CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTION


4.1 INTRODUCTION TO SLBHAD

The focus of this chapter is to detect and isolate the Black Hole attack in the MANET (Khattak et al 2013). To do that, a network layer parameter is considered. The Black Hole detection technique starts with the density based attack analyzer technique, which analyses the impact of Black Hole and Gray Hole attacks; the send fake RREP algorithm is used to analyze these two attacks. Next, the network layer Black Hole attack detection technique is responsible for initializing the Honeypot node. To implement the proposed SLBHAD technique, spoofed RREQ packets are generated using the malicious node detection timer algorithm, the sending spoofed RREQ algorithm and the sending fake request algorithm. The Route Lookup in network layer technique is proposed to detect the malicious node ids of the network; it is implemented by a modified route lookup algorithm. The isolation in the network layer technique is used to isolate the Black Hole nodes from the network. The isolated nodes are broadcast throughout the network using the broadcast packet technique. Various simulation parameters are used to implement this SLBHAD technique. The proposed technique is compared with other existing techniques in order to understand the efficiency of SLBHAD.

4.2 DENSITY BASED ATTACK ANALYZER

The density based attack analyzer technique consists of two steps:

1) Attracting - where the nodes attract other nodes by falsely sending information in the communication
2) Invading - where the node invades the communication process and drops packets.

The basic difference between these two attacks is that the Gray Hole attack (Min & Jiliu 2009) initially behaves like a normal node and participates in the routing process, but after some time it drops packets like a Black Hole node, whereas the Black Hole attack drops all the packets. The simple flowchart for generating these attacks is shown in Figure 4.1. It depicts the proposed technique, which simulates and analyzes the Black Hole and Gray Hole attacks.

[Figure 4.1 Simple Flowchart for Attack Generation. Flowchart labels: Incoming Packets, AODV Protocol, RREQ Packets, Attracting Step, Determine routes, Select route, coordination, Invading step, Increase Sequence number, Send Fake Reply, Attack, Handle other Packets, Exit]

During the attracting step, the attacker has to identify whether the incoming packets are AODV packets. Then, the attacker determines the route, selects the routing process, and coordinates the routing by sending RREQ packets. During the invading step, the attacker starts increasing its DSN and advertises that it has the highest DSN compared to the other nodes in the network. Thus, it induces an attack by sending a fake reply to the nodes in the network.

In order to simulate both attacks, the existing AODV protocol is modified. The modifications made to the existing AODV protocol to create the attacks are discussed in Section 4.2.1. The following two functions are the most important ones, in which a Black Hole or Gray Hole vulnerability can be introduced:

    AODV::recv(Packet *p, Handler*)
    AODV::recvRequest(Packet *p)

The function AODV::recv is called for each and every packet arriving at the routing agent. If the packet is an AODV packet, it is treated accordingly. Therefore, in this function, a routing agent can maliciously drop a packet during certain kinds of attacks. The function AODV::recvRequest is called on receiving an AODV packet of type AODVTYPE_RREQ. On receiving this RREQ message from any of the neighboring nodes, the routing agent tries to resolve the route and sends a RREP message if a route is available. The algorithm steps for analyzing and simulating the Black Hole and Gray Hole attacks are given in the next section.

4.2.1 Algorithm for analyzing Black Hole and Gray Hole attack

The algorithm is known as the send fake RREP algorithm, and it is responsible for generating fake RREP packets in the network.

Input: AODV RREQ packet.
Output: Fake RREP packet.

    Step 1:  If (AODV_Packet) {
    Step 2:      If (RREQ) {                       // If it is a RREQ packet
    Step 3:          SendRouteReply;               // Send normal reply
    Step 4:      } else if (Black Hole Attack) {   // Maliciously sending wrong route to generate Black Hole attack
    Step 5:          SendFakeRouteReply;
    Step 6:      } else if (Gray Hole Attack) {    // Gray Hole will send a genuine reply initially
    Step 7:          Resolve the Route;
    Step 8:          SendRouteReply; } } }
                 // it is the packet I am forwarding
    Step 9:  If {No Attack} {
    Step 10:     Handle it in a Normal way
    Step 11: } else if (Black Hole Attack) {       // Maliciously drop the packet
    Step 12:     Drop the Packet
    Step 13: } else if (Gray Hole Attack) {        // Maliciously drop the packet
    Step 14:     Drop the Packet } } }

This algorithm calls the function AODV::sendReply with appropriate parameters. Hence, an agent that tries to send a fake reply in order to attack a neighboring node by giving wrong routing information calls AODV::sendReply and passes wrong routing information to the requesting node. In the proposed implementation, a modified function AODV::sendfakereply is used for the purpose of sending wrong information to simulate both attacks.

4.3 SLBHAD

The proposed network layer Black Hole detection technique has been strongly influenced by the spoofing technique. In general, spoofing is a technique in which a computer or person pretends to be another by presenting false data, and exploits the system in order to gain illegitimate access. Wireless networks suffer from various types of spoofing, such as MAC Spoofing, Web Spoofing, DNS (Domain Name System) Spoofing, Email Spoofing, IP Spoofing, and URL Spoofing.

MAC Spoofing is a technique where the hacker changes the MAC address of a network interface.

Web Spoofing is a technique where the reality of the browsing session differs significantly from the mental model that even a sophisticated user has of it, which lets the attacker mislead the victim of an online fraud.

Email Spoofing is a technique where an email is created with a forged sender address. Spam and phishing are types of email spoofing that are used to mislead the recipients.

DNS Spoofing is a technique where illegal data is injected into the DNS, which causes the server to return an incorrect IP address in order to divert the traffic to another computer.

IP Spoofing is used to gain unauthorized access to a network or computer, where a malicious attacker forcefully sends a forged IP address. The forged IP address indicates that the message comes from a trusted host.

URL Spoofing is a technique in which the malicious user creates a fake or forged URL that looks exactly like the original and safe URL.

The objective of this research work is to develop a novel technique which secures the network layer. In this work, no encryption or key exchange algorithm is used. Encryption or key exchange techniques are difficult to implement in MANET because of its dynamic nature. Instead, spoofed AODV RREQ packets are used to detect the Black Hole attack in the network.

Figure 4.2 explains the SLBHAD architecture. The architecture consists of collecting network layer audit data from the network layer, the malicious node detection layer, Route Lookup in the network layer, isolation in the network layer, and finally broadcasting the malicious Black Hole node id throughout the network. The detection process starts with analyzing the network layer audit data. The malicious node detection layer initializes the Black Hole detector, that is, the Black Hole detector node or Honeypot node in the MANET, which uses spoofed packets. When the Black Hole node detects the spoofed RREQ packets from the detector/Honeypot node, the Black Hole node replies that it has the route to the particular destination address, which does not exist in reality.

4.3.1 SLBHAD Architecture

[Figure 4.2 SLBHAD Architecture. Layers: Network Layer Trace Data, Malicious Node Detection Layer, Route Lookup In Network Layer, Isolation in Network Layer. Box labels: Initialize Black Hole detector; Broadcast Spoofed RREQ packets; Check for reply from neighboring nodes; Update routing table with Black Hole information; Lookup for Destination; Find the next shortest hop towards destination; Verify the reply from routing table for non existence node; Update the Black Hole id in the list; Verify if the node id is existence (Yes); Do not use the Black Hole node; Isolate the Black Hole node; Broadcast Malicious Black Hole node id; Repeat]

After the Black Hole detector node is initialized, it broadcasts the spoofed RREQ packets (Figure 4.3) and waits for the reply from the neighbors. If any node replies to this message, that node id is updated in the routing table. The Route Lookup in the network layer is responsible for updating the malicious node details. This layer verifies whether the reply from the malicious node is for a non-existent node id. Finally, the isolation in network layer updates the Black Hole details in the list, and broadcasts it to the network. Thus, the proposed technique acts as a Honeypot (Cristine et al 2008, Haifeng Wang & Qingkui Chen 2010) where a trap (the spoofed RREQ packet) is set to detect the malicious node.

4.3.2 Spoofed RREQ Packet Structure

As discussed in Chapter 1, the normal AODV RREQ packet consists of several fields, such as the destination IP address, DSN, originating IP address, originator DSN, and so on. In normal routing, when a node broadcasts a RREQ, the TTL value is set up to a maximum value, because the lifetime of the active route is updated until it reaches the destination node. The destination IP address is another field, which is used to indicate the node to which a route is desired. During the normal route discovery process, a valid destination ID and a TTL are assigned to the nodes. In the proposed detection technique, however, the Black Hole detector node (Honeypot) initially sends spoofed RREQ packets during the communication process. The spoofed RREQ packet contains an invalid, nonexistent DSN and a TTL of 1. On receiving this packet, the Black Hole node replies that it has a valid route to the particular node.

| Field | Description |
|---|---|
| F1 ... | Other Fields of RREQ packet |
| DSN | Non Existent Address |
| TTL | 1 |

Figure 4.3 Spoofed RREQ Packets

This malicious node id is stored by the Honeypot node, broadcast to all other nodes in the network and then, finally, isolated from the other nodes. During the communication process, the RREQ messages generated by this malicious node id are ignored and normal communication takes place.

The existing AODV does not have any of the security techniques proposed in this thesis. In the proposed work, algorithms are added to the AODV protocol to detect the malicious nodes. Initially, the malicious node detection timer is invoked in order to initiate the spoofed RREQ. The spoofed RREQ is issued at a particular time interval. Hence, the proposed SLBHAD technique periodically invokes the timer function to detect attacks. This function also invokes Send Spoofed Route Request (), which broadcasts spoofed RREQ messages to the neighboring nodes in the network. The algorithm invokes this function periodically; hence the technique schedules the call for a particular time interval. The proposed algorithms use recursive functions to detect attacks. The algorithm of the Malicious Node Detection Timer is given below:

Input: Routing layer Data
Output: Malicious RREQ Data

    Step 1: Function Malicious Node Detection Timer ()
    Step 2: Begin
            // Start sending spoofed RREQ packets
    Step 3: SendSpoofedRouteRequest ();
    Step 4: Interval = Malicious Node Detection Interval + Jitter
            // Schedule next call to this function at Interval
    Step 5: Schedule (Malicious Node Detection Timer (), Interval)
    Step 6: End.

The malicious node detection timer algorithm above is used by the malicious node detection layer/Honeypot node to initiate the send spoofed route request technique. The algorithm for sending the spoofed RREQ message is given below:

    Step 1: Function SendSpoofedRouteRequest ()
    Step 2: Begin
    Step 3: aodv_rt_entry *rt;
            // Create a non existing IP address
    Step 4: Network Address = Non Existing node id;
    Step 5: rt = rtable.rt_lookup (Network Address);
    Step 6: if (rt == 0) {
    Step 7:     rt = rtable.rt_add (Network Address); }
    Step 8: SendFakeRequest (Network Address);
    Step 9: End

The above algorithm creates a non-existent IP address by checking the routing table entry and adding the nonexistent routing address to the routing table. Then, it broadcasts the spoofed RREQ packet to all the nodes in the network. To do so, it calls another function, which actually sends the fake request to all the nodes in the MANET. Hence this algorithm is responsible for creating the non-existing IP address at the Honeypot node and for initiating the send fake request step. The algorithm which actually sends the fake request is given below:

    Step 1: Function SendFakeRequest (Network Address)
    Step 2: Begin
            // Allocate a RREQ packet
    Step 3: Spoofed_RREQ_Packet = Create_Default_RREQ_Packet ()
            // Fill out the RREQ packet with Spoofed Info
    Step 4: Spoofed_RREQ_Packet->rq_TTL = 1;
    Step 5: Spoofed_RREQ_Packet->dst = Network Address;
    Step 6: Broadcast (Spoofed_RREQ_Packet);
    Step 7: End

The above algorithm actually broadcasts the fake request to the nodes in the network. It sets the TTL value to the minimum, and broadcasts the fake RREQ packet. This fake request is received by all the neighbors in the network, and it is used to detect Black Hole nodes. The Black Hole nodes receive this fake RREQ packet and respond. Other non-malicious nodes do not reply to these fake RREQ packets because, in the routing table of the non-malicious nodes, the invalid DSN and TTL will not be present.

4.3.3 Malicious Node Detection

The malicious node detection technique is responsible for detecting the Black Hole nodes in the network. Initially, the Black Hole detector initializes the malicious node detection process. First, it broadcasts the spoofed RREQ packets. As discussed above, the spoofed RREQ packet contains the non-existent source id and the TTL value set to 1. This spoofed RREQ packet is then broadcast to all the other nodes in the network. After broadcasting the spoofed RREQ packet, the Honeypot waits for the reply from the neighbor nodes. If any neighbor replies to this packet, that node is marked as a Black Hole node in the routing table. The reason is that normal nodes, which are not malicious, will not reply to this spoofed RREQ packet. So the routing table updates this Black Hole node information by marking it as malicious.

4.3.4 Route Lookup in Network Layer

In order to resolve the route, the AODV calls the modified Route Lookup function. This algorithm is very important, because it detects the Black Hole attacks by checking the node id. If the malicious node replies that it has the route towards the non-existent node, then that vulnerable (Black Hole) node is marked as malicious. In order to find a Black Hole node, a detection flag is set on the routing table. If the detection flag is true, the malicious node id has been marked. Thus, routing via the malicious node is avoided. The algorithm is known as the modified Route Lookup, and it verifies the non-existent node id. The steps are given below:

Input: Black Hole node data/normal node data
Output: Return Non existence node id.

Steps

    Step 1:  Function On_Modified_Route_Lookup (Address)
    Step 2:  Begin
    Step 3:  Detection Flag = false
    Step 4:  R1 = Normal_Route_Lookup (Non Existing node id);
    Step 5:  if (R1 & R1->flags = RTF_id) {
                 // There is a malicious node in the routing table
    Step 6:      Detection Flag = true
    Step 7:      Malicious node id = R1->Next hop; }
    Step 8:  for all routes R in Routing Table do {
                 // If the next hop of the returned route is via the
                 // Non Existing Node then just ignore it
    Step 9:      if (Detection Flag & R->next hop = Malicious node id) {
                     // Next Hop is a Black Hole - Avoid the route
    Step 10:         Continue; }
    Step 11:     if (R->DST = Id) then break; }
    Step 12: return R;
    Step 13: End.

The Route Lookup algorithm for the network layer is responsible for updating the reply from the neighbor nodes. The node which replies to the spoofed RREQ packet is identified as the Black Hole node. Then, the node is marked as malicious in RTF and this information is updated in the routing table. Hence the above route lookup algorithm is responsible for marking the malicious node ids in the routing table.
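The honeypot probe, the hand-off of flagged ids and the modified route lookup described in Sections 4.3.1 to 4.3.4, as an added C++ example that is not the thesis author's code or NS-2 code. The Neighbour, RoutingAgent and Route types, the address 9999 and the sample topology are assumptions constructed for illustration, and returning the shortest surviving route is this example's choice.

```cpp
// Added illustration: toy model of the SLBHAD honeypot probe, isolation list
// and modified route lookup. Every type and name is hypothetical (not NS-2 code).
#include <cstdint>
#include <iostream>
#include <set>
#include <vector>

using NodeId = int;
const NodeId NON_EXISTING_ID = 9999;  // assumed: an address no node in the network owns

struct Rreq { NodeId origin; NodeId dst; int ttl; };
struct Rrep { NodeId replier; NodeId dst; std::uint32_t dst_seq; };
struct Route { NodeId dst; NodeId next_hop; int hops; };

// A one-hop neighbour. An honest node answers a RREQ only for itself or for a
// destination it has a route to; a Black Hole claims a fresh route to anything.
struct Neighbour {
    NodeId id;
    bool black_hole;
    std::set<NodeId> known_dsts;

    bool on_rreq(const Rreq& q, Rrep& out) const {
        if (black_hole) {  // fake reply advertising the highest sequence number
            out = Rrep{id, q.dst, 0xFFFFFFFFu};
            return true;
        }
        if (id == q.dst || known_dsts.count(q.dst)) {
            out = Rrep{id, q.dst, 1};
            return true;
        }
        return false;  // no route and TTL is 1, so the request dies here
    }
};

class RoutingAgent {
public:
    // Honeypot side: probe for a nonexistent destination with TTL 1 and
    // flag every neighbour that claims a route to it.
    void probe(const std::vector<Neighbour>& neighbours) {
        const Rreq spoofed = {self_, NON_EXISTING_ID, 1};
        for (const Neighbour& n : neighbours) {
            Rrep rep;
            if (n.on_rreq(spoofed, rep) && rep.dst == NON_EXISTING_ID)
                blacklist_.insert(rep.replier);
        }
    }
    // Receiver side of the broadcast: merge the ids flagged by the honeypot.
    void learn(const std::set<NodeId>& flagged) {
        blacklist_.insert(flagged.begin(), flagged.end());
    }
    // Modified route lookup: skip routes whose next hop is blacklisted and
    // return the shortest remaining one (nullptr if none is left).
    const Route* lookup(const std::vector<Route>& table, NodeId dst) const {
        const Route* best = nullptr;
        for (const Route& r : table) {
            if (r.dst != dst || blacklist_.count(r.next_hop)) continue;
            if (!best || r.hops < best->hops) best = &r;
        }
        return best;
    }
    const std::set<NodeId>& blacklist() const { return blacklist_; }

private:
    NodeId self_ = 0;
    std::set<NodeId> blacklist_;
};

struct DemoResult {
    std::set<NodeId> flagged;
    NodeId next_hop_to_7;
    bool has_route_to_8;
};

// Constructed scenario: neighbours 1 and 3 are honest, neighbour 2 is a Black Hole.
DemoResult run_demo() {
    std::vector<Neighbour> neighbours = {
        {1, false, {7}}, {2, true, {}}, {3, false, {7, 8}}};
    std::vector<Route> table = {
        {7, 2, 1},  // attractive 1-hop route advertised by the Black Hole
        {7, 1, 3},
        {7, 3, 2},
        {8, 2, 1}};  // the only route to node 8 runs through the Black Hole

    RoutingAgent honeypot, peer;
    honeypot.probe(neighbours);
    peer.learn(honeypot.blacklist());  // broadcast of the malicious node ids

    DemoResult res;
    res.flagged = honeypot.blacklist();
    const Route* to7 = peer.lookup(table, 7);
    res.next_hop_to_7 = to7 ? to7->next_hop : -1;
    res.has_route_to_8 = peer.lookup(table, 8) != nullptr;
    return res;
}

int main() {
    DemoResult r = run_demo();
    for (NodeId id : r.flagged) std::cout << "flagged Black Hole: " << id << "\n";
    std::cout << "next hop to 7: " << r.next_hop_to_7 << "\n";
    std::cout << "route to 8 available: " << (r.has_route_to_8 ? "yes" : "no") << "\n";
    return 0;
}
```

The last route in the sample table shows the cost of isolation: a destination reachable only through a flagged node has no usable route until a new discovery finds another path.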

4.3.5 Isolation in Network Layer

The isolation technique is responsible for isolating the malicious node from the network. This technique is important, because it prevents broadcasting routes via the malicious node. A flag is set as malicious, and the nodes which reply to the non-existent node id are marked as malicious.

Input: Reply from Non existence node id.
Output: Isolate Black Hole id.

The algorithm steps for isolating the malicious Black Hole node are given below.

    Step 1: Function Isolate (Address)
    Step 2: Begin
    Step 3: Black Hole node id = false;
    Step 4: If (reply is for non existence node)
    Step 5:     Black Hole node id = true;
            // Avoid route via the Black Hole node
    Step 6: End

The above algorithm is used to isolate routing via malicious Black Hole nodes. It gets the details of the malicious Black Hole node ids from the route lookup algorithm and avoids routing via them by isolating these nodes.

4.3.6 Broadcast Packets

Finally, the broadcast packet technique is responsible for broadcasting the malicious node details in the network. This technique collects the details of the Black Hole node ids from the network, and broadcasts this information to the other nodes in the network. It gets the malicious node id as input from the Route Lookup module and checks the detection flag and the malicious node id flag. If both these flags are set to true, then the node id is broadcast to the network.

Input: Black Hole node ids from Route Lookup module
Output: Broadcast Black Hole node id.

The algorithm steps for broadcasting the malicious node id are given below:

    Step 1: Function broadcast (RTF_id)
    Step 2: Begin
    Step 3: for all nodes in the network {
                // If the node id is the Black Hole id
    Step 4:     if (Detection Flag = True & Malicious node id = true)
    Step 5:         Broadcast (Malicious node) }
    Step 6: End.

4.4 SIMULATION PARAMETERS

Various performance metrics are used to analyze the Black Hole and Gray Hole attacks. PDF is a useful metric that signifies the number of packets sent from the source node to the destination node. NRL is used to know about the details of the network load. If NRL is high, it is observed that the network load is increased by the generated control packets. EED is used to know how successfully the proposed technique works. For example, if EED is low, it is observed that the malicious Black Hole nodes are isolated from the network. Hence the packet only travels through MANET.

1. PDF: The ratio of the data packets delivered to the destinations to those generated by the Constant Bit Rate (CBR) sources is known as the PDF.

2. NRL: The number of routing packets transmitted per data packet delivered at the destination. The hop-wise transmission of a routing packet is counted as one transmission.

3. EED: This includes the time taken for a packet to be transmitted from the source node to the destination node. The delay can be due to queuing at the interface queue, latency, retransmission delays, and propagation and transfer times.

4. Overhead: Overhead is measured in terms of the total generated routing packets. It is the count of the total packets generated and forwarded at the network layer.

5. PDR: PDR is measured as the total packets dropped for various reasons, such as a poor wireless channel and malicious, intentional packet dropping.

The initial parameters used for this simulation are given in Table 4.1. Since the experiments are conducted for MANET, the wireless channel is used as the channel type. The radio propagation model is used to predict the behavior of radio wave propagation in MANET. In that, the two ray ground model predicts the line of sight component. The antenna type used is the Omni directional antenna, which covers all directions from the antenna with varying degrees of coverage. Drop tail queue is used as the queue type because packets are accepted until the queue is full, after which incoming packets are dropped. The random way point model is used as the mobility model; it exhibits the movement of mobile users and how their location changes over time.

Table 4.1 Simulation Environment

| Parameters | Values |
|---|---|
| Channel type | Wireless Channel |
| Radio-propagation model | Two Ray Ground Model |
| Antenna type | Omni Antenna |
| Interface queue type | Drop Tail/Pri Queue |
| MAC type | 802.11 |
| Maximum packet in Queue | 50 |
| Topographical Area | 600 x 600 sq.m |
| Mobility scenario | 10 m/s |
| Pause time | 20 sec |
| Mobility Model | Random Waypoint Model |

The parameters in Table 4.2 are used as traffic parameters. The traffic parameters are used to set the application and transport layer settings. The application layer traffic agent used in this thesis work is CBR. CBR means that the rate at which the output data is consumed is constant.

Table 4.2 Traffic Parameters

| Parameters | Values |
|---|---|
| Traffic Agent | CBR |
| Transport Agent | User Datagram Protocol (UDP) |
| Traffic Source | 7 |
| CBR Rate | 10 kbps |

The parameters in Table 4.3 are used as variable parameters. The proposed technique uses the AODV protocol and various node densities. These parameters are considered as variable parameters.

Table 4.3 Variable Parameters

| Parameters | Values |
|---|---|
| Routing protocols | Normal AODV; AODV with Black Hole, Gray Hole 1, 2, 3 and 4 |
| Number of Nodes | 20, 30, 40, 50, 60 |

4.4.1 Density Based Attack Analyzer

In this work, the analysis and implementation of both the Black Hole and Gray Hole attacks are carried out. In order to clearly analyze and understand the attacks, the following techniques have been implemented:

T1-Analysing normal AODV
T2-Analysing Black Hole AODV attack
T3-Analysing Gray Hole AODV attack
T4-Comparison of the Black Hole AODV attack and the Gray Hole AODV attack

For all the above techniques, various node densities are used in order to understand the behaviour of the attacks. Table 4.4 shows the performance of the normal AODV. In Technique T1, the experiments have been carried out without any attacking nodes, with varying node densities.

T1-Analysing normal AODV

In Table 4.4, all the measured values are tabulated for the case of the Normal AODV protocol. All the simulations are run 3 times, and the average values are tabulated.

Table 4.4 Analysis on Normal AODV Protocol

| | Nodes | PDF | NRL | Routed Packets | Dropped Packets |
|---|---|---|---|---|---|
| AODV | 20 | 97.60 | 0.38 | 620.33 | 73 |
| | 30 | 97.97 | 0.61 | 1008.67 | 65 |
| | 40 | 98.30 | 0.65 | 1079.67 | 43 |
| | 50 | 98.40 | 0.73 | 1206.67 | 38 |
| | 60 | 96.77 | 1.46 | 2399.00 | 87 |

From Table 4.4, the following observations are made:

- Various node densities are considered, such as 20, 30, 40, 50 and 60
- The NRL shows a gradual increase, because of the increase in the density of nodes
- The routed packets are increased

Table 4.5 displays the performance of the Black Hole attack for the AODV under various network densities and performance metrics.

T2-Analysing Black Hole AODV

In Table 4.5, all the measured values in the case of the AODV protocol under the Black Hole attack are tabulated. All the simulations were run 3 times and the average value is tabulated.

- When the MANET consists of 10% of Black Hole node, the PDF for 20 nodes gets decreased from 97.60% to 67.73%
- When the MANET consists of 20% of Black Hole nodes, the NRL gets increased from 1.46 Kbps to 2.23 Kbps in the case of 60 normal nodes

- When the MANET consists of three Black Hole nodes, the routed packets get decreased from 2399 packets/sec to 1304.67 packets/sec
- Finally, the PDR also increased from 87 packets/sec to 1387 packets/sec when the network consists of 60% Black Hole nodes in the network

Table 4.5 Analysis of the Black Hole AODV Protocol

| | Nodes | PDF | NRL | Routed Packets | Dropped Packets |
|---|---|---|---|---|---|
| With Black Hole 1 | 20 | 67.73 | 0.45 | 493.33 | 590 |
| | 30 | 54.13 | 1.12 | 938.00 | 796 |
| | 40 | 67.53 | 0.91 | 1003.67 | 588 |
| | 50 | 65.03 | 1.18 | 1323.00 | 603 |
| | 60 | 79.23 | 1.75 | 2355.33 | 413 |
| With Black Hole 2 | 20 | 44.13 | 0.72 | 430.00 | 983 |
| | 30 | 35.17 | 1.17 | 652.00 | 1125 |
| | 40 | 53.83 | 1.03 | 893.67 | 821 |
| | 50 | 57.87 | 1.30 | 1097.00 | 707 |
| | 60 | 54.00 | 2.23 | 1724.33 | 820 |
| With Black Hole 3 | 20 | 26.87 | 1.01 | 445.67 | 1271 |
| | 30 | 19.93 | 1.79 | 596.67 | 1381 |
| | 40 | 39.50 | 1.61 | 731.67 | 1057 |
| | 50 | 27.07 | 2.24 | 839.00 | 1246 |
| | 60 | 48.60 | 1.69 | 1304.67 | 897 |
| With Black Hole 4 | 20 | 22.53 | 110.7 | 350.67 | 1350 |
| | 30 | 11.73 | 6.03 | 563.00 | 1523 |
| | 40 | 20.13 | 5.33 | 764.00 | 1387 |
| | 50 | 17.00 | 3.30 | 933.33 | 1413 |
| | 60 | 39.17 | 2.26 | 1338.67 | 1052 |

T3-Analysing Gray Hole AODV

In Table 4.6, all the measured values in the case of the AODV protocol under the Gray Hole attack are tabulated. All the simulations were run 3 times and the average value is tabulated.
- When the MANET consists of 10% of Gray Hole node, the PDF for 20 nodes decreases from 97.60% to 88.57%
- When the MANET consists of 20% of Gray Hole nodes, the NRL increases from 1.46 Kbps to 1.74 Kbps in the case of 60 normal nodes
- When the MANET consists of 30% of Gray Hole nodes, the routed packets decreased from 620 packets/sec to 465 packets/sec. But for the other node densities, the Gray Hole node initially accepts all the packets, and starts forwarding them without dropping any packets. So the routed packets seem to have increased, compared to the normal AODV without any attack.
- Finally, the PDR also increased for the Gray Hole attacks from 87 packets/sec to 303 packets/sec when the network consists of 60% Gray Hole nodes

Table 4.6 displays the performance of the Gray Hole attack for the AODV under various network densities and performance metrics.

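Table 4.6 Analysis of the Gray Hole AODV Protocol

| | Nodes | PDF | NRL | Routing Packets | Dropped Packets |
|---|---|---|---|---|---|
| With Gray Hole 1 | 20 | 88.57 | 00.41 | 595.00 | 226 |
| With Gray Hole 1 | 30 | 89.10 | 00.72 | 1075.00 | 227 |
| With Gray Hole 1 | 40 | 88.13 | 00.74 | 1084.67 | 231 |
| With Gray Hole 1 | 50 | 98.40 | 00.73 | 1206.67 | 38 |
| With Gray Hole 1 | 60 | 96.77 | 10.46 | 2399.00 | 87 |
| With Gray Hole 2 | 20 | 84.83 | 0.40 | 551.33 | 283 |
| With Gray Hole 2 | 30 | 80.57 | 0.79 | 1083.00 | 373 |
| With Gray Hole 2 | 40 | 80.70 | 0.80 | 1076.00 | 355 |
| With Gray Hole 2 | 50 | 96.87 | 0.83 | 1357.00 | 67 |
| With Gray Hole 2 | 60 | 88.87 | 1.74 | 2594.00 | 227 |
| With Gray Hole 3 | 20 | 76.80 | 0.36 | 465.00 | 434 |
| With Gray Hole 3 | 30 | 78.07 | 0.80 | 1070.67 | 415 |
| With Gray Hole 3 | 40 | 81.23 | 0.69 | 941.00 | 329 |
| With Gray Hole 3 | 50 | 94.00 | 0.78 | 1233.00 | 113 |
| With Gray Hole 3 | 60 | 85.03 | 1.74 | 2516.00 | 291 |
| With Gray Hole 4 | 20 | 76.70 | 0.37 | 474.67 | 420 |
| With Gray Hole 4 | 30 | 74.40 | 0.81 | 1011.33 | 476 |
| With Gray Hole 4 | 40 | 76.53 | 0.71 | 926.67 | 409 |
| With Gray Hole 4 | 50 | 86.57 | 0.88 | 1262.67 | 236 |
| With Gray Hole 4 | 60 | 84.23 | 1.87 | 2664.67 | 303 |

4.4.2 Analyzing the Impact of the Black Hole and Gray Hole Attacks

The figures in this section explain the impact of the Black Hole and Gray Hole attacks.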

Figure 4.4 Numbers of Nodes vs. PDF for Black Hole Attacks

Figure 4.4 depicts the scenario of the PDF for Black Hole attacks. The PDF is a standard measure of the throughput. The PDF for the normal AODV and the AODV with the Black Hole attack is depicted in Figure 4.4. In general, without a malicious node, the AODV has a good PDF. From the results in Figure 4.4, the following observations can be drawn for Black Hole attacks.
- The PDF decreases with increasing node densities and percentage of Black Hole nodes
- In the case of the Black Hole AODV, with 10% of malicious nodes, the PDF decreases from 97.60% (0% malicious nodes) to 67.73% (10% malicious nodes), when the nodes are moving at a mobility of 10m/s
- With 40% of malicious nodes, the PDF falls from 97.60% to 39.17%

Figure 4.5 Numbers of Nodes vs. PDF for Gray Hole Attacks

From the results in Figure 4.5, the observations drawn for the Gray Hole attacks are:
- The PDF decreases with increasing node densities and percentage of Gray Hole nodes
- In the case of the Gray Hole AODV, with 10% malicious nodes, the PDF decreases from 97.60% (0% malicious nodes) to 88.57% (10% malicious nodes) when the nodes are moving at a mobility of 10m/s
- With 40% of malicious nodes, the PDF falls from 97.60% to 84.23%

Figure 4.6 Numbers of Nodes vs. NRL for Black Hole Attacks

The NRL can be evaluated, based on messages like the RREQ and RREP, with the statistics of the number of routed packets to that of received packets. From the results in Figure 4.6, observations such as the following can be made:
- No constant trend is observed in the NRL
- In the case of the Black Hole AODV, the NRL shows an increase compared to normal AODV
- With 10% malicious nodes, the NRL increases from 0.38 Kbps to 1.75 Kbps. Likewise with 40% of malicious nodes, the NRL shows an increase from 0.38 Kbps to 2.26 Kbps

Figure 4.7 Numbers of Nodes vs. NRL for Gray Hole Attacks

From the results of Figure 4.7, the following observations can be made:
- For Gray Hole attacks, no constant trend is observed in the NRL
- In the case of the Gray Hole AODV, the NRL shows an increase
- With 10% malicious nodes, the NRL increases from 0.38 Kbps to 0.41 Kbps; likewise, with 40% malicious nodes, the NRL shows an increase from 0.38 Kbps to 1.87 Kbps

Figure 4.8 Number of Nodes vs. Dropped packets for Black Hole Attacks

The PDR is useful for detecting packet drop attacks. From the results in Figure 4.8, the following observations can be made:
- The packet drop count increases with increasing node densities and percentage of Black Hole nodes
- In the case of the Black Hole AODV, with 10% malicious nodes, the packet drop count increases from 73 packets/sec (0% malicious nodes) to 413 packets/sec (10% malicious nodes) when the nodes are moving at a mobility of 10m/s
- With 40% malicious nodes, the packet drop count has the steepest increase from 73 packets/sec to 1052 packets/sec
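The delivery, routing-load and drop figures discussed above are normally derived from the simulator's packet trace. The following is an added example, not code from the thesis: it computes the PDF, a packets-based NRL and per-node data drops from an old-format NS-2 wireless trace. The trace is constructed, the NRL is assumed to be routing packets transmitted per delivered data packet (the thesis reports NRL in Kbps, so its exact formula may differ), and `analyse` and `top_droppers` are hypothetical names.

```python
from collections import Counter

# Constructed sample (not thesis data), old NS-2 wireless trace layout:
# event time _node_ layer reason pkt_id type size (header fields omitted).
SAMPLE_TRACE = """\
s 1.000 _0_ RTR --- 0 AODV 48
f 1.002 _1_ RTR --- 0 AODV 48
s 1.003 _3_ RTR --- 1 AODV 44
s 1.006 _7_ RTR --- 2 AODV 44
f 1.008 _1_ RTR --- 2 AODV 44
s 2.000 _0_ AGT --- 3 cbr 512
D 2.004 _3_ RTR LOOP 3 cbr 532
s 2.100 _0_ AGT --- 4 cbr 512
D 2.104 _3_ RTR LOOP 4 cbr 532
s 2.200 _0_ AGT --- 5 cbr 512
r 2.209 _7_ AGT --- 5 cbr 532
s 2.300 _0_ AGT --- 6 cbr 512
D 2.301 _1_ IFQ IFQ 6 cbr 532
s 2.400 _0_ AGT --- 7 cbr 512
r 2.409 _7_ AGT --- 7 cbr 532
"""

def analyse(trace_text):
    """Return network-wide PDF/NRL and data-packet drops per node."""
    sent = received = routing = 0
    drops = Counter()
    for line in trace_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] not in {"s", "r", "f", "D"}:
            continue  # skip blank, movement or malformed lines
        event, node, layer, ptype = f[0], f[2].strip("_"), f[3], f[6]
        if ptype == "cbr":
            if event == "s" and layer == "AGT":
                sent += 1            # data handed down by the source
            elif event == "r" and layer == "AGT":
                received += 1        # data delivered to the sink
            elif event == "D":
                drops[node] += 1     # data dropped at any layer
        elif ptype == "AODV" and layer == "RTR" and event in {"s", "f"}:
            routing += 1             # RREQ/RREP/RERR transmissions
    return {
        "sent": sent, "received": received, "routing": routing,
        "dropped": sum(drops.values()), "drops_by_node": dict(drops),
        "pdf": 100.0 * received / sent if sent else 0.0,
        # Assumed definition: routing packets per delivered data packet.
        "nrl": routing / received if received else float("inf"),
    }

def top_droppers(stats, min_share=0.5):
    """Nodes responsible for more than min_share of all data drops
    (a simple triage heuristic, not the SLBHAD technique)."""
    total = stats["dropped"]
    return sorted(n for n, c in stats["drops_by_node"].items()
                  if total and c / total > min_share)

if __name__ == "__main__":
    result = analyse(SAMPLE_TRACE)
    print(result, top_droppers(result))
```

A node that accounts for most data drops is only a candidate for inspection, since congestion and link breaks also produce drops at well-behaved nodes.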

Figure 4.9 Number of Nodes vs. Dropped packets for Gray Hole Attacks

From the results in Figure 4.9, the following observations can be drawn:
- The packet drop count increases with increasing node densities and percentage of Gray Hole nodes
- In the case of the Gray Hole AODV, with 10% malicious nodes, the packet drop count increases from 73 packets/sec (0% malicious nodes) to 595 packets/sec (10% malicious nodes) when the nodes are moving with the mobility of 10m/s
- With 40% malicious nodes, the packet drop count has the steepest increase from 43 packets/sec to 409 packets/sec

Figure 4.10 Numbers of Nodes vs. Overhead for Black Hole Attacks

The Overhead is a useful metric for analyzing the extra bandwidth consumed to deliver data packets. From the results in Figure 4.10, the following observations can be drawn:
- The Overhead increases with increasing node densities and percentage of Black Hole nodes
- In the case of the Black Hole AODV, with 20% malicious nodes, the overhead increases

Figure 4.11 Numbers of Nodes vs. Overhead for Gray Hole Attacks

From the results in Figure 4.11, the following observations can be made:
- The overhead increases with increasing node densities and percentage of Gray Hole nodes
- In the case of the Gray Hole AODV, with 20% malicious nodes, the overhead increases

4.4.3 Comparing the Impact of the Black Hole and Gray Hole Attacks

The impact of the Black Hole attack and the Gray Hole attack is compared in this section. Figure 4.12 compares the PDF for the Black Hole and Gray Hole attacks in MANET. The PDF is significantly lower in the case of Black Hole attacks compared to the Gray Hole attacks.

Figure 4.12 Comparison of the PDF for Black Hole and Gray Hole Attacks

Figure 4.13 shows the NRL for both the Black Hole and Gray Hole attacks. The Black Hole attack increases the routing load of the MANET compared to the Gray Hole attack. Figure 4.14 shows the PDR for the Black Hole and Gray Hole attacks. For the AODV without any attack, the PDR is minimal. But the PDR for the Black Hole attack is the maximum, when compared to the Gray Hole attacks. From the results, the observation is that, compared to the Gray Hole attacks, the Black Hole attack causes more damage to the routing behaviour.

Figure 4.13 Comparison of the NRL Ratio for the Black Hole and Gray Hole Attacks

Figure 4.14 Comparison of the PDR for the Black Hole and Gray Hole Attacks

As shown in Figures 4.12, 4.13 and 4.14, the impacts of these two attacks are considered under various network attributes, and also compared in this work. Black Hole attacks are more damaging than Gray Hole attacks, because the PDR is high for the Black Hole attacks compared to the Gray Hole attacks; moreover, the NRL also increases in the presence of Black Hole attacks compared to the Gray Hole attacks. In terms of the PDF, the delivery rate under Black Hole attacks is lower than under Gray Hole attacks; the routing packets also decrease in the presence of Black Hole attacks compared to Gray Hole attacks. Thus, from the simulation results it is understood that the Black Hole attacks cause more damage to MANET compared to Gray Hole attacks. Hence, the solution to the Black Hole attack is considered in this research.

4.4.4 Simulation Study for Detecting and Isolating Black Hole Attacks

The simulation results for detecting and isolating Black Hole attacks in MANETs are presented in this section. For each set of parameters, the simulations are repeated 3 times, and the averages of the results are calculated. The following parameters are considered for the experiments.

1. Normal AODV
2. AODV with Black Hole attacks and without any detection
3. AODV with the proposed SLBHAD technique

For experiment 1, the simulation runs 3 times and the average is taken. For experiment 2, the simulation runs 3 * 4 times (12 runs) (for 1, 2, 3 and 4 Black Holes) and the average is taken for every 3 runs. For experiment 3, the simulation runs 3 * 4 times (12 runs) (for 1, 2, 3 and 4 Black Holes) and the average is taken for each 3 runs. So, in total, the simulations run 27 times to get the results shown in the next subsection. The scenario generator available in NS-2 is used for generating 3 scenarios (for three repetitions). In all the cases Nodes 0 to 7 are the CBR sources and node 7 to 13 are the sinks. Table 4.7 illustrates the AODV technique without any detection techniques (with malicious nodes) applied.

Table 4.7 Analysis on AODV without any Detection technique

| Black Holes | PDF | NRL | EED | No. of Packets Sent | Dropped Packets |
|---|---|---|---|---|---|
| 1 | 67.73 | 0.45 | 68.24 | 493.33 | 590 |
| 2 | 44.13 | 0.72 | 49.17 | 430.00 | 983 |
| 3 | 26.87 | 1.01 | 42.34 | 445.67 | 1271 |
| 4 | 22.53 | 110.79 | 37.71 | 350.67 | 1350 |

Table 4.8 illustrates the proposed SLBHAD technique with different network parameters.

Table 4.8 Analysis on AODV with the proposed SLBHAD technique

| Black Holes | PDF | NRL | EED | No. of Packets Sent | Dropped Packets |
|---|---|---|---|---|---|
| 1 | 89.03 | 0.48 | 52.37 | 721.00 | 229 |
| 2 | 73.37 | 0.53 | 42.52 | 631.67 | 470 |
| 3 | 61.30 | 0.53 | 38.86 | 505.33 | 683 |
| 4 | 48.87 | 0.62 | 32.03 | 481.33 | 895 |

From Tables 4.7 and 4.8, the following observations are made:

i. With the plain AODV, the PDF has a steep fall from 97.60% (0% malicious nodes) to 22.53% (40% malicious nodes). The proposed SLBHAD technique increases the PDF to 89% (1% malicious node).
ii. Similar results are observed in the PDR. The drop ratio is reduced in the proposed SLBHAD technique. For the AODV without any attack, the drop ratio is 11% (0% malicious nodes).
iii. The number of packets sent has also increased with the proposed technique.
iv. The EED is decreased when there are 40% malicious nodes in the network. This is because the proposed detection technique detects and isolates the Black Hole nodes from the network. So the packets are routed only via normal nodes.
v. The Normalized routing packets are also greatly reduced with the proposed SLBHAD technique.

From the above results it is concluded that the SLBHAD leads to a substantial improvement over the plain AODV, from the point of view of the PDF. The details are presented in Figure 4.15, where a comparison corresponding to 40% malicious nodes, with the PDF, is given. The proposed SLBHAD technique has a good PDF compared to the normal AODV. In Figures 4.15 to 4.20, the SLBHAD technique is denoted as Detection_With_PRS, where PRS denotes Periodic Request Sending.

Figure 4.15 Comparison of the PDF (40% Malicious Nodes)

Figure 4.16 presents a comparison of the dropped packets in the presence of 40% malicious nodes. It is found that the proposed SLBHAD technique performs considerably better than the normal AODV.

Figure 4.16 Comparison of the PDR (40% Malicious Nodes)

The overhead can be measured, based on the number of transmissions of messages like RREQ, RREP, and RRER. The overhead increases with increasing percentage of malicious nodes for the plain AODV. The proposed technique consumes fewer network resources.

Figure 4.17 Comparison of the Overhead (40% Malicious Nodes)

Figure 4.17 provides a comparison of the overhead between the AODV and the proposed SLBHAD technique. The overhead is measured in terms of successfully received or forwarded packets at the routing layer. In general, an increase in the overhead signifies poor performance.

Figure 4.18 Comparison of the NRL (30% Malicious Nodes)

Figure 4.19 Comparison of the NRL (40% Malicious Nodes)

Figures 4.18 and 4.19 signify the performance of the NRL. Without a detection technique, the NRL increases slightly up to 30% Black Holes in the network. But after 30% the NRL increases exponentially, without detection. The proposed detection process uses the SLBHAD detection technique, and hence, there is a reduction in the NRL. Thus, the NRL reduces for the proposed SLBHAD technique.

Figure 4.20 Comparison of the EED (40% Malicious Nodes)

From Figure 4.20, the following inferences can be drawn. In general, the EED decreases when the percentage of malicious nodes increases. In the proposed SLBHAD technique, the EED decreases significantly, which indicates that the connection is established within a lower number of hops. That is, when there is a malicious node in the network, the proposed SLBHAD technique detects and isolates the malicious nodes from the network. Hence, the communication is only via the normal nodes. So, the EED is decreased.

4.5 COMPARING THE ACCURACY OF THE DETECTION TECHNIQUE

Many research works have been carried out to secure the AODV routing protocol (Hu et al 2004, Hu et al 2005). The proposed detection technique is compared with an existing single layer technique, which uses the DAODV protocol. They use the anomaly detection technique, which is based on the dynamic learning process. In their technique, they use path finding features and path abnormality features to detect the abnormality of the nodes. Table 4.9 displays the comparison of the DAODV with the proposed SLBHAD technique.

Table 4.9 Analysis on DAODV

| Black Holes | PDF | NRL | EED | No. of Packets sent | Dropped |
|---|---|---|---|---|---|
| 1 | 70.64 | 0.49 | 66.14 | 450.00 | 500 |
| 2 | 54.23 | 0.62 | 47.23 | 390.00 | 560 |
| 3 | 30.56 | 0.96 | 40.56 | 375.00 | 1105 |
| 4 | 29.23 | 100.79 | 37.23 | 360.25 | 1256 |

Figure 4.21 Comparison of the PDF (40% Malicious Nodes) (plot: Number of Nodes vs Packet Delivery Fraction (%))

Figure 4.21 illustrates the PDF for AODV without any detection techniques, and the DAODV with the SLBHAD technique. This technique is compared with varying node densities, i.e. 50, 100, 150 and 200. From the above figure, it is observed that the PDF is better than in the existing DAODV and AODV without any detection techniques.

Figure 4.22 Comparison of the NRL (40% Malicious Nodes) (plot: Number of Nodes vs Normalized Routing Load)

Figure 4.22 illustrates the NRL for the AODV without any detection techniques, and the DAODV with the SLBHAD technique. This technique is compared with varying node densities, i.e. 50, 100, 150 and 200. The NRL is very much lower in the proposed SLBHAD technique compared to other existing techniques.

Figure 4.23 Comparison of EED (40% Malicious Nodes) (plot: Number of Nodes vs End-to-End Delay in sec)

Figure 4.23 illustrates the EED for the AODV without any detection techniques, and the DAODV with the SLBHAD technique. This technique is compared with varying node densities, i.e. 50, 100, 150 and 200. The EED is very low in the proposed technique because, after the isolation of Black Hole nodes, the packets only travel through normal nodes. Figure 4.24 displays the number of packets sent from the source to the destination node. More packets are routed compared to the DAODV and the AODV without any detection technique.

Figure 4.24 Comparison of the number of packets sent (40% Malicious Nodes) (plot: Number of Nodes vs Packets Sent)

Figure 4.25 Comparison of the number of packets dropped (40% Malicious Nodes) (plot: Number of Nodes vs Dropped Packets)

Finally, Figure 4.25 displays the dropped packets in the network. The proposed SLBHAD technique drops a very minimal number of packets compared to the other two techniques.

4.6 SUMMARY

In this chapter, a novel technique is proposed to detect and isolate the Black Hole attacks in MANETs. Initially, the density based attack analyzer is used to analyze the network performance when the attacks occur. It is shown that the proposed SLBHAD technique improves the PDF compared to the existing techniques. Moreover, the proposed technique reduces the NRL and EED. The existing AODV algorithm is modified, and has Honeypot concepts incorporated in it.

The PDF for the proposed SLBHAD technique is 89.03%. The PDF for the existing AODV technique is 67.73% and for the DAODV it is 70.64%. From this it is observed that the proposed SLBHAD technique improves the PDF significantly.

When the network contains 40% of Black Hole nodes, the NRL for AODV is 110.79, for DAODV the NRL is 100.79, and for the proposed SLBHAD the NRL is 0.62. From this it is observed that the network load is very low in the proposed SLBHAD technique.

When the network contains 10% of Black Hole nodes, the EED for AODV is 68.24 sec, for DAODV the EED is 66.14 sec, and for the proposed SLBHAD the EED is 52.37 sec. From this it is known that the proposed SLBHAD technique has very low EED. Hence the proposed technique isolates Black Hole nodes and routes traffic via normal nodes. The simulation results based on extensive experiments illustrate the novelty and the effectiveness of the proposed technique.