1.1.1 Wired Networks
Wired networks are connected by means of physical wires. The connection is usually
established with the help of physical devices such as switches and hubs in between to increase
the strength of the connection. These networks are usually more efficient and much faster
than wireless networks. Once the connection is set, there is very little chance of getting
disconnected. Usually, repeaters are used in between to increase the communication
distance.
Advantages of wired networks are:
Physical, fixed wired connections are not prone to interference and fluctuations in
available bandwidth, which can affect some wireless networking connections.
1.1.2 Wireless Networks
Wireless network refers to any type of computer network that is wireless. In the wireless
network, electromagnetic waves are used to connect two devices in the network instead of
some physical media. The absence of physical wires makes this kind of network very
flexible. It also reduces the installation and maintenance cost of the network. Advantages
of Wireless Networks are:
Mobile users are provided with access to real-time information even when they are
away from their home or office.
Setting up a wireless system is easy and fast and it eliminates the need for pulling out
the cables through walls and ceilings.
Network can be extended to places which cannot be wired.
Wireless networks offer more flexibility and adapt easily to changes in the configuration
of the network.
wireless networks, as the former don't have a fixed topology, no base-station support, and
no fixed routers. MANET has multi-hop communication capability. There is no centralized
administration or a backbone network to support it. In these types of networks each node
works as an independent router. Each host uses wireless RF transceivers as network
interface [30]. Example applications of MANET are emergency search-and-rescue
operations, and meetings or conventions where users need to deploy networks immediately,
without base stations or fixed network infrastructure. Figure 1.1 shows a simple ad hoc
network of three mobile hosts using wireless network interfaces. The outermost nodes are
not within transmitter range of each other. However, the middle node can be used to
forward packets between the outermost nodes. The middle node is acting as a router and
the three nodes have formed an ad-hoc network.
Figure 1.1: Example of a simple ad-hoc network with three participating nodes
Wireless ad-hoc networks take advantage of the nature of the wireless communication
medium. In other words, in a wired network the physical cabling is done a priori, restricting
the connection topology of the nodes. This restriction is not present in the wireless domain
and, provided that two nodes are within transmitter range of each other, an instantaneous
link between them may form.
Various features of mobile ad-hoc network are:
Self-organizing: Every time a mobile host moves, it needs to re-discover which mobile
hosts are reachable. It does this by sending a "ping" message in all directions and listening
for corresponding "pong" messages. The strength of the "ping" message weakens as
distance increases, giving the mobile host a limited range within which "ping" messages
can be "heard". This range is called the scan range of the mobile host.
host and as a router. A node can be viewed as an abstract entity consisting of a router
and set of affiliated mobile hosts (Figure 1.2)
Figure 1.2: Block diagram of mobile node working both as host and router
Highly dynamic: The topology of MANET systems can change very rapidly.
Therefore within MANET systems, one will find that communication endpoints
frequently move independently of one another.
Low cost: Wireless ad hoc networks are built from low-cost transceivers and do not
incur charges for provider's access and airtime.
Limited physical security: The broadcast nature of wireless networks lends itself
to passive eavesdropping attacks without malicious nodes being detected. By
exploiting the specific aspects of wireless routing protocols being used, more
damaging attacks are possible.
1.4 Routing
Routing is the act of moving information from a source to a destination in an inter-network.
During this process, at least one intermediate node within the inter-network is encountered.
This concept is not new to computer science, but it has now achieved popularity. The major
reason for this is that the earlier networks were very simple and homogeneous
environments, whereas high-end and large-scale internetworking has now become popular with
the latest advancements in the networks and telecommunication technology.
The routing concept basically involves two activities: firstly, determining optimal routing
paths and secondly, transferring the information groups (called packets) through an internetwork. The latter is called packet switching, which is straightforward, whereas
path determination can be very complex.
Routing protocols use several metrics to calculate the best path for routing the packets to their
destination. A metric is a standard measurement, such as the number of hops, which
is used by the routing algorithm to determine the optimal path for the packet to its
destination. For path determination, routing algorithms initialize and
maintain routing tables, which contain the total route information for the packet. This route
information varies from one routing algorithm to another.
Routing tables are filled with a variety of information which is generated by the routing
algorithms. The most common entries in the routing table are the IP address prefix and the next
hop. Destination/next hop associations tell the router that a particular
destination can be reached optimally by sending the packet to a router representing the
next hop on its way to the final destination, and the IP address prefix specifies the set of
destinations for which the routing entry is valid.
Switching is relatively simple compared with path determination. In switching,
a host determines that it should send a packet to another host. By
some means it acquires the router's address and sends the packet addressed specifically to
the router's MAC address, with the protocol address of the destination host. The router then
examines the protocol address and verifies whether it knows how to transfer the data to its
destination. If it knows how to transfer the data, it forwards the packet to its destination;
if it doesn't, it drops the packet.
an intrusion detection system (IDS). An IDS collects activity information and then analyzes
it to determine whether there are any activities that violate the security rules. Once an IDS
determines that an unusual activity or an activity that is known to be an attack occurs, it
then generates an alarm to alert the security administrator. In addition, IDS can also initiate
a proper response to the malicious activity.
1.6 Objective
The objective of this work is to investigate on proposed fuzzy based intrusion detection
system against blackhole attack on AODV in MANETs based by realizing on their performance
At the end a brief summary of the work is presented with conclusion & directions for the
future work. The appendix provides a general understanding of routing parameters & tracing
formats of wireless network in ns-2.
Dynamic topology
Resource constraints
No infrastructure
All these characteristics of MANET make it more vulnerable to attacks. One of these
attacks is the Black Hole attack. In the Black Hole attack, a malicious node absorbs all
data packets in itself. In this way, all packets in the network are dropped. A malicious
node dropping all the traffic in the network makes use of the vulnerabilities of the route
discovery packets of the on-demand protocols, such as AODV. In the route discovery process
of the AODV protocol, intermediate nodes are responsible for finding a fresh path to the
destination, sending discovery packets to the neighbor nodes. Malicious nodes do not use
this process and instead, they immediately respond to the source node with false
information as though they have a fresh enough path to the destination. Therefore the source node
sends its data packets via the malicious node to the destination, assuming it is a true path.
Thus the characteristics and nature of MANET require the strict cooperation of participating
mobile nodes. There should be a strong detection technique that can work on real-time
variables to find out intrusions in the network. Subsequent actions can be taken based on
the information collected by the detection system.
This chapter presents a brief overview of AODV, a routing protocol used in MANET,
various security issues in MANET and various intrusion detection systems reported in the
literature of wireless ad hoc networks. Section 2.1 discusses the basic operation of AODV,
a routing protocol used in MANET. Section 2.2 provides the various security goals of ad hoc
networks. The various security challenges that MANET faces are described in section 2.3.
Section 2.4 gives the detail about various routing attacks in AODV. The various security
schemes used in MANETs are discussed in section 2.5. Section 2.6 describes the
study of various intrusion detection systems used in MANETs.
is designed specifically to
address the routing problems in ad hoc wireless networks and provides communication
between mobile nodes with minimal control overhead and minimal route acquisition
latency [21]. AODV is a reactive protocol. It makes the route when it is needed and does
not require nodes to maintain the routes to various destinations that are not being used in
communication. AODV enables multi-hop routing between participating mobile nodes
wishing to establish and maintain an ad-hoc network. AODV is based upon the distance
vector algorithm. As long as the endpoints of a communication connection have valid
routes to each other, AODV does not play any role. It is a loop-free protocol. Additionally,
it has support for multicast routing and avoids the Bellman-Ford "counting to infinity"
problem [39]. It provides quick convergence when the network topology changes. The
use of destination sequence numbers guarantees that a route is "fresh".
The algorithm uses different messages to discover and maintain links. Whenever a node
wants to try and find a route to another node, it broadcasts a Route Request (RREQ) to
all its neighbors. The RREQ propagates through the network until it reaches the
destination or a node with a fresh route to the destination. Then the route is made
available by unicasting a RREP back to the source.
AODV enables mobile nodes to respond to link breakages and changes in the network
topology in a timely manner [10]. The algorithm uses hello messages (a special RREP)
are local advertisements for the continued presence of the node and neighbors using
routes through the broadcasting node will continue to mark the routes as valid. If hello
messages stop coming from a particular node, the neighbor can assume that the node has
moved away and mark that link to the node as broken and notify the affected set of
nodes by sending a link failure notification (a special RREP). AODV also has a multicast
route invalidation message.
In the following sections properties of AODV are presented along with the operational
details of its most fundamental functionalities, namely the route discovery and the route
maintenance processes.
2.1.1 Properties
As it was mentioned earlier AODV provides loop-freedom that is accomplished through
the use of sequence numbers. Every node maintains its own sequence number that
it increases monotonically each time it learns of a change in the topology of its
neighborhood. This sequence number ensures that the most recent route is selected
whenever a route discovery process is executed. In addition, in multicast-enabled AODV
each multicast group has its own sequence number, which is maintained by the multicast
group leader [21].
Furthermore, AODV is able to provide unicast, multicast, and broadcast
lifetime is associated with each route table entry which is updated whenever the route is
successfully used. When an entry's lifetime attribute expires because it was not frequently
used, it is removed from the routing table, and if there is a need for this route again it is
reacquired through a route discovery process.
AODV is able to maintain both unicast and multicast routes even for nodes with
mobility. Also it provides a quick detection mechanism of invalid routes through the use
of route errors (RERR) messages. The protocol is able to respond to topological changes
that affect the active routes in a quick and timely manner. When the nodes in the network
move from their places and the topology is changed or the links in the active path are
broken, the intermediate node that discovers this link breakage propagates an RERR
packet. And the source node re-initializes the path discovery if it still desires the route.
This ensures quick response to broken links. Finally, because it does not use source routing
it does not introduce additional overhead since it requires only the next-hop routing
information.
An intermediate node upon the reception of a RREQ packet checks whether it has seen
it before by examining the originator's IP address and the RREQ broadcast ID pair. Each
node maintains a list of the originator IP and RREQ broadcast ID pair for each route
request that it receives. This information remains in this list for a finite period of time and
it is used to avoid flooding attacks or anomalous node behavior. If the intermediate node
has already seen this RREQ it silently discards the packet. If it has not seen this RREQ
within this finite period of time it starts processing it.
The first step is to set up the reverse route in its routing table. The reverse route contains
the originator IP address, the sequence number, the hops required to reach the source node
and the neighbor from which it has received the packet. This process is essential since it
is used to forward back the RREP. Figure 2.2 indicates the propagation process of a RREQ
along with the formation of the relevant reverse routes.
In order for an intermediate node to reply to a RREQ it has to have an unexpired entry for
the destination in its routing table. Additionally, the sequence number associated
with that destination must be greater or equal to the one indicated in the RREQ packet. If
the entry satisfies these two conditions then it unicasts a RREP back to the source of the
RREQ by incrementing the hop count by one. The structure of the RREP and the fields it
contains are presented in figure 2.3 [10]. If none of the intermediate nodes is able to reply,
the RREQ eventually reaches the destination node. When the destination node sends the
RREP it places its current sequence number in the packet, initializes the hop count to
zero and places the length of time this route is valid in the RREP's Lifetime field [10].
If this is the first time the source node communicates with this node the sequence number
will not be available and therefore it will not be included in the packet. When an
intermediate node receives the RREP it uses the reverse route established for the RREQ to
forward the packet to each destination, but before doing so it increments the hop count by
one. Figure 2.4 indicates the path of a RREP from the destination to the source node.
It is possible that the destination node will receive more than one RREP from its neighbors.
In this case it uses the first RREP that it receives and upon the reception of another reply it
checks if the later packet contains a greater destination sequence number or if it has a
smaller hop count, meaning that it provides a fresher or shorter route. In this case it updates
the route entry with the new values; otherwise the reply packet is discarded.
When the neighbor nodes receive the RERR packet they mark the route to the destination
as invalid by setting the distance to this destination node to infinity, and if they have any
precursor list of their own they propagate this message forward to their precursor nodes.
When the RERR reaches the source node it can reinitiate a route discovery if the route is
still needed.
In figure 2.6 the route maintenance procedure is illustrated. In figure 2.6(a) the route
from source to destination contains the nodes 1, 2, 4, and 5. When node 4 decides to move
to position 4`, it breaks the connectivity in node 2. Node 3, being the closest upstream
neighbor to the link loss, sends a RERR to node 1. Node 1, upon reception of the RERR
packet, marks the route as invalid and then forwards the RERR to the source node, which
reinitiates a route discovery process since it still requires communication with the
destination node. The new route that was created is presented in figure 2.6(b), where
node 4 was replaced by node 3.
RERRs are also sent when a node receives data packets for a destination that is not listed in
its routing table [10]. In this way the node without the route that is receiving the data
packets can inform its upstream neighbor that it should stop sending them, thus they are
not constantly discarded.
Availability: It should ensure that the network manages to provide all services despite
denial of service attacks. A denial of service attack can be launched at any layer of
an ad hoc network. On the physical and media access control layer a malicious user
can employ jamming in order to interfere with signals in the physical layer. On the
network layer, a malicious user can disrupt the normal operation of the routing table in
various ways. Lastly, on the higher layer, a malicious user can bring down high-level
services such as the key management service.
to unauthorized user. This feature is mostly desired when transmitting sensitive information
such as military and tactical data. Routing information must also be confidential in
some cases when the user's location must be kept secret.
Integrity: Guarantees that the message that is transmitted reaches its destination
without being changed or corrupted in any way. Message corruption can be caused by
either a malicious attack on the network or because of radio propagation failure.
Access and usage control: Access control ensures that access to information is
controlled by the ad hoc network. Usage control ensures that the information resource
is used correctly by the authorized node having the corresponding rights.
2.3 Security Challenges
The prominent features of ad hoc networks pose both challenges and opportunities in
achieving the proposed security goals. The main security challenges that ad hoc networks
Black Hole: In this attack, a malicious node uses the routing protocol to advertise itself
as having the shortest path to the destination node of the packet that was intercepted.
This attack can be easily implemented in AODV during the route discovery process.
Upon reception of a route request the malicious node can guarantee that its reply
will be preferred by the source node by either increasing significantly the
destination sequence number or by advertising a considerably shorter path. Once the
forged route has been established the malicious node is able to become a member of the
active route and intercept the communication packets. The outcomes of this attack
can vary. The malicious node can either stop after inserting the false route information
in the network, aiming to create instability and unnecessary network traffic, or drop
all incoming application packets for the specific destination and perform a denial-of-service attack. This attack can also be used by the malicious node as the
first step to a man-in-the-middle attack.
Routing Table Overflow: In a routing table overflow attack the attacker attempts to
create routes to non-existing nodes. The goal is to create enough routes to prevent new
routes from being created or to overwhelm the protocol implementation. Proactive
routing protocols are more vulnerable to this attack, since they attempt to create and
maintain routes to all possible destinations. To implement this attack, a malicious node
can simply send excessive route advertisements to the network. Implementing this
attack against a reactive protocol like AODV is slightly more complicated
since two nodes are required. The first node should make a legitimate request for a
route and the malicious node should reply with a forged address.
Resource Consumption: This attack aims at flooding the network with routing traffic
in order to consume battery life from the nodes and available bandwidth from the ad
hoc network. The malicious node continually requests either existing or non-existing destinations, forcing the neighboring nodes to process and forward these
packets and therefore consume batteries and network bandwidth, hindering the normal
operation of the network.
Dropping Routing Traffic: It is essential in the ad hoc network that all nodes
participate in the routing process. However, a node may act selfishly and process
only routing information that is related to itself in order to conserve energy. This
behavior/attack can create network instability or even segment the network.
Location disclosure: A location disclosure attack can reveal information related to the
location of a node or the topology and structure of the network. The information gained
might reveal which other nodes are adjacent to the target or the physical location of a
participating node. The attack can be implemented by using a command similar to
traceroute that exists in Unix-like systems or with the use of the time-to-live attribute
of the routing packet and the addresses of the devices by sending ICMP error messages.
In the end, the attacker knows which nodes are situated on the route to the target node.
If the locations of some of the intermediary nodes are known, one can gain information
about the location of the destination node as well.
There are several other similar active attacks presented in the literature [16] but they
exploit more or less the same routing protocol vulnerabilities to achieve their goals.
present the two approaches in realizing security schemes that can be employed in ad
hoc networking environments.
technique produces a greater percentage of false alarms since the definition of normal
routing operation is difficult to be defined, especially in an ad hoc network. There are
some intrusion detection systems that have been proposed for ad hoc environments [17]
and are presented in more detail in the following chapter.
knows a priori the public key of the certification authority that will be used to
authenticate the other participating nodes. Another protocol is the Security-aware Ad hoc
Routing (SAR) [18] that extends on-demand ad hoc routing protocols like AODV and
DSR. The main aspect of SAR is that it introduces a new security metric in the route
discovery and maintenance process, treating secure routing as a quality of service (QoS)
issue. SAR uses security attributes such as trust values and trust relationships in order to
define this metric. Its operation is applicable in situations where a route that satisfies
certain security requirements is more important and therefore preferable than any other
route that satisfies other requirements (i.e. shortest path). The final secure routing
protocol to be presented is the Secure Routing Protocol (SRP) [13]. SRP is a set of
security extensions that can be used in any protocol that uses broadcasting and route
queuing methods although the authors suggest that DSR is a particularly appropriate
choice. The operation of SRP requires the existence of a security association between the
source node that engages the route discovery process and the destination node. Upon the
establishment of the security association the nodes share a secret key that is further used by
the protocol.
It should not introduce a new weakness for the system. Ideally it should ensure its
own integrity.
It should require minimum resources to run and it should not degrade the
system performance by introducing additional overhead.
It should run continuously and remain transparent to the system and the users.
In the following sections some of the intrusion detection works in the field of ad hoc
networking are presented [4].
follows:
1) Analytical model of route acquisition
powerful metric for characterization of the network behavior. The derived probability density function p(d)
and the corresponding probability distribution function P(d) are given in equations
below. Detailed discussion on the derivation of the equations is discussed in [7]. The
p(d) describes the statistical relation between the distance of two nodes and the
corresponding probability of being connected, while P(d) gives the route length
distribution in the network. The variable distance d represents the distance between
source and destination.
2) Misbehaving nodes effect: They extend the model to cover the effect of node
misbehavior [8], that is, the deformation of the probability distribution when misbehaving
nodes are present.
for Ad
hoc Networks (RIDAN) system that adopts specification-based detection technique and
performs countermeasures to minimise the damage from the attacks. RIDAN details
are as follows:
1) Architecture: RIDAN utilises the timed finite state machines (TFSMs) process, which
is an extended finite state machine model with time states and timed constraints on the
state transition process. In order to recognise the patterns occurring when an attack is
launched, the generated AODV is analysed in both its normal operation state and when
an attack is in progress. The timers that control the transition between the states of the
TFSMs are derived from theoretical research and practical experimentation.
2) Detection and countermeasure: Based on the TFSMs design and operation, a node in
RIDAN decides if it should either trust another node or must go to an alarm state and take
countermeasure against it. The countermeasure action includes isolating the offending
node for a finite time period in order to avoid possible false positive. RIDAN
implements two different TFSMs to correctly identify the black hole attack but owing to
the limited space, we only present one TFSM as shown in Fig. 2, which is used to
detect first black hole attack.
This TFSM is triggered whenever a node initiates a route discovery process. In state 1, if
a Route Reply message does not arrive within a predefined time period
(NET_TRAVERSAL_TIME), the TFSM returns to its initial state (init_0). Upon receiving
the first RREP, the state 2 of TFSM checks if the
included destination sequence number (RREP_dest_seq#) is suspiciously much higher
than the sequence number included in Route Request (orig_dest_seq#). If it is
suspiciously higher, it goes directly to the alarm state (Alarm).
expires without
receiving another Route Reply, it resets normally (N_RESET). If within the time limit
another Route Reply arrives, the validity of the destination sequence number is checked
again in state 3 and similarly a decision is taken whether to move to an alarm state. When
an alarm occurs, the source node must not update its routing table with the forged routing
information. The next step is to reset (A_RESET) the TFSM to its initial state (init_0).
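A minimal sketch of the timed state machine described above, added here as an illustration and not taken from RIDAN itself. The value of NET_TRAVERSAL_TIME, the names REPLY_WAIT_TIME and SEQ_JUMP_LIMIT, the TIMEOUT and RREP_OK labels, and the rule that an RREP outside an active discovery is ignored are assumptions.

```python
"""Timed FSM that vets RREPs during one route discovery (illustrative sketch)."""
from enum import Enum

NET_TRAVERSAL_TIME = 2.8   # seconds to wait for the first RREP (assumed value)
REPLY_WAIT_TIME = 1.0      # hypothetical timer for further RREPs
SEQ_JUMP_LIMIT = 1000      # hypothetical bound for "suspiciously much higher"


class State(Enum):
    INIT_0 = "init_0"
    STATE_1 = "state_1"    # RREQ sent, waiting for the first RREP
    STATE_2 = "state_2"    # first RREP checked and accepted
    STATE_3 = "state_3"    # a further RREP checked and accepted
    ALARM = "Alarm"


def seq_jump(rrep_dest_seq, orig_dest_seq):
    """Signed 32-bit difference, so a rollover does not look like a huge jump."""
    return ((rrep_dest_seq - orig_dest_seq + 2**31) % 2**32) - 2**31


class RrepMonitor:
    def __init__(self, limit=SEQ_JUMP_LIMIT):
        self.state = State.INIT_0
        self.limit = limit
        self.orig_dest_seq = 0
        self.deadline = 0.0
        self.trace = []      # transition labels, kept for inspection
        self.suspects = []   # senders whose RREP raised an alarm

    def _go(self, state, label):
        self.state = state
        self.trace.append(label)

    def start_discovery(self, now, orig_dest_seq):
        """The node broadcasts an RREQ carrying orig_dest_seq."""
        self.orig_dest_seq = orig_dest_seq
        self.deadline = now + NET_TRAVERSAL_TIME
        self._go(State.STATE_1, "RREQ_SENT")

    def on_timer(self, now):
        """Apply a timer expiry, if one is due at time `now`."""
        if self.state is State.INIT_0 or now < self.deadline:
            return
        label = "TIMEOUT" if self.state is State.STATE_1 else "N_RESET"
        self._go(State.INIT_0, label)

    def on_rrep(self, now, sender, rrep_dest_seq):
        """Return True only if this RREP may update the routing table."""
        self.on_timer(now)
        if self.state is State.INIT_0:
            return False                      # no discovery in progress
        if seq_jump(rrep_dest_seq, self.orig_dest_seq) > self.limit:
            self._go(State.ALARM, "ALARM")    # forged route is not installed
            self.suspects.append(sender)
            self._go(State.INIT_0, "A_RESET")
            return False
        nxt = State.STATE_2 if self.state is State.STATE_1 else State.STATE_3
        self._go(nxt, "RREP_OK")
        self.deadline = now + REPLY_WAIT_TIME
        return True


if __name__ == "__main__":
    # Constructed events: a plausible reply, then one with an inflated number.
    m = RrepMonitor()
    m.start_discovery(0.0, orig_dest_seq=20)
    print(m.on_rrep(0.5, "node2", 21), m.on_rrep(0.6, "node3", 100020))
    print(m.trace, m.suspects)
```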
$$\bar{x}^{D} = \frac{1}{N}\sum_{i=1}^{N} x_i \qquad (1)$$
Next, we calculate the distance from input data sample x to the mean vector $\bar{x}^{D}$
from Equation (2).
$$d(x) = \lVert x - \bar{x}^{D} \rVert \qquad (2)$$
When the distance is larger than the threshold Th (which means it is out of range
as normal traffic), it will be judged as an attack (Equation (3)).
$$d(x) > Th : \text{attack}, \qquad d(x) \le Th : \text{normal} \qquad (3)$$
Let T0 be the first time interval for a node participating in MANET. By using data
collected in this time interval, the initial mean vector is calculated; the calculated mean
vector is then used to detect the attack in the next period time interval. If the state in T is
judged as normal, then the corresponding data set will be used as learning data
set. Otherwise, it will be treated as data including attack and it will be
consequently discarded. This way, the system keeps on learning the normal state of
the network. By doing this, the system updates the training data set to be used for the
next detection. Then the mean vector, which is calculated from the training data
set, is used for detection of the next data. By repeating this for every time interval
T, we can perform anomaly detection which can adapt to the MANET
environment.
3) Calculate threshold:
collected in the time interval. If the initial training data were used, then the system
could not adapt the changing environment. The threshold value is the average of the
difference of dest_seq_no in each time slot between the sequence number in the routing
table and the RREP packet. The time interval to update the threshold value is as soon as a
newer node receives a RREP packet. As a new node receives a RREP for the first time, it
gets the updated value of the threshold.
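The mean-vector learning loop of Equations (1) to (3) above, written out as an added example that is not code from the cited work. The three features per sample (RREQs sent, RREPs received, destination sequence number difference), the fixed threshold, the Euclidean norm, the rule that one out-of-range sample marks the whole interval, and all sample values are assumptions constructed for illustration.

```python
"""Dynamic-learning anomaly detection over per-interval feature vectors."""
import math


def mean_vector(samples):
    """Equation (1): component-wise mean of the N training samples."""
    n = len(samples)
    return [sum(column) / n for column in zip(*samples)]


def distance(x, mean):
    """Equation (2): distance from sample x to the mean (Euclidean, assumed)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, mean)))


class DynamicDetector:
    def __init__(self, initial_interval, threshold):
        self.threshold = threshold                  # Th in Equation (3)
        self.mean = mean_vector(initial_interval)   # learned from T0

    def judge(self, x):
        """Equation (3): compare d(x) against Th."""
        return "attack" if distance(x, self.mean) > self.threshold else "normal"

    def process_interval(self, samples):
        """Judge one interval, then relearn only if it looked normal."""
        verdicts = [self.judge(x) for x in samples]
        if "attack" not in verdicts:
            # Normal interval: it becomes the training set for the next one.
            self.mean = mean_vector(samples)
        # Otherwise the interval is discarded and the old mean is kept.
        return verdicts


# Constructed samples: (RREQs sent, RREPs received, dest-seq difference).
TH = 6.0
T0 = [(10, 8, 2), (12, 9, 3), (11, 10, 2), (9, 9, 1)]
T1 = [(14, 11, 3), (15, 12, 4), (13, 11, 3)]     # traffic drifts upward
T2 = [(18, 14, 4), (17, 13, 5), (18, 14, 5)]     # drifts further, still benign
T3 = [(18, 14, 5), (19, 15, 60000)]              # one reply with a huge jump


def run_demo():
    """Return the verdicts per interval and what a non-adapting detector says."""
    adaptive = DynamicDetector(T0, TH)
    results = [adaptive.process_interval(t) for t in (T1, T2, T3)]
    static = DynamicDetector(T0, TH)              # never relearns after T0
    static_on_t2 = [static.judge(x) for x in T2]
    return results, static_on_t2


if __name__ == "__main__":
    adaptive_results, static_results = run_demo()
    print("adaptive:", adaptive_results)
    print("static on T2:", static_results)
```

The detector that keeps the T0 mean flags the benign drift in T2, while the relearning one only flags the T3 sample and leaves its mean unchanged for that interval.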
2.5.4 Fuzzy based Trusted Ad hoc On-demand Distance Vector Routing Protocol for MANET: FTAODV
J. Martin Leo Manickam and S. Shanmugavel [3] proposed a Fuzzy based Trusted Ad
hoc On demand Distance Vector (FTAODV) routing
extraneous assumptions in the existing AODV protocol is proposed. All nodes in the
network independently execute the fuzzy trust model to derive trust on its neighbors
The proposed Fuzzy based Trust model is integrated with AODV reactive routing
protocol as shown in figure 2.81. The trust model consists of following four components,
namely Trust Verification, AODV routing
During Trust Verification, each node verifies the trustworthiness of the neighbor
from which it receives the control packet. In AODV routing protocol, nodes will
interact only with the trusted neighbors. During Fuzzy input parameter extraction,
each node monitors its neighbors based on directly experienced events. During Fuzzy
based Trust computation, the Mamdani based Fuzzy model [25] is used to compute the
trust from the monitored events to have a direct trust on its neighbors. These computed
trust levels are then associated with the routing process in AODV protocol.
Based on Mamdani Fuzzy model, each
neighbors and maintained in the neighbor table. The trust value lies between 0 and 10.
Depending upon the trust level, malicious behavior of a node is determined, where 0 trust
value indicates the complete malicious behavior and trust value indicates a legitimate node.
During Trust Verification, each node verifies whether the control packet is sent by a
trusted neighbor or not. A neighbor is said to be trusted when its trust value is greater than
or equal to the Threshold Trust Value (TTV). It is the trust value below which a node is
considered to be malicious.
neighbor.
from the source, received by neighbors (intermediate nodes) of the source node. The
intermediate nodes broadcast the RREQ message to their neighbors. This process goes
on until the packet is received by destination node or an intermediate node that has a
fresh enough route entry for the destination. Figure 3.1 shows how the RREQ message is
propagated in an ad-hoc network.
Afterwards the RREP message is unicast to the source node. The difference between
broadcasting an RREQ and unicasting an RREP can be seen from Figures 3.1 and 3.2.
While the RREQ and the RREP messages are forwarded by intermediate nodes,
intermediate nodes update their routing tables and save this route entry for 3 seconds,
which is the ACTIVE_ROUTE_TIMEOUT constant value of AODV protocol. Thus the
node knows over which neighbor to reach the destination. In terminology, the
neighbor list for destination is labeled as Precursor List. Figure 3.2 shows how the
RREP message is unicast and how the route entries in the intermediate nodes are
updated.
An important thing to note during route discovery is that each node maintains only the
next hop in its routing table. No other information related to the nodes on the routes is
maintained.
Sequence Numbers serve as time stamps and allow nodes to compare how fresh their
information on the other node is. When a node sends any type of routing control
message (RREQ, RREP, RERR etc.), it increases its own sequence number. A higher sequence
number means more accurate information: whichever node sends the highest sequence
number, its information is considered and the route is established over this node by the other
nodes.
The sequence number is a 32-bit unsigned integer value (maximum 4294967295). If the sequence
number of the node reaches the highest possible sequence number, 4294967295, then it will
be reset to zero (0). If the result of subtracting the sequence number of an incoming AODV
route control message from the sequence number currently stored in a node is less than
zero, the stored sequence number is replaced with the sequence number of the incoming
control message.
In Figure 3.3, while Node 2 forwards the RREP message coming from Node 3, it compares
its own previously stored sequence number with that of Node 3. If it notices that the
sequence number is newer than its own, then it changes its route table entry as necessary.
uses the AODV protocol, a Black Hole node absorbs the network traffic and drops all
packets. To explain the Black Hole Attack, a malicious node that exhibits Black Hole
behavior is added to the scenario of the figures of the previous section.
In the scenario shown in Figure 3.4, assume that Node 3 is the malicious node. When
Node 1 broadcasts the RREQ message for Node 4, Node 3 immediately responds to Node 1
with an RREP message that includes the highest sequence number of Node 4, as if it is
coming from Node 4. Node 1 assumes that Node 4 is behind Node 3 with 1 hop and
discards the newly received RREP packet coming from Node 2. Afterwards Node 1 starts to
send out its data packets to Node 3, trusting that these packets will reach Node 4, but Node
3 will drop all data packets.
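The freshness rule and the Figure 3.4 exchange can be traced in a few lines of Python. This is an added example, not code from the thesis or from ns-2; the class and function names and the sequence numbers 250 and 62 are constructed, and the equal-sequence hop-count tie-break comes from the AODV specification rather than from this page.

```python
"""Added example: AODV sequence-number freshness and the route update it drives."""

SEQ_MAX = 0xFFFFFFFF  # 4294967295, the largest 32-bit unsigned value


def next_seq(seq):
    """Increment a node's own sequence number; reset to 0 after SEQ_MAX."""
    return 0 if seq == SEQ_MAX else seq + 1


def signed32(value):
    """Interpret the low 32 bits of value as a signed two's-complement integer."""
    value &= SEQ_MAX
    return value - (1 << 32) if value & 0x80000000 else value


def incoming_is_fresher(stored_seq, incoming_seq):
    """True when (stored - incoming) is negative in signed 32-bit arithmetic."""
    return signed32(stored_seq - incoming_seq) < 0


class RouteTable:
    """Routing table of one node: per destination, only next hop, seq and hops."""

    def __init__(self):
        self.routes = {}

    def on_rrep(self, dest, dest_seq, hop_count, from_neighbor):
        """Process an RREP heard from from_neighbor; return True if installed."""
        current = self.routes.get(dest)
        install = (
            current is None
            or incoming_is_fresher(current["seq"], dest_seq)
            # Tie-break from the AODV specification (not spelled out on this
            # page): same sequence number, shorter path.
            or (current["seq"] == dest_seq and hop_count + 1 < current["hops"])
        )
        if install:
            self.routes[dest] = {
                "next_hop": from_neighbor,
                "seq": dest_seq,
                "hops": hop_count + 1,
            }
        return install


def figure_3_4_scenario():
    """Replay Node 1's view of Figure 3.4 with constructed sequence numbers."""
    node1 = RouteTable()
    # Node 3 replies first and claims a destination sequence number (250) far
    # above the one Node 4 really holds (62). Both values are constructed.
    node1.on_rrep(dest=4, dest_seq=250, hop_count=1, from_neighbor=3)
    # The genuine RREP relayed by Node 2 arrives later and looks stale.
    genuine_installed = node1.on_rrep(dest=4, dest_seq=62, hop_count=1, from_neighbor=2)
    return node1.routes[4]["next_hop"], genuine_installed


if __name__ == "__main__":
    print(figure_3_4_scenario())            # (3, False)
    print(incoming_is_fresher(SEQ_MAX, 0))  # True: 0 follows 4294967295 after reset
```

Node 1 has no way to check the advertised number, so the route through Node 3 stays installed and the genuine reply is discarded as stale.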
In a Black Hole Attack, after a while, the sending node understands that there is a link error
because the receiving node does not send TCP ACK packets. If it sends out new TCP data
packets and discovers a new route for the destination, the malicious node still manages to
deceive the sending node. If the sending node sends out UDP data packets the problem is
not detected because the UDP data connections do not wait for the ACK packets.
As discussed in the last chapter, the RIDAN Intrusion Detection System uses the sequence
number transmitted in the RREP packet of AODV by the subjective node. But the sequence no.
increases according to the number of connections with the destination node. So the direct
value of this number cannot completely define the behavior of a node.
In the centralized approach of detection systems, a single node in the network has to
decide the behavior of a participating node, which can make the system unstable, as
failure of that node can bring down the network.
So for a successful detection system, neither is a single factor enough nor can a single node
completely define the misbehavior of a node. An intrusion detection system based on one
factor generates a number of false alarms. The time period for detection is also greater, which
is responsible for a higher packet drop ratio. If the system relies on a single node for generating
the alarms, it will increase the processing load on that node, as it has to go through the
complete information passed by other nodes, thus making the detection process a lot
slower. The detection system can be made to work more efficiently if we combine the
above discussed factors for the detection process in a single system that is used by every
node in the network rather than by only one node. Also we have promiscuous mode
in the AODV, in which a node can listen to the activities of other neighboring nodes and can
check the behavioral characteristics of its immediate neighbors. So, I am using both factors,
destination sequence number transmitted in the RREP packet and forward data packet ratio,
for the detection of blackhole node in the promiscuous mode.
This is the proposed intrusion detection system to detect the blackhole attack on AODV in
MANETs. This detection system is based on FUZZY LOGIC and various issues identified
in intrusion detection systems in section 3.3. As discussed in section 3.3, the major issue in
various detection systems is the use of only one factor for the identification of misbehavior
of a node and also some detection systems use centralized approach for the detection
purpose. The system proposes the improvement by making
destination sequence number and forward packet ratio for the detection system. I have
implemented these factors using Fuzzy Logic, which is a problem solving control system
methodology. Fuzzy Logic provides a simple way to arrive at a definite conclusion based
upon vague, ambiguous, imprecise, noisy or missing input information. This chapter
discusses the detailed concept of the proposed system.
Fuzzy logic is flexible. With any given system, it's easy to massage it or layer more
functionality on top of it without starting again from scratch.
Fuzzy logic is tolerant of imprecise data. Everything is imprecise if you look closely
enough, but more than that, most things are imprecise even on careful inspection. Fuzzy
reasoning builds this understanding into the process rather than tacking it onto the end.
Fuzzy logic can model nonlinear functions of arbitrary complexity. You can create a
fuzzy system to match any set of input-output data.
Fuzzy logic can be blended with conventional control techniques. Fuzzy systems don't
necessarily replace conventional control methods. In many cases fuzzy systems
augment them and simplify their implementation.
Fuzzy logic is based on natural language. The basis for fuzzy logic is the basis for
human communication. This observation underpins many of the other statements about
fuzzy logic. Natural language is that which is used by ordinary people on a daily basis.
Sentences written in ordinary language represent a triumph of efficient communication.
We are generally unaware of this because ordinary language is, of course, something we
use every day. Since fuzzy logic is built atop the structures of qualitative description
used in everyday language, fuzzy logic is easy to use.
The input values can be real numbers between 0 and 1. What function will preserve the
results of the classical logic truth table and also extend to all real numbers between 0 and
1? One answer is the min operation. We can replace the OR operation with the max function,
so that A OR B becomes equivalent to max(A, B). Finally the operation NOT A becomes
equivalent to the operation 1-A. Fuzzy intersection or conjunction (AND), fuzzy union or
disjunction (OR), and fuzzy complement (NOT) can either be defined using the classical
operators for these functions: AND = min, OR = max, and NOT = additive complement, or
using customized functions. Fuzzy logic
complement, but the AND and OR operators can be easily customized if desired.
Fuzzy sets and fuzzy operators are the subjects and verbs of fuzzy logic. These IF-THEN
rule statements are used to formulate the conditional statements that comprise fuzzy logic.
A single fuzzy IF-THEN rule assumes the form
IF x is A THEN y is B
where A and B are linguistic values defined by fuzzy sets on the ranges (universes of
discourse) x and y, respectively. The IF-part of the rule "x is A" is called the antecedent or
premise, while the THEN-part of the rule "y is B" is called the consequent or conclusion.
Interpreting IF-THEN rules is a three-part process.
In general, one rule by itself doesn't do much good. What's needed are two or more rules
that can play off one another. The output of each rule is a fuzzy set. The output fuzzy sets
for each rule are then aggregated into a single output fuzzy set. Finally the resulting set is
defuzzified, or resolved to a single number. The next section shows how the whole process
works from beginning to end for a particular type of fuzzy inference system called a
Mamdani type.
function, and it can be thought of as a pre-defuzzified fuzzy set. It enhances the efficiency
of the defuzzification process because it greatly simplifies the computation required by the
more general Mamdani method, which finds the centroid of a two-dimensional function.
Rather than integrating across the two-dimensional function to find the centroid, we use the
weighted average of a few data points. Sugeno-type systems support this type of model. In
general, Sugeno-type systems can be used to model any inference system in which the
output membership functions are either linear or constant.
The parts of fuzzy Inference process are as shown in the block diagram below.
[Block diagram: Fuzzification -> Application of Fuzzy operators -> Implication Process (Shaping of fuzzy set) -> Aggregation -> Defuzzification]
given by the antecedent, and the output is a fuzzy set. Implication occurs for each rule. Two
built-in methods are supported, min (minimum) which truncates the output fuzzy set, and
prod (product) which scales the output fuzzy set.
occurs once for each output variable, just prior to the
4.1.5.5 Defuzzification
The input for the defuzzification phase is the unified fuzzy set formed by aggregation of
consequents, and the output is a crisp number. If there is more than one output variable, the
final output for each variable is a crisp number. The most popular defuzzification method is
the centroid calculation, which returns the center of area under the curve. There are five
built-in methods supported: centroid, bisector, middle of maximum (the average of the maximum
value of the output set), largest of maximum, and smallest of maximum.
The fuzzy verification model verifies the fidelity level of the node and checks the
behavior of the node.
The final component of the architecture is the alarm module that is responsible for taking
the appropriate measures to keep the network performance within acceptable performance
measures. Therefore, the Fuzzy based intrusion detection components operate between
the network traffic and the routing protocol requiring minor modifications to the routing
protocol that is utilized in the network.
The Fuzzy based intrusion detection system runs locally in every participating node and it
makes decisions upon the partial view of the traffic that it observes. It completes the
solution by generating the alarm packets to take countermeasures for the isolation of the
detected misbehaving node and to keep the performance of the network within acceptable
limits.
neighbor table for its every neighbor. The neighbor table of node i has the following
fields for its neighbor node j: Forward Packet Ratio (the ratio of data packets
forwarded by node j to the data packets received by node j, if node j is not the
destination), Average Destination Sequence Number and Fidelity Level.
Forward Packet Ratio: If a route has been established through node j, node i in its
immediate neighborhood will listen to the traffic through node j. If node j is not the
destination, it must forward every data packet it is receiving from its neighbor in the route.
So the neighbor nodes of j will activate their promiscuous mode and will listen to the traffic
through node j and calculate the forward packet ratio, which is given by :
value of performance measures. From the crisp value of input variables, the
fuzzy values are calculated through membership functions of input shown in figure 4.4(a)
and 4.4(b) and fuzzy rules are applied. To illustrate one rule, the first rule can be
interpreted as, "If Forward Packet Ratio is LOW and Sequence Number ratio is
LOW, then Fidelity level is LOW". Similarly the other rules are framed.
S.N   Forward Packet Ratio   Average Destination Sequence Number   Fidelity Level
1     LOW                    LOW                                   LOW
2     LOW                    MEDIUM                                LOW
3     LOW                    HIGH                                  LOW
4     MEDIUM                 LOW                                   MEDIUM
5     MEDIUM                 MEDIUM                                MEDIUM
6     MEDIUM                 HIGH                                  LOW
7     HIGH                   LOW                                   HIGH
8     HIGH                   MEDIUM                                HIGH
9     HIGH                   HIGH                                  LOW
Based on Mamdani Fuzzy model, each
neighbors and maintained in the neighbor table. The fidelity level lies between 0 and
10. The minimum value for fidelity can occur as a result of more malicious behavior than
legitimate behavior of a neighboring node. Hence, a fidelity level of 0 represents complete
malicious behavior and 10 represents legitimate behavior of a particular node.
4.4 Flow Chart of Proposed Methodology
The flow chart of the proposed methodology is described in figure 4.5.
[Figure 4.5: Flow Chart of Proposed Methodology. If the neighbor is source or destination: Exit. Otherwise: collect the fuzzy parameters for each neighbor node, then Fuzzification. If the output fidelity level < Threshold Value: Blackhole Node, Exit. Otherwise: Legitimate node, Exit.]
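The rule table, the 0 to 10 fidelity range and the flow chart combine into the following Mamdani inference, written here as an added Python example rather than the thesis's own implementation. The triangular membership functions, the scaling of both inputs to [0, 1], the threshold of 5.0 and the neighbor entries are assumptions, since Figure 4.4 and the threshold value are not on the page.

```python
"""Added example: Mamdani inference of a neighbor's fidelity level (0..10)."""

# Triangular sets as (left foot, peak, right foot). Figure 4.4 is not reproduced
# on this page, so these shapes and the [0, 1] input scaling are assumptions.
INPUT_SETS = {"LOW": (0.0, 0.0, 0.5), "MEDIUM": (0.0, 0.5, 1.0), "HIGH": (0.5, 1.0, 1.0)}
OUTPUT_SETS = {"LOW": (0.0, 0.0, 5.0), "MEDIUM": (0.0, 5.0, 10.0), "HIGH": (5.0, 10.0, 10.0)}

# (forward packet ratio, average destination sequence number) -> fidelity level,
# taken row by row from the rule table.
RULES = {
    ("LOW", "LOW"): "LOW", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "LOW",
    ("MEDIUM", "LOW"): "MEDIUM", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "LOW",
    ("HIGH", "LOW"): "HIGH", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "LOW",
}

THRESHOLD = 5.0  # hypothetical threshold value; the page does not state one


def tri(x, a, b, c):
    """Triangular membership; a == b or b == c gives a left or right shoulder."""
    if x <= a:
        return 1.0 if a == b else 0.0
    if x >= c:
        return 1.0 if b == c else 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


def fuzzify(x, sets):
    """Degree of membership of crisp x in every linguistic set."""
    return {label: tri(x, *abc) for label, abc in sets.items()}


def fidelity_level(fwd_ratio, seq_norm, implication="min"):
    """Fuzzify, fire the nine rules, aggregate with max, defuzzify by centroid."""
    mu_f = fuzzify(fwd_ratio, INPUT_SETS)
    mu_s = fuzzify(seq_norm, INPUT_SETS)
    strength = {}
    for (f_label, s_label), out_label in RULES.items():
        w = min(mu_f[f_label], mu_s[s_label])  # fuzzy AND of the antecedents
        strength[out_label] = max(strength.get(out_label, 0.0), w)
    num = den = 0.0
    for i in range(101):  # sample the output universe 0.0, 0.1, ..., 10.0
        y = i / 10.0
        agg = 0.0
        for label, w in strength.items():
            mu = tri(y, *OUTPUT_SETS[label])
            # min truncates the output set, prod scales it
            shaped = min(w, mu) if implication == "min" else w * mu
            agg = max(agg, shaped)
        num += y * agg
        den += agg
    return num / den if den else 0.0


def assess_neighbor(entry, threshold=THRESHOLD):
    """Follow the flow chart for one neighbor-table entry."""
    if entry["endpoint"]:
        return None  # source or destination: the flow chart exits without a verdict
    fidelity = fidelity_level(entry["fwd_ratio"], entry["seq_norm"])
    verdict = "blackhole" if fidelity < threshold else "legitimate"
    return round(fidelity, 2), verdict


# Constructed neighbor table of one monitoring node.
NEIGHBORS = {
    "n2": {"fwd_ratio": 0.95, "seq_norm": 0.10, "endpoint": False},
    "n3": {"fwd_ratio": 0.05, "seq_norm": 0.95, "endpoint": False},
    "n4": {"fwd_ratio": 0.00, "seq_norm": 0.10, "endpoint": True},
}


def assess_all(neighbors=NEIGHBORS):
    """Verdict per neighbor; None for the source or destination."""
    return {name: assess_neighbor(entry) for name, entry in neighbors.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(name, result)
```

A neighbor that forwards everything but advertises a very high sequence number still ends up with LOW fidelity, because the HIGH/HIGH rule maps to LOW.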
As shown in Figure 5.1, in a simplified user's view, NS is an Object-oriented Tcl (OTcl) script
interpreter that has a simulation event scheduler and network component object libraries,
and network setup (plumbing) module libraries (actually, plumbing modules are
implemented as member functions of the base simulator object). To set up and run a
simulation network, a user should write an OTcl script that initiates an event scheduler, sets
up the network topology using the network objects and the plumbing functions in the
library, and tells traffic sources when to start and stop transmitting packets through the
event scheduler.
The simulator is written in C++ and a script language called OTcl. ns uses an OTcl
interpreter towards the user. This means that the user writes an OTcl script that defines the
network (number of nodes, links), the traffic in the network (sources, destinations, type of
traffic) and which protocols it will use. This script is then used by ns during the
simulations. The result of the simulations is an output trace file that can be used to do data
processing (calculate delay, throughput etc.) and to visualize the simulation with a program
called Network Animator (NAM). NAM is a very good visualization tool that visualizes the
packets as they propagate through the network. An overview of how a simulation is done
in ns is shown in figure 5.2.
between a class in the interpreted hierarchy and one in the compiled hierarchy. The root of
this hierarchy is the class TclObject.
Users create new simulator objects through the interpreter; these objects are instantiated
within the interpreter, and are closely mirrored by a corresponding object in the compiled
hierarchy. The interpreted class hierarchy is automatically established through methods
defined in the class TclClass. User instantiated objects are mirrored through methods
defined in the class TclObject. There are other hierarchies in the C++ code and OTcl
scripts; these other hierarchies are not mirrored in the manner of TclObject.
NS-2 uses two languages because the simulator has two different kinds of things to do. On one
hand, a detailed simulation of protocols requires a system programming language which can
efficiently manipulate bytes and packet headers and implement algorithms that run over large
data sets. For these tasks runtime speed is important and turn-around time (run simulation,
find bug, fix bug, recompile, re-run) is less important. On the other hand, a large part of
network research involves slightly varying parameters or configurations, or quickly
exploring a number of scenarios. In these cases, iteration time (change the model and re-run)
is more important. Since configuration runs once (at the beginning of the simulation),
run-time of the task is less important. NS-2 meets both of these needs with two languages,
C++ and OTcl. C++ is fast to run but slower to change, making it suitable for detailed
protocol implementation. OTcl runs much slower but can be changed very quickly (and
interactively), making it ideal for simulation configuration. NS-2 (via Tcl) provides glue to
make objects and variables appear on both languages.
There are three steps for NS-2 Simulation. Initially, a script is written in OTcl. Also an
environment is created which will include creation of nodes, their movement information
and traffic information. After the creation of these environments the next part is the
simulation. Simulation is done by the simulator. The third phase of the NS2 simulation is
the Analysis part. Analysis can be done through Animation (NAM) or through trace files
(awk, perl, Xgraph).
packet is dropped. Once the hardware address of a packet's next hop is known, the packet
is inserted into the interface queue.
Interface Queue: The class PriQueue is implemented as a priority queue which gives
priority to routing protocol packets, inserting them at the head of the queue. It supports
running a filter over all packets in the queue and removes those with a specified destination
address.
Mac Layer: The IEEE 802.11 distributed coordination function (DCF) Mac protocol has
been implemented by CMU. DCF is similar to MACA and MACAW and is designed to use
both physical carrier sense and virtual carrier sense mechanisms to reduce the probability
of collisions due to hidden terminals. The transmission of each unicast packet is preceded
by a Request-to-Send/Clear-to-Send (RTS/CTS) exchange that reserves the wireless
channel for transmission of a data packet. Each correctly received unicast packet is
followed by an Acknowledgment (ACK) to the sender, which retransmits the packet a
limited number of times until this ACK is received. Broadcast packets are sent only when
virtual and physical carrier sense indicates that the medium is clear, but they are not
preceded by RTS/CTS and are not acknowledged by their recipients.
Antenna: An omni-directional antenna having unity gain is used by mobile nodes.
Network Interfaces: The Network Interface layer serves as the hardware interface which is
used by a mobile node to access the channel. This interface is subject to collisions and the radio
propagation model; it receives packets transmitted by other node interfaces to the channel.
The interface stamps each transmitted packet with the meta-data related to the transmitting
interface like the transmission power, wavelength etc. This meta-data in the packet header is
used by the propagation model in the receiving network interface to determine if the packet has
minimum power to be received and/or captured and/or detected (carrier sense) by the
receiving node. The model approximates the DSSS radio interface (Lucent WaveLAN
direct-sequence spread-spectrum).
Radio Propagation Model: It uses Friis free-space attenuation (1/r^2) at near distances and an
approximation to Two ray Ground (1/r^4) at far distances. The approximation assumes
specular reflection off a flat ground plane.
This packet is copied and is delivered to all network interfaces at the time at which the first
bit of the packet would begin arriving at the interface in a physical system. Each network
interface stamps the packet with the receiving interface's properties and then invokes the
propagation model.
The propagation model uses the transmit and receive stamps to determine the power with
which the interface will receive the packet. The receiving network interfaces then use their
properties to determine if they actually successfully received the packet and send it to the
MAC layer if appropriate. If the MAC layer receives the packet error and collision free, it
passes the packet to the mobile's entry point. From there it reaches a demultiplexer, which
decides if the packet should be forwarded again, or if it has reached its destination node. If
the destination node is reached, the packet is sent to a port demultiplexer, which decides to
what application the packet should be delivered. If the packet should be forwarded again
the routing agent will be called and the same process will be repeated.
These files can be generated by drawing them by hand using the visualization tool Ad-hockey
or by generating completely randomized movement and communication patterns with a script.
Ad-hockey is a Perl/Tk program that can assist in the creation of scenario files for use by
the CMU Monarch extensions to ns and the visualizations of the simulation trace files.
These files are then used for the simulation and as a result from this, a trace file is
generated as output. Prior to the simulation, the parameters that are going to be traced
during the simulation must be selected. The trace file can then be scanned and analyzed for
the various parameters that are to be measured. This can be used as data for plots with for
instance GNU-plot. The trace file can also be used to visualize the simulation run with Ad-hockey or network animator.
are used to load the GOD object with the knowledge that the shortest path between node 23
and node 46 changed to 2 hops at time 899.642. The setdest program generates node-movement files using the random waypoint algorithm. These files already include the lines
to load the GOD object with the appropriate information at the appropriate time.
Thus at the end of the node-movement file are listed information like number of destination
unreachable, total number of route and connectivity changes for mobile nodes and the same
info for each mobile node.
5.7 Scenarios
Before the start of simulations some common environments need to be created in which the
protocols are to be compared. The Scenario and the performance metrics are also to be
finalized before simulations.
The most common approach for an ad-hoc scenario is a randomized movement pattern with
a constantly sized area. Only two-dimensional simulations have been made, even though a
three dimensional approach would be better since it would correspond better to reality
(radio signals do propagate through walls and floors to some extent).
The two dimensional scenarios are typically based on a couple of input variables. Pause time
and velocity are the two significant variables for the movement model. Nodes are initially
randomly distributed inside a rectangular area. When the simulation commences each node
pauses at its current position for pause time seconds. The next step is to pick a new
arbitrary location and start moving towards it. As with the pause time the velocity with
which the node will start moving is randomly chosen from an interval of max and min
velocity. When the node reaches its new position it will pause once again for pause time
seconds and then the process will repeat itself until the end of the simulation is reached. All
nodes behave in the same way.
On this Random waypoint movement model analysis is done with the help of one
parameter, speed (m/sec) of nodes. Two more scenarios are simulated, one varying the
number of nodes in the network and the other varying the no. of sources in the network. In SC-I
speed is varied and other parameters are constant, in SC-II no. of nodes are varied and in
SC-III no. of sources are varied as described in table 5.1.
Environment / Property   Speed (m/sec)       No. of nodes        No. of sources
SC-I                     10,20,30,40,50,60   10                  1
SC-II                    20                  10,20,30,40,50,60   1
SC-III                   20                  30                  1,2,3,4,5,6
Each run of the simulation accepts a scenario file as input that describes the exact motion of
each node and the exact sequence of packets originated by each node. It also describes each
time at which each change in motion or packet origination is to occur. A number of scenario
files are pre-generated with different parameters as explained in section 5.8. Both LRAODV
& ELRAODV protocols are run against both scenarios. The output of the simulation is a trace
file & an animator file. The trace file is analyzed with the help of the AWK programming
language available in all UNIX & LINUX environments.
Parameters          Value
Transmitter Range   250 m
Bandwidth           2 Mbits/s
Simulation Time     100
Number of nodes     50
Scenario size       1000 x 1000 m^2
Traffic type
Packet size         64 bytes
Flows               25
Rate                4 packets/s
The source-destination pairs are spread randomly over the network. The number of
source-destination pairs and the packet sending rate in each pair is varied to change the offered
load in the network. Traffic sources are CBR (continuous bit-rate). Each node starts its
journey from a random location to a random destination according to the speed parameter
specified in the scenarios. Once the destination is reached, another random destination is
targeted after specified pause. Simulations are run for 100 simulated seconds for 50 nodes.
For fairness, identical mobility and traffic scenarios are used across protocols.
[Figure: trace format fields; recoverable labels: To, Pkt type, Pkt size, Flags, FID, Src, Dst, Seq, Pkt]
The next field shows the network layer protocol's sequence number. NS2 keeps track of
UDP packet sequence numbers. The last field shows the unique id of the packet. Having
simulation trace data at hand, all one has to do is to transform a subset of the data
of interest into comprehensible information and analyze it.
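The forward packet ratio kept in the neighbor table can be recovered from such a trace as follows; this is an added Python example (the thesis used AWK scripts, which are not reproduced on the page). It assumes the 12-field ns-2 layout `event time from to type size flags fid src dst seq pkt_id`, and the trace lines are constructed.

```python
"""Added example: forward packet ratio per relay node from ns-2 trace lines."""
from collections import defaultdict

# Constructed trace: flow 1 runs 1 -> 2 -> 4 (node 2 loses one packet in its
# queue), flow 2 runs 5 -> 3 -> 4 (node 3 receives but never sends on).
SAMPLE_TRACE = """\
- 1.000 1 2 cbr 64 ------- 1 1.0 4.0 0 10
r 1.004 1 2 cbr 64 ------- 1 1.0 4.0 0 10
- 1.004 2 4 cbr 64 ------- 1 1.0 4.0 0 10
r 1.008 2 4 cbr 64 ------- 1 1.0 4.0 0 10
- 1.250 1 2 cbr 64 ------- 1 1.0 4.0 1 11
r 1.254 1 2 cbr 64 ------- 1 1.0 4.0 1 11
- 1.254 2 4 cbr 64 ------- 1 1.0 4.0 1 11
r 1.258 2 4 cbr 64 ------- 1 1.0 4.0 1 11
- 1.500 1 2 cbr 64 ------- 1 1.0 4.0 2 12
r 1.504 1 2 cbr 64 ------- 1 1.0 4.0 2 12
d 1.504 2 4 cbr 64 ------- 1 1.0 4.0 2 12
- 2.000 5 3 cbr 64 ------- 2 5.0 4.0 0 20
r 2.004 5 3 cbr 64 ------- 2 5.0 4.0 0 20
- 2.250 5 3 cbr 64 ------- 2 5.0 4.0 1 21
r 2.254 5 3 cbr 64 ------- 2 5.0 4.0 1 21
r 2.300 5 3 cbr
"""


def parse_line(line):
    """Return the fields of one trace line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 12:
        return None
    event, time, hop_from, hop_to, ptype, _size, _flags, _fid, src, dst, _seq, pkt_id = parts
    try:
        return {
            "event": event,
            "time": float(time),
            "from": int(hop_from),
            "to": int(hop_to),
            "type": ptype,
            "src": int(src.split(".")[0]),  # "node.port" -> node
            "dst": int(dst.split(".")[0]),
            "pkt_id": int(pkt_id),
        }
    except ValueError:
        return None


def forward_packet_ratio(trace_text, data_type="cbr"):
    """Map each relay node to (data packets sent on) / (data packets received).

    A node is only counted for packets of which it is neither the source nor
    the destination, matching the definition used for the neighbor table.
    """
    received = defaultdict(set)   # node -> ids of packets it was asked to relay
    forwarded = defaultdict(set)  # node -> ids of packets it put on the next link
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != data_type:
            continue
        if rec["event"] == "r":
            node = rec["to"]
            if node not in (rec["src"], rec["dst"]):
                received[node].add(rec["pkt_id"])
        elif rec["event"] == "-":
            node = rec["from"]
            if node not in (rec["src"], rec["dst"]):
                forwarded[node].add(rec["pkt_id"])
    return {node: len(forwarded[node] & ids) / len(ids) for node, ids in received.items()}


if __name__ == "__main__":
    for node, ratio in sorted(forward_packet_ratio(SAMPLE_TRACE).items()):
        print(f"node {node}: forward packet ratio {ratio:.2f}")
```

Node 2 loses one packet of three in its queue and keeps a ratio of about 0.67, while node 3 relays nothing and scores 0.0.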
The
Detection Rate
It is the rate of detecting the blackhole node in the network. It is very important metric as it
signifies the success of intrusion detection system.
Routing Overhead
The total number of routing packets transmitted & received by all the nodes during the
simulation is known as routing overhead, as energy dissipates both in sending a packet as
well as receiving a packet for processing it. For packets sent over multiple hops, each
transmission of the packet counts as one. This is an interesting metric. In some way it
reveals how bandwidth efficient the routing protocol is. The routing overhead metric
simply shows how much of the bandwidth (which often is one of the limiting factors in a
wireless system) is consumed by routing messages, i.e. the amount of bandwidth
available to data packets. The routing overhead is typically much larger for proactive
protocols since they periodically flood the network with update messages. As the mobility
in the network increases, reactive protocols will of course have to send more routing
messages too. This is where the real strengths and weaknesses of the routing protocol are
revealed. It is also an important metric for comparing protocols, as it
measures the scalability of a protocol, the degree to which it will function in congested
or low-bandwidth environments.
End-to-End Delay
End-to-End Delay is the average time a packet takes for delivery to its destination after it
was transmitted. It tells how a protocol adapts or arranges for an immediate delivery of
packets to its desired destination. Average delay is all possible delays caused by
Route Discovery Latency
Queuing at the interface queue
Retransmission delays at the MAC
Propagation delay
Transfer time
Simulation of both protocols in scenarios stated resulted in two types of traces. One of
them is useful for animation of the simulation and second is used for finding out the
efficiencies of the protocols and their behavior.
The trace files generated are very large in size; a script written in the AWK programming
language is used to analyze the trace files generated. The algorithms for the scripts are
listed in Appendix A.
Figure 6.1 shows that as the mobility of nodes increases, the neighborhood of the nodes
changes with the same rate, so the detection rate of proposed system falls a little, but it is
still better than DPRAODV in detecting the blackhole.
Figure 6.3 shows that as the mobility of nodes increases, the detection rate
decreases, so the packet delivery ratio decreases a little. But it is still better
than DPRAODV and attains the minimum 90%
tested speed.
The detection rate of this scenario is better than the previous case, as shown in figure 6.6. In this
scenario, all the nodes move with the same speed throughout, but the number of nodes
changes from 10-60 with fixed mobility. The detection rate has an almost constant value
throughout the scenario, as the no. of nodes does not have a bad impact on detection.
6.3.2 False Positive Alarm
The mobility of nodes in this scenario is fixed at 20 m/sec, so the mobility does not have any
effect on the result of this scenario. So detection rate and false positive alarms are not much
affected in this scenario.
Our system has a better detection rate than the previous system, so the packet delivery ratio is
better in each case, as shown in the results in figure 6.8.
6.3.4 Routing Overhead
Figure 6.9 shows that the routing overhead of proposed system is a little more than normal
AODV due to generation of alarm packet.
6.3.5 Average End to End Delay
Figure 6.10 shows that there is a little rise in average end to end delay in the proposed system
as compared with actual AODV system.
number as one of our factors in detection. So the system's chances for false detection in this
scenario increases which is shown in results of false detection rate for this scenario in figure
6.12.
SUMMARY
Adhoc network is a very hot field for researchers these days, as it is an infrastructure-less
wireless network. Application areas of MANET are increasing day by day, from Home
networks, Office networks, Ubiquitous computing and Bluetooth networks to the
evolution of wearable computing. But as participating nodes are wireless and mobile, the
network topology changes a lot, which poses a great challenge to the security of the
network. Protocols of the network should make sure that the route is established
through legitimate nodes and not the malicious nodes. Other important issues are
energy efficiency & scalability, as mobile nodes cannot have a continuous power
source.
Many protocols have been proposed in the literature, mainly in three categories: reactive,
proactive & mixed. Reactive protocols perform better as they are on-demand-driven;
they adjust to the network topology faster than others & incur less overhead.
AODV is a popular on-demand routing protocol for mobile Adhoc networks due to its
moderate overhead & route convergence performance. Many enhancements have been
proposed to AODV to improve its security, in terms of intrusion detection systems
and intrusion response systems.
This work proposes a fuzzy based intrusion detection system to detect blackhole attack on
AODV in MANET by using AODV routing traffic and network traffic. The fuzzy rules are
applied on the collected parameters and, according to the results, it is decided whether the node
is a blackhole node or a legitimate node. Results prove that the proposed fuzzy system is more
successful in the detection of blackhole nodes than the previous IDS and thus improves the
overall packet delivery ratio of a network.
CONCLUSION
The objective of this work is to investigate the success of the proposed intrusion detection
system against blackhole attack in AODV for MANET. The analysis of the proposed system
is done in ns-2. Security is the primary issue in every network. Intruders in the network
can degrade the overall performance of the network. Every network and supporting
protocol should have a definite system to detect the intruders, so that they can be
isolated from the network. This work proposes an intrusion detection system against
blackhole attack in AODV using fuzzy logic. This system does an additional task of
generating the alarm packet to isolate the intruder from the network. Following is the list of
conclusions made after the simulation.
False positive alarm is at least 5% lower than the previous system, which signifies how
the proposed system makes effective distinction between normal behavior and
legitimate behavior.
As the detection rate is high and our system also generates the alarm packet to
isolate the blackhole node from the network, the packet delivery ratio of the system
is improved up to the required level.
Routing overhead and average end to end delay of the system is just the same as that of
original AODV.
FUTURE WORK
The following points can be considered for the extension of this study:
The proposed system can be further extended to provide security from more active
attacks that a malicious node can perform against the routing protocol.
Another thing that could be considered for future work is to implement and test the
proposed system in a real ad hoc network environment.
REFERENCES
[1] Payal N. Raj and Prashant B. Swadesh (2009) DPRAODV: A Dynamic Learning System against Blackhole attack in AODV based MANET, International Journal of Computer Science, Vol. 2.
[2] Satoshi Kurosawa, Hidehisa Nakayama, Nei Kato, Abbas Jamalipour and Yoshiaki Nemoto (Nov. 2007) Detecting Blackhole Attack on AODV-based Mobile Ad Hoc Networks by Dynamic Learning Method
and Kannan
http://www.isi.edu/nsnam/ns/ns-documentation.html.
[6] I. Stamouli, P. G. Argyroudis and H. Tewari, (2005) Real-time intrusion
detection for ad hoc Networks, Sixth IEEE Intl Symposium on a World of
Wireless Mobile and Multimedia Networks (WoWMoM'05), pp.374-380.
[7]
[8]
hoc Networks, Technical report, UM-CS-2001-037, University of Massachusetts.
[20] B. Dahill, B. N. Levine, E. M. Royer, C. Shields (August, 2001) A Secure
In Proceedings of the
J. Ross (2000) Fuzzy Logic with Engineering
Vaduvur Bharghavan, Alan Demers, Scott Shenker, and Lixia Zhang (August 1994) MACAW: A media access protocol for wireless LANs. In Proceedings of the SIGCOMM 94 Conference on Communications
Ioannidis, D. Duchamp, J. M. IP Based Protocols for Mobile Internetworking, ACM SIGCOMM Computer
and II, IEEE Trans. Syst., Man & Cybern., Vol. 20, pp. 404-435.
[35] Bing Wu, Jianmin Chen, Jie Wu, Mihaela Cardei, A Survey of Attacks and Countermeasures in Mobile Ad Hoc Networks, Department of Computer Science and Engineering, Florida Atlantic University.
[36] J. Lundberg, Routing Security in Ad hoc Networks, http://citeseer.nj.nec.com/400961.html.
[37] Neural Networks, Fuzzy Logic and Genetic Algorithms, synthesis and applications
by S. Rajasekaran and G.A.Vijayalakshmi Pai Prentice Hall of India Publications.
[38] Fuzzy Logic with Engineering Applications by Timothy J.Ross Mcgraw Hill, Inc.
[39] Andrew S. Tanenbaum, Computer Networks. Prentice Hall of India, Third
Edition.
APPENDIX A
Pseudo codes for calculating forward packet ratio for node j
1. Scan the traffic of immediate neighbors.
2. forwarded = 0; receive = 0; (for neighbor j)
3. do while packet transmission
4.    if (node j is neither source or destination && packet is CBR)
5.       if (action is s) then
            a. forwarded = forwarded + 1
            b. elseif (action is r) then
               receive = receive + 1
6.    end if
7.    next record
8. end while
9. forward packet ratio = forwarded/receive
10. end
Pseudo codes for calculating average destination sequence number for node j
1. Scan the traffic of immediate neighbors.
2. f_seqratio (average sequence number) = 0; f_count = -1; (for neighbor j)
3. do while packet transmission
4.    if (node j is neither source or destination && packet is RREP)
5.       if (f_count is -1) then
            a. f_seqratio = 0;
               f_lseqno = seqno (current sequence number);
               f_count = 0 (the first RREP only sets the baseline)
            b. else
               f_seqratio = ((f_count * f_seqratio) + (seqno - f_lseqno)) / ++f_count;
               f_lseqno = seqno;
6.    end if
7.    next record
8. end while
9. end
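The two calculations above, written as one Python function over ns-2 wireless trace lines. This is an added example, not code from the thesis: the function name, the regular expressions (an assumed old-format cmu-trace line layout, with an AODV RREP printed as `[0x4 hops [dst seq] lifetime] (REPLY)`) and the sample trace are assumptions constructed for illustration. It reads only RREPs sent by node j and returns None for the ratio when node j received nothing, which the pseudocode leaves undefined.

```python
import re

# Assumed ns-2 old-format wireless trace layout; not taken from the thesis.
LINE = re.compile(
    r"^(?P<ev>[srdf]) [\d.]+ _(?P<node>\d+)_ \S+\s+\S+ \d+ (?P<ptype>\S+) \d+ \[[^\]]*\] "
    r"-+ \[(?P<src>\d+):\d+ (?P<dst>\d+):\d+ \d+ \d+\](?P<rest>.*)$")
RREP = re.compile(r"\[0x4 \d+ \[(?P<rdst>\d+) (?P<seq>\d+)\] [\d.]+\] \(REPLY\)")

# Constructed sample: flow 0 -> 2, node 1 relays honestly, node 3 drops everything.
SAMPLE_TRACE = """\
s 9.4000 _1_ MAC --- 0 AODV 106 [13a 0 1 800] ------- [1:255 0:255 30 0] [0x4 1 [2 10] 10.000000] (REPLY)
s 9.5000 _3_ MAC --- 0 AODV 106 [13a 0 3 800] ------- [3:255 0:255 30 0] [0x4 1 [2 4000] 10.000000] (REPLY)
r 10.0010 _1_ MAC --- 1 cbr 584 [13a 1 0 800] ------- [0:0 2:0 30 1] [0] 1 0
s 10.0012 _1_ MAC --- 1 cbr 584 [13a 2 1 800] ------- [0:0 2:0 29 2] [0] 1 0
r 12.0010 _3_ MAC --- 2 cbr 584 [13a 3 0 800] ------- [0:0 2:0 30 3] [1] 1 0
s 14.4000 _1_ MAC --- 0 AODV 106 [13a 0 1 800] ------- [1:255 0:255 30 0] [0x4 1 [2 12] 10.000000] (REPLY)
s 14.5000 _3_ MAC --- 0 AODV 106 [13a 0 3 800] ------- [3:255 0:255 30 0] [0x4 1 [2 9000] 10.000000] (REPLY)
r 15.0010 _3_ MAC --- 3 cbr 584 [13a 3 0 800] ------- [0:0 2:0 30 3] [2] 1 0
s 19.5000 _3_ MAC --- 0 AODV 106 [13a 0 3 800] ------- [3:255 0:255 30 0] [0x4 1 [2 15000] 10.000000] (REPLY)
"""

def neighbor_stats(trace, j):
    """Return (forward packet ratio, average RREP sequence-number increase) for node j."""
    forwarded = received = 0
    f_count, f_seqratio, f_lseqno = -1, 0.0, 0
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m or int(m["node"]) != j:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        if m["ptype"] == "cbr" and j not in (src, dst):
            forwarded += m["ev"] == "s"
            received += m["ev"] == "r"
        elif m["ptype"] == "AODV" and m["ev"] == "s":
            rrep = RREP.search(m["rest"])
            # Assumed reading of "neither source or destination": skip RREPs
            # where j is the advertised route destination or the addressee.
            if not rrep or j in (int(rrep["rdst"]), dst):
                continue
            seqno = int(rrep["seq"])
            if f_count == -1:
                f_count = 0          # first RREP only sets the baseline
            else:
                f_seqratio = (f_count * f_seqratio + (seqno - f_lseqno)) / (f_count + 1)
                f_count += 1
            f_lseqno = seqno
    ratio = forwarded / received if received else None
    return ratio, f_seqratio
```

On the constructed trace, node 1 forwards what it receives and its advertised sequence number grows slowly, while node 3 forwards nothing and its sequence number jumps by thousands between replies; these are the two parameters the fuzzy system is fed.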
APPENDIX B
NS-2 Wireless Formats
This information comes from the ns Manual [12] "Mobile Networking in ns: Trace
Support" chapter, and the "trace/cmu-trace.cc" file. Wireless traces begin with one of
four characters followed by one of two different trace formats, depending on
whether the trace logs the X and Y coordinates of the mobile node.
Event: Wireless Event
Abbreviation: s: Send, r: Receive, d: Drop, f: Forward
Type           Value
double         Time
int            Node ID
double
double
string         Trace Name
string         Reason
int            Event Identifier
string         Packet Type
int            Packet Size
hexadecimal
hexadecimal
hexadecimal
hexadecimal
Some older versions of NS2 (such as 2.1b5) have five hexadecimal values between
the square braces. The first hexadecimal value is the MAC frame control
information, and the remaining hexadecimal values are the same as listed above.
Depending on the packet type, the trace may log additional information:
Event: ARP Trace
Type           Value
string         Request or Reply
Int
Int            Source Address
Int
Int            Destination Address

Type           Value
hexadecimal    Type
Int            Hop Count
Int            Broadcast ID
Int            Destination
Int
Int            Source
Int
hexadecimal    Type
Int            Hop Count
Int            Destination
Int
double         Lifetime
string
Int            Delta
Int            ID
hexadecimal    Type
Int            Destination
double         Tau
Int            Oid

Event: IP Trace
Type           Value
Int            Source IP Address
Int
Int            Destination IP Address
Int
Int            TTL Value
Int

Event: TCP Trace
Format: [%d %d] %d %d
Type           Value
Int            Sequence Number
Int            Acknowledgment Number
Int
Int

Event: CBR Trace
Format: [%d] %d %d
Type           Value
Int            Sequence Number
Int
Int