the destination node as well.

There are several other similar active attacks presented in the literature [16] but they
exploit more or less the same routing protocol vulnerabilities to achieve their goals.

2.5 Security Schemes


There are two main approaches currently utilized in securing ad hoc environments. The
first is the intrusion detection approach, which aims at enabling the participating nodes to
detect and avoid malicious behavior in the network without changing the underlying
routing protocol or the underlying infrastructure. Although the intrusion detection field
and its applications are widely researched in infrastructure networks, it is rather new and
faces greater difficulties in the context of ad hoc networks. The second approach is
secure routing, which aims at designing and implementing routing protocols that
include security features by design. Most of the secure protocols that
have been proposed are based on existing ad hoc routing protocols like AODV and
DSR but redesigned to include security features. In the following sections we briefly
present the two approaches in realizing security schemes that can be employed in ad
hoc networking environments.

2.5.1 Intrusion Detection


Intrusion is defined as any set of actions that attempt to compromise the
integrity, confidentiality, or availability of a resource [33]. Intrusion prevention techniques
work as the first line of defense. However, intrusion prevention alone is not sufficient since
there is no perfect security in any system, especially in the field of ad hoc networking due
to its fundamental vulnerabilities. Therefore, intrusion detection can work as the second
line of protection, capturing audit data and performing traffic analysis to detect whether the
network or a specific node is under attack [22]. Once an intrusion has been detected at an
early stage, measures can be taken to minimize the damage, or evidence can be gathered to
inform other legitimate nodes about the intruder and perhaps launch countermeasures to
minimize the effect of the active attack.
An intrusion detection system (IDS) can be classified as network-based or host-based
according to the audit data that is used. Generally, a network-based IDS runs on a
gateway of a network and captures and examines the network traffic that flows through
it. Obviously this approach is not suitable for ad hoc networks since there is no central
point that allows monitoring of the whole network. A host-based IDS relies on capturing
the network traffic local to the specific host. This data is analyzed and processed locally on
the host and is used either to secure the activities of this host, or to notify another
participating node of the malicious action of the node that performs the attack.
Intrusion detection techniques can be categorized into misuse detection and
anomaly detection [22]. Misuse detection uses patterns of well-known attacks to
match and identify known intrusions. This technique can accurately and effectively
detect instances of known attacks. However, it is unable to detect newly
invented attacks. In ad hoc networking, due to its dynamic nature, it is difficult, but not
impossible, to define traffic patterns that indicate an attack. The anomaly detection
technique observes activities and network traffic that significantly deviate from the
established normal usage and identifies them as intrusions. Thus, after the normal behavior of the
network traffic has been established this technique does not require any prior knowledge
of the attack, and for that reason it can detect newly invented attacks. However, this
technique produces a greater percentage of false alarms since normal
routing operation is difficult to define, especially in an ad hoc network. Several
intrusion detection systems have been proposed for ad hoc environments [17]
and are presented in more detail in the following sections.

2.5.2 Secure Routing


This approach attempts to design secure routing protocols for ad hoc networks. These
protocols are either completely new stand-alone protocols, or in some cases
incorporations of security mechanisms into existing protocols like AODV and DSR.
Generally the existing secure routing protocols that have been proposed can be broadly
classified into two categories, those that use hash chains, and those that in order to operate
require predefined trust relationships.
The Secure Efficient Ad hoc Distance vector routing protocol (SEAD) [14] employs
hash chains to authenticate hop counts and sequence numbers. SEAD is based on
the design of the proactive ad hoc routing protocol DSDV. The SEAD protocol has as
minimum requirement the utilization of a clock synchronization mechanism or the
establishment of a shared secret between each pair of nodes. It provides loop freedom and
protects the nodes from impersonation and several other attacks. Another secure routing
protocol is Ariadne [14]. Unlike SEAD, Ariadne is based on a reactive protocol, namely
DSR, and it follows an end-to-end approach for building a security mechanism. Ariadne
assumes the existence of a shared secret key between two nodes and uses a message
authentication code (MAC) in order to authenticate point-to-point messages between nodes
[14]. An additional routing protocol that utilises hash chains to provide security features is
the Secure Ad hoc On-demand Distance Vector (SAODV) [14]. SAODV proposes a set
of extensions that secure the AODV routing packets. For authenticating the non-mutable
fields it uses cryptographic signatures, while one-way hash chains are used for
securing the hop count in every route discovery process. In order to carry out the asymmetric
cryptography it requires the existence of a key management mechanism.
The Authenticated Routing for Ad hoc Networks (ARAN) protocol [20] falls into the
second category of protocols that require predefined trust relationships. ARAN is a stand-alone
protocol that utilizes cryptographic public-key certificates in order to achieve the
security goals of authentication and non-repudiation. The protocol assumes that each node
knows a priori the public key of the certification authority that will be used to
authenticate the other participating nodes. Another protocol is Security-aware Ad hoc
Routing (SAR) [18], which extends on-demand ad hoc routing protocols like AODV and
DSR. The main aspect of SAR is that it introduces a new security metric in the route
discovery and maintenance process, treating secure routing as a quality of service (QoS)
issue. SAR uses security attributes such as trust values and trust relationships in order to
define this metric. Its operation is applicable in situations where a route that satisfies
certain security requirements is more important, and therefore preferable, than any other
route that satisfies other requirements (e.g. shortest path). The final secure routing
protocol to be presented is the Secure Routing Protocol (SRP) [13]. SRP is a set of
security extensions that can be used with any protocol that relies on broadcast route
queries, although the authors suggest that DSR is a particularly appropriate
choice. The operation of SRP requires the existence of a security association between the
source node that initiates the route discovery process and the destination node. Upon the
establishment of the security association the nodes share a secret key that is further used by
the protocol.

2.6 Intrusion Detection Systems


Due to the different nature of ad hoc networks, an intrusion detection component
designed to operate in ad hoc mode should fulfill the following requirements:

It should not introduce a new weakness into the system. Ideally it should ensure its
own integrity.

It should require minimal resources to run and it should not degrade
system performance by introducing additional overhead.

It should run continuously and remain transparent to the system and the users.

In the following sections some of the intrusion detection works in the field of ad hoc
networking are presented [4].

2.6.1 Analytical Model of Route Acquisition Process Approach


In this system, a realistic analytical model of the AODV route acquisition process is
developed and the work is extended to derive a classification scheme for misbehaving
nodes, including nodes with black hole behavior. The approach is described as
follows:

1) Analytical model of the route acquisition process: This model predicts the
probability density function of estimated route lengths, a powerful metric for the
characterization of the network behavior. The derived probability density function p(d)
and the corresponding probability distribution function P(d) are given in [7], together
with a detailed discussion of their derivation. The
p(d) describes the statistical relation between the distance of two nodes and the
corresponding probability of being connected, while P(d) gives the route length
distribution in the network. The variable distance d represents the distance between
source and destination.

2) Misbehaving nodes effect: They extend the model to cover the effect of node
misbehavior [8], that is, the deformation of the probability distribution when misbehaving
nodes are present. The deformation allows them to differentiate between
normal behavior and node misbehavior.

2.6.2 Real-Time Intrusion Detection for Ad hoc Networks : RIDAN System


Stamouli, Argyroudis and Tewari [6] designed a Real-time Intrusion Detection for Ad
hoc Networks (RIDAN) system that adopts a specification-based detection technique and
performs countermeasures to minimise the damage from the attacks. RIDAN details
are as follows:

1) Architecture: RIDAN utilises timed finite state machines (TFSMs), an extended
finite state machine model with timed states and timing constraints on the
state transitions. In order to recognise the patterns occurring when an attack is
launched, the generated AODV traffic is analysed both in its normal operation state and when
an attack is in progress. The timers that control the transitions between the states of the
TFSMs are derived from theoretical research and practical experimentation.

2) Detection and countermeasure: Based on the TFSMs design and operation, a node in
RIDAN decides whether it should trust another node or must go to an alarm state and take
countermeasures against it. The countermeasure action includes isolating the offending
node for a finite time period, in order to limit the effect of a possible false positive. RIDAN
implements two different TFSMs to correctly identify the black hole attack, but owing to
limited space only one TFSM is presented here, shown in Figure 2.7, which is used to
detect the first black hole attack.
This TFSM is triggered whenever a node initiates a route discovery process. In state 1, if
a Route Reply message does not arrive within a predefined time period
(NET_TRAVERSAL_TIME), the TFSM times out (Tout_RESET) and resets to its
initial state (init_0). Upon receiving the first RREP, state 2 of the TFSM checks whether the
included destination sequence number (RREP_dest_seq#) is suspiciously much higher
than the sequence number included in the Route Request (orig_dest_seq#). If it is
suspiciously higher, it goes directly to the alarm state (Alarm).
If it is not, it remains in the same state for time t. If the timer expires without
receiving another Route Reply, it resets normally (N_RESET). If within the time limit
another Route Reply arrives, the validity of the destination sequence number is checked
again in state 3 and similarly a decision is taken whether to move to an alarm state. When
an alarm occurs, the source node must not update its routing table with the forged routing
information. The next step is to reset (A_RESET) the TFSM to its initial state (init_0).

Figure 2.7 : First sequence number attack detection FSM
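The TFSM just described, written out as a small timed state machine. This is an added worked example, not RIDAN's own code: NET_TRAVERSAL_TIME is the RFC 3561 default, while the value of the wait "time t" (RREP_WAIT) and the margin that makes a sequence number "suspiciously higher" (SEQ_JUMP) are assumptions chosen for illustration, as are the event times in the scenarios.

```python
"""Timed FSM for RIDAN-style detection of the first (sequence number) black hole attack.

Added worked example, not RIDAN's own code. A route discovery arms the machine
(state_1); a RREP whose destination sequence number is suspiciously far above the
one carried in the RREQ moves it to Alarm and the forged route is rejected; otherwise
the machine waits time t for a further RREP (state_2 -> state_3) and resets when the
timer expires. NET_TRAVERSAL_TIME is the RFC 3561 default; RREP_WAIT and SEQ_JUMP
are assumed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NET_TRAVERSAL_TIME = 2.8   # seconds; RFC 3561 default, timeout of state_1 (Tout_RESET)
RREP_WAIT = 1.0            # seconds; assumed value of the "time t" wait for a further RREP
SEQ_JUMP = 50              # assumed: a RREP more than this far above orig_dest_seq# is suspicious


def seq_delta(a: int, b: int) -> int:
    """Signed 32-bit difference a - b, the way AODV orders wrapping sequence numbers."""
    return ((a - b + 2**31) % 2**32) - 2**31


@dataclass
class FirstBlackHoleTFSM:
    state: str = "init_0"
    orig_dest_seq: int = 0
    deadline: float = 0.0
    log: List[str] = field(default_factory=list)   # reset transitions taken

    def _reset(self, transition: str) -> None:
        self.log.append(transition)
        self.state = "init_0"

    def start_discovery(self, now: float, orig_dest_seq: int) -> None:
        """A RREQ for the destination was sent: enter state_1 and arm the timer."""
        self.orig_dest_seq = orig_dest_seq
        self.state = "state_1"
        self.deadline = now + NET_TRAVERSAL_TIME

    def tick(self, now: float) -> None:
        """Fire the pending timer if it has expired."""
        if now < self.deadline:
            return
        if self.state == "state_1":
            self._reset("Tout_RESET")        # no RREP within NET_TRAVERSAL_TIME
        elif self.state in ("state_2", "state_3"):
            self._reset("N_RESET")           # no further RREP within time t: normal reset

    def rrep(self, now: float, rrep_dest_seq: int) -> Optional[str]:
        """Examine an incoming RREP: 'alarm', 'accept', or None when no discovery is pending."""
        self.tick(now)
        if self.state == "init_0":
            return None
        if seq_delta(rrep_dest_seq, self.orig_dest_seq) > SEQ_JUMP:
            self.state = "Alarm"             # forged route: the routing table must not be updated
            self._reset("A_RESET")
            return "alarm"
        # plausible reply: check again in the next state if another RREP arrives within time t
        self.state = "state_2" if self.state == "state_1" else "state_3"
        self.deadline = now + RREP_WAIT
        return "accept"


def run_scenario(orig_dest_seq: int, replies: List[Tuple[float, int]]):
    """Discovery at t=0 followed by (time, RREP dest seq) events; returns decisions, state, log."""
    fsm = FirstBlackHoleTFSM()
    fsm.start_discovery(0.0, orig_dest_seq)
    decisions = [fsm.rrep(t, seq) for t, seq in replies]
    return decisions, fsm.state, fsm.log


if __name__ == "__main__":
    # constructed events: a genuine reply at 0.3 s, then a black hole reply with a huge sequence number
    print(run_scenario(10, [(0.3, 12), (0.5, 5000)]))
```

The signed 32-bit comparison matters: a destination whose counter has wrapped from 4294967290 to 4 is still only 10 ahead, and must not trigger the alarm.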

2.6.3 Dynamic Training Approach


Kurosawa, Nakayama, Kato, Jamalipour and Nemoto [2] also adopted an anomaly-based
detection technique, but incorporated a dynamic training technique. In this approach, the
normal state views are updated periodically to adapt to the frequent network changes, and a
clustering-based technique is adopted to identify nodes that deviate from the normal
state. They adopted the following process:

1) Feature selection: Three features are selected to express a normal state of the
network. The network state in time slot i is expressed by the three-dimensional vector
$x_i = (x_{i1}, x_{i2}, x_{i3})$. The selected features are:
a) total number of sent out RREQ
b) total number of received RREP
c) average of destination sequence difference in each time slot between the RREP
sequence number and the one held in the list
2) Calculate mean: The mean vector of these features is calculated as
shown in (1), where D represents the training data set of N time slots.

$$\bar{x}_D = \frac{1}{N}\sum_{i=1}^{N} x_i \qquad (1)$$

Next, the distance from an input data sample x to the mean vector $\bar{x}_D$ is calculated
from Equation (2).

$$d(x) = \lVert x - \bar{x}_D \rVert \qquad (2)$$

When the distance is larger than the threshold Th (which means it is out of the range
of normal traffic), the sample is judged as an attack (Equation (3)).

$$d(x) > Th : \text{attack}, \qquad d(x) \le Th : \text{normal} \qquad (3)$$
Let T0 be the first time interval for a node participating in the MANET. Using the data
collected in this interval, the initial mean vector is calculated; this mean
vector is then used to detect attacks in the next time interval T. If the state in T is
judged as normal, the corresponding data set is added to the learning data
set. Otherwise, it is treated as data including an attack and is
consequently discarded. In this way the system keeps on learning the normal state of the
network and updates the training data set to be used for the
next detection. The mean vector calculated from the updated training data
set is then used for the detection of the next data. By repeating this for every time interval
T, anomaly detection that adapts to the MANET environment is achieved.
3) Calculate threshold: The threshold value is dynamically updated using the data
collected in the time interval. If only the initial training data were used, the system
could not adapt to the changing environment. The threshold value is the average of the
difference of dest_seq_no in each time slot between the sequence number in the routing
table and the RREP packet. The threshold value is updated as soon as a
new node receives a RREP packet: when a new node receives a RREP for the first time, it
gets the updated value of the threshold.
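Equations (1) to (3) and the dynamic training loop, carried through on constructed traffic. This is an added worked example and not the code of [2]; the training slots, the retained-window size and the threshold rule (mean training distance plus a margin of standard deviations, since the text gives the threshold update only in outline) are assumptions.

```python
"""Dynamic-training anomaly detector for AODV (added worked example, not the code of [2]).

Implements equations (1)-(3) above. Each time slot i yields the feature vector
x_i = (RREQs sent, RREPs received, mean difference between the RREP destination
sequence number and the one held locally). The detector keeps a training set D,
computes its mean vector x_D (1) and the Euclidean distance d(x) = ||x - x_D|| (2),
and judges a slot an attack when d(x) > Th (3). Slots judged normal are added to D
(the oldest dropped) so the next interval is trained on fresh data; slots judged attack
are discarded. The threshold rule (mean training distance plus MARGIN standard
deviations) and the traffic figures are assumptions made for the example.
"""
import math
from typing import List, Sequence, Tuple

Vector = Tuple[float, float, float]


def mean_vector(data: Sequence[Vector]) -> Vector:
    """Equation (1): x_D = (1/N) * sum_i x_i over the N slots of the training set."""
    n = len(data)
    return tuple(sum(x[k] for x in data) / n for k in range(3))  # type: ignore[return-value]


def distance(x: Vector, centre: Vector) -> float:
    """Equation (2): d(x) = ||x - x_D|| (Euclidean norm)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, centre)))


class DynamicTrainingDetector:
    MARGIN = 3.0     # assumed: Th = mean distance + MARGIN * std of the training distances
    WINDOW = 20      # assumed: number of recent normal slots retained as the training set

    def __init__(self, initial: Sequence[Vector]) -> None:
        self.training: List[Vector] = list(initial)   # data collected in the first interval T0
        self._retrain()

    def _retrain(self) -> None:
        self.centre = mean_vector(self.training)
        ds = [distance(x, self.centre) for x in self.training]
        mu = sum(ds) / len(ds)
        sd = math.sqrt(sum((d - mu) ** 2 for d in ds) / len(ds))
        self.th = mu + self.MARGIN * sd

    def judge(self, x: Vector) -> str:
        """Equation (3); normal slots are learned, attack slots are discarded."""
        verdict = "attack" if distance(x, self.centre) > self.th else "normal"
        if verdict == "normal":
            self.training = (self.training + [x])[-self.WINDOW:]
            self._retrain()
        return verdict


def run(initial: Sequence[Vector], stream: Sequence[Vector]) -> List[str]:
    """Train on `initial`, then judge each slot of `stream` in order."""
    det = DynamicTrainingDetector(initial)
    return [det.judge(x) for x in stream]


# constructed training slots (RREQ sent, RREP received, mean dest-seq difference)
TRAINING: List[Vector] = [(4, 3, 1), (5, 4, 2), (6, 4, 2), (5, 3, 1), (4, 4, 3), (6, 5, 2)]
# constructed stream: a normal slot, a slot in which a black hole answers with huge sequence numbers, a normal slot
STREAM: List[Vector] = [(5, 4, 2), (5, 4, 900), (6, 5, 3)]

if __name__ == "__main__":
    print(run(TRAINING, STREAM))   # ['normal', 'attack', 'normal']
```

The attack slot is excluded from the training set, so a black hole that replies in every interval cannot drag the mean vector towards its own behaviour; that is the point of discarding rather than learning from flagged data.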
2.6.4 Fuzzy based Trusted Ad hoc On-demand Distance Vector Routing Protocol for
MANET : FTAODV
J. Martin Leo Manickam and S. Shanmugavel [3] proposed a Fuzzy based Trusted Ad
hoc On demand Distance Vector (FTAODV) routing protocol without making any
extraneous assumptions in the existing AODV protocol. All nodes in the
network independently execute the fuzzy trust model to derive trust on their neighbors.

The proposed Fuzzy based Trust model is integrated with the AODV reactive routing
protocol as shown in figure 2.8. The trust model consists of the following four components,
namely Trust Verification, AODV routing protocol, Fuzzy input parameter
extraction and Fuzzy based Trust computation.

During Trust Verification, each node verifies the trustworthiness of the neighbor from
which it receives the control packet. In the AODV routing protocol, nodes will interact
only with the trusted neighbors. During Fuzzy input parameter extraction, each node
monitors its neighbors based on directly experienced events. During Fuzzy based Trust
computation, the Mamdani based Fuzzy model [25] is used to compute the trust from the
monitored events, giving each node a direct trust in its neighbors. These computed trust
levels are then associated with the routing process in the AODV protocol.

Figure 2.8 : FTAODV Routing Model

Figure 2.9 : The Fuzzy System

Based on the Mamdani Fuzzy model, each node computes the trust value for its
neighbors and maintains it in the neighbor table. The trust value lies between 0 and 10.
Depending upon the trust level, the malicious behavior of a node is determined, where a trust
value of 0 indicates completely malicious behavior and a trust value of 10 indicates a
legitimate node.

During Trust Verification, each node verifies whether the control packet is sent by a
trusted neighbor or not. A neighbor is said to be trusted when its trust value is greater than
or equal to the Threshold Trust Value (TTV). It is the trust value below which a node is
considered to be malicious. Nodes discard the packets received from an untrusted
neighbor.
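A Mamdani trust computation of the kind FTAODV performs, as an added worked example that is not FTAODV's code. The page does not give the monitored events, membership functions or rules, so everything in the block is assumed for illustration: the inputs are the two factors discussed later in Section 3.3 (the forward packet ratio a node overhears in promiscuous mode, and the normalised excess of the destination sequence numbers a neighbor advertises), the membership functions are trapezoidal, the rule base has three rules, and TTV is 5.

```python
"""Mamdani fuzzy trust computation for a neighbour (added worked example, not FTAODV's code).

FTAODV derives a trust value in [0, 10] for each neighbour from monitored events using a
Mamdani fuzzy model and treats the neighbour as trusted when the value reaches the
Threshold Trust Value (TTV). Inputs, membership functions, rules and TTV below are
assumptions. Inference: min for AND, max for OR, clipping for implication, max for
aggregation, centroid defuzzification over a 0.1-step grid of the trust universe.
"""
from typing import Callable, Dict

Membership = Callable[[float], float]


def trap(a: float, b: float, c: float, d: float) -> Membership:
    """Trapezoidal membership function (a == b or c == d gives a shoulder)."""
    def mu(x: float) -> float:
        if x < a or x > d:
            return 0.0
        if x < b:
            return (x - a) / (b - a)
        if x <= c:
            return 1.0
        return (d - x) / (d - c)
    return mu


# input: fraction of the data packets handed to the neighbour that it was overheard forwarding
FORWARD: Dict[str, Membership] = {
    "low": trap(0.0, 0.0, 0.0, 0.5),
    "medium": trap(0.25, 0.5, 0.5, 0.75),
    "high": trap(0.5, 1.0, 1.0, 1.0),
}
# input: how far the neighbour's RREP destination sequence numbers exceed the expected ones, scaled to [0, 1]
SEQ_EXCESS: Dict[str, Membership] = {
    "small": trap(0.0, 0.0, 0.0, 0.5),
    "large": trap(0.5, 1.0, 1.0, 1.0),
}
# output: trust value in [0, 10]
TRUST: Dict[str, Membership] = {
    "low": trap(0.0, 0.0, 0.0, 5.0),
    "medium": trap(2.5, 5.0, 5.0, 7.5),
    "high": trap(5.0, 10.0, 10.0, 10.0),
}
TTV = 5.0   # assumed Threshold Trust Value
GRID = [i / 10 for i in range(101)]


def trust_value(forward_ratio: float, seq_excess: float) -> float:
    """Mamdani inference: fire the three rules, aggregate the clipped output sets, take the centroid."""
    f = {name: m(forward_ratio) for name, m in FORWARD.items()}
    s = {name: m(seq_excess) for name, m in SEQ_EXCESS.items()}
    firing = {
        "high": min(f["high"], s["small"]),       # forwards well AND honest sequence numbers
        "medium": min(f["medium"], s["small"]),   # mediocre forwarding AND honest sequence numbers
        "low": max(f["low"], s["large"]),         # drops traffic OR inflates sequence numbers
    }

    def aggregated(t: float) -> float:
        return max(min(strength, TRUST[name](t)) for name, strength in firing.items())

    num = sum(t * aggregated(t) for t in GRID)
    den = sum(aggregated(t) for t in GRID)
    return num / den if den else 0.0


def is_trusted(forward_ratio: float, seq_excess: float) -> bool:
    """Trust Verification: a neighbour is trusted when its trust value is at least TTV."""
    return trust_value(forward_ratio, seq_excess) >= TTV


if __name__ == "__main__":
    # constructed observations: (label, forward ratio, normalised sequence number excess)
    for label, fr, se in [("well-behaved", 0.95, 0.05), ("black hole", 0.0, 0.9), ("unreliable", 0.45, 0.1)]:
        print(label, round(trust_value(fr, se), 2), is_trusted(fr, se))
```

The "low" rule uses OR deliberately: a neighbour that inflates sequence numbers is distrusted even before it has dropped a single packet, which is the gap left by a detector that relies on the forward packet ratio alone.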


CHAPTER 3 : PROBLEM FORMULATION


Chapter 2 presented a literature review of different security issues in MANETs and
various intrusion detection systems developed for AODV in MANETs. For route
discovery, AODV (Ad hoc On-demand Distance Vector routing) is a popular on-demand
routing protocol for mobile ad hoc networks. AODV has become one of the promising
protocols currently available for mobile ad hoc networks because of its moderate
overhead and because it adapts to changes in the routing topology better than other proposed
protocols for MANETs. It is designed for mobile ad hoc networks, where there are often
changes in the network topology. AODV's popularity motivated many researchers to
work on its enhancements for different situations and on rectifying different problems.
Intruders usually take part in the route discovery process and pretend to have a fresh and
shortest route to the destination. This chapter discusses the current intrusion detection strategies
used with AODV. Section 3.1 discusses the route discovery process of AODV and the
management of the routing table. Section 3.2 describes the formation of a blackhole in AODV.
Section 3.3 discusses issues in detection systems which became the basis for proposing the Fuzzy
Based Intrusion Detection System against Blackhole in AODV in chapter 4.

3.1 Route Discovery and Routing table in AODV


The Ad-hoc On-Demand Distance Vector (AODV) Routing Protocol is used for finding a
path to the destination in an ad-hoc network. To find the path to the destination all
mobile nodes work in cooperation using the routing control messages. Thanks to these
control messages, the AODV Routing Protocol offers quick adaptation to dynamic network
conditions, low processing and memory overhead, and low network bandwidth utilization
with small control messages. The most distinguishing feature of AODV compared to
other routing protocols is that it uses a destination sequence number for each route
entry. The destination sequence number is generated by the destination when a
route to it is requested. Using the destination sequence number ensures loop
freedom. AODV makes sure the route to the destination does not contain a loop and, among
the routes with a fresh enough sequence number, prefers the one with the fewest hops. Route
Requests (RREQs), Route Replies (RREPs) and Route Errors
(RERRs) are the control messages used for establishing a path to the destination, sent using
UDP/IP. When the source node wants to make a connection with the
destination node, it broadcasts an RREQ message. This RREQ message is propagated
from the source and received by the neighbors (intermediate nodes) of the source node. The
intermediate nodes rebroadcast the RREQ message to their neighbors. This process goes
on until the packet is received by the destination node or by an intermediate node that has a
fresh enough route entry for the destination. Figure 3.1 shows how the RREQ message is
propagated in an ad-hoc network.

Figure 3.1: Broadcast RREQ packet & Route Table

Afterwards the RREP message is unicast to the source node. The difference between
broadcasting an RREQ and unicasting an RREP can be seen from Figures 3.1 and 3.2.
While the RREQ and the RREP messages are forwarded by intermediate nodes, the
intermediate nodes update their routing tables and keep this route entry for 3 seconds,
which is the default ACTIVE_ROUTE_TIMEOUT value of the AODV protocol. Thus the
node knows over which neighbor to reach the destination. In AODV terminology, the list of
neighbors that use a node as their next hop towards a destination is that node's Precursor
List for the destination. Figure 3.2 shows how the
RREP message is unicast and how the route entries in the intermediate nodes are
updated.

Figure 3.2: Unicast RREP packet & Route Table

An important thing to note during route discovery is that each node maintains only the next
hop in its routing table. No other information related to the nodes on the route is
maintained.
Sequence numbers serve as time stamps and allow nodes to compare how fresh their
information on another node is. A node increments its own sequence number before it
originates a RREQ and before it replies, as the destination, to a RREQ. A higher sequence
number means more recent information: whichever reply carries the highest sequence
number is the one whose information is used, and the route is established over the node
that sent it.


The sequence number is a 32-bit unsigned integer value (maximum 4294967295). If the sequence
number of a node reaches the highest possible value, 4294967295, it wraps around
to zero (0). Comparisons therefore use signed 32-bit subtraction: if the result of subtracting
the sequence number of the incoming AODV route control message from the currently stored
sequence number is less than zero, the incoming number is fresher and the stored sequence
number is replaced with the sequence number of the incoming control message.
In Figure 3.3, while Node 2 forwards the RREP message coming from Node 3, it compares
its previously stored sequence number with that of Node 3. If it notices that the
sequence number is newer than its own, then it changes its route table entry as necessary.

Figure 3.3 Updating the Sequence Number with fresh one

3.2 Black Hole Attack


The Black Hole Attack was briefly explained in the previous chapter. This section explains it
in more detail, now that the AODV protocol has been presented. In an ad-hoc network that
uses the AODV protocol, a Black Hole node absorbs the network traffic and drops all
packets. To explain the Black Hole Attack, a malicious node that exhibits Black
Hole behavior is added to the scenario of the figures of the previous
section.

Figure 3.4 Illustration of Black Hole Attack

In the scenario shown in Figure 3.4, assume that Node 3 is the malicious node. When
Node 1 broadcasts the RREQ message for Node 4, Node 3 immediately responds to Node 1
with an RREP message that includes a very high sequence number for Node 4, as if it were
coming from Node 4. Node 1 assumes that Node 4 is behind Node 3 at 1 hop and
discards the RREP packet that later arrives from Node 2. Afterwards Node 1 starts to
send its data packets to Node 3, trusting that these packets will reach Node 4, but Node
3 drops all data packets.

In a Black Hole Attack, after a while, the sending node understands that there is a link error
because the receiving node does not send TCP ACK packets. If it sends out new TCP data
packets and discovers a new route for the destination, the malicious node still manages to
deceive the sending node. If the sending node sends out UDP data packets the problem is
not detected at all, because UDP data connections do not wait for ACK packets.
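The route update rule of Section 3.1 and the Figure 3.4 scenario replayed in code, as an added worked example that is not part of the thesis. It implements the signed 32-bit sequence number comparison (so a counter that has wrapped past 4294967295 is still ordered correctly) and the "equal sequence number, fewer hops" tie-break, then shows node 3's forged RREP winning over the genuine reply from node 2 regardless of arrival order, and every data packet being dropped. Node ids, sequence numbers and the forwarding behaviour table are constructed for the example.

```python
"""AODV route selection versus a black hole RREP (added worked example, not the thesis's code).

A RREP replaces the stored route when its destination sequence number is fresher under
signed 32-bit comparison, or when the sequence number is equal and the hop count is
smaller. Node 3 answers node 1's RREQ for node 4 with a forged, very high sequence
number and a 1-hop path; node 1 installs it in preference to the genuine 2-hop route via
node 2, and every data packet is dropped. All inputs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def seq_newer(a: int, b: int) -> bool:
    """True if sequence number a is fresher than b (signed 32-bit difference > 0)."""
    return ((a - b + 2**31) % 2**32) - 2**31 > 0


@dataclass
class RouteEntry:
    next_hop: str
    dest_seq: int
    hop_count: int


@dataclass
class Rrep:
    dest: str
    from_node: str      # neighbour that delivered the RREP; becomes the next hop
    dest_seq: int
    hop_count: int


class RoutingTable:
    def __init__(self) -> None:
        self.routes: Dict[str, RouteEntry] = {}

    def update(self, rrep: Rrep) -> bool:
        """Apply the AODV rule; return True if the stored route changed."""
        cur = self.routes.get(rrep.dest)
        fresher = cur is None or seq_newer(rrep.dest_seq, cur.dest_seq)
        shorter = cur is not None and rrep.dest_seq == cur.dest_seq and rrep.hop_count < cur.hop_count
        if fresher or shorter:
            self.routes[rrep.dest] = RouteEntry(rrep.from_node, rrep.dest_seq, rrep.hop_count)
            return True
        return False


# constructed behaviour: node 2 forwards data, node 3 is the black hole and drops everything
FORWARDS = {"2": True, "3": False}


def send_data(next_hop: str, packets: int) -> int:
    """Packets that reach node 4 when node 1 sends them via next_hop."""
    return packets if FORWARDS[next_hop] else 0


def black_hole_scenario(replies: List[Rrep], packets: int = 10) -> Tuple[str, int]:
    """Node 1 processes the RREPs in arrival order, then sends data; returns (next hop, delivered)."""
    table = RoutingTable()
    for r in replies:
        table.update(r)
    route = table.routes["4"]
    return route.next_hop, send_data(route.next_hop, packets)


GENUINE = Rrep("4", "2", dest_seq=7, hop_count=2)        # node 4's real sequence number is 7
FORGED = Rrep("4", "3", dest_seq=7 + 4000, hop_count=1)  # black hole: far higher seq, 1 hop

if __name__ == "__main__":
    print(black_hole_scenario([GENUINE]))            # ('2', 10)
    print(black_hole_scenario([FORGED, GENUINE]))    # ('3', 0)
    print(black_hole_scenario([GENUINE, FORGED]))    # ('3', 0): the forged reply wins even when it arrives second
```

Note that the rule does exactly what the protocol asks of it; the forged reply is indistinguishable from a genuine fresher one at this layer, which is why detection has to look at how far the advertised sequence number jumps and at what the neighbour then does with the data.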

3.3 Important Issues in Detection systems


The following are various important issues identified in the detection systems that are
currently used in AODV.

As discussed in the last chapter, the RIDAN Intrusion Detection System uses the sequence
number transmitted in the RREP packet of AODV by the node under examination. But the
sequence number increases according to the number of connections with the destination node,
so the direct value of this number cannot completely define the behavior of a node.

In the centralized approach to detection systems, a single node in the network has to
decide the behavior of the participating nodes, which can make the system unstable, as
failure of that node can bring down the network.

In the Cooperative Intrusion Detection System, a node's blackhole behavior is decided
by calculating the forward packet ratio. By the time blackhole behavior is detected, a
number of packets have already been dropped by the node.

So for a successful detection system, neither a single factor nor a single node
can completely define the misbehavior of a node. An intrusion detection system based on one
factor generates a number of false alarms. The time period for detection is also greater, which
is responsible for a higher packet drop ratio. If the system relies on a single node for generating
the alarms, it will increase the processing load on that node, as it has to go through the
complete information passed by other nodes, thus making the detection process a lot
slower. The detection system can be made to work more efficiently if we combine the
above discussed factors for the detection process in a single system that is used by every
node in the network rather than by only one node. Also, a node's wireless interface can be
put in promiscuous mode, in which the node can overhear the transmissions of neighboring
nodes and check the behavioral characteristics of its immediate neighbors. So, I am using both
factors, the destination sequence number transmitted in the RREP packet and the forward data
packet ratio, for the detection of blackhole nodes in promiscuous mode.


CHAPTER 4: FUZZY LOGIC BASED INTRUSION DETECTION SYSTEM

This is the proposed intrusion detection system to detect the blackhole attack on AODV in
MANETs. This detection system is based on fuzzy logic and on the various issues identified
in intrusion detection systems in section 3.3. As discussed in section 3.3, the major issue in
various detection systems is the use of only one factor for the identification of misbehavior
of a node; also, some detection systems use a centralized approach for the detection
purpose. The system proposes an improvement by making use of two factors, i.e. the
destination sequence number and the forward packet ratio, for the detection system. I have
implemented these factors using fuzzy logic, which is a problem-solving control system
methodology. Fuzzy logic provides a simple way to arrive at a definite conclusion based
upon vague, ambiguous, imprecise, noisy or missing input information. This chapter
discusses the detailed concept of the proposed system.

4.1 Fuzzy Logic


Fuzzy logic is a form of multi-valued logic derived from fuzzy set theory to deal with
reasoning that is approximate rather than precise. In contrast with "crisp logic", where
binary sets have binary logic, fuzzy logic variables may have a truth value that ranges
between 0 and 1 and is not constrained to the two truth values of classic propositional logic
[38]. Furthermore, when linguistic variables are used, these degrees may be managed by
specific functions. Fuzzy logic incorporates a simple, rule-based approach to solving a
problem rather than attempting to model a system mathematically. The fuzzy logic model
is empirically based, relying on an operator's experience rather than their technical
understanding of the system.
Fuzzy logic was conceived as a better method for sorting and handling data but has proven
to be an excellent choice for many control system applications since it mimics human
control logic. It uses an imprecise but very descriptive language to deal with input data,
more like a human operator. Fuzzy logic is the best methodology that can be adopted
for decision-making problems. The various advantages of a fuzzy logic system are discussed
as follows:

Fuzzy logic is conceptually easy to understand. The mathematical concepts behind
fuzzy reasoning are very simple. What makes fuzzy nice is the naturalness of its
approach and not its far-reaching complexity.

Fuzzy logic is flexible. With any given system, it's easy to massage it or layer more
functionality on top of it without starting again from scratch.

Fuzzy logic is tolerant of imprecise data. Everything is imprecise if you look closely
enough, but more than that, most things are imprecise even on careful inspection. Fuzzy
reasoning builds this understanding into the process rather than tacking it onto the end.

Fuzzy logic can model nonlinear functions of arbitrary complexity. You can create a
fuzzy system to match any set of input-output data.

Fuzzy logic can be blended with conventional control techniques. Fuzzy systems don't
necessarily replace conventional control methods. In many cases fuzzy systems
augment them and simplify their implementation.

Fuzzy logic is based on natural language. The basis for fuzzy logic is the basis for
human communication. This observation underpins many of the other statements about
fuzzy logic. Natural language is that which is used by ordinary people on a daily basis.
Sentences written in ordinary language represent a triumph of efficient communication.
We are generally unaware of this because ordinary language is, of course, something we
use every day. Since fuzzy logic is built atop the structures of qualitative description
used in everyday language, fuzzy logic is easy to use.

4.1.1 Fuzzy Sets


Fuzzy logic starts with the concept of a fuzzy set. A fuzzy set is a set without a crisp,
clearly defined boundary. It can contain elements with only a partial degree of membership.
In fuzzy logic, the truth of any statement becomes a matter of degree. Any statement can be
fuzzy. The tool that fuzzy logic reasoning gives is the ability to reply to a yes-no question
with a not-quite-yes-or-no answer. This is the kind of thing that humans do all the time
(think how rarely you get a straight answer to a seemingly simple question) but it's a rather
new trick for computers.

4.1.2 Membership Functions

The membership function is a graphical representation of the magnitude of participation of
each input. It associates a weighting with each of the inputs that are processed, defines the
functional overlap between inputs, and ultimately determines an output response. The rules
use the input membership values as weighting factors to determine their influence on the
fuzzy output sets of the final output conclusion. Once the functions are inferred, scaled, and
combined, they are defuzzified into a crisp output which drives the system. There are
different membership functions associated with each input and output response.

4.1.3 Fuzzy Logic Operators


Fuzzy logic is a superset of standard Boolean logic. If we keep the fuzzy logic values to the
extremes of 1 (completely true) and 0 (completely false), the standard logical operators will
hold.

Figure 4.1: Fuzzy Logic Operators

The input values can be real numbers between 0 and 1. What function will preserve the
results of the classical logic truth table and also extend to all real numbers between 0 and
1? One answer for the AND operation is the min function, so that A AND B becomes
equivalent to min(A, B). We can replace the OR operation with the max function, so that
A OR B becomes equivalent to max(A, B). Finally, the operation NOT A becomes
equivalent to the operation 1 - A. Fuzzy intersection or conjunction (AND), fuzzy union or
disjunction (OR), and fuzzy complement (NOT) can either be defined using the classical
operators for these functions (AND = min, OR = max, and NOT = additive complement) or
using customized functions. Fuzzy logic uses the classical operator for the fuzzy
complement, but the AND and OR operators can be easily customized if desired.

4.1.4 IF-THEN Rules

Fuzzy sets and fuzzy operators are the subjects and verbs of fuzzy logic. IF-THEN
rule statements are used to formulate the conditional statements that comprise fuzzy logic.
A single fuzzy IF-THEN rule assumes the form
IF x is A THEN y is B
where A and B are linguistic values defined by fuzzy sets on the ranges (universes of
discourse) x and y, respectively. The IF-part of the rule, "x is A", is called the antecedent or
premise, while the THEN-part of the rule, "y is B", is called the consequent or conclusion.
Interpreting IF-THEN rules is a three-part process.
In general, one rule by itself doesn't do much good. What's needed are two or more rules
that can play off one another. The output of each rule is a fuzzy set. The output fuzzy sets
for each rule are then aggregated into a single output fuzzy set. Finally the resulting set is
defuzzified, or resolved to a single number. The next section shows how the whole process
works from beginning to end for a particular type of fuzzy inference system called a
Mamdani type.

4.1.5 Fuzzy Inference Systems


Fuzzy inference is the process of formulating the mapping from a given input to an output
using fuzzy logic. The mapping then provides a basis from which decisions can be made, or
patterns discerned. The process of fuzzy inference involves all of the pieces that are
described in the previous sections: membership functions, fuzzy logic operators, and
if-then rules. There are various types of fuzzy inference systems that can be implemented in
fuzzy logic, e.g. Mamdani-type and Sugeno-type. These two types of inference
systems vary somewhat in the way outputs are determined. Fuzzy inference systems have
been successfully applied in fields such as automatic control, data classification, decision
analysis, expert systems, and computer vision. Because of their multidisciplinary nature,
fuzzy inference systems are associated with a number of names, such as fuzzy-rule-based
systems, fuzzy expert systems, fuzzy modeling, fuzzy associative memory, fuzzy logic
controllers, and simply (and ambiguously) fuzzy systems. Mamdani's fuzzy inference
method is the most commonly seen fuzzy methodology. Mamdani-type inference expects
the output membership functions to be fuzzy sets. After the aggregation process, there is a
fuzzy set for each output variable that needs defuzzification. It's possible, and in many
cases much more efficient, to use a single spike as the output membership function rather
than a distributed fuzzy set. This is sometimes known as a singleton output membership
function, and it can be thought of as a pre-defuzzified fuzzy set. It enhances the efficiency
of the defuzzification process because it greatly simplifies the computation required by the
more general Mamdani method, which finds the centroid of a two-dimensional function.
Rather than integrating across the two-dimensional function to find the centroid, we use the
weighted average of a few data points. Sugeno-type systems support this type of model. In
general, Sugeno-type systems can be used to model any inference system in which the
output membership functions are either linear or constant.
The parts of the fuzzy inference process are shown in the block diagram below.

Figure 4.2: Fuzzy Inference Process (block diagram: Fuzzification, then Application of
fuzzy operators, then Implication process (shaping of the fuzzy set), then Aggregation,
then Defuzzification)

4.1.5.1 Fuzzification of the input variables


The first step is to take the inputs and determine the degree to which they belong to each of
the appropriate fuzzy sets via membership functions. The input is always a crisp numerical
value limited to the universe of discourse of the input variable and the output is a fuzzy
degree of membership.

4.1.5.2 Application of the fuzzy operator (AND or OR) in the antecedent

If the antecedent of a given rule has more than one part, the fuzzy operator is applied to
obtain one number that represents the result of the antecedent for that rule. This number
will then be applied to the output function. Any number of well-defined methods can fill in
for the AND operation or the OR operation. In the Fuzzy Logic Toolbox, two built-in AND
methods are supported: min (minimum) and prod (product). Two built-in OR methods are
also supported: max (maximum) and the probabilistic OR method probor.

4.1.5.3 Implication from the antecedent to the consequent

The implication method is defined as the shaping of the consequent (a fuzzy set) based on
the antecedent (a single number). The input for the implication process is a single number
given by the antecedent, and the output is a fuzzy set. Implication occurs for each rule. Two
built-in methods are supported: min (minimum), which truncates the output fuzzy set, and
prod (product), which scales the output fuzzy set.

4.1.5.4 Aggregation of the consequents across the rules

Since decisions are based on the testing of all of the rules in an FIS, the rules must be
combined in some manner in order to make a decision. Aggregation is the process by which
the fuzzy sets that represent the outputs of each rule are combined into a single fuzzy set.
Aggregation only occurs once for each output variable, just prior to the defuzzification.
The input of the aggregation process is the list of truncated output functions returned by
the implication process for each rule. The output of the aggregation process is one fuzzy
set for each output variable.

4.1.5.5 Defuzzification
The input to the defuzzification phase is the unified fuzzy set formed by aggregation of the
consequents, and the output is a crisp number. If there is more than one output variable, the
final output for each variable is a crisp number. The most popular defuzzification method is
the centroid calculation, which returns the center of the area under the curve. There are five
built-in methods supported: centroid, bisector, middle of maximum (the average of the
maximum values of the output set), largest of maximum, and smallest of maximum.

4.2 Proposed System


In the proposed system, I integrated fuzzy logic with the AODV reactive routing protocol,
and a proposed system is developed as shown in figure 4.3.
Figure 4.3 shows the high-level architecture of the proposed system's logical components.
The fuzzy parameter extraction module listens to the traffic of its neighboring nodes in
the promiscuous mode and selects the factors on which the fuzzy rules will be implemented.
The fuzzy computation module computes the fidelity level of the respective node according
to the rules formulated for the system, on the basis of the parameters extracted in the
previous unit. The fuzzy verification module verifies the fidelity level of the node and
checks the behavior of the node.

Figure 4.3 The proposed system model

The final component of the architecture is the alarm module, which is responsible for taking
the appropriate measures to keep the network performance within acceptable limits.
Therefore, the fuzzy based intrusion detection components operate between the network
traffic and the routing protocol, requiring only minor modifications to the routing protocol
that is utilized in the network.
The fuzzy based intrusion detection system runs locally in every participating node and
makes decisions upon the partial view of the traffic that it observes. It completes the
solution by generating the alarm packets to take countermeasures for the isolation of the
detected misbehaving node and to keep the performance of the network within acceptable
limits.

4.2.1 Fuzzy parameter Extraction


The input to the fuzzy system in node i is extracted by listening to the traffic received
and generated by its immediate neighbors, and a fuzzy parameter list is created in a new
neighbor table for each of its neighbors. The neighbor table of node i has the following
fields for its neighbor node j: Forward Packet Ratio (the ratio of data packets forwarded by
node j to the data packets received by node j, if node j is not the destination), Average
Destination Sequence Number, and Fidelity Level.

Forward Packet Ratio: If a route has been established through node j, node i in its
immediate neighborhood will listen to the traffic through node j. If node j is not the
destination, it must forward every data packet it receives from its neighbor in the route.
So the neighbor nodes of j activate their promiscuous mode, listen to the traffic through
node j and calculate the forward packet ratio, which is given by:

Forward packet ratio (of node j as seen by node i) = (Data packets Forwarded) / (Data Packets Received)

Average Destination Sequence Number: In the RREP packet, the destination transmits its
updated sequence number. The sequence number depends upon the number of connections
of that respective node in the network. If a node is a blackhole node, it transmits the highest
sequence number and pretends to be the destination. So we can check the behavior of a node
according to the sequence number it is transmitting in its reply packet. To check the
variations in the sequence number, node i calculates the average of the difference, in each
time slot, between the previous sequence number stored in the neighbor list for node j and
the current sequence number in the RREP packet. The Average Destination Sequence
Number is updated as soon as a node transmits an RREP packet.

4.2.2. Fuzzy Computation


The proposed fuzzy system has two inputs, namely the forward packet ratio and the
average destination sequence number, and one output, the fidelity level. The rule base of
the evaluator is shown in Table 4.1. The membership functions are chosen so that they
result in an optimal value of the performance measures. From the crisp values of the input
variables, the fuzzy values are calculated through the input membership functions shown in
figures 4.4(a) and 4.4(b), and the fuzzy rules are applied. To illustrate one rule, the first rule
can be interpreted as: if Forward Packet Ratio is LOW and Average Destination Sequence
Number is LOW, then Fidelity Level is LOW. Similarly the other rules are framed.

S.N   Forward Packet Ratio   Average Destination Sequence Number   Fidelity Level
1     LOW                    LOW                                   LOW
2     LOW                    MEDIUM                                LOW
3     LOW                    HIGH                                  LOW
4     MEDIUM                 LOW                                   MEDIUM
5     MEDIUM                 MEDIUM                                MEDIUM
6     MEDIUM                 HIGH                                  LOW
7     HIGH                   LOW                                   HIGH
8     HIGH                   MEDIUM                                HIGH
9     HIGH                   HIGH                                  LOW

Table 4.1: Fuzzy Rules

Figure 4.4: Input and Output membership functions: (a) Forward Packet Ratio membership
function; (b) Average Destination Sequence Number membership function; (c) Output
Fidelity Level membership function

Based on the Mamdani fuzzy model, each node computes the fidelity level for its
neighbors and maintains it in the neighbor table. The fidelity level lies between 0 and
10. The minimum value of fidelity occurs as a result of more malicious behavior than
legitimate behavior of a neighboring node. Hence, a fidelity level of 0 represents completely
malicious behavior and 10 represents legitimate behavior of a particular node.
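As an added worked example (not code from the thesis, and not its Appendix A pseudo code), the following pure Python Mamdani inference system carries out the steps of section 4.1.5 for the fidelity computation just described: triangular membership functions, AND by min (prod is offered as the alternative named in section 4.1.5.2), min implication, max aggregation and centroid defuzzification over a discretised 0 to 10 universe, using the nine rules of Table 4.1. The breakpoints of the membership functions and the 0 to 100 universe used for the average destination sequence number are assumptions of this example, since figure 4.4 is not reproduced on the page; the threshold of 5 is the thesis's own.

```python
# Added example (not code from the thesis): Mamdani fuzzy inference that maps
# the two inputs of section 4.2 to the fidelity level using the rules of Table 4.1.
# Membership-function breakpoints and the 0..100 universe of the average
# destination sequence number are ASSUMED (figure 4.4 is not reproduced).

def tri(x, a, b, c):
    """Triangular membership function: 0 at a and c, 1 at b.
    a == b or b == c gives a left or right shoulder (membership 1 at the edge)."""
    if x < a or x > c:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x > b:
        return (c - x) / (c - b)
    return 1.0

# Assumed linguistic sets (a, b, c) for each variable.
FPR_SETS = {"LOW": (0.0, 0.0, 0.5), "MEDIUM": (0.25, 0.5, 0.75), "HIGH": (0.5, 1.0, 1.0)}
ADSN_SETS = {"LOW": (0.0, 0.0, 50.0), "MEDIUM": (25.0, 50.0, 75.0), "HIGH": (50.0, 100.0, 100.0)}
FIDELITY_SETS = {"LOW": (0.0, 0.0, 5.0), "MEDIUM": (2.5, 5.0, 7.5), "HIGH": (5.0, 10.0, 10.0)}
FIDELITY_MAX = 10.0

# Table 4.1: (forward packet ratio, average destination sequence number) -> fidelity level
RULES = [
    ("LOW", "LOW", "LOW"), ("LOW", "MEDIUM", "LOW"), ("LOW", "HIGH", "LOW"),
    ("MEDIUM", "LOW", "MEDIUM"), ("MEDIUM", "MEDIUM", "MEDIUM"), ("MEDIUM", "HIGH", "LOW"),
    ("HIGH", "LOW", "HIGH"), ("HIGH", "MEDIUM", "HIGH"), ("HIGH", "HIGH", "LOW"),
]

# The two built-in AND methods named in section 4.1.5.2.
AND_METHODS = {"min": min, "prod": lambda a, b: a * b}


def fuzzify(x, sets, lo, hi):
    """Step 4.1.5.1: clamp the crisp input to its universe and return the degree
    of membership in every linguistic set of that variable."""
    x = max(lo, min(hi, x))
    return {name: tri(x, *abc) for name, abc in sets.items()}


def rule_strengths(mu_fpr, mu_adsn, and_method="min"):
    """Step 4.1.5.2: combine the two antecedent parts of each rule into one number."""
    and_op = AND_METHODS[and_method]
    return [(and_op(mu_fpr[f], mu_adsn[s]), out) for f, s, out in RULES]


def fidelity_level(fpr, adsn, and_method="min", steps=1000):
    """Steps 4.1.5.3-4.1.5.5: min implication (truncate each consequent), max
    aggregation across rules, centroid defuzzification on a discretised 0..10 axis."""
    strengths = rule_strengths(fuzzify(fpr, FPR_SETS, 0.0, 1.0),
                               fuzzify(adsn, ADSN_SETS, 0.0, 100.0), and_method)
    num = den = 0.0
    for i in range(steps + 1):
        y = FIDELITY_MAX * i / steps
        # aggregated membership at y: max over rules of the truncated consequent
        mu = max(min(w, tri(y, *FIDELITY_SETS[out])) for w, out in strengths)
        num += y * mu
        den += mu
    # The shoulder sets cover the whole universe, so some rule always fires and
    # den > 0; the fallback only guards a rule base with gaps.
    return num / den if den > 0 else FIDELITY_MAX / 2


def is_blackhole(fpr, adsn, threshold=5.0):
    """Fuzzy verification module (4.2.3): fidelity below the threshold flags the neighbour."""
    return fidelity_level(fpr, adsn) < threshold


if __name__ == "__main__":
    # Constructed inputs: a forwarding node with stable sequence numbers, a node
    # that drops everything, one that forwards but inflates its replies, and a
    # partial-membership case.
    for fpr, adsn in [(1.0, 0.0), (0.0, 0.0), (1.0, 100.0), (0.4, 30.0)]:
        print(f"fpr={fpr:.2f} adsn={adsn:6.1f} -> fidelity {fidelity_level(fpr, adsn):.2f}"
              f" blackhole={is_blackhole(fpr, adsn)}")
```

With these assumed sets a neighbour that forwards everything and replies with small sequence numbers scores about 8.3, a node that drops all data packets scores about 1.7, and a node that forwards but advertises very high sequence numbers (rule 9, HIGH and HIGH) also scores about 1.7 and is flagged. Inputs are clamped to their universe, so an absurdly inflated sequence number is treated as HIGH rather than falling outside every set. Changing the breakpoints or the and_method changes the crisp values, which is why section 4.2.2 says the functions must be tuned against the performance measures.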

4.2.3 Fuzzy Verification Module


The calculated fidelity level is compared with a threshold value and the module decides
whether a node is a blackhole node or a normal node.

4.2.4 Alarm packets


On the basis of the information passed by the fuzzy verification module, if the fidelity level
is less than the threshold fidelity level, this module generates an alarm packet with the
IP address of the node that is declared as a blackhole node. So the blackhole is isolated
from the network.

4.3 Proposed Methodology


Step 1: Switch on the promiscuous mode of the nodes.
Step 2: Construct a neighbor list for every node in the network.
Step 3: Each node in the network calculates the forward packet ratio of its neighbors, which
is given as:

Forward packet ratio = (Data packets Forwarded) / (Data Packets Received)

and the average destination sequence number, which is calculated from the sequence number
sent in the RREP packet by that node (if the neighbor is neither source nor destination), and
is given as:

average sequence ratio = ((fuzzy_count × average sequence ratio) + (seqno - fuzzy_lseqno)) / (++fuzzy_count)

where fuzzy_count is the number of times a node has listened to a reply from the same node,
seqno is the current sequence number in the RREP packet and fuzzy_lseqno is the previous
sequence number transmitted by the node. Pseudo code for the parameter calculations is
given in Appendix A.
Step 4: Fuzzify these two inputs according to the triangular membership functions defined
for the inputs.
Step 5: Apply the fuzzy rule base to the fuzzified inputs.
Step 6: Find the fuzzy output based on the rules formulated.
Step 7: Calculate the crisp output value from the fuzzy output value.
Step 8: Compare this output value with the threshold value.
Step 9: If the output of step 7 is less than the threshold value (taken as 5), the node is
declared as a blackhole node.
Step 10: Generate and transmit an alarm packet with the IP address of the detected blackhole
node.
The alarm packets are received by the nodes in the network. Each node in the network
maintains a blacklist of malicious nodes of the network. The IP address of the blackhole node
is stored in this list and further communication with this node is avoided.
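Added example, not code from the thesis or from its Appendix A: the neighbor table of steps 1 to 3 (and of section 4.2.1) together with the threshold, alarm and blacklist handling of steps 8 to 10, in plain Python, replaying a constructed trace of packets overheard in promiscuous mode. The event encoding, the alarm packet layout and the IP addresses are this example's own assumptions; the fidelity level passed to verify() is assumed to come from the fuzzy computation module of section 4.2.2, which this block does not include.

```python
# Added example (not code from the thesis or from NS-2): node i's neighbour table,
# fed by overheard packets, producing the two fuzzy inputs of section 4.2.1 /
# step 3 of section 4.3, plus the threshold/alarm/blacklist steps 8-10.
# Event encoding, alarm layout and addresses are constructed for this example.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class NeighborEntry:
    """One row of node i's neighbour table for neighbour j (section 4.2.1)."""
    data_received: int = 0
    data_forwarded: int = 0
    fuzzy_count: int = 0                 # RREP increments from j averaged so far
    fuzzy_lseqno: Optional[int] = None   # previous sequence number seen in j's RREP
    avg_seq_ratio: float = 0.0           # running average of (seqno - fuzzy_lseqno)

    def forward_packet_ratio(self) -> Optional[float]:
        """(Data packets Forwarded) / (Data Packets Received). None until j has
        received anything, so an idle neighbour is not mistaken for a dropper."""
        if self.data_received == 0:
            return None
        return self.data_forwarded / self.data_received

    def note_rrep(self, seqno: int) -> None:
        """Step 3: average = ((fuzzy_count * average) + (seqno - fuzzy_lseqno)) / ++fuzzy_count.
        The first RREP only seeds fuzzy_lseqno: there is no earlier value to subtract."""
        if self.fuzzy_lseqno is not None:
            total = self.fuzzy_count * self.avg_seq_ratio + (seqno - self.fuzzy_lseqno)
            self.fuzzy_count += 1
            self.avg_seq_ratio = total / self.fuzzy_count
        self.fuzzy_lseqno = seqno


class NeighborTable:
    """Neighbour table, verification threshold and blacklist of one node."""

    def __init__(self, own_ip: str, threshold: float = 5.0):
        self.own_ip = own_ip
        self.threshold = threshold           # step 9: fidelity below this is a blackhole
        self.entries: Dict[str, NeighborEntry] = {}
        self.blacklist: Set[str] = set()

    def observe(self, event: Tuple) -> None:
        """Consume one overheard packet (constructed encoding):
        ("DATA", j, src, dst, forwarded): a data packet handed to j for forwarding;
            forwarded is True if i later overheard j retransmit it
        ("RREP", j, seqno): a route reply transmitted by j carrying seqno"""
        kind = event[0]
        if kind == "DATA":
            _, j, src, dst, forwarded = event
            if j in (src, dst):
                return               # endpoint of the flow, nothing to forward (figure 4.5)
            entry = self.entries.setdefault(j, NeighborEntry())
            entry.data_received += 1
            if forwarded:
                entry.data_forwarded += 1
        elif kind == "RREP":
            _, j, seqno = event
            self.entries.setdefault(j, NeighborEntry()).note_rrep(seqno)
        else:
            raise ValueError(f"unknown event type {kind!r}")

    def fuzzy_inputs(self, j: str) -> Tuple[Optional[float], float]:
        """The crisp inputs handed to the fuzzy computation module for neighbour j."""
        entry = self.entries[j]
        return entry.forward_packet_ratio(), entry.avg_seq_ratio

    def verify(self, j: str, fidelity: float) -> Optional[dict]:
        """Steps 8-10: if the defuzzified fidelity level is below the threshold,
        build the alarm packet naming j and apply it locally; None otherwise."""
        if fidelity < self.threshold:
            alarm = {"type": "ALARM", "from": self.own_ip, "blackhole": j}
            self.receive_alarm(alarm)
            return alarm
        return None

    def receive_alarm(self, alarm: dict) -> None:
        """Every node receiving an alarm packet adds the named node to its blacklist."""
        self.blacklist.add(alarm["blackhole"])

    def usable_next_hop(self, j: str) -> bool:
        """Further communication with a blacklisted node is avoided."""
        return j not in self.blacklist


def build_demo_table() -> NeighborTable:
    """Replay a constructed promiscuous-mode trace as seen by node 10.0.0.1."""
    table = NeighborTable("10.0.0.1")
    honest, suspect = "10.0.0.2", "10.0.0.3"
    trace = [("RREP", honest, 10), ("RREP", suspect, 10)]
    trace += [("DATA", honest, "10.0.0.7", "10.0.0.9", True)] * 4
    trace += [("DATA", honest, "10.0.0.7", "10.0.0.9", False)]       # one genuine loss
    trace += [("DATA", honest, honest, "10.0.0.9", True)]            # j is the source: ignored
    trace += [("DATA", suspect, "10.0.0.7", "10.0.0.9", False)] * 6  # nothing forwarded
    trace += [("RREP", honest, 12), ("RREP", honest, 13),            # small increments
              ("RREP", suspect, 500), ("RREP", suspect, 1200)]       # inflated replies
    for event in trace:
        table.observe(event)
    return table


if __name__ == "__main__":
    t = build_demo_table()
    for j in ("10.0.0.2", "10.0.0.3"):
        print(j, t.fuzzy_inputs(j))
    # The fidelity values stand in for the output of the fuzzy computation module.
    print(t.verify("10.0.0.3", 1.7), t.usable_next_hop("10.0.0.3"))
```

In the constructed trace the honest neighbour ends with a forward packet ratio of 0.8 and an average sequence increment of 1.5, while the suspect ends with 0.0 and 595.0, which is the separation the two fuzzy inputs are meant to give. Two details matter in practice: the ratio is undefined (None) until the neighbour has actually received a data packet, and packets for which the neighbour is itself the source or destination are skipped, exactly as the flow chart in figure 4.5 does, otherwise an endpoint would be scored as a dropper.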

4.4 Flow Chart of Proposed Methodology

The flow chart of the proposed methodology is described in figure 4.5.

Figure 4.5: Flow Chart of Proposed Methodology (flow: make the neighbors list; if the
neighbor is source or destination, exit; otherwise collect the fuzzy parameters for each
neighbor node, then Fuzzification, Rule Base Generation and Defuzzification (output in the
form of fidelity level); if the output fidelity level < threshold value, the node is a blackhole
node: generate the alarm packet and exit; otherwise it is a legitimate node: exit)

CHAPTER 5 : SIMULATION DETAILS


Network Simulator-2 (NS-2) [5] from Berkeley has been used to simulate the ad-hoc
routing protocols. To simulate the mobile wireless radio environment, the mobility extension
to ns developed by the CMU Monarch project at Carnegie Mellon University has been
utilized.

5.1 Network Simulator


Network Simulator-2 is the result of an on-going effort of research and development that is
administrated by researchers at Berkeley. It is a discrete event simulator targeted at
networking research. It provides substantial support for simulation of TCP, routing, and
multicast protocols. From the user's view the simulator works as follows:

Figure 5.1 Simplified User's View of NS

As shown in Figure 5.1, in a simplified user's view, NS is an Object-oriented Tcl (OTcl) script
interpreter that has a simulation event scheduler and network component object libraries,
and network setup (plumbing) module libraries (actually, plumbing modules are
implemented as member functions of the base simulator object). To set up and run a
simulation network, a user should write an OTcl script that initiates an event scheduler, sets
up the network topology using the network objects and the plumbing functions in the
library, and tells traffic sources when to start and stop transmitting packets through the
event scheduler.

The simulator is written in C++ and a script language called OTcl. NS uses an OTcl
interpreter towards the user. This means that the user writes an OTcl script that defines the
network (number of nodes, links), the traffic in the network (sources, destinations, type of
traffic) and which protocols it will use. This script is then used by ns during the
simulations. The result of the simulations is an output trace file that can be used to do data
processing (calculate delay, throughput etc.) and to visualize the simulation with a program
called Network Animator (NAM). NAM is a very good visualization tool that visualizes the
packets as they propagate through the network. An overview of how a simulation is done
in ns is shown in figure 5.2.

Figure 5.2: Network Simulator-2

5.2 Network Simulator Architecture


NS-2 is an object oriented simulator, written in C++, with an OTcl interpreter as a front-end.
For efficiency reasons, NS separates the data path implementation from the control path
implementation. In order to reduce packet and event processing time (not simulation
time), the event scheduler and the basic network component objects in the data path are
written and compiled using C++. These compiled objects are made available to the OTcl
interpreter through an OTcl linkage that creates a matching OTcl object for each of the C++
objects and makes the control functions and the configurable variables specified by the C++
object act as member functions and member variables of the corresponding OTcl object.
In this way, the controls of the C++ objects are given to OTcl. It is also possible to add
member functions and variables to a C++ linked OTcl object. The objects in C++ that do
not need to be controlled in a simulation or internally used by another object do not need to
be linked to OTcl. Likewise, an object (not in the data path) can be entirely implemented in
OTcl. Figure 5.3 shows an object hierarchy example in C++ and OTcl. One thing to note in
the figure is that for C++ objects that have an OTcl linkage forming a hierarchy, there is a
matching OTcl object hierarchy very similar to that of C++. The two hierarchies are closely
related to each other; from the user's perspective, there is a one-to-one correspondence
between a class in the interpreted hierarchy and one in the compiled hierarchy. The root of
this hierarchy is the class TclObject.

Figure 5.3: C++ and OTcl: The Duality

Users create new simulator objects through the interpreter; these objects are instantiated
within the interpreter, and are closely mirrored by a corresponding object in the compiled
hierarchy. The interpreted class hierarchy is automatically established through methods
defined in the class TclClass. User instantiated objects are mirrored through methods
defined in the class TclObject. There are other hierarchies in the C++ code and OTcl
scripts; these other hierarchies are not mirrored in the manner of TclObject.
NS-2 uses two languages because the simulator has two different kinds of things to do. On
one hand, a detailed simulation of protocols requires a system programming language which
can efficiently manipulate bytes and packet headers and implement algorithms that run over
large data sets. For these tasks run-time speed is important and turn-around time (run
simulation, find bug, fix bug, recompile, re-run) is less important. On the other hand, a large
part of network research involves slightly varying parameters or configurations, or quickly
exploring a number of scenarios. In these cases, iteration time (change the model and
re-run) is more important. Since configuration runs once (at the beginning of the simulation),
run-time of the task is less important. NS-2 meets both of these needs with two languages,
C++ and OTcl. C++ is fast to run but slower to change, making it suitable for detailed
protocol implementation. OTcl runs much slower but can be changed very quickly (and
interactively), making it ideal for simulation configuration. NS-2 (via Tcl) provides glue to
make objects and variables appear in both languages.
There are three steps for an NS-2 simulation. Initially, a script is written in OTcl. Also an
environment is created which will include the creation of nodes, their movement information
and traffic information. After the creation of these environments the next part is the
simulation. Simulation is done by the simulator. The third phase of the NS2 simulation is
the analysis part. Analysis can be done through animation (NAM) or through trace files
(awk, perl, Xgraph).

Figure 5.4: Network Simulator Architecture

5.3 Network Components in NS-2


Each component of NS2 [5] is briefly described here.
Link Layer: The LL used by a mobile node has an ARP module connected to it which
resolves all IP to hardware (MAC) address conversions. Normally, all outgoing (into the
channel) packets are handed down to the LL by the Routing Agent. The LL hands down
packets to the interface queue. For all incoming packets (out of the channel), the MAC layer
hands up packets to the LL, which then hands them off at the node entry point.
ARP: The Address Resolution Protocol (implemented in BSD style) module receives
queries from the Link Layer. If ARP has the hardware address for the destination, it writes it
into the MAC header of the packet. Otherwise it broadcasts an ARP query and caches the
packet temporarily. For each unknown destination hardware address, there is a buffer for a
single packet. In case additional packets to the same destination are sent to ARP, the earlier
buffered packet is dropped. Once the hardware address of a packet's next hop is known, the
packet is inserted into the interface queue.
Interface Queue: The class PriQueue is implemented as a priority queue which gives
priority to routing protocol packets, inserting them at the head of the queue. It supports
running a filter over all packets in the queue and removes those with a specified destination
address.
MAC Layer: The IEEE 802.11 distributed coordination function (DCF) MAC protocol has
been implemented by CMU. DCF is similar to MACA and MACAW and is designed to use
both physical carrier sense and virtual carrier sense mechanisms to reduce the probability
of collisions due to hidden terminals. The transmission of each unicast packet is preceded
by a Request-to-Send/Clear-to-Send (RTS/CTS) exchange that reserves the wireless
channel for transmission of a data packet. Each correctly received unicast packet is
followed by an Acknowledgment (ACK) to the sender, which retransmits the packet a
limited number of times until this ACK is received. Broadcast packets are sent only when
virtual and physical carrier sense indicate that the medium is clear, but they are not
preceded by RTS/CTS and are not acknowledged by their recipients.
Antenna: An omni-directional antenna having unity gain is used by mobile nodes.
Network Interfaces: The Network Interface layer serves as the hardware interface which is
used by a mobile node to access the channel. This interface, subject to collisions and the radio
propagation model, receives packets transmitted by other node interfaces to the channel.
The interface stamps each transmitted packet with meta-data related to the transmitting
interface, like the transmission power, wavelength etc. This meta-data in the packet header is
used by the propagation model in the receiving network interface to determine if the packet
has the minimum power to be received and/or captured and/or detected (carrier sense) by the
receiving node. The model approximates the DSSS radio interface (Lucent WaveLAN
direct-sequence spread-spectrum).
Radio Propagation Model: It uses Friis free-space attenuation (1/r^2) at near distances and an
approximation to Two-Ray Ground (1/r^4) at far distances. The approximation assumes
specular reflection off a flat ground plane.


5.4 Mobile Node


Each mobile node makes use of a routing agent for the purpose of calculating routes to other
nodes in the ad-hoc network. Packets are sent from the application and are received by the
routing agent. The agent decides a path that the packet must travel in order to reach its
destination and stamps it with this information. It then sends the packet down to the link layer.
The link layer uses an Address Resolution Protocol (ARP) to decide the hardware addresses
of neighboring nodes and map IP addresses to their correct interfaces. When this
information is known, the packet is sent down to the interface queue and awaits a signal
from the Multiple Access Control (MAC) protocol. When the MAC layer decides it is OK to
send it onto the channel, it fetches the packet from the queue and hands it over to the network
interface, which in turn sends the packet onto the radio channel.

Figure 5.5: A mobile Node

This packet is copied and is delivered to all network interfaces at the time at which the first
bit of the packet would begin arriving at the interface in a physical system. Each network
interface stamps the packet with the receiving interface's properties and then invokes the
propagation model.
The propagation model uses the transmit and receive stamps to determine the power with
which the interface will receive the packet. The receiving network interfaces then use their
properties to determine if they actually successfully received the packet and send it to the
MAC layer if appropriate. If the MAC layer receives the packet error and collision free, it
passes the packet to the mobile node's entry point. From there it reaches a demultiplexer,
which decides if the packet should be forwarded again, or if it has reached its destination
node. If the destination node is reached, the packet is sent to a port demultiplexer, which
decides to what application the packet should be delivered. If the packet should be forwarded
again the routing agent will be called and the same process will be repeated.

5.5 Simulation Overview


A typical simulation with NS is shown in figure 5.6. Basically, it consists of generating the
following input files to NS:

A scenario file that describes the movement pattern of the nodes.

A communication file that describes the traffic in the network.

These files can be generated by drawing them by hand using the visualization tool Ad-hockey
or by generating completely randomized movement and communication patterns with a script.

Ad-hockey is a Perl/Tk program that can assist in the creation of scenario files for use by
the CMU Monarch extensions to ns and in the visualization of the simulation trace files.
These files are then used for the simulation, and as a result a trace file is generated as
output. Prior to the simulation, the parameters that are going to be traced during the
simulation must be selected. The trace file can then be scanned and analyzed for the various
parameters that are to be measured. This can be used as data for plots with, for instance,
gnuplot. The trace file can also be used to visualize the simulation run with Ad-hockey or
the network animator.


Figure 5.6: Simulation Overview

5.6 Generation of Node Movement and Traffic Connections for Wireless Scenarios


Normally, for large topologies, the node movement and traffic connection patterns are
defined in separate files for convenience. These movement and traffic files may be
generated using CMU's movement and connection generators. In this section both are
described separately.

5.6.1 Creating node movements


CMU's version of setdest used the system-dependent /dev/random and called the library
function initstate() to generate random numbers. This was replaced with the more
portable random number generator (class RNG) available in ns. The node-movement
generator is available under the ~ns/indep-utils/cmu-scen-gen/setdest directory. The
command-line options for setdest are:
./setdest [-n num_of_nodes] [-p pausetime] [-s maxspeed] [-t simtime] [-x maxx] [-y maxy] > [outdir/movement-file]
-n, number of nodes in the scenario.
-p, pause time between movements.
-s, maximum speed of the nodes.
-t, total simulation time.
-x, -y, dimensions of the scenario along the X and Y axes.
[outdir/movement-file], name of the file in which the events are to be recorded.
After the parameters are passed on the command line, a movement file is generated. The file
begins with the initial positions of the nodes and goes on to define node movements, e.g.
$ns_ at 2.000000000000 "$node_(0) setdest 90.44117903333333457 44.896095544010 1.37355690010"
This line from the movement file states that node 0 starts moving at time 2.0 s toward the
destination (90.44, 44.89) at a speed of 1.37 m/s. Such lines are used to change the
direction and speed of movement of the mobile nodes. The General Operations Director (GOD)
object is used to store global information about the state of the environment, network or
nodes that an omniscient observer would have, but that should not be made known to any
participant in the simulation. Currently, the GOD object is used only to store an array of
the smallest number of hops required to reach from one node to another. The GOD object does
not calculate this on the fly during simulation runs, since it can be quite time consuming.
The information is loaded into the GOD object from the movement pattern file, where lines of
the form
$ns_ at 899.642 "$god_ set-dist 23 46 2"


are used to load the GOD object with the knowledge that the shortest path between node 23
and node 46 changed to 2 hops at time 899.642. The setdest program generates node-movement
files using the random waypoint algorithm. These files already include the lines that load
the GOD object with the appropriate information at the appropriate time. At the end of the
node-movement file, summary information is listed: the number of times a destination was
unreachable, the total number of route and connectivity changes for the mobile nodes, and
the same information for each individual mobile node.

5.6.2 Creating random traffic pattern


Random traffic connections of TCP and CBR can be set up between mobile nodes using a
traffic-scenario generator script. This script is available under
~ns/indep-utils/cmu-scen-gen and is called cbrgen.tcl. It creates CBR or TCP traffic
connections between wireless mobile nodes. In order to create a traffic connection file,
the type of traffic connection (CBR or TCP), the number of nodes, the maximum number of
connections to be set up between them and a random seed need to be defined; in the case of
CBR connections a rate is also given, whose inverse is used as the interval between CBR
packets. The command line looks like the following:
ns cbrgen.tcl [-type cbr | tcp] [-nn nodes] [-seed seed] [-mc connections] [-rate rate] > [outdir/file-name]
-type, defines the type of traffic. Options are TCP or CBR.
-nn, defines the number of nodes involved in the simulation.
-seed, the seed for the random number generator used to generate the random traffic.
-mc, the maximum number of connections to be created during the simulation.
-rate, for CBR connections, the packet rate in packets per second; its inverse is the
interval between CBR packets.
After passing the parameters on the command line, a traffic pattern is generated and written
to the named file so that it can be used as the traffic pattern during simulations.


5.7 Scenarios
Before the simulations start, common environments need to be created in which the protocols
are to be compared. The scenarios and the performance metrics also have to be finalized
before the simulations.
The most common approach for an ad-hoc scenario is a randomized movement pattern within a
fixed-size area. Only two-dimensional simulations have been made, even though a
three-dimensional approach would correspond better to reality (radio signals do propagate
through walls and floors to some extent).
The two-dimensional scenarios are typically based on a couple of input variables. Pause time
and velocity are the two significant variables of the movement model. Nodes are initially
randomly distributed inside a rectangular area. When the simulation commences, each node
pauses at its current position for pause time seconds. The next step is to pick a new
arbitrary location and start moving towards it. As with the pause time, the velocity with
which the node moves is chosen randomly from an interval between a minimum and a maximum
velocity. When the node reaches its new position it pauses once again for pause time
seconds, and the process repeats itself until the end of the simulation is reached. All
nodes behave in the same way.
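The following is an added example, not the thesis's code and not CMU's setdest tool: a small random waypoint generator that writes node-movement lines in the format quoted in section 5.6.1 ($node_(i) set X_/Y_/Z_ for the initial position, then $ns_ at <t> "$node_(i) setdest <x> <y> <speed>" events), following the model described above (pause, pick a random point, move at a random speed, pause again). It assumes a positive minimum speed, whereas setdest draws speeds from (0, maxspeed]; the GOD set-dist lines that setdest also emits are not generated. The check_movement function replays a movement file and verifies that every destination lies inside the area, every speed lies within the allowed interval, and no node is ordered to a new destination before it has arrived at the previous one and paused.

```python
"""Random waypoint scenario generator in the ns-2 movement-file format (added example)."""
import math
import random
import re

# Line shapes assumed from section 5.6.1 of the text.
SETDEST = re.compile(r'^\$ns_ at ([\d.]+) "\$node_\((\d+)\) setdest ([\d.]+) ([\d.]+) ([\d.]+)"$')
INITPOS = re.compile(r"^\$node_\((\d+)\) set ([XYZ])_ ([\d.]+)$")


def random_waypoint(num_nodes, sim_time, max_x, max_y, pause, min_speed, max_speed, seed=1):
    """Return the movement-file lines (list of str) for num_nodes nodes."""
    if min_speed <= 0 or max_speed < min_speed:
        raise ValueError("need 0 < min_speed <= max_speed")
    rng = random.Random(seed)  # seeded, so the same scenario can be replayed for every protocol
    lines, events, start = [], [], []
    for i in range(num_nodes):
        x, y = rng.uniform(0.0, max_x), rng.uniform(0.0, max_y)
        start.append((x, y))
        lines += [f"$node_({i}) set X_ {x:.6f}", f"$node_({i}) set Y_ {y:.6f}",
                  f"$node_({i}) set Z_ 0.000000"]
    for i, (x, y) in enumerate(start):
        t = pause  # every node pauses at its initial position first
        while t < sim_time:
            nx, ny = rng.uniform(0.0, max_x), rng.uniform(0.0, max_y)
            speed = rng.uniform(min_speed, max_speed)
            events.append((t, i, nx, ny, speed))
            t += math.hypot(nx - x, ny - y) / speed + pause  # arrival time plus the next pause
            x, y = nx, ny
    events.sort()  # emit the "at" events in time order
    lines += [f'$ns_ at {t:.6f} "$node_({i}) setdest {nx:.6f} {ny:.6f} {s:.6f}"'
              for t, i, nx, ny, s in events]
    return lines


def check_movement(lines, max_x, max_y, pause, min_speed, max_speed, tol=1e-3):
    """Replay a movement file and verify it obeys the random waypoint model.

    Returns (ok, number_of_setdest_events). ok is False if a destination lies outside the
    area, a speed lies outside [min_speed, max_speed], a node has no initial position, or a
    node is sent to a new destination before arriving at the previous one and pausing.
    """
    pos, arrival = {}, {}
    for ln in lines:
        m = INITPOS.match(ln)
        if m and m.group(2) != "Z":
            pos.setdefault(int(m.group(1)), [0.0, 0.0])[m.group(2) == "Y"] = float(m.group(3))
    n = 0
    for ln in lines:
        m = SETDEST.match(ln)
        if not m:
            continue
        t, i = float(m.group(1)), int(m.group(2))
        nx, ny, s = (float(m.group(k)) for k in (3, 4, 5))
        if i not in pos or not (0.0 <= nx <= max_x and 0.0 <= ny <= max_y):
            return False, n
        if not (min_speed - tol <= s <= max_speed + tol):
            return False, n
        if t + tol < arrival.get(i, 0.0) + pause:
            return False, n
        arrival[i] = t + math.hypot(nx - pos[i][0], ny - pos[i][1]) / s
        pos[i] = [nx, ny]
        n += 1
    return True, n


if __name__ == "__main__":
    # 5 nodes, 100 s, 1000 m x 1000 m area, 2 s pause, speeds in [1, 20] m/s
    for line in random_waypoint(5, 100.0, 1000.0, 1000.0, 2.0, 1.0, 20.0, seed=7):
        print(line)
```

Redirect the output to a file and reference it from the Tcl script the same way a setdest-generated movement file is referenced; because the generator is seeded, the same scenario can be regenerated for each protocol, which is the fairness condition stated in section 5.8.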
On this random waypoint movement model the analysis is done against one parameter, the
speed (m/sec) of the nodes. Two more scenarios are simulated, one varying the number of
nodes in the network and the other varying the number of sources. In SC-I the speed is
varied and the other parameters are kept constant, in SC-II the number of nodes is varied
and in SC-III the number of sources is varied, as described in Table 5.1.

Property          SC-I                 SC-II                SC-III
Speed (m/sec)     10,20,30,40,50,60    20                   20
No. of nodes      10                   10,20,30,40,50,60    30
No. of sources    1                    1                    1,2,3,4,5,6

Table 5.1: Scenario Parameters

Each run of the simulation accepts a scenario file as input that describes the exact motion
of each node and the exact sequence of packets originated by each node, together with the
time at which each change in motion or packet origination is to occur. A number of scenario
files is pre-generated with different parameters, as explained in Section 5.8. Both the
LRAODV and ELRAODV protocols are run against each scenario. The output of a simulation is a
trace file and an animator file. The trace file is analyzed with scripts in the AWK
programming language, available in all UNIX and Linux environments.

5.8 Simulation Parameters


Default parameters such as channel, propagation model, network interface type, MAC
protocol, link layer type, interface queue and antenna type are the same in all scenarios.
Other parameters, such as the paths of the node-movement file and the traffic-generation
file, need to be set accordingly in the Tcl script. The simulation parameters used to
produce the simulation suite for this work are summarized in Table 5.2 and explained as
follows:
A scenario size of 1000 m x 1000 m is chosen because a square area does not favor one
direction of motion the way a rectangular area does. The transmission range of IEEE 802.11
nodes in ns-2 is 250 m [5]; this is the maximum possible distance between two mobile nodes
that can communicate directly, and beyond it they cannot hear each other.

Parameter            Value
Transmitter range    250 m
Bandwidth            2 Mbit/s
Simulation time      100 s
Number of nodes      50
Scenario size        1000 x 1000 m^2
Traffic type         Constant bit rate (CBR)
Packet size          64 bytes
Flows                25
Rate                 4 packets/s

Table 5.2: Summary of common parameters used in the simulation

The source-destination pairs are spread randomly over the network. The number of
source-destination pairs and the packet sending rate of each pair are varied to change the
offered load in the network. Traffic sources are CBR (constant bit rate). Each node travels
from a random location to a random destination at the speed specified in the scenario.
Once the destination is reached, another random destination is chosen after the specified
pause. Simulations are run for 100 simulated seconds with 50 nodes. For fairness,
identical mobility and traffic scenarios are used across protocols.

Simulation trace files:

After each simulation, trace files recording the traffic and node movements are generated.
These files need to be parsed in order to extract the information needed to measure the
performance metrics. A trace record contains the following fields, as shown in Figure 5.7:

Event | Time | From | To | Pkt Type | Pkt Size | Flags | FID | Src Addr | Dst Addr | Seq Num | Pkt Id

Figure 5.7: Trace format of the output trace file

In it the event field can have the following values:

r : receive at node
s : sent by node
d : drop
+ : enqueue (at queue)
- : dequeue (at queue)

Each trace line starts with an event descriptor (+, -, r, s, d) followed by the simulation
time (in seconds) of that event. The next fields are the From and To nodes, i.e. the link on
which the event occurred. In the wireless trace format the node is followed by a trace
level that tells which layer logged the packet: AGT (application agent), RTR (routing),
IFQ (interface queue) or MAC. The packet type field names the protocol or agent that
generated the packet (for example cbr, tcp or AODV). Packet size is the size of the packet
at the current layer; it grows as the packet goes down the stack and headers are added,
and shrinks as the packet goes up. Flags can be set to P for priority, E for congestion
experienced, A for congestion window reduced and F for fast start. The next field is the
flow identifier (FID), the IPv6 flow id that a user can set for each flow in the input OTcl
script. The next two fields are the source and destination addresses in the form node.port.
The next field is the network layer protocol's sequence number; ns-2 keeps track of
sequence numbers even for UDP packets, which do not use them, for analysis purposes. The
last field is the unique id of the packet. With the simulation trace data at hand, all one
has to do is transform the subset of the data of interest into comprehensible information
and analyze it.


CHAPTER 6 : RESULTS & DISCUSSION


6.1 Parameters chosen for Evaluation
A number of intrusion detection schemes for MANETs have been suggested, and they all try
to detect intrusions in the network using different aspects of the routing protocols and
of the network. But how is it decided which one is best? This depends on the structure and
properties of the network: the nodes might move fast or slow, they might be highly
concentrated in a small area or widely spread over a large area. There are undoubtedly many
such questions that the designer of a system has to take into account, so it is necessary
to choose suitable metrics for system evaluation. The performance metrics describe the
outcome of a simulation or a set of simulations. They are interesting because they point
out what really happened during the simulation and provide valuable information about the
proposed system.

The following metrics are chosen in this work for protocol evaluation.

Detection Rate
It is the rate at which the blackhole node in the network is detected. It is a very
important metric as it signifies the success of the intrusion detection system.

False Positive Alarm


It is the number of times a legitimate node is detected as a malicious node.

Packet Delivery Ratio


The ratio between the number of packets received by the application layer at the CBR sink
(the final destination) and the number of packets originated by the application layer at
the CBR source. It is desirable that a routing protocol keeps this ratio high: the greater
this ratio, the more reliable the ad-hoc network is.
Packet Delivery Ratio = Received packets / Sent packets
The packet delivery ratio is important as it describes the loss rate that will be seen by
the transport protocols, which in turn affects the maximum throughput that the network can
support. This metric characterizes both the completeness and the correctness of the
routing protocol.

Routing Overhead
The total number of routing packets transmitted and received by all nodes during the
simulation is known as the routing overhead; both directions are counted because energy is
dissipated in sending a packet as well as in receiving and processing it. For packets sent
over multiple hops, each transmission of the packet counts as one. This is an interesting
metric because it reveals how bandwidth efficient the routing protocol is: it shows how much
of the bandwidth (often one of the limiting factors in a wireless system) is consumed by
routing messages, and therefore how much remains available to data packets. The routing
overhead is typically much larger for proactive protocols, since they periodically flood the
network with update messages. As the mobility in the network increases, reactive protocols
also have to send more routing messages; this is where the real strengths and weaknesses
of a routing protocol are revealed. It is also an important metric for comparing protocols,
as it measures the scalability of a protocol, i.e. the degree to which it will still
function in congested or low-bandwidth environments.

End-to-End Delay
End-to-end delay is the average time a packet takes to be delivered to its destination
after it was transmitted. It tells how well a protocol arranges for immediate delivery of
packets to their destination. The average delay includes all possible sources of delay:
route discovery latency,
queuing at the interface queue,
retransmission delays at the MAC layer,
propagation delay, and
transfer time.

Simulation of both protocols in the stated scenarios produced two types of traces. One is
useful for animating the simulation and the other is used for finding out the efficiency of
the protocols and their behavior.

The trace files generated are very large, so scripts written in the AWK programming
language are used to analyze them. The algorithms for the scripts are listed in
Appendix A.

6.2 Scenario I : Varying the mobility of nodes


In this scenario, the speed of the nodes, including the blackhole node, is varied from 10
m/sec to 70 m/sec. As the speed of the nodes varies, the neighborhood of each node changes
regularly, so this scenario provides a good test for the proposed system. The analysis is
done using all the parameters discussed above.

6.2.1 Detection Rate

Figure 6.1: Detection Rate in SC-1

Figure 6.1 shows that as the mobility of the nodes increases, the neighborhood of the nodes
changes at the same rate, so the detection rate of the proposed system falls a little, but
it is still better than DPRAODV at detecting the blackhole.

6.2.2 False Positive Alarm


As the mobility of the nodes increases, the neighborhood of the nodes changes regularly, so
the false detection of malicious nodes in the proposed system increases with mobility, as
shown in Figure 6.2, but it is still better than DPRAODV.

Figure 6.2: False Positive Alarm in SC-1

6.2.3 Packet Delivery Ratio

Figure 6.3 : Packet Delivery Ratio in SC-1

Figure 6.3 shows that as the mobility of the nodes increases the detection rate decreases,
so the packet delivery ratio decreases a little. It is still better than DPRAODV and
attains a minimum delivery ratio of 90% at the maximum tested speed.

6.2.4 Routing Overhead


Figure 6.4 shows that the routing overhead of the proposed system is a little higher than
that of normal AODV, due to the generation of the alarm packet.

Figure 6.4: Routing Overhead in SC-1

6.2.5 Average End to End Delay


Figure 6.5 shows a small rise in average end-to-end delay in the proposed system compared
with the original AODV.

Figure 6.5: Average End to End Delay in SC-1


6.3 Scenario II : Varying the network size


In this scenario, the number of nodes in the network is varied from 10 to 60. The analysis
is done using all the parameters: detection rate, false positive alarm, packet delivery
ratio, routing overhead and end-to-end delay.

6.3.1 Detection Rate

Figure 6.6: Detection Rate in SC-II

The detection rate in this scenario is better than in the previous case, as shown in
Figure 6.6. Here all nodes move at the same speed throughout, while the number of nodes
changes from 10 to 60. The detection rate stays almost constant across the scenario, as the
number of nodes has no adverse effect on detection.
6.3.2 False Positive Alarm

Figure 6.7: False Positive Alarm in SC-II


The mobility of the nodes in this scenario is fixed at 20 m/sec, so mobility has no effect
on the results here, and the detection rate and false positive alarms are not much affected
in this scenario.

6.3.3 Packet Delivery Ratio

Figure 6.8: Packet Delivery Ratio in SC-II

Our system has a better detection rate than the previous system, so the packet delivery
ratio is better in each case, as shown in Figure 6.8.
6.3.4 Routing Overhead

Figure 6.9:Routing Overhead in SC-II


Figure 6.9 shows that the routing overhead of the proposed system is a little higher than
that of normal AODV, due to the generation of the alarm packet.
6.3.5 Average End to End Delay
Figure 6.10 shows a small rise in average end-to-end delay in the proposed system compared
with the original AODV.

Figure 6.10: Average End to End delay in SC-II

6.4 Scenario III : Varying the traffic load


In this scenario, the number of source nodes in the network is varied from 1 to 6. The
analysis is done using all the parameters: detection rate, false positive alarm, packet
delivery ratio, routing overhead and end-to-end delay.

6.4.1 Detection Rate


As the traffic load of the network increases, the detection rate of the proposed system
falls a little, but it is better than the previous system as well as the previous scenarios,
as shown in Figure 6.11.

6.4.2 False Positive Alarm


As the traffic load of the network increases, the number of connections to a specific node
also increases, which in turn increases the sequence number of that node. So the
destination has a higher sequence number in this scenario. Since the average destination
sequence number is one of the factors used in detection, the system's chances of false
detection increase in this scenario, as shown in the false detection results for this
scenario in Figure 6.12.

Figure 6.11: Detection Rate in SC-III

Figure 6.12: False positive Alarm in SC-III

6.4.3 Packet Delivery Ratio


As already discussed, our system has a better detection rate than the previous system, so
the packet delivery ratio is better in each case, as shown in Figure 6.13.


Figure 6.13: Packet delivery Ratio in SC-III

6.4.4 Routing Overhead


Figure 6.14 shows that the routing overhead of the proposed system is a little higher than
that of normal AODV, due to the generation of the alarm packet.

Figure 6.14: Routing Overhead in SC-III

6.4.5 Average End to End Delay


Figure 6.15 shows a small rise in average end-to-end delay in the proposed system compared
with the original AODV.


Figure 6.15: Average End to End Delay in SC-III

6.5 False Detection v/s Threshold Fidelity Level


The false detection rate was also measured against the threshold fidelity level. If the
threshold in the fuzzy system is kept low, successful detection of malicious behavior
decreases and the chance of treating malicious nodes as legitimate increases. If the
threshold is kept very high, legitimate nodes are also considered malicious, again
increasing the false detection rate. As shown in Figure 6.16, the most suitable value of
the threshold is between 5 and 5.5.

Figure 6.16 : False Detection Rate v/s Threshold Fidelity Level


SUMMARY
Ad hoc networking is a very active research field, as it is infrastructure-less wireless
networking. Application areas of MANETs are increasing day by day, from home networks,
office networks, ubiquitous computing and Bluetooth networks to wearable computing. But
because the participating nodes are wireless and mobile, the network topology changes a
lot, which poses a great challenge for the security of the network. The protocols of the
network should make sure that routes are established through legitimate nodes and not
through malicious ones. Other important issues are energy efficiency and scalability, as
mobile nodes cannot have a continuous power source.

Many protocols have been proposed in the literature, mainly in three categories: reactive,
proactive and hybrid. Reactive protocols perform better as they are on-demand driven; they
adjust to the network topology faster than the others and incur less overhead. AODV is a
popular on-demand routing protocol for mobile ad hoc networks due to its moderate overhead
and route convergence performance. Many enhancements have been proposed for AODV to
improve its security, in terms of intrusion detection systems and intrusion response
systems.

This work proposes a fuzzy-logic-based intrusion detection system to detect the blackhole
attack on AODV in MANETs by using AODV routing traffic and network traffic. The fuzzy rules
are applied to the collected parameters and, according to the result, it is decided whether
a node is a blackhole node or a legitimate node. The results show that the proposed fuzzy
system is more successful in detecting the blackhole node than the previous IDS and thus
improves the overall packet delivery ratio of the network.


CONCLUSION
The objective of this work is to investigate the success of the proposed intrusion detection
system against the blackhole attack in AODV for MANETs. The analysis of the proposed system
is done in ns-2. Security is a primary issue in every network: intruders can degrade the
overall performance of the network, so every network and its supporting protocols should
have a definite system to detect intruders so that they can be isolated from the network.
This work proposes an intrusion detection system against the blackhole attack in AODV using
fuzzy logic. The system does the additional task of generating an alarm packet to isolate
the intruder from the network. Following is the list of conclusions drawn from the
simulations.

The major improvement of the system is in detection rate, which is 9% higher than the
previous system, as shown in the results of all three scenarios used for simulation.

The false positive alarm rate is at least 5% lower than the previous system, which shows
how effectively the proposed system distinguishes malicious behavior from legitimate
behavior.

As the detection rate is high and the system also generates an alarm packet to isolate the
blackhole node from the network, the packet delivery ratio of the system is improved to the
required level.

Routing overhead and average end-to-end delay of the system are almost the same as those of
the original AODV.


FUTURE WORK
The following points can be considered for the extension of this study:

The proposed system can be extended to provide security against further active attacks
that a malicious node can perform against the routing protocol.

The proposed system could also be extended to operate with proactive routing protocols
such as DSDV.

The work can be extended to TCP traffic.

Another possibility for future work is to implement and test the proposed system in a real
ad hoc network environment.


REFERENCES
[1] Payal N. Raj and Prashant B. Swadas (2009), DPRAODV: A Dynamic Learning System against
Blackhole Attack in AODV based MANET, International Journal of Computer Science Issues
(IJCSI), Vol. 2.
[2] Satoshi Kurosawa, Hidehisa Nakayama, Nei Kato, Abbas Jamalipour and Yoshiaki Nemoto
(Nov. 2007), Detecting Blackhole Attack on AODV-based Mobile Ad Hoc Networks by Dynamic
Learning Method, International Journal of Network Security, Vol. 5, No. 3, pp. 338-346.
[3] J. Martin Leo Manickam and S. Shanmugavel (2007), Fuzzy based Trusted Ad hoc On-demand
Distance Vector Routing Protocol for MANET, Third IEEE International Conference on Wireless
and Mobile Computing, Networking and Communications (WiMob 2007).
[4] R. A. Raja Mahmood and A. I. Khan (2007), A Survey on Detecting Black Hole Attack in
AODV-based Mobile Ad Hoc Networks, Clayton School of Information Technology, Monash
University, Australia; International Symposium on High Capacity Optical Networks and
Enabling Technologies (HONET 2007).
[5] Kevin Fall and Kannan Varadhan (April 2005), The ns Manual (ns Notes and
Documentation), http://www.isi.edu/nsnam/ns/ns-documentation.html.
[6] I. Stamouli, P. G. Argyroudis and H. Tewari (2005), Real-time Intrusion Detection for
Ad hoc Networks, Sixth IEEE International Symposium on a World of Wireless, Mobile and
Multimedia Networks (WoWMoM'05), pp. 374-380.
[7] M. Hollick, J. Schmitt, C. Seipl and R. Steinmetz (Feb. 2004), The Ad hoc On-demand
Distance Vector Protocol: An Analytical Model of the Route Acquisition Process, Proc. of
the Second International Conference on Wired/Wireless Internet Communications (WWIC'04),
Frankfurt, pp. 201-212.
[8] M. Hollick, J. Schmitt, C. Seipl and R. Steinmetz (June 2004), On the Effect of Node
Misbehavior in Ad hoc Networks, Proc. of the IEEE International Conference on
Communications (ICC'04), Paris, pp. 3759-3763.
[9] Y. Zhang, W. Lee and Y. Huang (Sept. 2003), Intrusion Detection Techniques for Mobile
Wireless Networks, ACM/Kluwer Wireless Networks Journal (ACM WINET), Vol. 9, No. 5.
[10] C. Perkins, E. Belding-Royer and S. Das (July 2003), Ad hoc On-demand Distance Vector
(AODV) Routing, Request For Comments (RFC) 3561.
[11] Amit Jardosh, Elizabeth M. Belding-Royer, Kevin C. Almeroth and Subhash Suri (Sept.
14-19, 2003), Towards Realistic Mobility Models for Mobile Ad hoc Networks, MobiCom'03.
[12] A. Habib, M. H. Hefeeda and B. Bhargava (2003), Detecting Service Violations and DoS
Attacks, Proceedings of the Network and Distributed System Security Symposium (NDSS).
[13] P. Papadimitratos and Z. J. Haas (Oct. 2002), Securing the Internet Routing
Infrastructure, IEEE Communications Magazine, Vol. 40, No. 10.
[14] Y. C. Hu, A. Perrig and D. B. Johnson (Sept. 2002), Ariadne: A Secure On-demand
Routing Protocol for Ad hoc Networks, Proceedings of the 8th ACM International Conference
on Mobile Computing and Networking (MobiCom'02), pp. 12-23.
[15] F. Stajano (2002), Security for Ubiquitous Computing, Wiley.
[16] P. Albers, O. Camp, J. M. Percher, B. Jouga, L. Mé and R. Puttini (2002), Security in
Ad Hoc Networks: a General Intrusion Detection Architecture Enhancing Trust Based
Approaches, First International Workshop on Wireless Information Systems (WIS 2002), at the
4th International Conference on Enterprise Information Systems.
[17] K. Paul and D. Westhoff (2002), Context Aware Detection of Selfish Nodes in DSR based
Ad hoc Networks, IEEE Semi-annual Vehicular Technology Conference (VTC'02).
[18] S. Yi, P. Naldurg and R. Kravets (Oct. 2001), Security-aware Ad hoc Routing for
Wireless Networks, Proceedings of the 2nd ACM Symposium on Mobile Ad hoc Networking and
Computing (MobiHoc'01), pp. 299-302.
[19] B. Dahill, B. N. Levine, E. Royer and C. Shields (Aug. 2001), A Secure Routing
Protocol for Ad hoc Networks, Technical Report UM-CS-2001-037, University of Massachusetts.
[20] B. Dahill, B. N. Levine, E. M. Royer and C. Shields (Aug. 2001), A Secure Routing
Protocol for Ad hoc Networks, Technical Report UM-CS-2001-037, University of Massachusetts.
[21] C. E. Perkins (2001), Ad hoc Networking, Addison-Wesley.
[22] Y. Zhang and W. Lee (Aug. 2000), Intrusion Detection in Wireless Ad hoc Networks,
Proceedings of the 6th Annual International Conference on Mobile Computing and Networking
(MobiCom'00).
[23] V. Karpijoki (2000), Security in Ad hoc Networks, Proceedings of the Helsinki
University of Technology Seminar on Network Security, Helsinki, Finland.
[24] S. Marti, T. J. Giuli, K. Lai and M. Baker (2000), Mitigating Routing Misbehaviour in
Mobile Ad hoc Networks, Proceedings of the 6th Annual ACM/IEEE International Conference on
Mobile Computing and Networking, pp. 255-265.
[25] Timothy J. Ross (2000), Fuzzy Logic with Engineering Applications, McGraw Hill
International Editions.
[26] L. Zhou and Z. J. Haas (Nov./Dec. 1999), Securing Ad hoc Networks, IEEE Network
Magazine, Vol. 13, No. 6.
[27] Charles Perkins and Elizabeth M. Royer (Aug. 1998), Ad-hoc On Demand Distance Vector
(AODV) Routing, Internet-Draft, draft-ietf-manet-aodv-01.txt.
[28] Tony Larsson and Nicklas Hedman (1998), Routing Protocols in Wireless Ad-hoc
Networks: A Simulation Study, Master's thesis, Lulea University of Technology, Stockholm.
[29] MANET Charter (1998), available at http://www.ietf.org/html.charters/manet-charter.html
(1998-11-29).
[30] Vaduvur Bharghavan, Alan Demers, Scott Shenker and Lixia Zhang (Aug. 1994), MACAW: A
Media Access Protocol for Wireless LANs, Proceedings of the SIGCOMM '94 Conference on
Communications Architectures, Protocols and Applications, pp. 212-225.
[31] J. Ioannidis, D. Duchamp and G. Q. Maguire Jr. (Sept. 1991), IP-based Protocols for
Mobile Internetworking, ACM SIGCOMM Computer Communication Review (SIGCOMM'91),
pp. 234-245.
[32] Phil Karn (Sept. 1990), MACA: A New Channel Access Method for Packet Radio,
Proceedings of the 9th Computer Networking Conference, pp. 134-140.
[33] R. Heady, G. Luger, A. Maccabe and M. Servilla (Aug. 1990), The Architecture of a
Network Level Intrusion Detection System, Technical Report, Computer Science Department,
University of New Mexico.
[34] C. C. Lee (1990), Fuzzy Logic in Control Systems: Fuzzy Logic Controller, Parts I and
II, IEEE Transactions on Systems, Man and Cybernetics, Vol. 20, pp. 404-435.
[35] Bing Wu, Jianmin Chen, Jie Wu and Mihaela Cardei, A Survey of Attacks and
Countermeasures in Mobile Ad Hoc Networks, Department of Computer Science and Engineering,
Florida Atlantic University.
[36] J. Lundberg, Routing Security in Ad hoc Networks, http://citeseer.nj.nec.com/400961.html.
[37] S. Rajasekaran and G. A. Vijayalakshmi Pai, Neural Networks, Fuzzy Logic and Genetic
Algorithms: Synthesis and Applications, Prentice Hall of India.
[38] Timothy J. Ross, Fuzzy Logic with Engineering Applications, McGraw Hill.
[39] Andrew S. Tanenbaum, Computer Networks, Third Edition, Prentice Hall of India.


APPENDIX A
Pseudocode for calculating the forward packet ratio for node j
1. Scan the traffic of the immediate neighbors.
2. forwarded = 0; received = 0; (for neighbor j)
3. do while records remain
4.   if (node j is neither source nor destination && packet is CBR)
5.     if (action is s) then forwarded = forwarded + 1
       else if (action is r) then received = received + 1
6.   end if
7.   next record
8. end while
9. forward_packet_ratio = forwarded / received (0 if received is 0)
10. end


Pseudocode for calculating the average destination sequence number increment for node j
1. Scan the traffic of the immediate neighbors.
2. f_seqratio (average sequence number increment) = 0; f_count = -1; (for neighbor j)
3. do while records remain
4.   if (node j is neither source nor destination && packet is RREP)
5.     if (f_count is -1) then f_seqratio = 0; f_lseqno = seqno (current destination
       sequence number); f_count = 0
       else f_seqratio = ((f_count * f_seqratio) + (seqno - f_lseqno)) / (f_count + 1);
       f_count = f_count + 1; f_lseqno = seqno
6.   end if
7.   next record
8. end while
9. end


Algorithm for Packet Delivery Ratio

1. Scan the trace record by record
2. received = 0; sent = 0;
3. do while records remain
4.   get the record into a variable
5.   if (action is s and the trace level is AGT) then sent = sent + 1
     else if (action is r and the trace level is AGT) then received = received + 1
     (only application-layer records are counted, as in the definition in Section 6.1)
6.   end if
7.   next record
8. end while
9. packet_delivery_ratio = received / sent
10. print packet_delivery_ratio
11. end

83

Algorithm for Routing Overhead
1. Scan the trace record by record
2. router = 0
3. do while records remain
4.   get the record into a variable
5.   split the record into an array of elements a separated by spaces
6.   trace_level = a[4]
7.   if trace_level = RTR
     a. router = router + 1
8.   end if
9.   next record
10. end while
11. overhead = router / simulation_time_in_sec
12. print overhead
13. end

Algorithm for End-to-End Delays
1. highest_packet_id = 0; total_rec = 0; delay = 0;
2. do while records remain
3.   (records here are only traces of the agent and not the router)
4.   split the record into an array of elements a separated by spaces
5.   extract the parameters action, time, seq_no, packet_id, node_id, source, destination and flow id from the record (refer to Appendix B for reading the trace)
6.   if (packet_id > highest_packet_id) then
     a. highest_packet_id = packet_id
7.   end if
8.   maintain two arrays, start_time and end_time, indexed by packet_id and initialized to 0
9.   if (action is s) then
       start_time[packet_id] = time
10.  end if
11.  if (action is r) then
       end_time[packet_id] = time
     end if
12.  next record
13. end while
14. for (packet_id in start_time)
      if (end_time[packet_id] is not 0)
        total_rec = total_rec + 1
        delay = delay + (end_time[packet_id] - start_time[packet_id])
      end if
15. end for
16. print avg_delay = delay / total_rec
17. stop
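The three trace-wide procedures above (packet delivery ratio, routing overhead, end-to-end delay) read the same NS-2 trace. The following Python is an added example, not the thesis's own code: it runs the three procedures over a few constructed trace lines written in the old wireless format of Appendix B. It departs from the pseudocode in two deliberate ways: the delay is accumulated across all delivered packets before dividing, and the delivery ratio is restricted to agent-level cbr records so that routing packets and router-level copies of the same packet are not counted as sent or received. Field indices are zero-based after split() (the trace level is a[3] here), and the simulation time is passed in as a parameter rather than read from the trace.

```python
"""Packet delivery ratio, routing overhead and average end-to-end delay
from an NS-2 wireless trace (added example; not the thesis's own code).

Zero-based fields of a record after split(), old wireless format:
  0 event  1 time  2 _node_  3 trace level (AGT/RTR/MAC)  4 drop reason
  5 packet id  6 packet type  7 size  ... bracketed headers
"""

# Constructed sample trace (not real simulator output): CBR packet 0 travels
# 0 -> 2 after an AODV route discovery, packet 3 is dropped at node 0 for lack
# of a route (NRTE), packet 4 is delivered.
SAMPLE_TRACE = """\
s 1.000000000 _0_ AGT  --- 0 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [0] 0 0
r 1.000000000 _0_ RTR  --- 0 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [0] 0 0
s 1.000500000 _0_ RTR  --- 1 AODV 48 [0 ffffffff 0 800] ------- [0:255 -1:255 30 0] [0x2 1 1 [2 0] [0 4]] (REQUEST)
r 1.001000000 _2_ RTR  --- 1 AODV 48 [0 ffffffff 0 800] ------- [0:255 -1:255 29 0] [0x2 1 1 [2 0] [0 4]] (REQUEST)
s 1.002000000 _2_ RTR  --- 2 AODV 44 [0 0 2 800] ------- [2:255 0:255 30 0] [0x4 1 [2 4] 10.000000] (REPLY)
r 1.003000000 _0_ RTR  --- 2 AODV 44 [0 0 2 800] ------- [2:255 0:255 29 0] [0x4 1 [2 4] 10.000000] (REPLY)
s 1.003500000 _0_ RTR  --- 0 cbr 532 [13a 2 0 800] ------- [0:0 2:0 30 2] [0] 0 0
r 1.010000000 _2_ RTR  --- 0 cbr 532 [13a 2 0 800] ------- [0:0 2:0 30 2] [0] 0 0
r 1.010000000 _2_ AGT  --- 0 cbr 512 [13a 2 0 800] ------- [0:0 2:0 30 2] [0] 0 0
s 1.500000000 _0_ AGT  --- 3 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [1] 0 0
D 1.500300000 _0_ RTR  NRTE 3 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [1] 0 0
s 2.000000000 _0_ AGT  --- 4 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [2] 0 0
r 2.020000000 _2_ AGT  --- 4 cbr 512 [13a 2 0 800] ------- [0:0 2:0 30 2] [2] 0 0
"""


def records(trace):
    """Yield each non-empty trace line as a list of whitespace-separated fields."""
    for line in trace.splitlines():
        fields = line.split()
        if fields:
            yield fields


def packet_delivery_ratio(trace, level="AGT", ptype="cbr"):
    """Received / sent data packets, counted at the agent level only so that
    routing packets and per-hop router records do not inflate either count."""
    sent = received = 0
    for a in records(trace):
        if a[3] != level or a[6] != ptype:
            continue
        if a[0] == "s":
            sent += 1
        elif a[0] == "r":
            received += 1
    return received / sent if sent else 0.0


def routing_overhead(trace, simulation_time):
    """Router-level (RTR) records per simulated second, exactly as the Appendix A
    procedure counts them: every RTR record, whatever its action or packet type."""
    rtr = sum(1 for a in records(trace) if a[3] == "RTR")
    return rtr / simulation_time


def average_end_to_end_delay(trace, level="AGT"):
    """Mean of (agent receive time - agent send time) over delivered packets.
    A packet sent but never received contributes nothing to the average."""
    start, end = {}, {}
    for a in records(trace):
        if a[3] != level:
            continue
        pkt, t = int(a[5]), float(a[1])
        if a[0] == "s":
            start[pkt] = t
        elif a[0] == "r":
            end[pkt] = t
    delays = [end[p] - start[p] for p in start if p in end]
    return sum(delays) / len(delays) if delays else 0.0


if __name__ == "__main__":
    print("packet delivery ratio:", packet_delivery_ratio(SAMPLE_TRACE))
    print("routing overhead     :", routing_overhead(SAMPLE_TRACE, simulation_time=10.0))
    print("average e2e delay    :", average_end_to_end_delay(SAMPLE_TRACE))
```

On the sample, two of the three agent sends are delivered, eight RTR records fall in a 10 s simulation, and the two delivered packets took 10 ms and 20 ms.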


APPENDIX B
NS-2 Wireless Formats
This information comes from the ns Manual [12], "Mobile Networking in ns: Trace Support" chapter, and the "trace/cmu-trace.cc" file. Wireless traces begin with one of four characters followed by one of two different trace formats, depending on whether the trace logs the X and Y coordinates of the mobile node.

Event            Abbreviation   Type          Value
Wireless Event   s: Send        %.9f %d (%6.2f %6.2f) %3s %4s %d %s %d [%x %x %x %x]
                 r: Receive     %.9f _%d_ %3s %4s %d %s %d [%x %x %x %x]
                 d: Drop        double        Time
                 f: Forward     int           Node ID
                                double        X Coordinate (If Logging Position)
                                double        Y Coordinate (If Logging Position)
                                string        Trace Name
                                string        Reason
                                int           Event Identifier
                                string        Packet Type
                                int           Packet Size
                                hexadecimal   Time To Send Data
                                hexadecimal   Destination MAC Address
                                hexadecimal   Source MAC Address
                                hexadecimal   Type (ARP, IP)

Some older versions of NS2 (such as 2.1b5) have five hexadecimal values between the square brackets. The first hexadecimal value is the MAC frame control information, and the remaining hexadecimal values are the same as listed above. Depending on the packet type, the trace may log additional information:

Event        Type           Value
             ------- [%s %d/%d %d/%d]
ARP Trace    string         Request or Reply
             int            Source MAC Address
             int            Source Address
             int            Destination MAC Address
             int            Destination Address

             [0x%x %d %d [%d %d] [%d %d]] (REQUEST)
             hexadecimal    Type
             int            Hop Count
             int            Broadcast ID
             int            Destination
             int            Destination Sequence Number
             int            Source
             int            Source Sequence Number

             [0x%x %d [%d %d] %f] (%s)
             hexadecimal    Type
             int            Hop Count
             int            Destination
             int            Destination Sequence Number
             double         Lifetime
             string         Operation (REPLY, ERROR, HELLO)
             int            Delta
             int            ID

             [0x%x %d %f %d] (CLEAR)
             hexadecimal    Type
             int            Destination
             double         Tau
             int            Oid

             ------- [%d:%d %d:%d %d %d]
IP Trace     int            Source IP Address
             int            Source Port Number
             int            Destination IP Address
             int            Destination Port Number
             int            TTL Value
             int            Next Hop Address, If Any

             [%d %d] %d %d
TCP Trace    int            Sequence Number
             int            Acknowledgment Number
             int            Number Of Times Packet Was Forwarded
             int            Optimal Number Of Forwards

             [%d] %d %d
CBR Trace    int            Sequence Number
             int            Number Of Times Packet Was Forwarded
             int            Optimal Number Of Forwards
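The two per-neighbour procedures of Appendix A (forward packet ratio and average destination sequence number for node j) cannot be computed from the whitespace-split fields alone: they need the IP header (to decide whether j is source or destination) and the AODV header (for the destination sequence number carried in a RREP) described in the tables above. The following Python is an added example, not code from the thesis or from ns-2: it decodes the common prefix, the IP, CBR and AODV REQUEST/REPLY headers of the old wireless format with regular expressions, then applies the two Appendix A procedures to constructed trace lines as seen at node 1. The packet type string "AODV" for routing packets, the node numbers and the sequence numbers in the sample are assumptions of this example. The first RREP only seeds the baseline sequence number (the pseudocode's f_count = -1 case), so the result is the mean increase between successive RREPs, which is 0 when fewer than two RREPs are seen.

```python
"""Decoder for the bracketed headers of the old NS-2 wireless trace format
(MAC, IP, CBR, AODV) plus the two per-neighbour metrics of Appendix A.
Added example, not code from the thesis or from ns-2 itself.
"""
import re

# Constructed sample trace as recorded at node 1 (not real simulator output).
# Node 1 relays CBR data from node 0 to node 2 and AODV replies from 2 to 0;
# the type string "AODV" for routing packets is an assumption of this example.
SAMPLE_TRACE = """\
r 0.400000000 _1_ RTR  --- 9 AODV 48 [0 ffffffff 0 800] ------- [0:255 -1:255 29 0] [0x2 1 1 [2 0] [0 4]] (REQUEST)
r 0.500000000 _1_ RTR  --- 10 AODV 44 [0 1 2 800] ------- [2:255 0:255 30 1] [0x4 1 [2 10] 10.000000] (REPLY)
r 0.900000000 _1_ RTR  --- 11 AODV 44 [0 1 2 800] ------- [2:255 0:255 30 1] [0x4 1 [2 12] 10.000000] (REPLY)
r 1.000000000 _1_ RTR  --- 0 cbr 532 [13a 1 0 800] ------- [0:0 2:0 31 1] [0] 1 0
s 1.000100000 _1_ RTR  --- 0 cbr 532 [13a 2 1 800] ------- [0:0 2:0 30 2] [0] 1 0
r 1.100000000 _1_ RTR  --- 1 cbr 532 [13a 1 0 800] ------- [0:0 2:0 31 1] [1] 1 0
s 1.100100000 _1_ RTR  --- 1 cbr 532 [13a 2 1 800] ------- [0:0 2:0 30 2] [1] 1 0
r 1.200000000 _1_ RTR  --- 2 cbr 532 [13a 1 0 800] ------- [0:0 2:0 31 1] [2] 1 0
r 1.250000000 _1_ RTR  --- 5 cbr 532 [13a 1 0 800] ------- [0:0 1:0 31 1] [0] 1 0
r 1.900000000 _1_ RTR  --- 12 AODV 44 [0 1 2 800] ------- [2:255 0:255 30 1] [0x4 1 [2 16] 10.000000] (REPLY)
r 2.900000000 _1_ RTR  --- 13 AODV 44 [0 1 2 800] ------- [2:255 0:255 30 1] [0x4 1 [2 22] 10.000000] (REPLY)
"""

# Common prefix: %c %.9f _%d_ %3s %4s %d %s %d [%x %x %x %x] (no position logging)
TRACE_RE = re.compile(
    r"^(?P<event>[srDf])\s+(?P<time>[\d.]+)\s+_(?P<node>\d+)_\s+(?P<level>\S+)\s+"
    r"(?P<reason>\S+)\s+(?P<pid>\d+)\s+(?P<ptype>\S+)\s+(?P<size>\d+)\s+"
    r"\[(?P<mac>[^\]]*)\]\s*(?P<rest>.*)$")
IP_RE = re.compile(r"\[(-?\d+):(\d+) (-?\d+):(\d+) (\d+) (-?\d+)\]")  # [src:port dst:port ttl nexthop]
CBR_RE = re.compile(r"\[(\d+)\] (\d+) (\d+)\s*$")                      # [seq] forwards optimal
RREQ_RE = re.compile(r"\[0x([0-9a-fA-F]+) (\d+) (\d+) \[(\d+) (\d+)\] \[(\d+) (\d+)\]\] \((\w+)\)")
RREP_RE = re.compile(r"\[0x([0-9a-fA-F]+) (\d+) \[(\d+) (\d+)\] ([\d.]+)\] \((\w+)\)")


def parse_record(line):
    """Decode one trace line into a dict; None if it is not a wireless trace record."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    for key, conv in (("time", float), ("node", int), ("pid", int), ("size", int)):
        rec[key] = conv(rec[key])
    ip = IP_RE.search(rest)
    if ip:  # destination -1 is the broadcast address
        rec["src"], rec["dst"], rec["ttl"], rec["next_hop"] = int(ip[1]), int(ip[3]), int(ip[5]), int(ip[6])
    if rec["ptype"] == "cbr":
        cbr = CBR_RE.search(rest)
        if cbr:
            rec["seq"], rec["forwards"], rec["optimal_forwards"] = map(int, cbr.groups())
    elif rec["ptype"] == "AODV":
        rrep, rreq = RREP_RE.search(rest), RREQ_RE.search(rest)
        if rrep:
            rec.update(operation=rrep[6], hops=int(rrep[2]), aodv_dst=int(rrep[3]),
                       dst_seq=int(rrep[4]), lifetime=float(rrep[5]))
        elif rreq:
            rec.update(operation=rreq[8], hops=int(rreq[2]), bcast_id=int(rreq[3]),
                       aodv_dst=int(rreq[4]), dst_seq=int(rreq[5]),
                       aodv_src=int(rreq[6]), src_seq=int(rreq[7]))
    return rec


def parse_trace(trace):
    """Yield decoded records, skipping lines the prefix pattern does not match."""
    for line in trace.splitlines():
        rec = parse_record(line)
        if rec:
            yield rec


def forward_packet_ratio(trace, j, level="RTR"):
    """Appendix A: CBR packets node j sent on / CBR packets it received, counting
    only traffic for which j is neither the IP source nor the IP destination."""
    forwarded = received = 0
    for rec in parse_trace(trace):
        if rec["node"] != j or rec["level"] != level or rec["ptype"] != "cbr":
            continue
        if j in (rec.get("src"), rec.get("dst")):
            continue
        if rec["event"] == "s":
            forwarded += 1
        elif rec["event"] == "r":
            received += 1
    return forwarded / received if received else 0.0


def average_dst_seq_increment(trace, j, level="RTR"):
    """Appendix A: running mean of the growth in destination sequence number
    between successive RREPs seen at node j (j neither source nor destination)."""
    f_seqratio, f_count, f_lseqno = 0.0, -1, None
    for rec in parse_trace(trace):
        if rec["node"] != j or rec["level"] != level or rec.get("operation") != "REPLY":
            continue
        if j in (rec.get("src"), rec.get("dst")):
            continue
        seqno = rec["dst_seq"]
        if f_count == -1:  # first RREP only records the baseline
            f_seqratio, f_count = 0.0, 0
        else:
            f_count += 1
            f_seqratio = ((f_count - 1) * f_seqratio + (seqno - f_lseqno)) / f_count
        f_lseqno = seqno
    return f_seqratio


if __name__ == "__main__":
    print("forward packet ratio of node 1:", forward_packet_ratio(SAMPLE_TRACE, j=1))
    print("mean RREP seq increment at node 1:", average_dst_seq_increment(SAMPLE_TRACE, j=1))
```

In the sample, node 1 receives three CBR packets addressed to node 2 but sends on only two (the packet addressed to node 1 itself is excluded), and the four relayed RREPs carry destination sequence numbers 10, 12, 16 and 22, so the mean increment is 4.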
