ABSTRACT. Communication is usually done through means of network where there is a lot of intrusion

Transcription

1 ABSTRACT Communication is usually done through means of network where there is a lot of intrusion included to it. In order to detect the misbehavior, there should an effective strategy, which is capable of detecting the kind of misbehavior in the network. Misbehavior in a network can be described as a node dropping the packets intentionally even though it has the capability of forwarding the packets, a node attracting the packets towards it making the source to believe that it has capability of forwarding the packets to the destination, degrading the over all performance of the network. It is always important to a network to be aware of the malicious activities going on in order to prevent and to avoid them. In this paper, solutions for detecting the misbehavior are proposed which involves Base Station. Few rules defined by Base Station can help in detecting the misbehavior of the network. The kind of possible attacks and the ways of detecting the misbehavior is shown in a simulated environment. 2

2 TABLE OF CONTENTS Abstract... 2 Table of Contents... 3 List of Figures Background and Rationale Delay Tolerant Networks Routing In Socially Selfish Delay Tolerant Networks A Practical Incentive Protocol Mitigating Routing Misbehavior In Mobile Ad Hoc Networks Trust Management and Adversary Detection for Delay Tolerant Networks A Secure Multilayer Credit-Based Incentive Scheme for Delay-Tolerant Networks Narrative Problem Statement Motivation Project Objective Functionalities of the Project Proposed System Design System Design and Architecture Use Case Diagram

3 3.3 Flow Diagram Environment ns2 Simulator Tcl/tk NAM C Linux Implementation Configuring Network Simulator Creating the Nodes in the Network Creating the Application Implementation of Proposed System Testing and Evaluation Test case 1 (DOS Attack) Test case 2 (Man in the Middle Attack) Test case 3 (Sinkhole Attack) Results Network Performance Conclusion and Future work References And Bibliography

4 LIST OF FIGURES Figure 1: System Design and Architecture Figure 2: Use Case Diagram- Detection System Figure 3: Flow Chart for Architecture Figure 4: Network Simulator With Nodes Configured Figure 5: Communication Between the Nodes Figure 6: Trace Files Figure 7: Showing User s Input for DOS Attack Figure 8: Communication Between Source and Destination Figure 9: Attacker Node Attacking Targeted Node Figure 10: BS Detecting Malicious Activity Figure 11: User s Input for Man in the Middle Attack Figure 12: Communication Between Source and Destination Figure 13: Man In the Middle Attack Figure 14: BS Detecting Malicious Activity Figure 15: Showing User s Input for Sinkhole Attack Figure 16: Source Communicating with Malicious Node Thinking it is Destination Figure 17: Malicious Node Accepting the Packets Figure 18: BS Giving Alert Figure 19: Packet Delivery Ratio for Man in the Middle Attack Figure 20: Throughput for Man in the Middle Attack

5 Figure 21: Packet Delivery Ratio for DOS Attack Figure 22: Throughput for DOS Attack

6 1. BACKGROUND AND RATIONALE 1.1 Delay-Tolerant Networks Delay-tolerant networks generally use intermittent nodes for transmission of messages or data as these are designed to operate on extreme distances. So, in the process of sending the data, these intermediate nodes may misbehave by dropping the packets intentionally or by any other means. Some of the nodes make use of the services provided by the network and forward the packets only to those nodes, which they are convenient with. Such nodes are called selfish nodes. Generally all nodes are inspected by a Trusted Authority to know which node is malicious and which is not. Contact history of nodes involved in the transmission is forwarded to the trusted authority to verify which node has misbehaved. Various solutions for detecting misbehavior in delay tolerant networks are discussed in this section Routing in Socially Selfish Delay Tolerant Networks Various solutions for detecting misbehavior in delay tolerant networks are discussed in this section. There can be a case where we can assume that most of the nodes forward the packets for others but there are many nodes that behave selfishly. They transfer packets to the nodes in order to build a social tie and thus misbehave. These nodes are willing to forward packets that have a good reputation and thus take advantage to build their strength of the interpersonal tie. There may be a case where the user is willing to forward the packet to a strong tie when compared to a weaker tie, which has resource constraints. This is called as social selfishness that influences the 7

7 node to behave tactically. The node which is responsible for forwarding the packets may not be willing to forward the packet to a node which has no social ties instead chooses a node which has received packets from nodes with stronger ties when resources are constrained. So there is a need to take in consideration for selfish nodes. An algorithm called Social Selfishness Aware Routing (SSAR) algorithm was introduced to assure a genuine delivery of packets to destination [1]. In this process, in order to ensure the packet reaches the destination through selfish nodes, buffers and bandwidth are set up near the nodes to make them popular since the nodes are selfish they forward packets through popular nodes so that they get social benefit. This algorithm considers both the users desire as well as the contact information in order to ensure better forwarding strategy. SSAR works by observing the node s desire and capability to forward the packet and thus reduces the packet drop rate. It uses a multiple knapsack problem with assignment restrictions that forward the packets for social selfishness and without any routing problems. Disadvantage: This algorithm is suitable only for selfish nodes and cannot be applied for other kind of problems in DTNs and there is only a single concept called selfishness is focused on. This algorithm may not provide full efficiency to a huge network because it has to provide buffers and broadcasts to the selected nodes. 1.3 A Practical Incentive Protocol The nodes in DTNs behave selfishly and this feature of DTN can be a problem to the network. Also, due to lack of contemporaneous path and variety of system conditions, it is difficult to predict the route of a packet before hand. To face these problems, a protocol was 8

8 introduced in which the packets can achieve a high delivery rate and low average delay [4]. Each packet is referred to as bundles of messages and an incentive [4] is attached to the packet. This incentive has the capability to forward the packets by attracting the nodes and thus satisfy the selfish behavior of the nodes. This incentive is not only attractive but also fair for all the other nodes in the network. In the reward model, intermediate nodes are given reward by the source node if the packets reach the destination. Disadvantage: With the proposed incentive protocol, there may be problems in the network. Because these may launch few attacks like free ride attack, layer removing and adding attacks, which can be launched by selfish nodes. 1.4 Mitigating Routing Misbehavior in Mobile Ad Hoc Networks Throughput of any ad hoc network is very important and may be the key factor to decide the efficiency of a network. There are two techniques through which the throughput of the network can be increased. WatchDog is used to identify the malicious/misbehaving nodes and PathRater helps routing algorithm [3] to know about these nodes. Through simulation they have observed that the use of these two techniques in a moderate ad hoc network increases the throughput by 17% in the presence of 40% misbehaving nodes and increasing the overhead transmission percentage from 9% to 17%, and during the extreme conditions it increases the throughput by 27% while increasing the overhead from 12% to 24%. These two techniques are used with Dynamic Source Routing (DSR) Algorithm to mitigate the misbehavior of nodes. In DSR, all the nodes are bidirectional and will have the list of all neighboring nodes corresponding to it. WatchDog uses an interesting mechanism of overhearing the packets that are being 9

9 forwarded by it to the next node, it waits and checks if the node is forwarding the packet to the correct node or instead dropping it. With the use of WatchDog each node maintains the rating for the neighboring nodes that in turn is used by PathRater to identify the misbehaving node. PathRater gets the nodes, which are not functioning as specified, and gives it to DSR that will eliminate the node/suspend it for some time. Disadvantage: DSR along with WatchDog has some disadvantages for example, it cannot detect the misbehavior of a node in Ambiguous Collisions, Receiver Collisions, network with low transmission power and partial dropping. The overhead increases very drastically with the use of PathRater and Watchdog. 1.5 Trust Management and Adversary Detection for Delay Tolerant Networks Delay Tolerant Networks play a major role in wireless communications. Due to the typical behavior of DTN s, it is a challenging task to ensure security of the network. Byzantine attacks are predominant and cause serious damage to the network in terms of data availability and latency. It differentiates from MANET s for the above characteristics and so the security mechanisms used for MANET s are not applicable for DTN s. Here a mechanism was proposed, which detects the malicious nodes and controls the network. The proposed model is Iterative Trust and Reputation Mechanism (ITRM) whose functionality is to analyze every node that evaluates the other node with past behavior. It uses a computational complexity that depends on the number of nodes; it computes the ratings/reputations of nodes without any central authority. The two main goals of ITRM are evaluating the service quality of nodes who provide service by taking into account the feedback provided by the nodes who use the services and calculating the 10

10 trustworthiness of the nodes by reviewing their feedback. In the trust mechanism, the most common attack is Bad-mouthing which means the malicious nodes give wrong feedback about other nodes in order to effect their rating and the other attack is Ballot stuffing wherein the nodes give more rating to the nodes which have less reputation. Disadvantage: Trust management may not always identifies the malicious nodes because it depends upon the nodes that provide ratings and it does not have any central authority to review the ratings provided by the nodes. 1.6 A Secure Multilayer Credit-Based Incentive Scheme for Delay-Tolerant Networks Delay Tolerant Networks are often called as opportunistic data forwarding networks, which means the intermediate nodes store, carry and forward the packets in the network. That means, all the nodes in the network should be efficient and willing to transfer the data, but often this is not the case because all nodes might not be good and few may be malicious/selfish. Here is a proposed secure multilayer credit based incentive scheme to address the data forwarding. SMART [2] uses a credit-based scheme, which provides incentives to the selfish nodes and tries to make it up to the other nodes data rate. One important and good feature about SMART is it allows the credits to be transferred within the network by the nodes without the involvement of the sender. This suits DTNs because the sender doesn't have the path in which the data is transferred. The sender or destination or any intermediate node carries out the credit-based scheme in different layers, which will be prescribed. The first layer is called base layer wherein the sender sets the rules or policies that are to be followed. The next layers will be created by the intermediate nodes by appending a non forgettable digital signature and this layer is called as 11

11 endorsed layer, which specifies that the forwarding nodes agrees to the service and the reward mechanisms used. Disadvantage: SMART has a unique approach to the problem but there are few catches here with the security of the network. It doesn't have any central system which keeps tracks of the nodes and there may be malicious nodes which may inject additional layers for its comfort and remove some of the important layers from the packets and effects the data packet rate tremendously. All these are similar kind of solutions that are used to analyze the packet flow and detect the misbehaving node in a network. These solutions have one or more flaws in them. So there is a need for a algorithm or protocol, which is sufficient enough to detect the misbehavior among nodes in a network. This project is about one of such solutions. A system is proposed where in the information about all the nodes is sent to a Base Station, which monitors the nodes in a network [7]. Few rules are defined by BS in order to detect the malicious activity in the network. By this method, misbehavior can be detected irrespective of the behavior of the node (selfish nodes). 12

12 2. NARRATIVE 2.1 Problem Statement The most common problem of every network is to achieve integrity without any overhead and at a reduced cost. Intermittent nodes in a network that are used in transferring the packets to destination sometimes cannot be trusted. That means nodes may misbehave either by dropping the packets intentionally or by sending the packets through other nodes those are not on the path to that destination. There were many solutions proposed but had disadvantages like routing overhead, which in turn creates cost overhead. So, there is a need to inspect and analyze the nodes that are misbehaving in DTNs and to avoid such problems and prevent the network from being attacked. 2.2 Motivation Due to the misbehavior of nodes, network performance can be degraded to a bad level. There may be serious attacks prone to the network because of these misbehaving selfish nodes. Gradually network providers are under a serious threat and users cannot find integrity and efficiency in the network. This is the reason for detecting misbehavior of nodes in the network. 2.3 Project Objective The main objective of the proposed system is to inspect all the nodes in a network through a Trusted Authority, which is responsible for collecting all the information regarding the nodes behavior. Existing traditional methods create an additional overhead to the network and consume more time and cost but could not provide an efficient way of detecting the misbehaving node. This protocol improves the efficiency of the network and this is done in a lower cost. 13

13 2.4 Functionalities of The Project The Base Station (BS) is a kind of authority, which looks after each and every node in the Delay Tolerant Networks. Information of all the nodes in a network is sent to the BS. Whenever an intermediate node is misbehaving by dropping packets, BS comes to know about it as it monitors the network. So, when the same node is dropping the packets more than the threshold value (which can be set) that node can be considered as malicious node. There can be many kinds of attacks that can target a network for different reasons. In few attacks, the aim of the malicious node is to drop the packets in between and not reach the destination. In some other attack like Sinkhole attack, the aim of the malicious node is to attract all the packets towards it and not allowing the destination to get any of the packets. 14

14 3. PROPOSED SYSTEM DESIGN The proposed system consists of a network with a misbehavior detection systems for secure transmission of data in DTNs. In this network, the base station has all the information about the nodes that are participating in the network. The base station is periodically judges the behavior of the nodes depending on the evidence collected from all the nodes that are involved in forwarding the packet/message. Advantages of the proposed system are: Ø It reduce the detection overhead, if the Probabilistic Misbehavior Detection Scheme without compromising the detection performance. Ø This method improves security as well as efficiency. Ø It reduces transmission overhead incurred by misbehavior detection and detects the malicious nodes effectively. 3.1 System Design and Architecture. Figure 1 shows the architecture of detecting malicious node in the network. It consists of three modules: Design of network Monitoring module Detection of malicious node module 15

15 Figure 1: System Design and Architecture A network is formed with a topology that is capable enough to monitor and detect the malicious nodes. A base station is used to for this purpose. It monitors all the activities that are taking place in the network. Source and destination nodes can be defined only after all the nodes in the network are created and configured. In the monitoring module, the module scans the network for any malicious activity. That means the network is screened for attacks and the base station keeps log of all the attacks. This is done at different layers of the network internally. Monitoring of the nodes is done before the attack as well as after the attack. In detection of malicious node module, the node that misbehaves is determined. For determining the malicious node, the network has to find the attacks and drawbacks, which matches the rules 16

16 processing. The node that matches the rules will be detected as the malicious node. The base station keeps log of nodes activity in the network. The rules can be as follows. The base station has to monitor each and every node It must maintain log of attacks for each node. If a node drops the packets or misbehaves in any other way, this information is updated to the base station. If the same node drops the packets more than three times, then the node is considered to be malicious. Three is set as the threshold value for each node to drop packets. 3.2 Use Case Diagram A use case diagram specifies the interaction of the system with the user. It defines the relationship between the user and the different use cases involved in the system. Figure 2: Use Case Diagram- Detection System 17

17 Use case activities: User starts the communication by selecting source and destination. Packets are sent over the network Base station monitors the network. Network is scanned for packet dropping near the nodes. If the packet is dropped for more than 3 times near a particular node and if the destination node has not received any packets from the source, then it is termed as malicious node. If there is no malicious activity in the network, packet reaches the destination successfully and process can be terminated. 3.3 Flow Diagram A flow diagram represents the flow of the project and relationship among the modules. The data is represented by using rectangles, squares etc., each showing a particular function. To represent the relation among these rectangles and squares, arrows are used. 18

18 Figure 3: Flow Chart for Architecture Figure 3 shows the flow of the project. First, communication is started among the nodes when user specifies the source and destination. To know that the communication has started, packets are sent from one node to the other. When these packets are being transmitted, the base station monitors all 19

19 the nodes before any attack takes place. When any suspicious activity is found, flow will be given to the detection module. However, the detection module checks how many times a particular node has dropped the packets or whether the destination has received the packets sent by the source. If a node drops the packets and reaches the threshold value (3), then that the node is detected to be malicious in that particular attack. If there is no loss of packets, communication continues as normal and comes to stop. That means, the receiver receives the packets sent by the sender without any packet loss in between. 3.4 Environment To run the project in a simulated environment, a simulator is needed. In this project, ns2 simulator is used to show how the network works. TCL/TK Tool Command Language is used to configure the nodes and set up the network. C++ is used to implement the required logic and protocol ns2 Simulator Network Simulator-2 (ns-2) is generally used to test and show how a network works. It provides wired and wireless communications over a network and also supports TCP, routing etc. It is used by many researches to implement and test their work, which depicts it on a real network [9]. Instead of manually creating a network and performing tests on it, a simulator is used to test the work and if it is successful then it can be implemented on a real network. Doing so can decrease the overhead, lot of time, cost and wastage of resources. The core of ns2 is written in C++ and the configuring the network environment in Tcl/tk. 20

20 3.4.2 tcl/tk Tcl is a simple tool command language that can be pronounced as tickle. It is mainly a scripting language created by John Ousterhout. Syntax is very simple and is easy to learn. It has all the features that are needed for implementing any program on a variety of platforms. Tk is a toolkit that is used for creating graphics using Tcl, which can be run on Windows, Mac OS X, and Linux systems. Tcl/tk can be used from many languages like C, Pearl, Ruby, and Python NAM NAM is a network animator used to show the animation required for simulation on a simulator. It is a Tcl/tk based animator tool used to keep track of all trace files and packet routing on a simulator. It supports packet tracing level animation, topology layout and various data inspection tools C++ C++ is a general purpose Object Oriented programming language. It can be used for programming in low-level purpose like in embedded systems or in system s kernel. It can also be used for developing web applications on servers and any kind of entertainment applications. In this project, C++ is used to write the program for the protocol to be implemented Linux Red Hat Linux operating system is required. Because Tcl language is supported only on Linux operating system. 21

21 4. IMPLEMENTATION 4.1 Configuring Network Simulator: The entire design of detecting the malicious system is implemented on the network simulator. The proposed system with three modules can be implemented on the simulator, which behaves in the similar way as in real time. Before implementing these modules, the simulator has to be configured with nodes and network. TCL scripting language is used to configure the nodes in the network Creating Nodes in the Network: Creation of nodes in the network is based on the communication protocol. Here TCP protocol is used for node communication. There should be a sender node and receiver node. TCP agent is the sender node and TCP sink is the receiver node that is capable of receiving the packets and to acknowledge the sender. Every network has a Base Station (BS) to monitor the activities of the nodes. So, before a node enters into a network, it has to register itself to the BS so that BS has the identity of each and every node in a network Creating the Application: CBR (Constant Bit Rate) is the traffic used to create the application. CBR is capable of transferring the packets at a constant rate between the sender and the receiver and with low latency traffic. This fits well with the network simulator so is used in this project. Figure 4 shows the nodes in a network simulator with the configurations defined as above. 22

22 Figure 4: Network Simulator With Nodes Configured Number of nodes in the network is of user s choice. That means variable number of nodes can be given as an input from the console. Source and destination nodes are of user s choice. Figure 5 shows the communication between the source and destination. Circles around the nodes show the communication among the nodes. 23

23 Figure 5: Communication Between The Nodes From Figure 5, it can be shown that source node 1 is communicating with the destination node 28 to send packets in the network simulator. 4.2 Implementation of the Proposed System: DoS Attack (Denial of Service): In order to find the malicious activity, attacks are created in the network. This attack mainly degrades the performance of the network. The malicious or the attacker node will flood the targeted node with unwanted requests and make it inactive so that it will not be able to handle the requests. Because of this there will not be proper communication to the destination. Since the attacked node is flooded with the requests, it will not 24

24 be able to make the service to the destination. Only because the attacker node is flooding a targeted node with unwanted hello requests, it cannot be said that the node is malicious. But here, to define few rules for the base station in order to detect the malicious activity, a threshold limit for receiving the packets was set. Man in the middle attack: This attack is introduced to find the malicious node, which is one of the intermediate nodes. In this attack, one of the intermediate nodes behaves maliciously by dropping packets that are intended for the destination. Sybil attack: In this attack the malicious node tries to attract all the traffic towards it that is intended for the destination. This malicious node will duplicate its identity by having the same IP address as the destination node. It can thus attract the traffic towards it and behaves maliciously. This is a kind of impersonation attack, which is named after a lady who had schizophrenia (a multiple personality disorder). Monitoring module: In this project, BS is involved in monitoring the network. In this module, BS monitors the activities by maintaining a routing table according to the AODV routing protocol. Whenever a new node wants to enter into the network, it has to first register to the BS. BS keeps all the entries in the routing table. This is implemented using new Reno protocol. It initializes the packet flow with minimum packets. When the source gets the Acknowledgement packets, then the packet flow is increased. It has the capability of controlling the packet flow when there is a malicious activity in the network. Intrusion detection module: This module is used to detect any malicious activity in the network. BS plays an important role in detecting the malicious activity going on in the network. DOS, Man in the middle and Sinkhole attacks are implemented to test the detection module. 25

25 Detection in DOS attack: Generally the attacker node tries to flood the targeted node with unwanted requests. BS that has all the information of the nodes such as node s IP address, MAC address, monitors the network. Whenever the BS finds out that a particular node is continuously sending the requests to another node, it records this information and suspects that some malicious activity is taking place in the network. Detection in Man in the middle attack: Whenever the source and destination are communicating, the malicious node or the hacker node tries to impersonate both the source and destination and gains access in the communication. This hacker node takes advantage of the packet flow and drops them in between making them unreachable to the destination. BS monitoring the network comes to know that a particular node is dropping packets continuously. So, whenever a node is dropping packets more that three times, BS comes to know that there is some malicious activity going on in the network. The number three is defined as the threshold value, rule defined by the BS. Detection in Sybil attack: The Hacker node tries to attract all the packets that are intended for the destination. In order to do so, hacker node tries to behave as destination and make the sender node believe that it is the destination node or it has the capability of forwarding the packets to the destination. So, before any communication takes place in the network, each and every node should register itself to the BS. So, BS has all the nodes IP address and MAC address that are present in the network. However the hacker node will register into the network (to attract all the traffic) with the same IP address as that of the destination node. When BS comes to know that two nodes are having the same IP address, it will give an alert saying that it has detected some malicious activity. 26

26 Whenever the simulation is started with any attack, data trace files are created which contains all the routing information of the nodes. Like which node is sending the request and which node is receiving the request and all. Normal man cannot read and understand the trace file. So simulation is shown on a network animator, which is exact depiction of the trace file which can be shown in Figure 6. Figure 6: Trace Files Limitations: While implementing the attacks, user has the ability to give number of nodes, source, destination, choice of the attack and the base station as the inputs from the console. Sometimes there will be segmentation fault while executing the program. This is because, when the user gives more number of nodes as input, these nodes may overlap on one another and user may not see the nodes on the animator clearly. This is kind of warning but the program runs fine. 27

27 5. TESTING AND EVALUATION Testing is very important in finding out the flaws if there are any in the project. Testing can be done by giving different inputs and analyzing the output. Generally in any given network, all the nodes will be communicating with each other. To test this project, different attacks are created in the network and BS will find out the malicious activity going on in the network. 5.1 Test Case 1 (DOS Attack): To test this attack, number of nodes, source, destination and base station can be given as input by the user. In this project, there are three attacks implemented. So the user has to give the choice of the attack as one of the inputs. In this project, the three attacks are defined as three choices: 1. DOS attack 2. Man in the middle attack 3. Sybil attack Figure 7: Showing User s Input for DOS Attack 28

28 As shown in Figure 7, number of nodes is set to 80, source, destination, choice of the attack and base station are given as inputs by the user. Communication takes place between the source and destination, which can be shown in the Figure 8 with the base station monitoring the traffic. Figure 8: Communication Between Source and Destination Before the communication starts, all the nodes register their identities to the destination. The attacker node will attack the targeted node. Here, the attacker node will target the source node as 29

29 shown in Figure 9 by continuously sending the request packets to it and makes the source flood with requests and thus degrade the performance of the network. Figure 9: Attacker Node Attacking Targeted Node 30

30 When the attacker node is continuously sending the request packets to the source, BS monitoring the traffic, suspects some malicious activity near the source that it is receiving many requests than it can handle and detects that a node is attacking the source and thus finds out the malicious activity in the network which is shown in Figure 10. Fig 10: BS Detecting Malicious Activity BS detects the malicious activity as described in the detection module of DOS attack. 31

31 5.2 Test Case 2 (Man in the middle attack): One of the intermediate nodes behaves maliciously and takes advantage of the packets and drops them to make the communication unreachable to the destination. As said above, user can enter the number of nodes, source node, destination node, choice of the attack (here for the man in the middle attack it is 2) and base station. Figure 11: User s Input for Man In The Middle Attack As shown in Figure 11, number of nodes is set to 50. Source, destination, choice of attack and the base station are given as input from the console. 32

32 Source starts communication by sending packets through some intermediate nodes to the destination, which is shown in Figure 12. Figure 12: Communication Between Source and Destination 33

33 When the packets are being transferred from source to destination, if there is a presence of malicious node in the path, that malicious node will drop the packets and thus make the packets unreachable to the destination. This malicious node is one of the intermediate nodes that participate in the communication. Figure 13: Man In The Middle Attack As shown in Figure 13, malicious node (intermediate node) is dropping the packets. 34

34 When the BS finds out that a node has dropped the packets more than three times, it comes to know that there is a malicious node in the network and detects that node that has dropped the packets. In Figure 14, it can be shown that BS has detected the malicious activity in the network. Figure 14: BS Detecting Malicious Activity 35

35 5.3 Test case 3 (Sybil attack): Malicious node attracts all the traffic towards it that is intended to the destination. The user can enter the number of nodes, source node, destination node, choice of the attack (here for the sybil attack it is 3) and base station, which can be shown in Figure 15. Figure 15: Showing User s Input for Sybil Attack 36

36 Source starts communication. Since the malicious node tries to attract all the packets towards it, source will be sending all the packets towards the malicious node thinking that it is the destination node. This scenario is shown in Figure 16. Figure 16: Source Communicating With Malicious Node Thinking it is Destination 37

37 As shown in Figure 17, it is clear that malicious node is taking all the packets that are intended for destination. Figure 17: Malicious Node Accepting the Packets 38

38 The base station, which has all the node s identities, recognizes that there are two entries with the same IP address and gives an alert that there is some malicious activity taking place in the network. This is shown in Figure 18. Figure 18: Base Station Giving Alert 39

39 6. RESULTS The following results are generated which are helpful in determining the performance of the network. Packet delivery ratio: Shows totally how many packets were delivered successfully. Throughput: Given a particular time, how many packets were delivered. 6.1 Network performance Figure 19: Packet Delivery Ratio for Man In The Middle Attack As shown in Figure 19, it is clear that packet delivery ratio is approximately 1.7%. Since the packets sent are 5099 but only 88 packets were received. 40

40 Figure 20: Throughput for Man In The Middle Attack Given the time intervals as 10 sec, throughput is calculated as shown in Figure 20. When the graph is down, it means very fewer packets were transferred. 41

41 Figure 21: Packet Delivery Ratio for DOS Attack Packet delivery ratio for DOS Attack is around 16%, which is shown in Figure 21. Packets sent are but only 2526 packets were received. 42

42 Figure 22: Throughput for DOS Attack Throughput for DOS attack is obtained for every 10 seconds. It seems to be very low since the DOS attack degrades the performance of the network by not allowing the communication between the source and destination. 43

43 7. CONCLUSION AND FUTURE WORK Detection of malicious node in a network is very important to avoid network crashes. In this project, malicious activity is determined with the help of base station. Rules described by the base station help in determining the malicious activities in the network. When these rules match any of the node s properties, then that node is considered as malicious node. Few attacks are launched in order to test the detection module and were successfully able to detect the attacks, which can be shown from the screenshots of the results. BS plays an important role in determining the behavior of the network. Performance of the network is also known using xgraph which is the graph representation of throughput and packet delivery ratio. This project works on static nodes. That means the nodes are not moving. The same project can be implemented on mobile nodes in future. In this project, in every attack, the base station is able to detect only one malicious node. In future, the base station can define efficient rules or there can be some protocol, which has the capability of detecting more number of malicious nodes in the network. 44

44 REFERENCES AND BIBLIOGRAPHY [1] Q. Li, S. Zhu, and G. Cao, Routing in Socially Selfish Delay- Tolerant Networks, Proc. IEEE INFOCOM 10, [2] H. Zhu, X. Lin, R. Lu, Y. Fan, and X. Shen, SMART: A Secure Multilayer Credit-Based Incentive Scheme for Delay-Tolerant Networks, IEEE Trans. Vehicular Technology, vol. 58, no. 8,pp , [3] Q. Li and G. Cao, Mitigating Routing Misbehavior in Disruption Tolerant Networks, IEEE Trans. Information Forensics and Security, vol. 7, no. 2, pp , Apr [4] R. Lu, X. Lin, H. Zhu, and X. Shen, Pi: A Practical Incentive Protocol for Delay Tolerant Networks, IEEE Trans. Wireless Comm., vol. 9, no. 4, pp , Apr [5] E. Ayday, H. Lee, and F. Fekri, Trust Management and Adversary Detection for Delay- Tolerant Networks, Proc. Military Comm. Conf. (Milcom 10), [6] F. Li, A. Srinivasan, and J. Wu, Thwarting Blackhole Attacks in Disruption-Tolerant Networks Using Encounter Tickets, IEEE INFOCOM, 2009 [7] Haojin Zhu, Member, IEEE, Suguo Du, Zhaoyu Gao, IEEE, Mianxiong Dong and Zhenfu Cao. A Probabilistic Misbehavior Detection Scheme toward Efficient Trust Establishment in Delay-Tolerant Networks, IEEE Transactions, Feb [8] H. Xia1 Z. Jia1 L. Ju1 Y. Zhu2 1. Trust management model for mobile ad hoc network based on analytic hierarchy process and fuzzy theory, IEEE IET-WSS , Dec [9] [10] GuoHongxing, "Design And Implementation of Network Information Security Early-Warning Control System", Computer Security, IEEE Conference, 2012 (02). 45