Proposed Methodology
Our Aim: To compare the effects of normal AODV, the Black Hole attack and the
Gray Hole attack in terms of Network Throughput, Average Packets Dropped and
End-to-End Delay in a MANET, and to measure the performance of the ad hoc network
as different network parameters are changed. We used NS-2 to simulate the Black
Hole and Gray Hole attacks, and then compared the results of the AODV routing
protocol with and without the Black Hole and Gray Hole attacks. We implemented a
security method in AODV as a countermeasure against the Black Hole and Gray Hole
attacks, and studied and compared the performance of the network before and
after introducing the detection method that minimizes the effect of the attacks.
Planned Work:
Realisation of AODV: This section deals with the implementation of our
scenarios by manipulating the AODV routing protocol; the performance metrics are
then evaluated for different parameter settings.
Realisation of Black Hole and Gray Hole Attack: In this module, the
implementation of the attacks in MANETs and their consequences are taken into
consideration.
Realisation of Security Method for Black Hole and Gray Hole Attack: In this
segment, a security method which will focus on minimizing the effect of Black Hole
Unicast Routing
The simplest routing over the Internet is static routing, in which the shortest route
in terms of number of hops is chosen and used throughout the connection. Dynamic
routing, in contrast, lets the network find an alternative route once it discovers that
a route is disconnected. This option is enabled in ns by adding the command
NS can also simulate noisy links, or links that become disconnected. To simulate a
disconnection of the link between nodes $n1 and $n4 from time 1 to 4.5, for example,
we should type
[Figure 3.1 (diagram not reproduced): topology with nodes 0, 1, 2, 4 and 5]
We now consider the network depicted in Figure 3.1. This has two alternative routes
between the source node 0 and the destination node 5.
The default static routing, used by ns, will choose the route 0-1-4-5 for setting
connections.
Multicast routing
There may be several multicast groups, and the groups may overlap. In IP multicast
a receiver must request membership in a multicast group, whereas a sender can send
without first joining a group. Senders receive no feedback from the network about
the receivers in IP multicast routing. Not all nodes in the network may be able to
handle multicast; in NS we can declare which nodes have multicast capabilities.
Multicast requires enhancements to the nodes and links of the network, so NS has
specific requirements of the simulator class before the topology is created.
We thus begin with the special command
Broadcast routing
Broadcast is the term used to describe communication where a piece of information
is sent from one point to all other points. In this case, there is just one sender, but the
information is sent to all connected receivers.
Broadcast transmission is supported on most LANs (e.g. Ethernet), and may be used
to send the same message to all computers on the LAN (e.g. the address resolution
protocol (arp) uses this to send an address resolution query to all computers on a
LAN). Network layer protocols (such as IPv4) also support a form of broadcast that
allows the same packet to be sent to every system in a logical network (in IPv4 this
consists of the IP network ID and an all 1's host number).
This destructive node advertises its availability of new routes without checking its
routing table. Thus the attacker node is always available to reply to a route
request, and thereby intercepts the data packets and retains them [10]. In a flooding
based protocol, the malicious node's reply is received by the requesting node before
the reply of the actual node, so a malicious, forged route is created.
The node will either drop all the packets or forward them to an unknown address, once
The malicious drop rate is defined by the ratio of dropped packet number and
received packet number. The malicious drop rate of a Black Hole is 100 %.
Adversary selectively drops only data packets, but still participates in the
routing protocol correctly.
The damage is directly related to the likelihood of an adversary being selected
as part of the route.
o Does not work when power control and multi-rate are used
o Also vulnerable to attacks from two consecutive colluding adversaries
The attacker disrupts the route between the victim nodes and a given destination, or
inserts itself into the route by suppressing the alternative routes. These nodes are
the Black Hole nodes. After receiving a RREQ message, an inside attacker immediately
sends a false RREP message carrying a modified, higher sequence number. The source
node assumes that a fresh route to the destination is available, ignores the RREP
packets from the other nodes, including the correct ones, and starts sending the
packets towards the malicious node. The malicious node thus attracts all routes
towards itself and does not forward the packets anywhere. This type of attack
occurs frequently and is hard to detect, so a detection technique is needed to
counter it. It is called a black hole attack because it swallows all the data.
A Gray Hole is a node that can switch between behaving correctly and behaving like a
Black Hole: it is actually an attacker but acts as a normal node, which makes the
attacker difficult to identify. Every node maintains a routing table that stores the next
In this type of attack, the attacker misleads the network by agreeing to forward
packets. It drops the packets as soon as it receives them from a neighbouring node.
This is an active attack in which the attacker node behaves normally at first and
replies with genuine RREP messages to the nodes that sent RREQ messages. Once it
starts receiving packets, it begins dropping them, thereby launching a
Denial-of-Service (DoS) attack. The malicious activity may vary.
A gray hole does not drop all the data packets but only part of them. The Gray
The main criterion for identifying a malicious node is the estimated percentage of
Average Packets Dropped, which is compared against a pre-established misbehaviour
threshold. Any node dropping more packets than this threshold is said to be
misbehaving; nodes whose percentage of dropped packets is below the threshold are
said to be behaving properly. In a Gray Hole attack, the nodes either drop packets
selectively (for example, dropping all UDP packets while forwarding TCP packets) or
drop packets in a statistical manner (for example, dropping 50 percent of the
packets, or dropping them according to a probability distribution). A Gray Hole may
be caused by a deliberately malicious node or by a damaged node interface. Hence, if
proper security measures are not taken to detect such attacks, the operation of the
network will be disrupted.
Mobile ad hoc networks need a routing protocol that is robust against both
dynamically changing topology and malicious attacks. Routing protocols for ad hoc
networks are still under research, and there is no single standard routing protocol.
We have decided to use the AODV (Ad hoc On-demand Distance Vector) routing
protocol. AODV is an on-demand algorithm, i.e. it builds routes between nodes only
when required, and maintains them only as long as the source nodes need them. It is
capable of unicast and multicast routing, supports multicast groups, and has been
noted to be scalable.
During the attack, the attacker first has to identify whether the incoming packets
are AODV packets. It then takes part in the routing process by sending RREQ
packets. In the invading step, the attacker advertises a sequence number higher
than those of the other nodes in the network, and thus induces the attack by
sending a fake reply to the nodes in the network.
To detect the Black Hole and Gray Hole nodes, we have adopted the following
procedure. The source node S occasionally checks all available routes to determine
whether all the messages sent are received correctly by the destination. The sender
broadcasts a “check” request message. For example, source node ‘S’ wants to send a
data packet to destination node ‘D’ and initiates the route discovery process.
Node ‘2’ is assumed to be a malicious node: it claims to have a route to the
destination whenever it receives route request packets, and immediately sends its
response to node ‘S’. If
In our work, we have simulated a malicious node that drops all the packets passing
through it. We created malicious nodes in the AODV protocol by modifying the
aodv.cc and aodv.h files.
In the aodv.h file we add “bool malicious” as follows. This variable records
whether the node is malicious or not.
/*
* History management
*/
bool malicious; // true once this node has been marked malicious
double PerHopTime(aodv_rt_entry *rt);
nsaddr_t index; // IP Address of this node
u_int32_t seqno; // Sequence Number
int bid; // Broadcast ID
aodv_rtable rthead; // routing table
aodv_ncache nbhead; // Neighbor Cache
aodv_bcache bihead; // Broadcast ID Cache
In aodv.cc we add the line “malicious = false;” to the constructor. This line is
needed because nodes are initially not malicious; a further line then defines which
node is malicious.
/*
Constructor
*/
index = id;
seqno = 2;
bid = 1;
malicious = false; // every node starts out well-behaved
LIST_INIT(&nbhead);
LIST_INIT(&bihead);
logtarget = 0;
ifqueue = 0;
}
Now we need to add the code that marks a node as malicious. We add the line
“malicious = true” to the command handler:
int
AODV::command(int argc, const char*const* argv) {
  if(argc == 2) {
    Tcl& tcl = Tcl::instance();
    if(strncasecmp(argv[1], "id", 2) == 0) {
      tcl.resultf("%d", index);
      return TCL_OK;
    }
    // New Tcl command "hacker": marks this routing agent as malicious.
    // It sits inside the argc == 2 branch so that argv[1] is known to exist.
    if(strcmp(argv[1], "hacker") == 0) {
      malicious = true;
      return TCL_OK;
    }
    // ... remainder of AODV::command() unchanged
Now we need to define what a malicious node should do. In this case we want the
malicious node to drop any packet it receives. We define this in the Route Handling
Functions.
/*
Route Handling Functions
*/
The following command in the simulation script defines node (5) as malicious, so
that it drops all the packets:
$ns at 0.0 "[$node_(5) set ragent_] hacker"
After modifying the aodv.cc and aodv.h files, we recompile and install the program
using the Makefile.
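The following stand-alone C++ model is an added example, not NS-2 source or the thesis's own code: it shows the forwarding decision that the malicious flag controls, covering the Black Hole case above (drop every data packet) and the Gray Hole variants described earlier (drop only UDP, or drop every N-th data packet as a deterministic stand-in for "dropping 50 percent"), and computes the malicious drop rate dropped/received together with the misbehaviour-threshold check. Class and function names are assumptions and the traffic mix is constructed.

```cpp
#include <cstddef>
#include <vector>

enum class Proto { TCP, UDP };

struct Packet {
    Proto proto;
    bool  isData;   // true for data; false for AODV control (RREQ/RREP/RERR)
};

// What the node does with data packets once its malicious flag is set.
// Normal forwards everything; BlackHole drops every data packet; the two
// GrayHole modes are the selective variants named on the page (drop only
// UDP, or drop every N-th data packet as a deterministic stand-in for the
// statistical "50 percent" case).
enum class Mode { Normal, BlackHole, GrayHoleUdpOnly, GrayHoleEveryNth };

class NodeModel {
public:
    explicit NodeModel(unsigned nth = 2) : nth_(nth) {}

    // Counterpart of the Tcl command `[$node set ragent_] hacker`:
    // the node becomes malicious in the chosen mode.
    void hacker(Mode m) { mode_ = m; }

    // Forwarding decision for one received packet; returns true if the
    // packet is forwarded. Control packets are always forwarded, because a
    // Gray Hole keeps taking part in route discovery correctly, which is
    // exactly what makes it hard to identify.
    bool handle(const Packet& p) {
        if (!p.isData) return true;
        ++received_;
        bool drop = false;
        switch (mode_) {
        case Mode::Normal:           break;
        case Mode::BlackHole:        drop = true; break;
        case Mode::GrayHoleUdpOnly:  drop = (p.proto == Proto::UDP); break;
        case Mode::GrayHoleEveryNth: drop = (received_ % nth_ == 0); break;
        }
        if (drop) ++dropped_;
        return !drop;
    }

    // Malicious drop rate as the page defines it: dropped / received (data).
    double dropRate() const {
        return received_ == 0 ? 0.0
                              : static_cast<double>(dropped_) / received_;
    }

private:
    Mode mode_ = Mode::Normal;
    unsigned nth_;
    std::size_t received_ = 0, dropped_ = 0;
};

// Constructed traffic: two control packets, then ten data packets that
// alternate UDP and TCP. Returns the node's drop rate for the given mode.
double dropRateFor(Mode m, unsigned nth = 2) {
    NodeModel node(nth);
    node.hacker(m);
    std::vector<Packet> traffic = {{Proto::UDP, false}, {Proto::TCP, false}};
    for (int i = 0; i < 10; ++i)
        traffic.push_back({i % 2 == 0 ? Proto::UDP : Proto::TCP, true});
    for (const Packet& p : traffic) node.handle(p);
    return node.dropRate();
}

// Identification rule from the page: a node whose drop rate exceeds the
// pre-established misbehaviour threshold is misbehaving.
bool misbehaving(double dropRate, double threshold) {
    return dropRate > threshold;
}
```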
The Objective
Our main objective is to find a quantitative, distributed and dynamic intrusion
detection solution for MANETs that involve mobile nodes in a non-cluster based
environment.
Nodes in MANETs that display erroneous or malevolent behavior are often termed
“malicious”. Here, we refer to all nodes displaying undefined or unexpected behavior
as “malicious nodes”. Hence our aim is to identify the nodes displaying malicious
behavior.
Selecting a Simulator
We used the NS2 simulator to carry out the various simulations, specifically
NS-2.35 under Debian Linux 4. We chose NS2 because it is simple to understand and
can implement various protocols, and because implementing the malicious node
behavior and the intrusion detection system, and integrating them with the existing
NS2 software, is easier.
To model cellular networks well, sophisticated simulation tools for the physical
radio channel are often needed, as well as simulation of the power control mechanism.
NS2 does not have an advanced physical layer module, although it contains some
simple modeling features for radio channels.
In ad hoc networks, in contrast, the routing protocols are central. NS2 allows the
main existing routing protocols to be simulated, as well as the transport protocols
and applications that use them. Moreover, it allows the MAC and link layers,
mobility, and some basic features of the physical layer to be taken into account.
The NS2 simulator can also be used to simulate classical queuing models. In the
simplest form of such models, the time between packet arrivals is random with some
general probability distribution, and the time it takes to transmit a packet is
random as well, determined by the transmission rate and the varying packet size.
There have been many approaches to intrusion detection in MANETs. The initial
classification is based on authentication based schemes. These rely on the
Node identities can be easily stolen but it is not easy to replicate the behavior.
Identity based behavior requires storage of identifier database and logic.
Each new node is given a unique identifier, which makes the process of
deployment more expensive.
We therefore base our intrusion detection system on behavior. This is a more
efficient, lightweight and easily scalable solution to intrusion detection in MANETs.
Intrusion detection systems based on behavior can be classified as follows:
Anomaly Detection
A baseline profile of normal system activity is created. Whenever there is a
deviation from the baseline, the system activity is treated as a possible intrusion.
The shortcomings of this approach are:
Anomalous activities that are not intrusive are flagged as intrusive (false
positives)
Intrusive activities that behave in a non-anomalous manner are not detected
(false negatives)
Anomaly detection may demand that the normal profile be periodically updated and
the deviations from it recomputed on the mobile devices. These periodic
calculations may impose a heavy load on resource constrained devices.
Compound Detection
This is an improvement over misuse and anomaly detection. A compound decision
based on the normal behavior of the system and the intrusive behavior of the intruder
is formed. Here, the detector operates by detecting the intrusion against the historical
normal traffic in the system. This gives better accuracy in detecting undefined
behavior. M. Alam, T. Li et al. in [16], proposed an IDS which uses a quantitative
method of anomaly definition based on transmission characteristics depending on
historical transmission behavior of the node. Though the above suggestion gives us a
non-centralized solution, it does not cater to the mobile nodes or MANETs.
Intrusion Detection
A secure ad hoc network requires the identification of nodes within the network
that have malicious behavior. This is done in two stages.
Each node calculates and maintains the DTQ for all its neighboring nodes. When
the DTQ value of a neighbor falls below the threshold value, that neighbor is
marked as a malicious node.
The process of malicious node recognition is shown by the flowchart in figure 5.1.
Here, for example, node A has detected that node B’s DTQ has fallen below the
threshold, so node A broadcasts a request for a vote on its suspicion. When the
nodes in the ad hoc network receive such a request, they check the DTQ values for
node B in their respective tables and, depending on the result, send a positive or
negative vote in reply. The votes received are summed by node A to decide the
status of node B.
Voting Details
Vote Arrival: The node initiating the vote keeps a count of the number of votes
received. For a particular vote request, it registers at most one vote from each
neighbor. After receiving votes from all the neighbors, the node decides for or
against the voted-upon node. Here, we take the total number of nodes less one as
the maximum expected neighbor count.
Vote Request Time-out: Ideally all the neighbors respond to a request. In MANETs,
however, packets are lost in transit and some nodes decide not to vote, so the vote
initiator cannot wait indefinitely. The vote-request time-out resolves this: it
starts as soon as the vote request is sent out. At the end of the time-out period,
the initiator aggregates all the votes it has received and makes a decision based
on the counts. Votes received after this time-out are ignored.
The Voters: All the nodes that receive a vote request attempt to vote. However, if
Acquitted: If a node is acquitted after the vote decision, it is treated as a usual node
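An added C++ model (not the thesis's code) of the two-stage recognition and the Vote Arrival and Vote Request Time-out rules above: the local DTQ threshold check, then an initiator that registers at most one vote per neighbour, ignores votes arriving after the time-out, and decides once all expected neighbours have voted. The strict-majority decision rule, the node names and the vote timings are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <set>
#include <vector>

using NodeId = char;   // node names as in the page's example: A suspects B

// A vote returned to the initiator about the suspect. `arrival` is the time
// in seconds after the vote request was broadcast.
struct Vote {
    NodeId voter;
    bool   suspicious;   // true: the voter's own DTQ for the suspect is below threshold
    double arrival;
};

struct Verdict {
    std::size_t forVotes = 0, againstVotes = 0;     // registered votes
    std::size_t lateIgnored = 0, duplicateIgnored = 0;
    bool malicious = false;
};

// Stage 1: each node compares its DTQ for a neighbour with the threshold and
// marks the neighbour as suspect when the value has fallen below it.
bool dtqBelowThreshold(double dtq, double threshold) { return dtq < threshold; }

// Stage 2: the initiator tallies the replies to its vote request. Rules from
// the page: votes arriving after the time-out are ignored, at most one vote
// per neighbour is registered, and the decision is taken once all expected
// neighbours (total nodes less one) have voted or the time-out expires.
// The decision itself, a strict majority of registered votes for
// "suspicious", is an assumption; the page only says the counts are used.
Verdict tallyVotes(std::vector<Vote> votes, double timeout,
                   std::size_t maxNeighbours) {
    std::sort(votes.begin(), votes.end(),
              [](const Vote& a, const Vote& b) { return a.arrival < b.arrival; });
    Verdict v;
    std::set<NodeId> seen;
    for (const Vote& vote : votes) {
        if (vote.arrival > timeout) { ++v.lateIgnored; continue; }
        if (!seen.insert(vote.voter).second) { ++v.duplicateIgnored; continue; }
        if (vote.suspicious) ++v.forVotes; else ++v.againstVotes;
        if (seen.size() == maxNeighbours) break;   // everyone expected has voted
    }
    v.malicious = v.forVotes > v.againstVotes;
    return v;
}

// Constructed replies to node A's request about node B (in arrival order).
std::vector<Vote> sampleVotes() {
    return {
        {'E', false, 0.1},
        {'C', true,  0.2},
        {'D', true,  0.3},
        {'D', true,  0.4},   // second vote from D: must not be registered
        {'G', true,  0.8},
        {'F', true,  1.5},   // arrives after a 1.0 s time-out
    };
}
```

With a 1.0 s time-out and six expected neighbours the sample yields three votes for and one against, so B is judged malicious; shortening the time-out to 0.25 s leaves a one-to-one tie and B is acquitted.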
Network Throughput
Throughput is a measure of how fast we can actually send data through the network.
The number of packets delivered to the receiver gives the throughput of the network.
It is the ratio of the total amount of data that reaches a receiver from a sender to
the time it takes for the receiver to get the last packet.
Throughput =
Where
= End to end delay
= Transmission delay
= Propagating delay
= Processing delay
∑
∑
Forward Percentage =
The losses are usually due to congestion on the network and buffer overflows on the
end-systems. A buffer is a portion of a computer’s memory that is set aside as a
temporary holding place for data that is being sent to or received from an external
device. A buffer overflow occurs any time more information is written into the
buffer than there is space allocated for it in the memory.
Reviewing black hole attacks: the authors in [17] revised the AODV routing protocol
to reduce the chances of a Black Hole Node grabbing routing paths. This method is
very useful against a black hole node located near a source node.
Another approach using AODV, proposed in [18], is that a source node does not
immediately send out a data packet upon receipt of the first Route Reply, but
waits to collect subsequent Route Replies from its neighbouring nodes. After
comparing all the route replies, the source node selects one from the neighbouring
nodes which has the same next hop as the other alternative routes, and begins to
send out the data packets.
The authors of [19] also proposed a revised AODV routing protocol, called PCBHA
(Prevention of a Co-operative Black Hole Attack), in order to prevent cooperative
A dynamic learning method was proposed in [20] to detect a black hole node. If the
change in a node's characteristics exceeds the threshold within a period of time,
the node is judged to be a Black Hole Node; otherwise the latest observation is
added to the data set for dynamic updating.
A general approach for detecting the black hole attack, based on the neighbourhood
to detect the interloper, was presented in [21], together with a routing recovery
protocol to set up a correct route to the true destination. This method introduced
the neighbour set of a node, consisting of all the nodes within its radio
transmission range. Two types of control packets share the neighbour set between
the different nodes; when two neighbour sets received at the same time differ, it
is presumed that they were generated by two different nodes. The disadvantage of
this scheme is that it requires a public key infrastructure, otherwise the
detection remains susceptible.
Another method for detecting the Gray Hole attack was proposed in [23]. Each
intrusion detection agent runs independently and detects intrusions from traces.
Only one-hop information is maintained at each node for each route. If the local
evidence is inconclusive, the neighbouring IDS agents cooperate to perform global
intrusion detection.
The Black and Gray Hole attack [24] will bring great damage to the performance of
The Intrusion Detection systems are broadly classified into five categories [25], [26].
a) Stand Alone Intrusion Detection System,
b) Distributive and Co-operative Intrusion Detection System,
c) Host Based Intrusion Detection System,
d) Network Based Intrusion Detection System, and
e) Hierarchical Intrusion Detection System.
A number of IDS techniques have been proposed in research literature. Cluster based
voting schemes have been proposed to enable sharing and vetting of messages, and
data, generated and gathered by IDS systems.
A distributed and collaborative anomaly-detection based IDS for ad hoc networks
that monitors the AODV routing behaviour was proposed in [14]; it uses distributed
network monitors to detect run-time violations of the specification.
A method for building confidence measures of root trust worthiness without a central
trust authority was presented in [27]. The authors also present a concise summary of
previous work of establishing trust in Adhoc networks.
In [28], a value was assigned to the “reputation” of a node and this information was
used to identify the misbehaving nodes. Co-operation was only with the nodes with
trusted reputation.
A trust-based mechanism was coupled with a mobile agent based intrusion detection
system in [29]; however, it does not discuss the security implications or overhead
These detectors operate by detecting the intrusion against the historical and normal
traffic in the system. Hence, these detectors have a greater accuracy in detecting
undefined behaviour. They would at the very least be able to qualify their decisions
better. In [30] IDS was proposed which uses a quantitative method of anomaly
definition based on transmission characteristics, but factors in historical transmission
behaviour of the node.
A collaborative method for black hole attack prevention was proposed in [32]. An
architecture to deal with collusion amongst nodes was designed using a watchdog
method. The algorithm classified the nodes in a network into three types: trusted,
watchdog and ordinary nodes. Each chosen watchdog observes its ordinary node
neighbours and decides whether they can be treated as trusted or malicious.
An aggregate signature algorithm to trace packet dropping nodes was proposed [33].
This consisted of three related algorithms.
(a) The creating proof algorithm
(b) The check-up algorithm
(c) The diagnosis algorithm
A novel intrusion detection and response system has been proposed [35], which was
known as Router-guard. This worked mainly on the concept of monitoring and node
cooperation and successfully detected malicious mobile nodes and protected the
system.
In [36] a “Cross Layer Based Intrusion Detection System” (CIDS) has been
proposed for Adhoc networks. The trace file patterns were analysed to detect the
intruders. The network efficiency was increased as it could communicate data
securely from the source to the destination.
Probes disguised as normal packets were used to detect malicious nodes in [37]. A
centralised authority that receives reports on the statistics of various IP flows
was used in [38]. However, these techniques could not distinguish between the
causes of packet loss.
Reputation based systems are a new paradigm for enhancing security. These systems
are easy to use and can face a variety of attacks. They do not rely on the
conventional use of a common secret to establish confidential and secure
communication between two parties; instead they are based on observations and are
used to decide whom to trust and to encourage trustworthy behaviour. In [39]
three goals for reputation systems were identified:
a. Isolate untrustworthy principals from trustworthy principals.
b. Persuade the principals to behave in a trustworthy manner.
c. Prevent the untrustworthy principals from participating in the reputation
mechanism.
Most of the proposed methods for Intrusion Detection and Malicious Node Detection