
May 12, 2010 17:39 RPS : Trim Size: 8.50in x 11.00in (IEEE) icfcc2010-lineup˙vol-3: F1661

Preventing Black Hole Attack in Mobile Ad-hoc Networks Using Anomaly Detection

Yibeltal Fantahun Alem
Department of Computer Science
Tianjin University of Technology and Education
Tianjin 300222, China
getyibe@gmail.com

Zhao Cheng Xuan
Department of Computer Science
Tianjin University of Technology and Education
Tianjin 300222, China
xuanzc@tute.edu.cn

Abstract—Mobile ad-hoc networks are prone to a number of security threats. The fact that mobile ad-hoc networks lack fixed infrastructure and use wireless links for communication makes them very susceptible to an adversary’s malicious attacks. Black hole attack is one of the severe security threats in ad-hoc networks, and it can be easily employed by exploiting a vulnerability of on-demand routing protocols such as AODV.

In this paper, we have proposed a solution based on Intrusion Detection using Anomaly Detection (IDAD) to prevent black hole attacks imposed by both single and multiple black hole nodes. The result of a simulation study proves the particular solution maximizes network performance by minimizing generation of control (routing) packets as well as effectively preventing black hole attacks against mobile ad-hoc networks.

Keywords-Ad-hoc; Black hole attack; Anomaly Detection; AODV

I. INTRODUCTION

A mobile ad-hoc network is a self-organizing network that consists of mobile nodes that are capable of communicating with each other without the help of fixed infrastructure. In contrast to traditional wired networks that use copper wire as a communication channel, ad-hoc networks use radio waves to transmit signals.

Mobility, an advantage of wireless communication, gives the freedom of moving around while being connected to a network environment. Ad-hoc networks are so flexible that nodes can join and leave a network easily. But this flexibility of mobile nodes results in a dynamic topology that makes it very difficult to develop secure ad-hoc routing protocols.

Security being a serious issue, the nature of ad-hoc networks makes them extremely vulnerable to an adversary’s malicious attacks. First of all, the use of wireless links renders a mobile ad-hoc network vulnerable to attacks of various types, black hole attack being one of them [1-2]. Unlike wired networks, where an adversary must gain physical access to network wires or pass through several lines of defense at firewalls and gateways, attacks on a mobile ad-hoc network can come from all directions and target any node. Compared to traditional wired networks (networks in which traffic can be monitored at central devices such as switches and routers), mobile ad-hoc networks have no network concentration points to filter traffic. The use of wireless links, lack of fixed infrastructure and the characteristic of dynamic topology associated with ad-hoc networks make it impossible to use wired network security mechanisms as is.

II. AD-HOC ROUTING PROTOCOLS AND BLACK HOLE ATTACK

An ad-hoc routing protocol is a convention, or standard, that controls how nodes decide which way to route packets between computing devices in a mobile ad-hoc network. As one category of ad-hoc routing protocols, on-demand protocols such as AODV (Ad-hoc On-demand Distance Vector) and DSR (Dynamic Source Routing) establish routes between nodes only when they are required to route data packets.

AODV is one of the most common ad-hoc routing protocols used for mobile ad-hoc networks. As its name indicates, AODV is an on-demand routing protocol that discovers a route only when there is a demand from mobile nodes in the network.

In an ad-hoc network that uses AODV as a routing protocol, a mobile node that wishes to communicate with another node first broadcasts an RREQ (Route Request) message to find a fresh route to a desired destination node. This process is called route discovery. Every neighboring node that receives the RREQ broadcast first saves the path the RREQ was transmitted along to its routing table. It subsequently checks its routing table to see if it has a fresh enough route to the destination node provided in the RREQ message. The freshness of a route is indicated by a destination sequence number that is attached to it. If a node finds a fresh enough route, it unicasts an RREP (Route Reply) message back along the saved path to the source node; otherwise it re-broadcasts the RREQ message. The same process continues until an RREP message from the destination node or an intermediate node that has a fresh route to the destination node is received by the source node.

Route discovery is a vulnerability of on-demand ad-hoc routing protocols, especially AODV, which an adversary can exploit to perform a black hole attack on mobile ad-hoc networks. A malicious node in the network receiving an RREQ message replies to source nodes by sending a fake RREP message that contains desirable parameters to be chosen for packet delivery to destination nodes. After promising (by sending a fake RREP to confirm it has a path to a destination node) to source nodes that it will forward data, a malicious node starts to drop all the network traffic it

978-1-4244-5824-0/$26.00 © 2010 IEEE V3-672

receives from source nodes. This deliberate dropping of packets by a malicious node is what we call a black hole attack.

[Figure 1. RREQ broadcast. Diagram labels: Source (node 0), Destination (node 2), Malicious node (node 4), neighboring nodes 1 and 3, RREQ and RREP messages.]

A malicious node sends RREP messages without checking its routing table for a fresh route to a destination. As shown in Fig. 1 above, source node 0 broadcasts an RREQ message to discover a route for sending packets to destination node 2. An RREQ broadcast from node 0 is received by neighboring nodes 1, 3 and 4. However, malicious node 4 sends an RREP message immediately without even having a route to destination node 2.

An RREP message from a malicious node is the first to arrive at a source node. Hence, a source node updates its routing table for the new route to the particular destination node and discards any RREP message from other neighboring nodes, even from an actual destination node. Once a source node saves a route, it starts sending buffered data packets to a malicious node hoping they will be forwarded to a destination node. Nevertheless, a malicious node (performing a black hole attack) drops all data packets rather than forwarding them on.

III. EXISTING TECHNIQUES OF PREVENTING BLACK HOLE ATTACK IN MOBILE AD-HOC NETWORKS

Researchers have proposed various techniques to prevent black hole attack in mobile ad-hoc networks. H. Weerasinghe and H. Fu [3] introduce the use of DRI (Data Routing Information) to keep track of past routing experience among mobile nodes in the network and cross-checking of RREP messages from intermediate nodes by source nodes. The main drawback of this technique is that mobile nodes have to maintain an extra database of past routing experiences in addition to the routine work of maintaining their routing table. It is evident that maintaining past routing experiences wastes memory space as well as consuming a significant amount of processing time, which contributes to slow communication.

The second drawback is over-consumption of limited bandwidth. Cross-checking of the validity of routes contained in an RREP message from an intermediate node is implemented by sending a FREQ (Further Request) message to the next-hop of the particular intermediate node. Sending additional FREQ messages consumes a significant amount of bandwidth from an already limited and precious resource. The research of H. Deng, W. Li and D. Agrawal [4] is similar to Weerasinghe’s technique, with the additional weakness of being unable to prevent attacks from multiple black hole nodes.

P. Raj and P. Swadas [5] proposed an adequate solution by checking RREP messages from intermediate nodes for possible intrusion activities. This technique is successful based on the assumption of cooperation between nodes. If a mobile node discovers a possible attack by an intruder, the discovering node notifies all other nodes of the presence of an attack by broadcasting an ALARM message. This process takes a considerable amount of time to notify all nodes in a large network, in addition to the network overhead that can be caused by the ALARM broadcast.

IV. INTRUSION DETECTION USING ANOMALY DETECTION (IDAD)

Intrusion Detection Systems (IDS) are one of the main techniques utilized to prevent attacks against security threats. Intrusion detection is a process of detecting an adversary and preventing its subsequent actions. IDS can be classified as Network-based and Host-based. Network-based IDS can be installed on data concentration points of a network such as switches and routers, whereas Host-based IDS are installed on hosts so that they can supervise the activities of a host and users on the host.

Our proposed technique (IDAD) uses a Host-based IDS schema, as a Network-based IDS schema cannot be employed in mobile ad-hoc networks where there is no central device that monitors traffic flow. IDAD assumes every activity of a user or a system can be monitored and anomalous activities of an intruder can be distinguished from normal activities. Hence, by identifying anomalous activities of an adversary, it is possible to detect a possible intrusion and isolate the adversary. To do so, IDAD needs to be provided with a pre-collected set of anomalous activities, called audit data. Once audit data is collected and given to the IDAD system, the IDAD system is able to compare every activity of a host with the audit data on the fly. If any activity of a host (node) resembles the activities listed in the audit data, the IDAD system isolates the particular node by forbidding further interaction.

Furthermore, IDAD works on a principle that trusts no peer. This means mobile nodes do not rely on other nodes to prevent intrusions.

Algorithm of IDAD to prevent black hole attack:

Notations
SN: Source Node
AD: AuditData
DP: Data Packet
RT: Routing Table

1  SN broadcasts RREQ
2  SN receives RREP
3  IF (RREP (e1, e2, e3 … en) is different from AD (a1, a2, a3 … an))
4  {
5      save route to RT
6      WHILE (size of BUFFER is not zero)
7          send DP
8  }
9  ELSE {
10     discard RREP
11     goto step 3
12 }

[Volume 3] 2010 2nd International Conference on Future Computer and Communication V3-673

In a black hole attack, a malicious node deceives source nodes by sending a fake RREP message [6]. Fake RREP messages from a malicious node contain the following parameters:
• maximum destination sequence number − to make the route up to date
• single hop-count − to make a route with the shortest path
• life-long route − informs that a route will exist as long as the network
• destination IP address − address of the destination node copied from RREQ
• time-stamp − the time the RREP was generated

These entries of an RREP message from a malicious node can be collected as audit data to differentiate anomalous activities from normal activities. Fig. 2 below shows the flow chart of the anomaly detection algorithm.

[Figure 2. Flowchart of Intrusion Detection by IDAD. Boxes: Start; RREP (e1, e2 … en); decision RREP (e1, e2 … en) != AuditData (a1, a2 … an); Save to routing table; Send Packets; Packets finished; Discard RREP; Check for another RREP; Stop.]

The solution proposed in S. Sharma and R. Gupta [7] considers a maximum destination sequence number that is replied by a malicious node to conclude an RREP message is from an intruder. However, this is not always the case. A maximum destination sequence number could be reached even under normal circumstances in a large network with numerous route discoveries. To avoid false positive alarms of intrusion detection, our technique checks multiple anomaly conditions. For example, RREP messages from a malicious node contain exactly the same RREQ and RREP time-stamps. This is due to the fact that a malicious node immediately sends an RREP message after receiving an RREQ message without checking its routing table.

V. SIMULATION RESULTS

The current simulation research of implementing IDAD to enable AODV with a security mechanism was carried out using NS2.

Note: All the simulation conditions such as the mobility of nodes (random), speed of nodes (5m/s), size of terrain area (500m*500m), number of source nodes (8), number of destination nodes (8) and simulation time (60s) for all the simulations are exactly the same.

Definition of variables in the measured metrics is listed as follows.

Number of data packets sent is the number of data packets that are sent by a source node. It is represented by S and calculated as follows:

$$S = \sum_{i=1}^{n} S_i \qquad (1)$$

where $S_i$ is the number of data packets sent by a source node at the ith transmission and n is the number of data packet transmissions.

Number of data packets received, denoted by R, is the number of data packets received by a destination node. It is calculated as follows:

$$R = \sum_{i=1}^{n} R_i \qquad (2)$$

where $R_i$ is the number of data packets received by a destination node at the ith transmission and n is the number of data packet transmissions.

Number of routing packets is the number of routing packets (AODV packets in our case) that are generated during simulation time. It is denoted by C and calculated as follows:

$$C = \sum_{i=1}^{n} C_i \qquad (3)$$

where $C_i$ is the number of routing packets generated at the ith route discovery and n is the number of route discoveries.

Normalized routing load is the ratio of routing packets over received data packets. Normalized routing load is denoted by N and calculated as follows:

$$N = \frac{C}{R} \qquad (4)$$


where C is the number of routing (control) packets generated and R is the number of data packets received.

Packet delivery fraction is the ratio of received packets over sent packets in percentage. It is symbolized by P and calculated as shown below.

$$P = \frac{R}{S} \times 100 \qquad (5)$$

Average end to end delay, denoted by D, is the average time for a data packet delivered from source to destination. The value of D is calculated as follows:

$$D = \frac{\sum_{i=1}^{n} d_i}{n} \qquad (6)$$

where $d_i$ is the time for end-to-end delay of data packets at the ith transmission.

Table I below presents the packet transmission attributes during simulation of mobile ad-hoc network topologies.

TABLE I. PACKET TRANSMISSION ATTRIBUTES DURING SIMULATION

| Attribute | Value |
|---|---|
| Packet size | 512 bytes |
| Interval between two packet transmission | 0.125 s |
| Maximum number of packets per connection | 10000 |
| Rate of packet transmission | 8 packets/second |

The simulation result was analyzed and is summarized in TABLE II.

Fig. 3, Fig. 4 and Fig. 5 depict graphs generated by Tracegraph software from the simulation trace files and present throughput of received packets under normal condition, throughput of received packets under black hole attack and throughput of received packets preventing black hole attack by IDAD respectively.

[Figure 3. Throughput of received packets under normal condition]

[Figure 4. Throughput of received packets under black hole attack]

[Figure 5. Throughput of received packets preventing black hole attack by IDAD]

VI. CONCLUSION

The self protection (no peer trust) principle of IDAD where every single mobile node is responsible for protecting itself effectively prevents a black hole attack regardless of the number of black hole nodes. It also minimizes the number of extra routing packets generated as a result of communication between mobile nodes. The reduction of the number of routing packets in turn minimizes network overhead and facilitates a faster communication.

REFERENCES

[1] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” Sixth Annual International Conference on Mobile Computing and Networking (MobiCom’2000), Boston, August 6-11, 2000.
[2] P. Yi, Z. Dai, S. Zhang, and Y. Zhong, “A new routing attack in mobile ad-hoc networks,” Sixth Annual International Conference on Mobile Computing and Networking (MobiCom’2000), Boston, August 6-11, 2000.


[3] H. Weerasinghe and H. Fu, “Preventing cooperative black hole attacks in mobile ad-hoc networks: simulation, implementation and evaluation,” International Journal of Software Engineering and Its Applications, Vol. 2, No. 3 (2008) pp. 39-54.
[4] H. Deng, W. Li, and D. Agrawal, “Routing security in wireless ad-hoc network,” IEEE Communications Magazine, vol. 40, no. 10 (2002) pp. 70-75.
[5] P. Raj and P. Swadas, “A dynamic learning system against black hole attack in AODV based MANET,” IJCSI International Journal of Computer Science, Vol. 2, (2009) pp. 54-59.
[6] S. Dokurer “Simulation of black hole attack in wireless ad-hoc networks,” Master thesis, September 2006, Atilim University, Turkey.
[7] S. Sharma and R. Gupta, “Simulation study of blackhole attack in the mobile ad-hoc networks,” Journal of Engineering Science and Technology, Vol. 4, No. 2 (2009) pp. 243-250.

TABLE II. SUMMARIZED RESULT OF TRACE FILE ANALYSIS

| Measured Metrics | Simulation without black hole attack | Simulation with one black hole | Simulation with two black hole | Preventing one black hole | Preventing two black holes |
|---|---|---|---|---|---|
| Number of data packets sent | 3059 | 3066 | 3029 | 3035 | 3028 |
| Number of data packets received | 3044 | 10 | 5 | 3016 | 3012 |
| Total number of routing packets | 424 | 1040 | 441 | 500 | 474 |
| Normalized routing load | 0.1392904 | 104.0 | 88.2 | 0.1657825 | 0.15737052 |
| Packet delivery fraction (%) | 99.50964 | 0.32615784 | 0.16507098 | 99.37397 | 99.471596 |
| Average end-to-end delay | 0.01472166 | 0.01969009 | 0.02662297 | 0.0158748 | 0.0154934 |

Note: Values in the table describe number of packets not amount of packets in bits or bytes.
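
The RREP screening that Section IV describes (comparison against audit data using several anomaly conditions, then discard and isolate), as an added Python example that is not code from the paper. The field encodings, the `required` threshold, the function names and the sample addresses are assumptions, and the three replies are constructed for the Fig. 1 topology.

```python
from dataclasses import dataclass

MAX_SEQ = 0xFFFFFFFF        # largest 32-bit AODV sequence number
LIFELONG = float("inf")     # assumed encoding of a "life-long" route

@dataclass(frozen=True)
class RREP:
    sender: str        # node that generated the reply
    dest_ip: str       # copied from the RREQ, so it cannot discriminate
    dest_seq: int
    hop_count: int
    lifetime: float    # seconds
    rreq_time: float   # time-stamp of the RREQ being answered
    rrep_time: float   # time-stamp at which the RREP was generated

# Audit data: one test per anomalous RREP entry listed in Section IV.
AUDIT_DATA = {
    "max_dest_seq": lambda p: p.dest_seq == MAX_SEQ,
    "single_hop": lambda p: p.hop_count == 1,
    "lifelong_route": lambda p: p.lifetime == LIFELONG,
    "same_timestamps": lambda p: p.rrep_time == p.rreq_time,
}

def matched_anomalies(rrep):
    return [name for name, test in AUDIT_DATA.items() if test(rrep)]

def is_intrusion(rrep, required=len(AUDIT_DATA)):
    # Assumption: a reply is anomalous only if `required` conditions hold
    # together; one match alone (e.g. a legitimately maximal sequence
    # number) is not enough, which is how false positives are avoided.
    return len(matched_anomalies(rrep)) >= required

def select_route(rreps, isolated):
    """Steps 2-11 of the algorithm: walk RREPs in arrival order, discard
    anomalous ones, isolate their senders, return the first accepted."""
    for rrep in rreps:
        if rrep.sender in isolated:
            continue
        if is_intrusion(rrep):
            isolated.add(rrep.sender)   # forbid further interaction
            continue                    # discard, check for another RREP
        return rrep                     # caller saves this route to RT
    return None

# Constructed replies for the Fig. 1 topology (source 0, destination 2).
FORGED = RREP("4", "10.0.0.2", MAX_SEQ, 1, LIFELONG, 1.000, 1.000)
BENIGN_MAX_SEQ = RREP("3", "10.0.0.2", MAX_SEQ, 3, 10.0, 1.000, 1.004)
BENIGN = RREP("1", "10.0.0.2", 42, 1, 10.0, 1.000, 1.006)

if __name__ == "__main__":
    isolated = set()
    route = select_route([FORGED, BENIGN_MAX_SEQ, BENIGN], isolated)
    print(route.sender, sorted(isolated))
```

Lowering `required` to 1 reproduces the single-condition check the paper criticises: the benign reply with a maximal sequence number would then be discarded as well.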
