
Performance Study of An Ad hoc Network

under Malicious Node Attack


3. The Problem Statement
The performance and use of wireless technologies has increased tremendously,
opening up avenues for application in less explored areas. MANET is one
important field of concern, in which mobile nodes organize themselves into a
network without the help of any predefined infrastructure. Securing MANETs is an
important part of deploying and utilizing them, since MANETs are used in critical
applications where data and communication integrity is important. Existing solutions
for wireless networks can be used to obtain a certain level of such security.
Nevertheless, these solutions may not always be sufficient, as ad hoc networks have
their own vulnerabilities which cannot be addressed by these solutions. To obtain an
acceptable level of security in such a context, the security solution should be coupled
with an intrusion detection mechanism. A quantitative method is proposed to detect
intrusion in MANETs with mobile nodes. This is a behavioural anomaly based
system, which makes it dynamic, scalable, configurable and robust. We have used
the Ad hoc On-demand Distance Vector (AODV) routing protocol to verify our
method by running simulations with mobile nodes. We have observed that by using
this method we can achieve a high malicious node detection rate and a low false
positive detection rate.

Designing an intrusion detection system for mobile ad hoc networks is very
challenging. The very nature of a wireless network, i.e. the lack of fixed
infrastructure, makes it difficult to collect audit data for the network. The limited
resources of the wireless network are vital parameters that need to be considered
while designing the IDS framework. Sometimes it is very difficult to differentiate
between false alarms and true positives.

Our objective is to design an efficient mechanism for an intrusion detection system
in the mobile ad hoc environment. We have divided the problem into the following
major issues.

Deptt. of ECE, NERIST Page 53

• Statistical security features required to be considered while designing the
detection engines.
• The designed intrusion detection system should have low overhead for the
system.
• After the intrusion detection system is designed, its performance is to be
evaluated and the proposed work validated.

Proposed Methodology
• Our Aim: To compare the effects of normal AODV, the Black Hole Attack and the
Gray Hole Attack in terms of Network Throughput, Average Packets Dropped and
End-to-End Delay in a MANET, and to find the performance of the ad hoc network
under different network parameters. We have used NS-2 to simulate the Black Hole
and Gray Hole attacks. Then we compared the results of the AODV routing protocol
with and without Black Hole and Gray Hole Attacks. We implemented a security
method, using AODV, as a countermeasure against the Black Hole and Gray Hole
attacks. Thus, we studied and compared the performance of the network before and
after introducing the detection method to minimize the effect of the attacks.

• Planned Work:
• Realisation of AODV: This section mainly deals with the implementation of
our scenarios by manipulating the AODV routing protocol; performance metrics
are evaluated based on different parameters.
• Realisation of Black Hole and Gray Hole Attack: In this module, the
implementation of the attacks in MANETs and their consequences are taken into
consideration.
• Realisation of Security Method for Black Hole and Gray Hole Attack: In this
segment, a security method which focuses on minimizing the effect of Black Hole
and Gray Hole Attacks in a MANET and provides safety to the ad hoc network is
proposed.
• To evaluate the performance of the MANET Intrusion Detection System and
validate the work.

3.1. The AODV Communication Mechanisms


AODV is an ad hoc IP routing protocol that supports unicast, broadcast and
multicast. The routing decisions are made using distance vectors. The multicast
operation of the protocol enables nodes that are not part of any multicast group to
participate in forwarding the data and signal packets.

Unicast Routing
The simplest routing is static routing, in which the shortest route in terms of number
of hops is chosen for the whole duration of the connection. In contrast to static
routing, dynamic routing can find an alternative route once it discovers that a route
is disconnected. This option is used in ns by adding the command

$ns rtproto AODV

NS can simulate noisy links or even links that become disconnected. To simulate a
disconnection of the link between nodes $n1 and $n4 from time 1 to 4.5, for example,
we should type

$ns rtmodel-at 1.0 down $n1 $n4
$ns rtmodel-at 4.5 up $n1 $n4

Figure 3.1: A routing example

We now consider the network depicted in Figure 3.1. It has two alternative routes
between the source node 0 and the destination node 5. The default static routing
used by ns will choose the route 0-1-4-5 for setting up connections.

Multicast routing
There may be several multicast groups of members, and the groups may overlap in
multicasting. In IP multicast, a receiver must request membership in a multicast
group, whereas a sender can send without first joining a group. Senders do not
receive feedback from the network about the receivers in IP multicast routing. Not
all nodes in the network may be able to handle multicast; in NS we can declare the
nodes with multicast capabilities.

Multicast requires enhancements to the nodes and links of the network, so NS has
specific requirements for the simulator object before the topology is created. We
thus begin with the special commands

set ns [new Simulator]
$ns multicast

A source stops sending packets entirely if there are no connected receivers in that
group; it resumes sending packets when a receiver connects.

An example of a multicast configuration with a six-node network is depicted in
Figure 3.2.

Figure 3.2: A multicast routing example

Broadcast routing
Broadcast is the term used to describe communication where a piece of information
is sent from one point to all other points. In this case, there is just one sender, but the
information is sent to all connected receivers.

Broadcast transmission is supported on most LANs (e.g. Ethernet), and may be used
to send the same message to all computers on the LAN (e.g. the address resolution
protocol (arp) uses this to send an address resolution query to all computers on a
LAN). Network layer protocols (such as IPv4) also support a form of broadcast that
allows the same packet to be sent to every system in a logical network (in IPv4 this
consists of the IP network ID and an all 1's host number).

The Broadcast Storm

• A MANET consists of a set of Mobile Hosts (MHs) that may communicate with one
another from time to time
• No base stations are present
• Each host uses CSMA/CA for medium access
• Transmission of a message to all other MHs is required
• The broadcast is spontaneous
• Due to Mobile Host mobility and lack of synchronization, any kind of global
topology knowledge is prohibitive
• Little or no local information may be collected in advance
• The broadcast is frequently unreliable
• An acknowledgement mechanism is rarely used
• Distribute a broadcast message to as many Mobile Hosts as possible without
putting in too much effort
• A Mobile Host may miss a broadcast message because it is off-line, it is
temporarily isolated from the network, or it experiences repetitive collisions
• Broadcast
o Acknowledgements may cause serious medium contention
o In many applications 100% reliable broadcast is unnecessary
o A Mobile Host can detect duplicate broadcast messages
o If flooding is used blindly, many redundant messages will be sent and serious
contention/collision will be incurred
• Redundant rebroadcasts
o When a Mobile Host decides to rebroadcast, all its neighbors may already
have the message
• Contention
o Transmissions from neighbors may severely contend with each other
• Collision
o Due to the absence of collision detection, collisions are more likely to occur
and cause more damage

Example (simple flooding): see Figure 3.3.

Figure 3.3: A simple flooding example

3.2. Implementing attacks on the AODV routing Protocol

• Black Hole Attack
MANETs face various security threats, among them attacks in which traffic is
redirected to a node that does not actually exist in the network. A Black Hole attack
disturbs the routing protocol by misleading other nodes about the routing
information. In a Black Hole attack a malicious node uses the routing protocol in
order to advertise itself as having the shortest path to the destination node, or to the
packets it wants to intercept.

This destructive node advertises the availability of new routes without checking its
routing table. Thus the attacker node is always able to reply to a route request, and
thereby intercepts and retains the data packets [10]. In a flooding based protocol,
the malicious node's reply will be received by the requesting node before the reply
of the actual node. Hence a malicious, forged route is created. Once this route is
established, the node will either drop all the packets or forward them to an unknown
address [11].

The malicious drop rate is defined as the ratio of the number of dropped packets to
the number of received packets. The malicious drop rate of a Black Hole is 100 %.

The Black Hole attack has two properties:

• The node exploits the mobile ad hoc routing protocol, such as AODV, to
intercept packets. It shows a valid route to a target node, even though the route is
false.
• The attacker consumes the intercepted packets without forwarding them.
However, there is a risk that a neighbouring node may detect and report the
ongoing attack. Alternatively, an attacker may suppress or modify packets
originating from some nodes, leaving the data from the other nodes unchanged. This
limits the suspicion of its wrongdoing.

• The adversary selectively drops only data packets, but still participates in the
routing protocol correctly.
• The damage is directly related to the likelihood of the adversary being selected
as part of the route.

• Black Hole Attack Mitigation

o A node can overhear its neighboring nodes forwarding packets to other
destinations
o Local monitoring can detect:
o Packet forging: an outgoing packet that has no corresponding incoming packet
o Packet modification: a difference between the incoming and outgoing packet
fields
o Intentional packet delay: a packet was forwarded after a threshold time
instead of immediately
o Average Packets Dropped: packets were not forwarded within a maximum
acceptable timeout threshold.
o Missed detection: in Figure 3.3, a malicious event goes undetected at guard G
because:
  o A collision occurs at G when the malicious node S transmits
o False detection: a normal event is classified by a guard G as a malicious
event because:
  o A collision occurs at G when the sender S transmits a packet
  o A collision occurs at G when the monitored node D forwards the packet
o Local monitoring does not work when power control and multi-rate
transmission are used
o It is also vulnerable to attacks from two consecutive colluding adversaries

• Secure Data Transmission (SDT)

o Uses end-to-end acknowledgements from the destination
o Disseminates a packet across several node-disjoint paths
o Good for well connected networks
o Bad for sparsely connected networks
o Protection of node-disjoint path discovery is not fully achieved against
colluding adversaries
o Also vulnerable to flood rushing attacks

When a node requires a route to a destination, it initiates a route discovery process
within the network. The intruder sends fake RREP packets. An inside attacker may
forge an RREP message as a fresh route to the destination node after receiving an
RREQ message in AODV routing. The attacker forges the fake RREP message by
increasing the destination sequence number. This is to suppress the other RREP
messages that the source node may receive from the other nodes.

The attacker disrupts the route between the victim nodes and a given destination, or
inserts itself between them by suppressing the alternative routes. These nodes are the
Black Hole nodes. After receiving an RREQ message from a node, an inside attacker
will instantly send a false RREP message with a modified, high sequence number.
The source node will assume that a new route is available towards the destination.
The source node ignores the RREP packets from the other nodes, including the
correct nodes, so it automatically denies the other nodes and starts sending the
packets towards the malicious node. The malicious node thus draws all the routes
towards itself and does not forward the packets anywhere. This type of attack occurs
frequently and is hard to detect, so a detection technique is needed to counter it.
It is called a black hole attack because it swallows all the data.
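As an added example (not code from the thesis or from NS-2), the following C++ models the route-update rule an AODV source applies to incoming RREPs, shows that a forged reply with an inflated destination sequence number wins regardless of hop count, and adds a defender-side plausibility check on the size of the sequence-number jump. The reply values, the node labels and the names seqnoSuspicious and max_jump are constructed for illustration and are not the thesis's method.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// A route reply as seen by the source (only the fields that matter here).
struct Rrep {
    std::string from;       // neighbour that delivered the reply
    uint32_t dest_seqno;    // destination sequence number carried in the RREP
    uint8_t hop_count;      // hop count to the destination claimed by the reply
};

// The source's routing-table entry for the destination.
struct RouteEntry {
    std::string next_hop;
    uint32_t dest_seqno = 0;
    uint8_t hop_count = 255;
    bool valid = false;
};

// Sequence numbers compare as signed 32-bit differences so that wrap-around
// is handled, which is the convention AODV uses.
bool seqnoNewer(uint32_t a, uint32_t b) {
    return static_cast<int32_t>(a - b) > 0;
}

// AODV's route update rule: take the reply if no route exists, if its
// sequence number is fresher, or if it is equally fresh with fewer hops.
bool rrepWins(const RouteEntry& rt, const Rrep& r) {
    if (!rt.valid) return true;
    if (seqnoNewer(r.dest_seqno, rt.dest_seqno)) return true;
    return r.dest_seqno == rt.dest_seqno && r.hop_count < rt.hop_count;
}

// Apply the replies in the order they arrive and return the resulting route.
RouteEntry selectRoute(const std::vector<Rrep>& replies) {
    RouteEntry rt;
    for (const Rrep& r : replies) {
        if (rrepWins(rt, r)) {
            rt.next_hop = r.from;
            rt.dest_seqno = r.dest_seqno;
            rt.hop_count = r.hop_count;
            rt.valid = true;
        }
    }
    return rt;
}

// Defender-side plausibility check (an assumed heuristic, not the thesis's
// method): a reply whose sequence number lies more than max_jump beyond the
// last value the source itself knew for this destination is flagged. A genuine
// destination also advances its number, so max_jump must be tuned against the
// false-positive rate.
bool seqnoSuspicious(uint32_t last_known, const Rrep& r, uint32_t max_jump) {
    return seqnoNewer(r.dest_seqno, last_known + max_jump);
}

// Same selection, but replies that fail the plausibility check are discarded.
RouteEntry selectRouteFiltered(const std::vector<Rrep>& replies,
                               uint32_t last_known, uint32_t max_jump) {
    std::vector<Rrep> accepted;
    for (const Rrep& r : replies)
        if (!seqnoSuspicious(last_known, r, max_jump)) accepted.push_back(r);
    return selectRoute(accepted);
}

// Constructed replies for the scenario in the text: malicious node 2 answers
// first with an inflated sequence number; honest nodes 1 and 3 answer later.
std::vector<Rrep> constructedReplies(bool with_attacker) {
    std::vector<Rrep> replies;
    if (with_attacker) replies.push_back({"2", 1000, 1});  // forged: huge seqno, one hop
    replies.push_back({"1", 12, 2});                       // genuine route via node 1
    replies.push_back({"3", 12, 3});                       // genuine but longer route
    return replies;
}

int main() {
    const uint32_t last_known = 10;  // what S last saw for D (constructed)
    RouteEntry naive = selectRoute(constructedReplies(true));
    RouteEntry checked = selectRouteFiltered(constructedReplies(true), last_known, 50);
    std::printf("plain AODV picks next hop %s (seqno %u)\n",
                naive.next_hop.c_str(), (unsigned)naive.dest_seqno);
    std::printf("with plausibility check: next hop %s (seqno %u, %u hops)\n",
                checked.next_hop.c_str(), (unsigned)checked.dest_seqno,
                (unsigned)checked.hop_count);
    return 0;
}
```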

• Gray Hole Attack

A variation of the Black Hole Attack is the Gray Hole Attack, in which the nodes
drop packets selectively. This selective forwarding attack is of two types:
• Dropping all the UDP packets and forwarding the TCP packets.
• Dropping 50% of the packets, or dropping them with a probabilistic
distribution. These are attacks that seek to disrupt the network without being
detected by the security system.

A Gray Hole is a node that can switch between behaving correctly and behaving like
a Black Hole; it is actually an attacker, but it acts as a normal node, so it is difficult
to identify the attacker easily. Every node maintains a routing table that stores the
next hop node information used to route a packet to the destination node. If a source
node needs to route a packet to the destination node, it uses a specific route, whose
availability is checked in the routing table. If a node initiates a route discovery
process by broadcasting a Route Request (RREQ) message to its neighbors, the
intermediate nodes update their routing tables with the reverse route to the source on
receiving the route request message. A Route Reply (RREP) message is sent back to
the source node when the RREQ query reaches either the destination node or any
other node which has a current route to the destination. The Gray Hole Attack has
two phases.
• A malicious node exploits the AODV protocol to advertise itself as having a
valid route to the destination node, with the intention of intercepting packets on the
spurious route.
• The node drops the intercepted packets with a certain probability, which makes
the detection of Gray Hole attacks a difficult process. Normally, in Gray Hole
attacks, the attacker behaves maliciously for a time, until the packets are dropped,
and then switches back to normal behavior [12]. The normal nodes and the attacker
then look the same. Due to this behavior it is very difficult to figure out such attacks
in the network. The other popular name of the Gray Hole attack is the misbehaving
attack [13].

In this type of attack, the attacker misleads the network by agreeing to forward the
packets in the network. The attacker drops the packets as soon as it receives them
from the neighbouring node. This is an active attack, where the attacker node
behaves normally in the beginning and replies with true RREP messages to the
nodes that have sent RREQ messages. Once it receives the packets, it starts dropping
them and thereby launches a Denial-of-Service (DoS) attack. The malicious activity
may vary.

A gray hole does not drop all the data packets but just part of them. The Gray
Magnitude is defined as the percentage of the packets which are maliciously dropped
by an attacker. For example, a Gray Hole with a gray magnitude of 60 percent will
drop a data packet with a probability of 60 percent.

The main criterion for identification of a malicious node is the estimated percentage
of Average Packets Dropped, which is compared against a pre-established
misbehaviour threshold. Any node dropping more packets than this threshold is
said to be misbehaving. Those nodes whose percentage of dropped packets is
below the threshold are said to be behaving properly. In a Gray Hole attack, the
nodes either drop packets selectively, for example dropping all UDP packets while
forwarding TCP packets, or drop packets in a statistical manner, for example
dropping 50 percent of the packets or dropping them with a probabilistic distribution.
A Gray Hole attack may be caused by a deliberately malicious node or by a damaged
node interface. Hence, if proper security measures are not taken to detect such
attacks, the operation of the network will be disrupted.
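The threshold rule above, together with the per-neighbour acknowledgement counting described later under Intrusion Detection, as an added C++ example (not the thesis's NS-2 code): a monitor records the packets handed to each neighbour and the acknowledgements that return, computes the drop percentage, and flags neighbours above the misbehaviour threshold. The names DropMonitor and grayHoleDrops and the node labels are constructed, and a deterministic drop pattern stands in for the probabilistic gray magnitude so the result is reproducible.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Deterministic stand-in for "drop each packet with probability m percent":
// packet i is dropped when (i*m) mod 100 < m, which drops exactly m of every
// 100 packets. m = 100 is a Black Hole, m = 0 is an honest forwarder.
bool grayHoleDrops(int packet_index, int magnitude_percent) {
    return (packet_index * magnitude_percent) % 100 < magnitude_percent;
}

// Per-neighbour record kept by a monitoring node: packets handed to the
// neighbour for forwarding, and acknowledgements that came back for them.
struct NeighbourStats {
    int sent = 0;
    int acked = 0;
    double dropPercent() const {
        return sent == 0 ? 0.0 : 100.0 * (sent - acked) / sent;
    }
};

class DropMonitor {
public:
    explicit DropMonitor(double threshold_percent) : threshold_(threshold_percent) {}
    void recordSent(const std::string& nb) { stats_[nb].sent++; }
    void recordAck(const std::string& nb) { stats_[nb].acked++; }
    double dropPercent(const std::string& nb) const {
        auto it = stats_.find(nb);
        return it == stats_.end() ? 0.0 : it->second.dropPercent();
    }
    // Rule from the text: strictly more drops than the threshold is misbehaviour.
    bool isMisbehaving(const std::string& nb) const {
        return dropPercent(nb) > threshold_;
    }
    std::vector<std::string> suspects() const {
        std::vector<std::string> out;
        for (const auto& kv : stats_)
            if (kv.second.dropPercent() > threshold_) out.push_back(kv.first);
        return out;
    }
private:
    double threshold_;
    std::map<std::string, NeighbourStats> stats_;
};

// Constructed scenario: S hands n packets to each of the neighbours 1, 2 and 4.
// Node 2 is the Gray Hole with the given magnitude; 1 and 4 forward everything.
DropMonitor runScenario(int n, int gray_magnitude, double threshold_percent) {
    DropMonitor mon(threshold_percent);
    const std::map<std::string, int> magnitude = {{"1", 0}, {"2", gray_magnitude}, {"4", 0}};
    for (const auto& kv : magnitude) {
        for (int i = 0; i < n; ++i) {
            mon.recordSent(kv.first);
            if (!grayHoleDrops(i, kv.second)) mon.recordAck(kv.first);  // ack only if forwarded
        }
    }
    return mon;
}

int main() {
    // A 60 percent Gray Hole against a 50 percent threshold.
    DropMonitor mon = runScenario(100, 60, 50.0);
    const std::vector<std::string> nodes = {"1", "2", "4"};
    for (const std::string& nb : nodes)
        std::printf("node %s: %.0f%% dropped, misbehaving=%d\n",
                    nb.c_str(), mon.dropPercent(nb), (int)mon.isMisbehaving(nb));
    return 0;
}
```

A Gray Hole whose magnitude stays under the threshold (for example 20 percent against 50) is not flagged by this rule, which is the detection gap the text describes.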

Mobile ad hoc networks need a routing protocol that is robust against both a
dynamically changing topology and malicious attacks. Routing protocols for ad hoc
networks are still under research, and there is no single standard routing protocol.
We have decided to use the AODV (Ad hoc On-demand Distance Vector) routing
protocol. AODV is an on-demand algorithm, i.e. it builds routes between nodes only
as desired, and maintains them as long as they are needed by the source nodes. It is
capable of unicast and multicast routing, supports multicast groups, and has been
noted to be scalable.

• Proposed Framework for Black Hole and Gray Hole Attack

Both the Black Hole and the Gray Hole attack involve dropping packets. A Black
Hole attack drops all received packets intended for forwarding, whereas a Gray Hole
attack drops packets at certain frequencies. Both attacks consist of two steps:
• Attracting step, where the node attracts other nodes by sending false
information in the communication.
• Invading step, where the node invades the communication process and drops
the packets.

During the attack, the attacker has to identify whether the incoming packets are
AODV packets. Then the attacker determines the route and selects the routing
process by sending RREQ packets. First, the attacker takes part in routing by
sending RREQ packets. During the invading step, the attacker starts increasing its
sequence number compared to the other nodes in the network. Thus it induces the
attack by sending a fake reply to the nodes in the network.

• Implementation of Black Hole and Gray Hole Attack

The node which has to exhibit Black Hole or Gray Hole behaviour will have to follow
a new protocol. As the simulation is carried out with AODV, we preferred to
simulate Black Hole and Gray Hole behaviour in AODV. The simulation is carried
out in NS-2.35 over Debian Linux. We installed NS-2.35, duplicated the AODV
protocol directory and renamed the copies BlackHoleAodv and GrayHoleAodv.
After modification, each new directory is added to NS to function as a Black Hole or
Gray Hole AODV routing protocol. All the file names containing aodv are renamed
to BlackHoleAodv and GrayHoleAodv respectively in the directory, except for the
file aodv_packet.h. This is important because in the simulation, the sources running
AODV, Black Hole AODV and Gray Hole AODV must send the same AODV packets
to all the receivers. All the subroutines, classes, functions, variables, constants and
structures named aodv are changed to BlackHoleAodv and GrayHoleAodv. A few
more NS files are modified, such as ns-lib.tcl and the Makefile. The newly compiled
NS program functioned well with the new routing protocols, called Black Hole Aodv
and Gray Hole Aodv respectively.

The performance of the newly implemented Black Hole AODV and Gray Hole AODV
protocols is compared with that of the existing AODV routing protocol to study the
behaviour of the network under these attacks.

• Detection of Black Hole and Gray Hole Attack

Figure 3.4: A Black Hole/Gray Hole Attack

In the above Figure:

• S : Source
• D : Destination
• 1 : Node 1
• 3 : Node 3
• 4 : Node 4
• 2 : Malicious Node

To detect the Black Hole and Gray Hole nodes, we have adopted the following
procedure. The source node S occasionally checks through all available routes to
determine whether all the messages sent are received correctly by the destination.
The sender broadcasts a "check" request message. For example, source node 'S'
wants to send data packets to destination node 'D', and initiates the route discovery
process. Node '2' is assumed to be a malicious node. It claims that it has a route to
the destination whenever it receives route request packets, and immediately sends
the response to node 'S'. If the response from node '2' reaches node 'S' first, then
node 'S' thinks that the route discovery is complete. Thus, it ignores all other reply
messages and begins to send data packets to Node '2'; as a result, all the packets
through the malicious Node '2' are consumed or lost. In a Black Hole attack all the
packets are dropped, whereas in a Gray Hole attack the node refuses to forward
certain packets and simply drops them. Thus the attacker either drops all packets or
selectively drops the packets originating from a single IP address or a range of IP
addresses. Black Hole nodes and Gray Hole nodes are very effective in MANETs.
The simulation results show the effectiveness and efficiency of the mechanism.

In our work, we have simulated a malicious node that drops all the packets which
pass through it. We have created malicious nodes in the AODV protocol by
modifying the aodv.cc and aodv.h files.

In the aodv.h file we add "bool malicious" to the class as follows. This variable is
used to define whether the node is malicious or not.

/*
 * History management
 */
bool malicious;                       // true if this node behaves as a Black Hole
double PerHopTime(aodv_rt_entry *rt);
nsaddr_t index;                       // IP Address of this node
u_int32_t seqno;                      // Sequence Number
int bid;                              // Broadcast ID
aodv_rtable rthead;                   // routing table
aodv_ncache nbhead;                   // Neighbor Cache
aodv_bcache bihead;                   // Broadcast ID Cache

In aodv.cc we add the line "malicious = false;" to the constructor. Initially nodes
are not malicious, and this default is needed so that only the nodes we mark later are
treated as malicious.

/*
 * Constructor
 */
AODV::AODV(nsaddr_t id) : Agent(PT_AODV),
  btimer(this), htimer(this), ntimer(this),
  rtimer(this), lrtimer(this), rqueue() {

  index = id;
  seqno = 2;
  bid = 1;
  malicious = false;   // every node starts out honest
  LIST_INIT(&nbhead);
  LIST_INIT(&bihead);
  logtarget = 0;
  ifqueue = 0;
}
Now we need to add the code that marks a node as malicious. In the command()
handler we add the line "malicious = true", triggered by a new "hacker" command.

int
AODV::command(int argc, const char*const* argv) {
  // "hacker" marks this node as malicious; it is checked before the usual
  // argc dispatch so that it is handled regardless of the argument count
  if(strcmp(argv[1], "hacker") == 0) {
    malicious = true;
    return TCL_OK;
  }
  if(argc == 2) {
    Tcl& tcl = Tcl::instance();

    if(strncasecmp(argv[1], "id", 2) == 0) {
      tcl.resultf("%d", index);
      return TCL_OK;
    }
    // ... the remaining argc == 2 commands of the original aodv.cc follow unchanged
  }
  // ... the rest of the original command() follows unchanged
}

Now we need to define what a malicious node should do. In this case we want the
malicious node to drop any packet that it receives. We define this in the Route
Handling Functions.

/*
 * Route Handling Functions
 */
void
AODV::rt_resolve(Packet *p) {
  struct hdr_cmn *ch = HDR_CMN(p);
  struct hdr_ip *ih = HDR_IP(p);
  aodv_rt_entry *rt;

  // if I am a malicious node, drop every packet instead of routing it
  if (malicious == true) {
    // DROP_RTR_ROUTE_LOOP is used only as an arbitrary drop reason for the trace
    drop(p, DROP_RTR_ROUTE_LOOP);
    return;   // drop() frees the packet; it must not be used after this point
  }
  // ... the normal route resolution of the original aodv.cc follows unchanged
}

In our TCL file we define the malicious node with the following command:

$ns at 0.0 "[$node_(5) set ragent_] hacker"

This command defines node 5 to be malicious, so that it drops all the packets.

After the modifications in the aodv.cc and aodv.h file, we recompile and install the
program using Makefile.

3.3. Research Approach


The proposed solution is based on a quantitative intrusion detection technique [16].
This technique is applied to a MANET with mobile nodes.

• The Objective
Our main objective is to find a quantitative, distributed and dynamic intrusion
detection solution for MANETs that involve mobile nodes in a non-cluster based
environment.

Besides, we developed a simulation for mobile networks which includes

o Implementation of the AODV routing protocol
o Simulation of the mobile nodes while varying different network parameters
o Introduction of malicious nodes into a network
o A comparative study of the data obtained from the trace files
o Efficiency of the network in terms of throughput, average packets dropped
and latency, before and after the implementation of the IDS
o Finally, a conclusion on an optimal solution in terms of space, group size, and
speed of the malicious and non-malicious nodes in the network.

• Specific Needs and Challenges

We break our research problem definition down into further detail to assist us in
proposing a solution. This solution will address each of the challenges or problems
faced in creating an Intrusion Detection System.

Nodes in MANETs that display erroneous or malevolent behavior are often termed
"malicious". Here, we refer to all nodes displaying undefined or unexpected behavior
as "malicious nodes". Hence our aim is to identify the nodes displaying malicious
behavior.

Nodes moving in uncontrolled environments with relatively poor physical protection
have a non-negligible probability of being compromised. The network faces threats
of attacks from the outside world as well as from compromised nodes within the
network. Therefore, we need to find out whether our solution is time continuous
or not.

• Selecting a Simulator
We have used the NS2 simulator for carrying out the various simulations. We used
NS-2.35 under Debian Linux 4. The reason for choosing NS2 is that it is simple to
understand and can implement various protocols. The implementation of the
malicious node behavior and of the Intrusion Detection System, and their integration
with the existing NS2 software, is easier.

In cellular networks, the wireless part is restricted to the access to the network,
and within the network classical routing protocols can be used. Ad hoc networks, in
contrast, rely on special routing protocols that have to be adapted to frequent
topology changes.

To model cellular networks well, sophisticated simulation tools for the physical
radio channel are often needed, as well as simulation of the power control
mechanism. NS2 does not have an advanced physical layer module, although it
contains some simple modeling features for radio channels.

In ad hoc networks, in contrast, the routing protocols are central; NS2 allows us to
simulate the main existing routing protocols as well as the transport protocols and
applications that use them. Moreover, it allows the MAC and link layer, mobility,
and some basic features of the physical layer to be taken into account.

The NS2 simulator can be used to simulate classical queuing models. In the simplest
form of classical models, the time between packet arrivals is random and has some
general probability distribution. The time it takes to transmit a packet is random as
well, following some other distribution determined by the transmission rate and the
varying size of the packets.

• The Intrusion Detection System (IDS)

Intrusion detection is an activity that determines whether a process or user is
attempting something unexpected. It works, as defined, by examining activity on a
specific machine or network and deciding whether the activity is normal or
suspicious. It can either compare current activity to known attack patterns or simply
raise an alarm condition when specific measurements exceed preset values.

There have been many approaches to intrusion detection in MANETs. The first
class is based on authentication based schemes. These rely on the identification of
nodes by a unique identifier. The use of encryption keys falls into this category, and
such schemes have been studied in depth. The second approach is behaviour based,
where intrusion is defined based on a node's activities rather than its identifier. This
is a better approach for the following reasons.

• Node identities can be easily stolen, but it is not easy to replicate behavior.
• Identity based detection requires storage of an identifier database and its logic.
• Each new node must be given a unique identifier, which makes the process of
deployment more expensive.

Thus, we base our intrusion detection system on behavior. This is a more efficient,
lightweight and easily scalable solution to Intrusion Detection in MANETs.

Behavior based Intrusion Detection Systems can be classified as follows.

Anomaly Detection
A baseline profile of the normal system activity is created. Whenever there is any
deviation from the baseline, the system activity is treated as a possible intrusion. The
shortcomings of this approach are:
• Anomalous activities that are not intrusive are flagged as intrusive (false
positives)
• Intrusive activities that behave in a non-anomalous manner are not detected
(false negatives)

In mobile computing, anomaly detection may demand that the normal profile be
periodically updated and the deviations from the normal profile recomputed. These
periodic calculations may impose a heavy load on some of the resource constrained
devices.

A distributed and co-operative intrusion detection model based on a statistical
anomaly detection technique was proposed by Zhang and Lee [14]. In such
networks, every node participates and runs an IDS agent. This agent performs local
data collection and detection. When a node reports an anomaly, a co-operative
detection and global intrusion response can be triggered. Here, two attack scenarios
are considered separately:
• Abnormal updates to the routing table
• Detection of abnormal activities in layers other than the routing layer.

Signature Misuse Detection


In this kind of detection, the signature and the traces of the intruder is observed in
the system. A legal behavior model is defined and the observed behavior is
compared against the legal model to detect the intrusion. The system tries to detect
the intrusion activity irrespective of the traffic background of the network.

Specification based Detection


Under this kind of detection, a set of constraints are defined which defines the
correct operation of a program or protocol. The programs are monitored and
executed with respect to the defined constraints. IDS based on this approach are
proposed by Tseng and Balasubramanyam [15].

Compound Detection
This is an improvement over misuse and anomaly detection. A compound decision
based on the normal behavior of the system and the intrusive behavior of the intruder
is formed. Here, the detector operates by checking for intrusion against the historical
normal traffic in the system. This gives better accuracy in detecting undefined
behavior. M. Alam, T. Li et al. [16] proposed an IDS which uses a quantitative
method of anomaly definition based on transmission characteristics, depending on
the historical transmission behavior of the node. Though this approach gives a
non-centralized solution, it does not cater to mobile nodes or MANETs.

• Implementation of Intrusion Detection System
Similar to the implementation of the Blackhole/Grayhole AODV, we have to
implement the Intrusion Detection System. We copy the AODV directory and
rename it idsaodv. All files named aodv are renamed idsaodv, except for
aodv_packet.h. The file ns-lib.tcl and the makefile are modified to include this
new idsaodv protocol.

The modified program is compiled and installed thereafter. The modified NS is
tested for Black Hole AODV and Gray Hole AODV against the AODV routing protocol.
The simulation results of the Black Hole AODV and the Gray Hole AODV are
compared with the IDS AODV for network throughput and average packets dropped.

• Intrusion Detection
A secure ad hoc network requires identification of nodes within the network that
have malicious behavior. This is done in two stages.

• Recognizing the nodes displaying malicious behavior

The current research tries to detect malicious nodes that drop data packets partially
or fully. Every node keeps a count of the number of acknowledgements it receives
from the neighboring nodes to which it has tried to transmit. Thus each node records
the throughput of every neighbor node during communication. This behavior is
measured over a period of time which determines the historical quality of behavior
of the neighbor node. The stability of the nodal behavior is denoted by “STB()”, data
transmission quality is referred to as “DTQ” which is a function of STB(), the
probability of error in the channel is P(), the power needed for transmitting the total
data attempted to be sent is D, the energy to send one byte of data is “E”, k is a
constant (which depends upon the efficiency of the node in terms of resources,
memory, battery backup etc.), and T is the time period for which the behavior of a
particular node is observed.


The research work is limited to non-cluster based networks and transmission is
considered in terms of packets. A packet is either transmitted completely or not at
all.

Each node calculates and maintains the DTQ for all the neighboring nodes. When
the DTQ value is less than the threshold value, the neighbor node is marked as
malicious node.

The process of malicious node recognition is shown by the flowchart in figure 5.1.

Figure 3.5: Flow Chart to identify the malicious Node.

• Confirming the Identification

This stage confirms that the malicious node is correctly identified. The decision is based
on a group consensus approach. A request is sent to every node in the network to
accept or reject the decision. On receiving such a request, a node can either vote for
or veto by referring to its own DTQ readings. Based on the replies, the vote-initiating
node draws a consensus. If the votes approving malicious behaviour are in the
majority, the node is added to a blacklist. Any further communication with this node
is barred by all the other nodes.

Here, for example, node A has detected that node B's DTQ has fallen below the
threshold; therefore node A sends a broadcast request for a vote on its suspicion. When
the nodes in the ad hoc network receive such a request, they check the DTQ values
for node B in their respective tables. Depending on the result they send a positive or
negative reply by voting. The votes received are summed by node A to decide the
status of node B.

• Voting Details
Vote Arrival: The node initiating the vote keeps a count of the number of votes
received. For a particular vote request, it does not register more than one vote from
the same neighbor. After receiving votes from all the neighbors, the node decides for
or against the voted-upon node. Here, we take the total number of nodes less one as
the maximum expected neighbor count.

Vote Request Time-out: The ideal situation is when all the neighbors respond to a
request. In MANETs, as packets are lost in transit and some of the nodes decide
not to vote, the vote initiator cannot wait indefinitely. The vote-request time-out
solves this dilemma; it is set as soon as the vote request is sent out. At the end of
this time-out period, the vote request initiator aggregates all the votes it has received
and makes a decision based on the counts. All votes received after this time-out
are ignored.

The Voters: All the nodes that receive a vote request attempt to vote. However, if
the number of messages they have received from the vote initiator is not sufficient for
them to decide, they refrain from voting.

Figure 3.6: Flow chart for the Voting Process

• Process after Vote Decision:

Blacklisting: Once a node is blacklisted, a message with this information is sent to all
the nodes immediately, as shown in figure 5.2. All nodes receiving this message add
the node to their own blacklist. Henceforth, no communication from such a node is
responded to.

Acquitted: If a node is acquitted after the vote decision, it is treated as a usual node
by all the other nodes. No information about the acquittal is sent out. Hence, a vote
initiator that holds a low DTQ value for a particular node has to wait for the next
bucket before it can re-initiate the vote request, as a vote request may be initiated
only once per bucket. This ensures that there are no repeated or premature vote
requests.
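The two stages described above, recognition by a per-neighbour DTQ threshold and confirmation by the vote request, time-out, one-vote-per-neighbour and once-per-bucket rules, as an added example written for this section and not the thesis's own NS-2 code. The DTQ here is an assumption: the thesis derives it from STB(), P(), D, E, k and T without giving the formula, so this stand-in uses only the acknowledgement ratio over the observation period; the threshold, time-out and node names are constructed values.

```python
from dataclasses import dataclass, field

DTQ_THRESHOLD = 0.5   # assumed value: a neighbour with DTQ below this is suspected
VOTE_TIMEOUT = 2.0    # assumed value: seconds the initiator waits after the request


@dataclass
class Node:
    name: str
    attempted: dict = field(default_factory=dict)  # packets sent to each neighbour in period T
    acked: dict = field(default_factory=dict)      # acknowledgements received per neighbour
    blacklist: set = field(default_factory=set)
    last_vote_bucket: dict = field(default_factory=dict)  # suspect -> bucket of last request

    def record(self, neighbour, was_acked):
        self.attempted[neighbour] = self.attempted.get(neighbour, 0) + 1
        if was_acked:
            self.acked[neighbour] = self.acked.get(neighbour, 0) + 1

    def dtq(self, neighbour):
        """Simplified DTQ (assumption): acknowledgement ratio over the period."""
        n = self.attempted.get(neighbour, 0)
        return None if n == 0 else self.acked.get(neighbour, 0) / n

    def suspects(self):
        """Neighbours whose DTQ has fallen below the threshold."""
        return [nb for nb in self.attempted if self.dtq(nb) < DTQ_THRESHOLD]

    def vote(self, suspect):
        """Reply to a vote request from this node's own DTQ table; None means abstain."""
        q = self.dtq(suspect)
        return None if q is None else q < DTQ_THRESHOLD


def run_vote(initiator, suspect, replies, network, bucket):
    """replies: (voter_name, seconds_after_request, vote) tuples as received by the
    initiator. Returns 'rate-limited', 'blacklisted' or 'acquitted'."""
    if initiator.last_vote_bucket.get(suspect) == bucket:
        return "rate-limited"            # only one vote request per suspect per bucket
    initiator.last_vote_bucket[suspect] = bucket
    max_voters = len(network) - 1        # expected neighbour count: all nodes less one
    counted = {}
    for voter, delay, v in sorted(replies, key=lambda r: r[1]):
        if delay > VOTE_TIMEOUT or v is None or voter in counted:
            continue                     # late reply, abstention, or second vote from same node
        counted[voter] = v
        if len(counted) == max_voters:
            break                        # all neighbours have voted: decide immediately
    approving = sum(counted.values())
    if approving > len(counted) - approving:
        for node in network.values():    # blacklist message reaches every node
            node.blacklist.add(suspect)
        return "blacklisted"
    return "acquitted"                   # nothing is broadcast on acquittal


def simulate():
    """Constructed scenario: B acknowledges few of A's, C's and E's packets; D sees B as fine."""
    net = {n: Node(n) for n in "ABCDE"}
    for observer, acks in (("A", 2), ("C", 3), ("D", 9), ("E", 1)):
        for i in range(10):
            net[observer].record("B", was_acked=i < acks)
    # constructed replies: C votes twice, B has no self-observation and also arrives late
    replies = [(v, t, net[v].vote("B")) for v, t in
               (("C", 0.4), ("D", 0.9), ("E", 1.5), ("C", 1.7), ("B", 2.5))]
    first = run_vote(net["A"], "B", replies, net, bucket=1)
    second = run_vote(net["A"], "B", replies, net, bucket=1)   # same bucket: refused
    return net["A"].suspects(), first, second, sorted(net["D"].blacklist)
```

Running `simulate()` shows A suspecting B, the first request ending in a blacklist that reaches D even though D's own DTQ for B was good, and the second request in the same bucket being refused.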

3.4. Performance Metrics

In the performance evaluation of a protocol for MANETs, the protocol should be
tested under realistic conditions. We perform extensive simulations using the NS-2
simulator. A routing protocol for MANETs is usually evaluated in terms of
performance metrics. The metrics used by us are Network Throughput, Average end-
to-end delay (Delay) and Average Packet Drop.

• Network Throughput
Throughput is the measure of how fast data can actually be sent through the network.
The number of packets delivered to the receiver provides the throughput of the network.
It is the ratio of the total amount of data that reaches a receiver from a sender to the
time it takes for the receiver to get the last packet.

Throughput =

• Average end-to-end delay (Delay)

The average time from the beginning of the packet transmission (including route
acquisition delay) at source node until packet delivery to a destination. The packet
end-to-end delay is the average time that packets take to traverse the network. This is
the time from the generation of the packet by the sender up to their reception at the
destination’s application layer and is expressed in seconds. It therefore includes all
the delays in the network such as buffer queues, transmission time and delays
induced by routing activities and MAC control exchanges. Various applications
require different levels of packet delay. Delay sensitive applications such as voice
require a low average delay in the network whereas other applications such as FTP
may be tolerant to delays up to a certain level. MANETs are characterised by node
mobility, packet retransmissions due to weak signal strengths between nodes, and
connection tearing and making. These cause the delay in the network to increase.
The end-to-end delay is therefore a measure of how well a routing protocol
adapts to the various constraints in the network and represents the reliability of the
routing protocol.

Where
= End to end delay
= Transmission delay
= Propagating delay

= Processing delay

Equation for average end to end delay is:


Where n is number of received packets.

• Average Packet Drop

Packet loss occurs when one or more packets being transmitted across the network
fail to arrive at the destination. It may be due to path breaks caused by the mobility
of nodes, congestion of the network, or node failure due to a drained battery. The
metric is defined as the average number of packets dropped by the routers during
transmission.

Forward Percentage =

Packet loss is the discarding of packets in a network when a router or other network
device is overloaded and cannot accept additional packets at a given moment.
Packets are the fundamental unit of information transport in all modern computer
networks, and increasingly in other communications networks as well.

The losses are usually due to congestion on the network and buffer overflows on the
end-systems. A buffer is a portion of a computer’s memory that is set aside as a
temporary holding place for data that is being sent to or received from an external
device. A buffer overflow occurs any time more information is written into the
buffer than there is space allocated for it in the memory.
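The three metrics of this section computed from an NS-2 trace, as an added example that is not the thesis's own analysis script. The trace lines are constructed in the layout of NS-2's old wireless trace format (event, time, node, layer, ---, packet id, type, size, ...); throughput is taken, as worded above, as data reaching the receiver over the time until the last packet arrives, measured from the first send, which is an assumption since the page's formula is not reproduced.

```python
# Constructed trace: node 0 sends four 512-byte CBR packets to node 2; router 1 drops two.
TRACE = """\
s 1.000000000 _0_ AGT --- 0 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [0] 0 0
r 1.040000000 _2_ AGT --- 0 cbr 512 [0 0 0 0] ------- [0:0 2:0 30 2] [0] 1 0
s 1.100000000 _0_ AGT --- 1 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [0] 0 0
D 1.120000000 _1_ RTR --- 1 cbr 512 [0 0 0 0] ------- [0:0 2:0 31 1] [0] 0 0
s 1.200000000 _0_ AGT --- 2 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [0] 0 0
r 1.260000000 _2_ AGT --- 2 cbr 512 [0 0 0 0] ------- [0:0 2:0 30 2] [0] 1 0
s 1.300000000 _0_ AGT --- 3 cbr 512 [0 0 0 0] ------- [0:0 2:0 32 0] [0] 0 0
D 1.320000000 _1_ RTR --- 3 cbr 512 [0 0 0 0] ------- [0:0 2:0 31 1] [0] 0 0
"""


def metrics(trace_text):
    """Return throughput, average end-to-end delay and packet-drop figures for a trace."""
    sent, received = {}, {}      # packet id -> send time / (receive time, bytes)
    router_drops = 0
    for line in trace_text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue             # ignore blank or truncated lines
        event, t, layer, pid, size = f[0], float(f[1]), f[3], int(f[5]), int(f[7])
        if event == "s" and layer == "AGT":
            sent.setdefault(pid, t)            # generation time at the sender's application
        elif event == "r" and layer == "AGT":
            received[pid] = (t, size)          # reception at the destination's application
        elif event == "D" and layer == "RTR":
            router_drops += 1                  # packet discarded by a router
    delivered = [pid for pid in received if pid in sent]
    result = {"packets_sent": len(sent), "router_drops": router_drops,
              "drop_ratio": router_drops / len(sent) if sent else 0.0,
              "throughput_bps": 0.0, "avg_delay_s": 0.0}
    if not delivered:
        return result                          # nothing reached the receiver
    total_bytes = sum(received[pid][1] for pid in delivered)
    span = max(received[pid][0] for pid in delivered) - min(sent.values())
    delays = [received[pid][0] - sent[pid] for pid in delivered]
    result["throughput_bps"] = total_bytes * 8 / span
    result["avg_delay_s"] = sum(delays) / len(delays)   # n = number of received packets
    return result
```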

3.5. Literature Review

AODV is one of the most prominent communication protocols in MANETs. Because
of its many weaknesses, AODV has attracted many researchers to develop new
protocol variants based on it to improve its performance. A number of IDS techniques
have been proposed in the research literature.

Reviewing black hole attacks first, the authors in [17] revised the AODV routing protocol
to reduce the chances for a Black Hole Node to grab routing paths. This method is
very useful against a black hole node located near a source node.

Another approach using AODV, proposed in [18], is that a source node does not
immediately send out a data packet upon the receipt of the first Route Reply, but
waits to collect subsequent Route Replies from its neighbouring nodes. After
comparing all route replies, the source node selects the one from the neighbouring
nodes that has the same next hop as the other alternative routes and begins to send out
the data packets.

The authors of [19] also proposed a revised AODV routing protocol, called PCBHA
(Prevention of a Co-operative Black Hole Attack), in order to prevent cooperative
black holes.

A dynamic learning method was proposed in [20] to detect a black hole node. If the
change in a node's characteristics exceeds the threshold within a period of time, this
node is judged as a Black Hole Node. Otherwise, the data of the latest observation is
added to the data set for dynamic updating purposes.

A general approach for detecting the black hole attack was presented in [21] which
is based on the neighbourhood to detect the interloper. A routing recovery protocol to
set up a correct route to the true destination was also proposed. This method introduced
the neighbour set of a node, which consists of all the nodes that are within its radio
transmission range. Two types of control packets shared the neighbour set between
the different nodes. When two neighbour sets received at the same time are different,
it was presumed that they were generated by two different nodes. The disadvantage of
this scheme is that it requires a public key infrastructure; otherwise the detection
remains susceptible.

A solution to defend against the selective forwarding attack (Gray Hole Attack) in Wireless
Mesh Networks was offered in [22]; it consists of two stages. The first stage is Counter-
Threshold Based and uses a detection threshold and a packet counter to discover the
attacks. The second stage is Query Based and uses acknowledgements from intermediate
nodes to confirm the attacker.

Another method for detecting Gray Hole Attack [23] was proposed. Each intrusion
detection agent runs independently and detects intrusion from traces. Only one-hop
information is maintained at each node for each route. If local evidence is
inconclusive, the neighbouring IDS agents cooperate to perform global intrusion
detection.

The Black and Gray Hole attacks [24] bring great damage to the performance of an
Ad Hoc network. The malicious drop rate is defined as the ratio of the number of dropped
packets to the number of received packets. For example, a Gray Hole with a gray magnitude of
60% will drop a data packet with a probability of 60%, and a classical Black Hole has
a gray magnitude of 100%.

The Intrusion Detection systems are broadly classified into five categories [25], [26].
a) Stand Alone Intrusion Detection System,
b) Distributive and Co-operative Intrusion Detection System,
c) Host Based Intrusion Detection System,
d) Network Based Intrusion Detection System, and
e) Hierarchical Intrusion Detection System.

A number of IDS techniques have been proposed in the research literature. Cluster based
voting schemes have been proposed to enable sharing and vetting of messages and
data generated and gathered by IDSs.

A distributed and collaborative anomaly detection based IDS for ad hoc networks that
monitors the AODV routing behaviour was proposed in [14], together with distributed
network monitors for detecting run-time violations of specifications.

A method for building confidence measures of root trustworthiness without a central
trust authority was presented in [27]. The authors also present a concise summary of
previous work on establishing trust in ad hoc networks.

In [28], a value was assigned to the “reputation” of a node and this information was
used to identify the misbehaving nodes. Co-operation was only with the nodes with
trusted reputation.

A trust-based mechanism was coupled with a mobile agent based intrusion detection
system in [29]; however, it does not discuss the security implications or the overhead
required to secure the network and individual nodes from the mobile agents
themselves. Gateway nodes in neighbouring zones can then further collaborate to
perform intrusion detection tasks in a wider area to attempt to reduce false positive
alarms.

These detectors operate by checking for intrusion against the historical and normal
traffic in the system. Hence, these detectors have a greater accuracy in detecting
undefined behaviour. They would at the very least be able to qualify their decisions
better. In [30] an IDS was proposed which uses a quantitative method of anomaly
definition based on transmission characteristics, but factors in the historical transmission
behaviour of the node.

A collaborative method for black hole attack prevention was proposed in [32]. An
architecture to deal with collusion amongst nodes was designed using a watchdog
method. The algorithm classified the nodes in a network into three types: trusted,
watchdog, and ordinary nodes. Every chosen watchdog observed its normal node
neighbours and decided whether they could be treated as trusted or malicious.

An aggregate signature algorithm to trace packet dropping nodes was proposed [33].
This consisted of three related algorithms.
(a) The creating proof algorithm
(b) The check-up algorithm
(c) The diagnosis algorithm

Here, the reliability is satisfactory as proof of forwarded packets is used. As
bi-directional communication links are not required, the application scope is wide.
The malicious nodes are well detected and the bandwidth overhead is low as the
nodes do not need to check each other.

In [34], an intrusion detection system based on the Suburban Ad Hoc Network (SAHN)
was proposed. This SAHN-IDS was useful for multi-hop ad hoc networks, where
misbehaving nodes were detected by the unfair share of the transmission channel they
obtained. The efficiency of the proposed scheme was shown by the simulation results.

A novel intrusion detection and response system has been proposed [35], which was
known as Router-guard. This worked mainly on the concept of monitoring and node
cooperation and successfully detected malicious mobile nodes and protected the
system.

In [36] a “Cross Layer Based Intrusion Detection System” (CIDS) has been
proposed for Adhoc networks. The trace file patterns were analysed to detect the
intruders. The network efficiency was increased as it could communicate data
securely from the source to the destination.

Probes disguised as normal packets were used in [37] to detect malicious nodes. A
centralised authority that receives reports on statistics of various IP flows was used in
[38]. However, these techniques could not distinguish between the causes of packet loss.

Reputation based systems are a new paradigm used for enhancing security.
These systems are easy to use and can withstand a variety of attacks. They do not
rely on the conventional use of a common secret to establish confidential and secured
communication between two parties. These systems are based on observations and
are used to decide whom to trust and to encourage trustworthy behaviour. In [39]
three goals for reputation systems were identified:
a. Isolate untrustworthy principals from trustworthy principals.
b. Persuade the principals to behave in a trustworthy manner.
c. Prevent the untrustworthy principals from participating in the reputation
mechanism.

Most of the proposed methods for Intrusion Detection and Malicious Node Detection
can discover only a few types of attacks, depending on the status of the network. The
problem occurs when we come across a malicious node whose nature of attack is
unknown to the network. The other problem which an Intrusion Detection System faces
is the requirement of large bandwidth for the exchange of large packets amongst the
nodes. This leads to a large amount of processing and reduces the network
performance, as the number of packets received by the target nodes will be less.