CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTION

Transcription

1 58 CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTION 4.1 INTRODUCTION TO SLBHAD The focus of this chapter is to detect and isolate Black Hole attack in the MANET (Khattak et al 2013). In order to do that, network layer parameter is considered. Initially, the Black Hole detection technique starts with the density based attack analyzer technique where it analyses the impact of Black Hole and Gray Hole attacks. In order to analyze these two attacks send fake RREP algorithm is used. Next, the network layer Black Hole attack detection technique is responsible for initializing Honeypot node. To implement the proposed SLBHAD technique, spoofed RREQ packets are generated by malicious node detection timer algorithm, sending spoofed RREQ algorithm, sending fake request algorithm are used. The Route Lookup in network layer technique is proposed to detect malicious node ids of the network. In order to implement this, modified route lookup algorithm is implemented. To isolate the Black Hole nodes from the network, the isolation in the network layer technique is used to isolate malicious node from the network. The isolated nodes are broadcasted throughout the network using broadcast packet technique. Various simulation parameters are used to implement this SLBHAD technique. The proposed technique is compared with other existing techniques in order to understand the efficiency of SLBHAD.

2 DENSITY BASED ATTACK ANALYZER The density based attack analyzer technique consists of two steps: 1) Attracting - where the nodes attract other nodes by falsely sending information in the communication 2) Invading - where the node invades the communication process and drops packets. The basic difference between these two attacks is that the Gray Hole attack (Min & Jiliu 2009) initially behaves like a normal node and participates in routing process. But after sometime it drops the packet like Black Hole node, whereas Black Hole attack drops all the packets. The simple flowchart for generating these attacks is shown in Figure 4.1. It depicts the proposed technique, which simulates and analyzes the Black Hole and Gray Hole attacks. Attracting Step Send Fake Reply Incoming Packets Yes AODV Protocol coordination Attack No Exit Determine routes Increase Sequence number Select route Invading step RREQ Packets Yes No Handle other Packets Figure 4.1 Simple Flowchart for Attack Generation

3 60 During the attracting step, the attacker has to identify whether the incoming packets are AODV packets. Then, the attacker determines the route, selects the routing process, and coordinates the routing, by sending RREQ packets. During the Invading step, the attacker starts increasing its DSN and itself advertises that it has the highest DSN compared to the other nodes in the network. Thus, it induces an attack by sending a fake reply to the nodes in the network. In order to simulate both the attacks, the existing AODV protocol is modified. The modification done in an existing AODV protocol, which creates attacks are discussed in section The following two functions are the most important one, in which a Black Hole or Gray Hole vulnerability can be introduced. AODV:: recv (Packet *p, Handler*) AODV:: recvrequest (Packet *p) The function AODV:: recv will be called for each and every packet arriving at that routing agent. If the packet is an AODV packet, it will be treated accordingly. Therefore, in this function, a routing agent can maliciously drop a packet during certain kinds of attacks. The function AODV:: recvrequest will be called receiving an AODV RREQ packet type AODVTYPE_RREQ. On receiving this RREQ message from any of the neighboring nodes, the routing agent will try to resolve the route and send a RREP message, if a route is available. The algorithm steps for analyzing and simulating the Black Hole and Gray Hole attacks are given in next section.

4 Algorithm for analyzing Black Hole and Gray Hole attack The algorithm is known as send fake RREP algorithm which is responsible for generating fake RREP packets in the network. Input: AODV RREQ packet. Output: Fake RREP packet. Step 1: If (AODV_Packet) { Step 2: If (RREQ) { // If it is a RRREQ packet Step 3: SendRouteReply; // Send normal reply Step 4:} else if (Black Hole Attack) { //Maliciously sending wrong route to generate Black Hole attack Step 5: SendFakeRouteReply; Step 6: } else if (Gray Hole Attack) { //Gray Hole will send a genuine reply initially Step 7: Resolve the Route; Step 8: SendRouteReply ;}}} //it is the packet I am forwarding Step 9: If {No Attack} { Step 10: Handle it in a Normal way Step 11: } else if (Black Hole Attack) { //Maliciously drop the packet Step 12: Drop the Packet Step 13: } else if (Gray Hole Attack) { //Maliciously drop the packet Step 14: Drop the Packet}}} This algorithm call the function AODV:: send Reply with appropriate parameters. Hence, an agent will try to send a fake reply for the

5 62 purpose of attacking a neighboring node, by giving wrong routing information; it calls AODV:: send Reply and passes wrong routing information to the requesting node. In the proposed implementation, a modified function AODV:: sendfakereply is used for the purpose of sending wrong information to simulate both attacks. 4.3 SLBHAD The proposed network layer Black Hole detection technique has been strongly influenced by the spoofing technique. In general, spoofing is a technique, where a computer or people pretend to be another by false data, and exploit the system in order to get illegitimate access. Wireless networks suffer from various types of spoofing, such as MAC spoofing, Web Spoofing, DNS (Domain Name System) Spoofing, Spoofing, IP Spoofing, and URL Spoofing. MAC Spoofing is a technique where the hacker changes the MAC address of a network interface. Web Spoofing is a technique where the reality of the browsing session significantly differs from the mental model of a sophisticated user and the attacker, misleading the victim of an online fraud. Spoofing is a technique where an is created with a forged sender address. Spam and phishing are such types of spoofing techniques, which are used to mislead the recipients. DNS Spoofing DNS Spoofing is a technique where an illegal data is injected into the DNS, which causes the server to return an incorrect IP address in order to divert the traffic to another computer.

6 63 IP Spoofing IP spoofing is used to gain unauthorized access to a network or computer, where a malicious attacker forcefully sends a forged IP address. The forged IP address indicates that the message comes from a trusted host. URL Spoofing is a technique in which the malicious user creates the fake or forged URL, which is exactly similar to the original and safe URL. The objective of this research work is to develop a novel technique which secures the network layer. In this work, no encryption or key exchange algorithm is used. Encryption or key exchange techniques are difficult to implement in MANET because of its dynamic nature. Instead, spoofed AODV RREQ packets are used to detect the Black Hole attack in the network. Figure 4.2 explains the SLBHAD architecture. The architecture consists of collecting network layer audit data from the network layer, malicious node detection layer, Route Lookup in the network layer, isolation in the network layer, and finally broadcasts the malicious Black Hole node id throughout the network. Initially, the detection process starts with analyzing the network layer audit data. The malicious node detection layer consists of initializing the Black Hole detector, where it consists of the Black Hole detector node or Honeypot node in the MANET which uses spoofed packets. When the Black Hole node detects the spoofed RREQ packets from the detector/honeypot node, the Black Hole node replies that it has the route to the particular destination address, which does not exist in reality.

7 SLBHAD Architecture Malicious Node Detection Layer Initialize Black Hole detector Route Lookup In Network Layer Lookup for Destination Isolation in Network Layer Update the Black Hole id in the list Network Layer Trace Data Broadcast Spoofed RREQ packets Check for reply from neighboring nodes Update routing table with Black Hole information Find the next shortest hop towards destination Verify the reply from routing table for non existence node Verify if the node id is existence Yes Do not use the Black Hole node Isolate the Black Hole node Broadcast Malicious Black Hole node id Repeat Figure 4.2 SLBHAD Architecture

8 65 After initializing the Black Hole detector node it broadcasts the spoofed RREQ packets (Figure 4.3), and waits for the reply from the neighbors. If any node replies to this message, then that node id is updated in the routing table. The Route Lookup in the network layer is responsible for updating the malicious node details. This layer verifies whether the reply is for non existence node id from the malicious node. Finally, the isolation in network layer updates the Black Hole details in the list, and broadcasts it to the network. Thus, the proposed technique acts as a Honeypot (Cristine et al 2008, Haifeng Wang & Qingkui Chen 2010) where a trap (spoofed RREQ packet) is set to detect the malicious node Spoofed RREQ Packet Structure As discussed in Chapter 1, the normal AODV RREQ packet consists of several fields, such as the destination IP address, DSN, originating IP address, originator DSN, and so on, while in normal routing, when a node broadcasts a RREQ, the TTL value is set up to a maximum value, because the lifetime of the active route is updated until it reaches the destination node. The destination IP address is another field which is used to indicate the node to which a route is desired. During the normal route discovery process, a valid destination ID and a TTL are assigned to the nodes. But in the proposed detection technique, during the communication process, initially the Black Hole detector node (Honeypot) sends spoofed RREQ packets. The spoofed RREQ packet contains invalid nonexistent DSN and a TTL of 1. By receiving this packet the Black Hole node replies that it has a valid route to the particular node.

9 66 Field Description F1 Other Fields of RREQ packet DSN Non Existent Address TTL 1 Figure 4.3 Spoofed RREQ Packets This malicious node id is stored by the Honeypot node, broadcast to all other nodes in the network and then, finally isolated from the other nodes. During the communication process, the RREQ messages generated by this malicious node id are ignored and normal communication takes place. The existing AODV does not have any types of security techniques which are proposed in this thesis. The algorithms are included to detect the malicious nodes in the AODV protocol in the proposed work. Initially, the malicious node detection timer is invoked, in order to initiate the spoofed RREQ. This spoofed RREQ invokes for a particular time interval. Hence, the proposed SLBHAD technique periodically invokes the timer function to detect attacks. This function also invokes the Send Spoofed Route Request (), which broadcasts spoofed RREQ messages to the neighboring nodes in the network. This algorithm invokes this function periodically. Hence this technique schedules the call for particular time interval. The proposed algorithms use the recursive functions to detect attacks. The Algorithm of the Malicious Node Detection Timer is given below:

10 67 Input Output : Routing layer Data : Malicious RREQ Data Step1: Function Malicious Node Detection Timer () Step 2: Begin //Start sending spoofed RREQ packets Step 3: SendSpoofedRouteRequest (); Step 4: Interval (Malicious Node Detection Interval + Jitter) // Schedule next call to this function at Interval Step 5: Step 6: Schedule (Malicious Node Detection Timer (), Interval) End. The above mentioned malicious node detection timer algorithm is used to initiate send spoofed route request technique by malicious node detection layer/ Honeypot node. The Algorithm for sending spoofed RREQ message is given below: Step 1: Function SendSpoofedRouteRequest () Step 2: Step 3: Begin aodv _rt_entry *rt; //Create a non existing IP address Step 4: Step 5: Network Address (Non Existing node id);- rt = rtable.rt _lookup (Network Address); Step 6: if (rt ==0) { Step 7: Step 8: Step 9: rt = rtable. rt _add (Network Address);} SendFakeRequest (Network Address); End

11 68 The above algorithm creates a non-existence IP address, by checking the routing table entry, and adding the nonexistent routing address to the routing table. Then, it broadcasts the spoofed RREQ packet to all the nodes in the network. Additionally, it calls another function which originally sends a fake request to all the nodes in the MANET. Hence this algorithm is responsible for creating non existing IP address by Honeypot node and initiates sends fake request. The algorithm which originally sends fake request is given below: Step 1: Step 2: Function SendFakeRequest (Network Address) Begin // Allocate a RREQ packet Step 3: Spoofed RREQ _ Packet Create_ Default_ RREQ _Packet () // Fill out the RREQ packet with Spoofed Info Step 4: Spoofed RREQ _ Packet->rq _TTL = 1; Step 5: Step 6: Step 7: Spoofed RREQ _Packet->dst = Network Address; Broadcast (Spoofed RREQ _Packet); End The above algorithm originally broadcasts a fake request to the nodes in the network. It sets the TTL value to the minimum, and broadcasts the fake RREQ packet. This fake request is received by all the neighbors in the network, which is used to detect Black Hole nodes. The Black Hole nodes receive this fake RREQ packet and responds. Other non malicious nodes do not reply for these fake RREQ packets because in the routing table of the non malicious nodes, the invalid DSN and TTL will not present.

12 Malicious Node Detection The malicious node detection technique is responsible for detecting the Black Hole nodes in the network. Initially, the Black Hole detector initializes the malicious node detection process. First, it broadcasts the spoofed RREQ packets. As discussed above, the spoofed RREQ packet contains the non existence source id and the TTL value set to 1. Then this spoofed RREQ packet is broadcast to all the other nodes in the network. The broadcasted Honeypot spoofed RREQ packet waits for the reply from the neighbor nodes. If any neighbor replies to this packet, those nodes are marked as Black Hole nodes in the routing table. The reason is, since the normal nodes which are not malicious will not reply to this spoofed RREQ packet. So the routing table updates this Black Hole node information by marking it as malicious Route Lookup in Network Layer In order to resolve the route, the AODV calls the modified Route Lookup function. This algorithm is very important, because it detects the Black Hole attacks by checking the node id. If the malicious node replies that, it has the route towards the non-existence node, then that vulnerable (Black Hole) node is marked as malicious. In order to find a Black Hole node, a detection flag is set on the routing table. If the detection flag is true then, it is observed that the malicious node id is marked. Thus, routing via the malicious node is avoided. The algorithm is known as the modified Route Lookup, where it verifies the non-existence node id. The steps are given below:

13 70 Input: Black Hole node data/normal node data Output: Return Non existence node id. Steps Step1: Function On _ Modified_ Route_ Lookup (Address) Step 2: Begin Step 3: Detection Flag (false) Step 4: R1 (Normal_ Route _Lookup (Non Existing node id) ; Step 5: if (R1 & R1->flags =RTF_id) { //There is a malicious node in the routing table Step 6: Detection Flag (true) Step 7: Malicious node id (R1->Next hop ;} Step 8: for all routes R in Routing Table do { // If the next hop of the returned route is via the // Non Existing Node then just ignore it Step 9: if (Detection Flag & R->next hop =Malicious node id) { //Next Hop is a Black Hole-Avoid the route Step 10: Continue ;} Step 11: if (R->DST =Id) then break ;} Step 12: return R; Step 13: End. The Route Lookup algorithm for the network layer is responsible for updating the reply from the neighbor nodes. The node which replies to the spoofed RREQ packet is identified as the Black Hole node. Then, the node is marked as malicious in RTF and this information is updated in the routing table. Hence the above route lookup algorithm is responsible which marks the malicious node ids in the routing table.

14 Isolation in Network Layer The isolation technique is responsible for isolating the malicious node from the network. This technique is important, because it prevents broadcasting routes via the malicious node. A flag is set as malicious, and the nodes which reply to the non-existence node id are marked as malicious. Input: Reply from Non existence node id. Output: Isolate Black Hole id. The algorithm steps for isolating the malicious Black Hole node are given below. Step 1: Step 2: Step 3: Step 4: Step 5: Function Isolate (Address) Begin Black Hole node id (false); If (reply is for non existence node) Black Hole node id (true); //Avoid route via the Black Hole node Step 6: End The above algorithm is used to isolate the routing via malicious Black Hole nodes. From the route lookup algorithm it gets the details of malicious Black Hole node id from the network and avoids routing via it by isolating these nodes Broadcast Packets Finally, in the broadcast packet, this technique is responsible for broadcasting the malicious node details in the network. This technique collects the details of the Black Hole node ids from the network, and broadcasts this information to the other nodes in the network. It gets the

15 72 malicious node id as input from a Route Lookup module and checks for the detection flag and the malicious node id flag. If both these flags are set true, then the node id is broadcasted to the network. Input: Black Hole node ids from Route Lookup module Output: Broadcast Black Hole node id. Algorithm steps for broadcasting malicious node id are given below: Step 1: Function broadcast (RTF_id) Step 2: Begin Step 3: for all nodes in the network { //If the node id is the Black Hole id Step 4: if (Detection Flag =True & Malicious node id=true) Step 5: Broadcast (Malicious node)} Step 6: End. 4.4 SIMULATION PARAMETERS The various performance metrics are used to analyze the Black Hole and Gray Hole attacks. PDF is useful metric where it signifies the number of packets send from source node to the destination node.nrl is used to know about the details of network load. If NRL is more it is observed that the network load is increased by generating control packets. EED is used to know how successfully the proposed technique works. For example, if EED is low it is observed that the malicious Black Hole nodes are isolated from the network. Hence the packet only travels through MANET. 1. PDF: The ratio of the data packets delivered to the destinations, to those generated by the Constant Bit Rate (CBR) sources, is known as the PDF.

16 73 2. NRL: The number of routing packets transmitted per data packet delivered at the destination. The hop wise transmission of a routing packet is counted as one transmission. 3. EED: This includes the time taken for a packet to be transmitted from the source node to the destination node. The delay can be due to queuing at the interface queue, latency, retransmission delays, and propagation and transfer times. 4. Overhead: Overhead is measured in terms of the total generated routing packets. It is the count of the total packet generated and forwarded at the network layer. 5. PDR: PDR is measured for totally dropped packets due to various reasons, such as poor wireless channel, malicious and intentional packet dropping. In order to do the simulation, the various initial parameters used for this simulation are given in Table 4.1. Since the experiments are conducted for MANET, the wireless channel is used as channel type. The radio propagation model is used to predict the behavior of radio wave propagation in MANET. In that, the two ray ground model predicts the line of sight component. The antenna type used is Omni directional antenna where it covers all directions from the antenna with varying degrees of coverage. Drop tail queue is used as a queue type because the packets are accepted till the queue is empty and the incoming packets are dropped when the queue become full. The random way point model is used as mobility model where it exhibits the movement of mobile users and the location changes over time.

17 74 Table 4.1 Simulation Environment Parameters Values Channel type Wireless Channel Radio-propagation model Two Ray Ground Model Antenna type Omni Antenna Interface queue type Drop Tail/Pri Queue MAC type Maximum packet in Queue 50 Topographical Area 600 x 600 sq.m Mobility scenario 10 m/s Pause time 20 sec Mobility Model Random Waypoint Model The parameters in Table 4.2 are used as traffic parameters. The traffic parameters are used to set the application and transport layer stuffs. The application layer traffic agent used in this thesis work is CBR. CBR is relating to the rate at which the output data consumed is constant. Table 4.2 Traffic Parameters Parameters Values Traffic Agent CBR Transport Agent User Datagram Protocol(UDP) Traffic Source 7 CBR Rate 10 kbps The following parameters in Table 4.3 are used as variable parameters. The proposed technique uses AODV protocol and various types of node densities. These parameters are considered as variable parameters.

18 75 Table 4.3 Variable Parameters Parameters Values Routing protocols Normal AODV AODV with Back Hole, Gray Hole 1,2,3 and 4 Number of Nodes 20,30,40,50, Density Based Attack Analyzer In this work, the analysis, and implementation of both the Black Hole and Gray Hole attacks are carried out. In order to clearly analyze and understand the attacks, the following techniques have been implemented: T1-Analysing normal AODV T2-Analysing Black Hole AODV attack T3-Analysing Gray Hole AODV attack T4-Comparison of the Black Hole AODV attack and the Gray Hole AODV attack For all the above techniques, various types of node densities are used in order to understand the behaviour of the attacks. Table 4.4 shows the performance of the normal AODV. In Technique T1, the experiments have been carried out without any attacking nodes, with varying node densities. T1-Analysing normal AODV In Table 4.4, all the measured values are tabulated in the case of the Normal AODV protocol. All the simulations are run 3 times, and the average values are tabulated

19 76 Table 4.4 Analysis on Normal AODV Protocol Nodes PDF NRL Routed Packets AODV Dropped Packets From the above Table 4.4, the following observations are made: Various node densities are considered such as 20, 30, 40, 50 and 60 The NRL shows an gradual increase, because of the increase in density of nodes The routed packets are increased Table 4.5 displays the performance of the Black Hole attack for the AODV under various network densities and performance metrics. T2-Analysing Black Hole AODV In Table 4.5, all the measured values in the case of the AODV protocol under the Black Hole attack are tabulated. All the simulations were run 3 times and the average value is tabulated. When the MANET consists of 10% of Black Hole node, the PDF for 20 nodes gets decreased from 97.60% to 67.73% When the MANET consists of 20% of Black Hole nodes, the NRL gets increased from 1.46 Kbps to 2.23 Kbps in the case of 60 normal nodes

20 77 When the MANET consists of three Black Hole nodes, the routed packets get decreased from 2399 packets/sec to packets/sec Finally, the PDR also increased from 87 packets/sec to 1387 packets/sec when the network consists of 60% Black Hole nodes in the network Table 4.5 Analysis of the Black Hole AODV Protocol Nodes PDF NRL Routed Packets Dropped Packets With Black Hole With Black Hole With Black Hole With Black Hole

21 78 T3-Analysing Gray Hole AODV In Table 4.6, all the measured values in the case of the AODV protocol under the Gray Hole attack are tabulated. All the simulations were run 3 times and the average value is tabulated When the MANET consists of 10% of Gray Hole node, the PDF for 20 nodes gets decreased from 97.60% to 88.57% When the MANET consists of 20% of Gray Hole nodes, the NRL gets increased from 1.46 Kbps to 1.74 Kbps in the case of 60 normal nodes When the MANET consists of 30% of Gray Hole nodes, the routed packets decreased from 620 packets/sec to 465 packets/sec. But for the other node densities, the Gray Hole node initially accepts all the packets, and starts forwarding them without dropping any packets. So the routed packets seem to have increased more, compared to the normal AODV without any attack. Finally, the PDR also increased for the Gray Hole attacks from 87 packets/sec to 303 packets/sec when the network consists of 60% Gray Hole nodes in the network Table 4.6 displays the performance of the Gray Hole attack for the AODV under various network densities and performance metrics.

22 79 Table 4.6 Analysis of the Gray Hole AODV Protocol Nodes PDF NRL Routing Packets Dropped Packets With Gray Hole With Gray Hole With Gray Hole With Gray Hole Analyzing the Impact of the Black Hole and Gray Hole Attacks The Figures in this section explain the impact of the Black Hole and Gray Hole attacks.

23 80 Figure 4.4 Numbers of Nodes vs. PDF for Black Hole Attacks Figure 4.4 depicts the scenario of the PDF for Black Hole attacks. A PDF is a standard measure of the throughput. The PDF for the normal AODV and AODV with the Black Hole attack is depicted in Figure 4.4. In general, without a malicious node, the AODV has a good PDF. From the results in Figure 4.4, the following observations can be drawn for Black Hole attacks. The PDF decreases with increasing node densities and percentage of Black Hole nodes In the case of the Black Hole AODV, with 10% of malicious nodes, the PDF decreases from 97.60% (0% malicious nodes) to 67.73% (10% malicious nodes), when the nodes are moving at a mobility of 10m/s With 40% of malicious nodes, the PDF falls from 97.60% to 39.17%

24 81 Figure 4.5 Numbers of Nodes vs. PDF for Gray Hole Attacks Hole attacks are: From the results in Figure 4.5, the observations drawn for the Gray The PDF decreases with increasing node densities, and percentage of Gray Hole nodes In the case of the Gray Hole AODV, with 10% malicious nodes, the PDF decreases from 97.60% (0% malicious nodes) to % (10% malicious nodes) when the nodes are moving at a mobility of 10m/s With 40% of malicious nodes, the PDF falls from 97.60% to 84.23%

25 82 Figure 4.6 Numbers of Nodes vs. NRL for Black Hole Attacks The NRL can be evaluated, based on messages like the RREQ and RREP, with the statistics of the number of routed packets to that of received packets. can be made: From the results in Figure 4.6 observations such as the following No constant trend is observed in the NRL In the case of the Black Hole AODV, the NRL shows an increase compared to normal AODV With 10% malicious nodes, the NRL increases from 0.38 Kbps to 1.75 Kbps. Likewise with 40% of malicious nodes, the NRL shows an increase from 0.38 Kbps to 2.26 Kbps

26 83 Figure 4.7 Numbers of Nodes vs. NRL for Gray Hole Attacks made: From the results of Figure 4.7 the following observations can be For Gray Hole attacks, no constant trend is observed in NRL for the Gray Hole attacks In the case of the Gray Hole AODV, the NRL shows an increase With 10% malicious nodes, the NRL increases from 0.38 Kbps to 0.41 Kbps; likewise, with 40% malicious nodes, the NRL shows an increase from 0.38 Kbps to 1.87 Kbps

27 84 Figure 4.8 Number of Nodes vs. Dropped packets for Black Hole Attacks The PDR is useful towards detecting packet drop attacks. From the results in Figure 4.8 the following observations can be made: The packet drop count increases with increasing node densities, and percentage of Black Hole nodes In the case of the Black Hole AODV, with 10% malicious nodes, the packet drop count increases from 73 packets/sec (0% malicious nodes) to 413 packets/sec (10% malicious nodes) when the nodes are moving at a mobility of 10m/s With 40% malicious nodes, the packet drop count has the steepest increase from 73 packets/sec to 1052 packets/sec

28 85 Figure 4.9 Number of Nodes vs. Dropped packets for Gray Hole Attacks drawn: From the results in Figure 4.9 the following observations can be The packet drop count increases with increasing node densities and percentage of Gray Hole nodes In the case of the Gray Hole AODV, with 10% malicious nodes, the packet drop count increases from 73 packets/sec (0% malicious nodes) to 595 packets/sec (10% malicious nodes) when the nodes are moving with the mobility of 10m/s With 40% malicious nodes, the packet drop count has the steepest increase from 43 packets/sec to 409 packets/sec

29 86 Figure 4.10 Numbers of Nodes vs. Overhead for Black Hole Attacks The Overhead is a useful metric for analyzing the extra bandwidth consumed to deliver data packets. From the results in Figure 4.10 the following observations can be drawn: The Overhead increases with increasing node densities and percentage of Black Hole nodes In the case of the Black Hole AODV, with 20% malicious nodes, the overhead increases

30 87 Figure 4.11 Numbers of Nodes vs. Overhead for Gray Hole Attacks made: From the results in Figure 4.11, the following observations can be The overhead increases with increasing node densities and percentage of Gray Hole nodes In the case of the Gray Hole AODV, with 20% malicious nodes, the overhead increases Comparing the Impact of the Black Hole and Gray Hole Attacks The impact of the Black Hole attack and Gray Hole attack is compared in this section. Figure 4.12, compares the PDF for the Black Hole and Gray Hole attacks in MANET. The PDF is significantly very less in the case of Black Hole attacks compared to the Gray Hole attacks.

31 88 Figure 4.12 Comparison of the PDF for Black Hole and Gray Hole Attacks Figure 4.13, shows the NRL for both the Black Hole and Gray Hole attacks. The Black Hole attack increases the routing load of the MANET compared to the Gray Hole attack. Figure 4.14 shows the PDR for the Black Hole and Gray Hole attacks. The AODV without any attack, the PDR is very minimal. But the PDR for the Black Hole attack is the maximum, when compared to the Gray Hole attacks. From the results the observation is that, compared to the Gray Hole attacks, the Black Hole attack causes more damage to the routing behaviour.

32 89 Figure 4.13 Comparison of the NRL Ratio for the Black Hole and Gray Hole Attacks Figure 4.14 Comparison of the PDR for the Black Hole and Gray Hole Attacks

33 90 As shown in Figures 4.12, 4.13, 4.14, the impacts of these two attacks are considered under various network attributes, and also compared in this work. Black Hole attacks are more vulnerable than Gray Hole attacks, because the PDR is high for the Black Hole attacks compared to the Gray Hole attacks; moreover the NRL also increases in the presence of Black Hole attacks compared to the Gray Hole attacks. When compared to the PDF, the delivery rate of the Black Hole attacks decreases compared to Gray Hole attacks, the routing packets also decreased in the presence of Black Hole attacks compared to that of Gray Hole attacks. Thus from the simulation results it is understood that the Black Hole attacks cause more damage to MANET compared to Gray Hole attacks. Hence, the solution to the Black Hole attack is considered in this research Simulation Study for Detecting and Isolating Black Hole Attacks The simulation results for detecting and isolating Black Hole attacks in MANETs are presented in this section. For each set of parameters, the simulations are repeated 3 times, and the averages of the results are calculated. The following parameters are considered for the experiments. 1. Normal AODV 2. AODV without any detection and Black Hole attacks 3. AODV with the proposed SLBHAD technique For experiment 1, the simulation runs for 3 times and the average is taken. For experiment 2, the simulation runs for 3 * 4 times (12 runs) (for 1, 2, 3 and 4 Black Holes) and the average is taken for every 3 runs. For experiment 3, the simulation runs for 3 * 4 times (12 runs) (for 1, 2, 3 and 4 Black Holes) and the average is taken for each 3 runs. So, totally the

34 91 simulations run 27 times to get the results shown in the next subsection. The scenario generator available in NS-2, is used for generating 3 scenarios (for three repetitions). In all the cases Nodes 0 to 7 are the CBR sources and node 7 to 13 are the sinks. Table 4.7 illustrates the AODV technique without any detection techniques (with malicious nodes) applied. Table 4.7 Analysis on AODV without any Detection technique Black Holes PDF NRL EED No. of Packets Sent Dropped Packets Table 4.8 illustrates the proposed SLBHAD technique with different network parameters. Table 4.8 Analysis on AODV with the proposed SLBHAD technique Black Holes PDF NRL EED No. of Packets Sent Dropped Packets From Tables 4.7, 4.8 the following observations are made:

35 92 i. With the plain AODV, the PDF has a steep fall from (0% malicious nodes) to 22.53% (40% malicious nodes). The proposed SLBHAD technique increases the PDF to 89% (1% malicious node). ii. iii. iv. Similar results are observed in the PDR. The drop ratio is reduced in the proposed SLBHAD technique. For the AODV without any attack, the drop ratio is 11% (0% malicious nodes). The number of packets sent has also increased with the proposed technique The EED is decreased when there are 40% malicious nodes in the network. This is because, the proposed detection technique detects and isolates the Black Hole nodes from the network. So the packets are routed only via normal nodes v. The Normalized routing packets are also greatly reduced with the proposed SLBHAD technique From the above results it is concluded, that the SLBHAD leads to a substantial improvement over the plain AODV, from the point of view of the PDF. The details are presented in Figure 4.15, where a comparison corresponding to 40% malicious nodes, with the PDF is given. The proposed SLBHAD technique has got a good PDF compared to the normal AODV. From the Figure 4.15 to Figure 4.20, the SLBHAD technique is denoted as Detection_With_PRS, where PRS denotes Periodic Request Sending.

36 93 Figure 4.15 Comparison of the PDF (40% Malicious Nodes) Figure 4.16 presents a comparison of the dropped packets in the presence of 40% malicious nodes. It is found that the proposed SLBHAD technique performs considerably better than the normal AODV. Figure 4.16 Comparison of the PDR (40% Malicious Nodes) The overhead can be measured, based on the number of transmissions of messages like RREQ, RREP, and RRER. The overhead increases with increasing percentage of malicious nodes for the plain AODV. The proposed technique consumes less amount of network resources.

37 94 Figure 4.17 Comparison of the Overhead (40% Malicious Nodes) Figure 4.17 provides a comparison of the overhead between the AODV and the proposed SLBHAD technique. The overhead is measured in terms of successfully received or forwarded packets at the routing layer. In general, an increase in the overhead signifies poor performance. Figure 4.18 Comparison of the NRL (30% Malicious Nodes)

38 95 Figure 4.19 Comparison of the NRL (40% Malicious Nodes) Figures 4.18 and 4.19 signify the performance of the NRL. Without a detection technique, the NRL increases slightly up to 30% Black Holes in the network. But after 30% the NRL increases exponentially, without detection. The proposed detection process uses the SLBHAD detection technique, and hence, there is a reduction in the NRL. Thus, the NRL reduces for the proposed SLBHAD technique. Figure 4.20 Comparison of the EED (40% Malicious Nodes) From Figure 4.20, the following inferences can be drawn. In general, the EED decreases, when the percentage of malicious nodes

39 96 increases. In the proposed SLBHAD technique, the EED decreases significantly, which indicates that the connection is established within the lower number of hops. That is, when there is a malicious node in the network, the proposed SLBHAD technique detects and isolates the malicious nodes from the network. Hence, the communication is only via the normal nodes. So, the EED is decreased. 4.5 COMPARING THE ACCURACY OF THE DETECTION TECHNIQUE Many research works have been carried out to secure the (Hu et al 2004, Hu et al 2005) AODV routing protocol. The proposed detection technique is compared with an existing single layer technique, which uses the DAODV protocol. They use the anomaly detection technique, which is based on the dynamic learning process. In their technique, they use path finding features and path abnormality features to detect the abnormality of the nodes. Table 4.9 displays the comparison of the DAODV with the proposed SLBHAD technique. Table 4.9 Analysis on DAODV Black Holes PDF NRL EED No. of Packets sent Dropped

40 97 Number of Nodes vs Packet Delivery Fraction Packet Delivery Fraction(%) Number of Nodes Figure 4.21 Comparison of the PDF (40% Malicious Nodes) Figure 4.21 illustrates the PDF for AODV without any detection techniques, and the DAODV with the SLBHAD technique. This technique is compared with varying node densities i.e. 50,100,150,200. From the above figure, it is observed that the PDF is better than in the existing DAODV and AODV without any detection techniques.

41 98 Number of Nodes vs Normalized Routing Load Figure 4.22 Comparison of the NRL (40% Malicious Nodes) Figure 4.22 illustrates the NRL for the AODV without any detection techniques, and the DAODV with the SLBHAD technique. This technique is compared with varying node densities, i.e. 50,100,150, and 200. The NRL is very much in the proposed SLBHAD technique compared to other existing techniques.

42 99 Number of Nodes vs End-to-End Delay End to-end Delay in sec Number of Nodes Figure 4.23 Comparison of EED (40% Malicious Nodes) The Figure 4.23 illustrates EED for AODV without any detection techniques, DAODV with SLBHAD technique. This technique is compared with varying node densities i.e., 50,100,150,200.The EED is very low in the proposed technique because, after the isolation of Black Hole nodes the packets only travel through normal nodes. In Figure 4.24 displays the numbers of packets send from source to destination node. The packets routed more compared to DAODV and AODV without any detection technique.

43 100 Number of Nodes vs Packets Sent Packets Sent Number of Nodes Figure 4.24 Comparison of the number of packets sent (40% Malicious Nodes) Number of Nodes vs Dropped Packets Dropped Packets Number of Nodes Figure 4.25 Comparison of the number of packets dropped (40% Malicious Nodes) Finally, Figure 4.25 displays the dropped packets in the network. The proposed SLBHAD technique drops a very minimal number of packets compared to the other two techniques.

44 SUMMARY In this chapter, a novel technique is proposed to detect and isolate the Black Hole attacks in MANETs. Initially, the density based attack analyzer is used to analyze the network performance, when the attacks occur. It is shown that the proposed SLBHAD technique improves the PDF compared to the existing techniques. Moreover, that the proposed technique reduces the NRL and EED. The existing AODV algorithm is modified, and has Honeypot concepts incorporated in it. The PDF for the proposed SLBHAD technique is 89.03%. The PDF for existing AODV technique is 67.73% and DAODV is 70.64%. From this it is observed that the proposed SLBHAD technique improves the PDF significantly. When the network contains 40% of Black Hole nodes, the NRL for AODV is , for DAODV NRL is , for the proposed SLBHAD the NRL is From this it is observed that the network load is very low in the proposed SLBHAD technique. When the network contains 10% of Black Hole nodes, the EED for AODV is sec, for DAODV EED is sec, for the proposed SLBHAD the EED is sec. From this it is known that the proposed SLBHAD technique has very low EED. Hence the proposed technique isolates Black Hole nodes and travels via normal nodes. The simulation results based on extensive experiments illustrate the novelty and the effectiveness of the proposed technique.