CHAPTER 4
SINGLE LAYER BLACK HOLE ATTACK DETECTION
4.1 INTRODUCTION TO SLBHAD
The focus of this chapter is to detect and isolate the Black Hole attack in the MANET (Khattak et al 2013). In order to do that, the network layer parameter is considered. The Black Hole detection technique starts with the density based attack analyzer technique, which analyses the impact of Black Hole and Gray Hole attacks. To analyze these two attacks, the send fake RREP algorithm is used. Next, the network layer Black Hole attack detection technique is responsible for initializing the Honeypot node.
To implement the proposed SLBHAD technique, spoofed RREQ packets are generated using the malicious node detection timer algorithm, the sending spoofed RREQ algorithm and the sending fake request algorithm. The Route Lookup in network layer technique is proposed to detect the malicious node ids of the network; it is implemented by the modified route lookup algorithm. The isolation in the network layer technique is used to isolate the Black Hole nodes from the network. The isolated nodes are broadcast throughout the network using the broadcast packet technique. Various simulation parameters are used to implement this SLBHAD technique. The proposed technique is compared with other existing techniques in order to understand the efficiency of SLBHAD.
4.2 DENSITY BASED ATTACK ANALYZER
The density based attack analyzer technique consists of two steps: 1) Attracting - where the nodes attract other nodes by falsely sending information in the communication 2) Invading - where the node invades the communication process and drops packets. The basic difference between these two attacks is that the Gray Hole attack (Min & Jiliu 2009) initially behaves like a normal node and participates in the routing process, but after some time it drops packets like a Black Hole node, whereas the Black Hole attack drops all the packets. The simple flowchart for generating these attacks is shown in Figure 4.1. It depicts the proposed technique, which simulates and analyzes the Black Hole and Gray Hole attacks.
[Figure 4.1 Simple Flowchart for Attack Generation. Flowchart blocks: Incoming Packets; AODV Protocol coordination; Determine routes; Select route; RREQ Packets; Handle other Packets; Increase Sequence number; Attack; Send Fake Reply; Exit, grouped into an Attracting Step and an Invading Step.]
During the attracting step, the attacker has to identify whether the incoming packets are AODV packets. Then, the attacker determines the route, selects the routing process, and coordinates the routing by sending RREQ packets. During the invading step, the attacker starts increasing its DSN and advertises that it has the highest DSN compared to the other nodes in the network. Thus, it induces an attack by sending a fake reply to the nodes in the network. In order to simulate both the attacks, the existing AODV protocol is modified. The modifications made to the existing AODV protocol to create the attacks are discussed in section 4.2.1. The following two functions are the most important ones, in which a Black Hole or Gray Hole vulnerability can be introduced.
AODV::recv (Packet *p, Handler*)
AODV::recvRequest (Packet *p)
The function “AODV::recv” is called for each and every packet arriving at that routing agent. If the packet is an AODV packet, it is treated accordingly. Therefore, in this function, a routing agent can maliciously drop a packet during certain kinds of attacks. The function “AODV::recvRequest” is called on receiving an AODV packet of type “AODVTYPE_RREQ”. On receiving this RREQ message from any of the neighboring nodes, the routing agent tries to resolve the route and sends a RREP message if a route is available. The algorithm steps for analyzing and simulating the Black Hole and Gray Hole attacks are given in the next section.
4.2.1 Algorithm for analyzing Black Hole and Gray Hole attack
The algorithm is known as “send fake RREP algorithm” which is
responsible for generating fake RREP packets in the network.
Input: AODV RREQ packet.
Output: Fake RREP packet.
Step 1: If (AODV_Packet) {
Step 2: If (RREQ) { // If it is a RREQ packet
Step 3: SendRouteReply; // Send normal reply
Step 4: } else if (Black Hole Attack) {
// Maliciously sending wrong route to generate Black Hole attack
Step 5: SendFakeRouteReply;
Step 6: } else if (Gray Hole Attack) {
// Gray Hole will send a genuine reply initially
Step 7: Resolve the Route;
Step 8: SendRouteReply; }}
// It is the packet I am forwarding
Step 9: If (No Attack) {
Step 10: Handle it in a Normal way
Step 11: } else if (Black Hole Attack) {
// Maliciously drop the packet
Step 12: Drop the Packet
Step 13: } else if (Gray Hole Attack) {
// Maliciously drop the packet
Step 14: Drop the Packet }
This algorithm calls the function “AODV::sendReply” with appropriate parameters. Hence, an agent that tries to send a fake reply in order to attack a neighboring node calls “AODV::sendReply” and passes wrong routing information to the requesting node. In the proposed implementation, a modified function “AODV::sendFakeReply” is used for the purpose of sending wrong information to simulate both attacks.
4.3 SLBHAD
The proposed network layer Black Hole detection technique has been strongly influenced by the spoofing technique. In general, spoofing is a technique in which a computer or a person pretends to be another by presenting false data, and exploits the system in order to get illegitimate access. Wireless networks suffer from various types of spoofing, such as MAC spoofing, Web Spoofing, DNS (Domain Name System) Spoofing, Email Spoofing, IP Spoofing, and URL Spoofing.
MAC Spoofing is a technique where the hacker changes the MAC address of a network interface.
Web Spoofing is a technique where the reality of the browsing session differs significantly from the mental model of even a sophisticated user, so that the attacker misleads the victim into an online fraud.
Email Spoofing is a technique where an email is created with a forged sender address. Spam and phishing are types of email spoofing techniques, which are used to mislead the recipients.
DNS Spoofing is a technique where illegal data is injected into the DNS, which causes the server to return an incorrect IP address in order to divert the traffic to another computer.
IP Spoofing is used to gain unauthorized access to a network or computer, where a malicious attacker sends messages with a forged IP address. The forged IP address indicates that the message comes from a trusted host.
URL Spoofing is a technique in which the malicious user creates a fake or forged URL, which closely resembles the original and safe URL.
The objective of this research work is to develop a novel technique which secures the network layer. In this work, no encryption or key exchange algorithm is used. Encryption or key exchange techniques are difficult to implement in MANET because of its dynamic nature. Instead, spoofed AODV RREQ packets are used to detect the Black Hole attack in the network. Figure 4.2 explains the SLBHAD architecture. The architecture consists of collecting network layer audit data from the network layer, the malicious node detection layer, the Route Lookup in the network layer, the isolation in the network layer, and finally the broadcast of the malicious Black Hole node id throughout the network.
Initially, the detection process starts with analyzing the network layer audit data. The malicious node detection layer initializes the Black Hole detector, that is, the Black Hole detector node or Honeypot node in the MANET, which uses spoofed packets. When the Black Hole node receives the spoofed RREQ packets from the detector/Honeypot node, the Black Hole node replies that it has the route to the particular destination address, which does not exist in reality.
4.3.1 SLBHAD Architecture
[Figure 4.2 SLBHAD Architecture. Flowchart blocks: Network Layer Trace Data; Malicious Node Detection Layer (initialize Black Hole detector, broadcast spoofed RREQ packets, check for reply from neighboring nodes, update routing table with Black Hole information, repeat); Route Lookup in Network Layer (lookup for destination, find the next shortest hop towards destination, verify the reply from routing table for non existence node, verify if the node id is existence); Isolation in Network Layer (isolate the Black Hole node, do not use the Black Hole node, update the Black Hole id in the list); Broadcast malicious Black Hole node id.]
After the Black Hole detector node is initialized, it broadcasts the spoofed RREQ packets (Figure 4.3), and waits for the reply from the neighbors. If any node replies to this message, then that node id is updated in the routing table. The Route Lookup in the network layer is responsible for updating the malicious node details. This layer verifies whether the reply from the malicious node is for a nonexistent node id. Finally, the isolation in network layer updates the Black Hole details in the list, and broadcasts it to the network. Thus, the proposed technique acts as a Honeypot (Cristine et al 2008, Haifeng Wang & Qingkui Chen 2010) where a trap (spoofed RREQ packet) is set to detect the malicious node.
4.3.2 Spoofed RREQ Packet Structure
As discussed in Chapter 1, the normal AODV RREQ packet consists of several fields, such as the destination IP address, DSN, originating IP address, originator DSN, and so on. In normal routing, when a node broadcasts a RREQ, the TTL value is set up to a maximum value, because the lifetime of the active route is updated until it reaches the destination node. The destination IP address is another field, which indicates the node to which a route is desired. During the normal route discovery process, a valid destination ID and a TTL are assigned to the nodes. In the proposed detection technique, however, the Black Hole detector node (Honeypot) initially sends spoofed RREQ packets during the communication process. The spoofed RREQ packet contains an invalid, nonexistent DSN and a TTL of 1. On receiving this packet, the Black Hole node replies that it has a valid route to the particular node.
Field    Description
F1 …     Other Fields of RREQ packet
DSN      Non Existent Address
TTL      1
Figure 4.3 Spoofed RREQ Packets
This malicious node id is stored by the Honeypot node, broadcast to all other nodes in the network and then, finally, isolated from the other nodes. During the communication process, the RREQ messages generated by this malicious node id are ignored and normal communication takes place. The existing AODV does not have any of the security techniques proposed in this thesis. In the proposed work, algorithms are added to the AODV protocol to detect the malicious nodes. Initially, the malicious node detection timer is invoked in order to initiate the spoofed RREQ. The spoofed RREQ is invoked at a particular time interval. Hence, the proposed SLBHAD technique periodically invokes the timer function to detect attacks. This function also invokes SendSpoofedRouteRequest (), which broadcasts spoofed RREQ messages to the neighboring nodes in the network. The algorithm invokes this function periodically, so the technique schedules the call for a particular time interval. The proposed algorithms use recursive functions to detect attacks. The algorithm of the Malicious Node Detection Timer is given below:
Input : Routing layer Data
Output : Malicious RREQ Data
Step 1: Function Malicious Node Detection Timer ()
Step 2: Begin
// Start sending spoofed RREQ packets
Step 3: SendSpoofedRouteRequest ();
Step 4: Interval (Malicious Node Detection Interval + Jitter)
// Schedule next call to this function at Interval
Step 5: Schedule (Malicious Node Detection Timer (), Interval)
Step 6: End.
The above mentioned malicious node detection timer algorithm is used to initiate the send spoofed route request technique by the malicious node detection layer/Honeypot node.
The Algorithm for sending spoofed RREQ message is given below:
Step 1: Function SendSpoofedRouteRequest ()
Step 2: Begin
Step 3: aodv_rt_entry *rt;
// Create a non existing IP address
Step 4: Network Address (Non Existing node id);
Step 5: rt = rtable.rt_lookup (Network Address);
Step 6: if (rt == 0) {
Step 7: rt = rtable.rt_add (Network Address); }
Step 8: SendFakeRequest (Network Address);
Step 9: End
The above algorithm creates a nonexistent IP address by checking the routing table entry and adding the nonexistent routing address to the routing table. Then, it broadcasts the spoofed RREQ packet to all the nodes in the network. To do so, it calls another function, which originally sends a fake request to all the nodes in the MANET. Hence, this algorithm is responsible for creating the non existing IP address at the Honeypot node and for initiating the sending of the fake request.
The algorithm which originally sends fake request is given below:
Step 1: Function SendFakeRequest (Network Address)
Step 2: Begin
// Allocate a RREQ packet
Step 3: Spoofed_RREQ_Packet = Create_Default_RREQ_Packet ()
// Fill out the RREQ packet with Spoofed Info
Step 4: Spoofed_RREQ_Packet->rq_TTL = 1;
Step 5: Spoofed_RREQ_Packet->dst = Network Address;
Step 6: Broadcast (Spoofed_RREQ_Packet);
Step 7: End
The above algorithm originally broadcasts a fake request to the nodes in the network. It sets the TTL value to the minimum, and broadcasts the fake RREQ packet. This fake request is received by all the neighbors in the network, and is used to detect Black Hole nodes. The Black Hole nodes receive this fake RREQ packet and respond. Other non malicious nodes do not reply to these fake RREQ packets because, in the routing table of the non malicious nodes, the invalid DSN and TTL will not be present.
4.3.3 Malicious Node Detection
The malicious node detection technique is responsible for detecting the Black Hole nodes in the network. Initially, the Black Hole detector initializes the malicious node detection process. First, it broadcasts the spoofed RREQ packets. As discussed above, the spoofed RREQ packet contains the nonexistent source id and the TTL value set to 1. This spoofed RREQ packet is broadcast to all the other nodes in the network. After broadcasting the spoofed RREQ packet, the Honeypot waits for the reply from the neighbor nodes. If any neighbor replies to this packet, those nodes are marked as Black Hole nodes in the routing table, because the normal nodes, which are not malicious, will not reply to this spoofed RREQ packet. So the routing table updates this Black Hole node information by marking it as malicious.
4.3.4 Route Lookup in Network Layer
In order to resolve the route, the AODV calls the modified Route Lookup function. This algorithm is very important, because it detects the Black Hole attacks by checking the node id. If the malicious node replies that it has the route towards the nonexistent node, then that vulnerable (Black Hole) node is marked as malicious. In order to find a Black Hole node, a detection flag is set on the routing table. If the detection flag is true, the malicious node id is marked. Thus, routing via the malicious node is avoided. The algorithm is known as the modified Route Lookup, and it verifies the nonexistent node id. The steps are given below:
Input: Black Hole node data/Normal node data
Output: Return Non existence node id.
Steps
Step 1: Function On_Modified_Route_Lookup (Address)
Step 2: Begin
Step 3: Detection Flag (false)
Step 4: R1 (Normal_Route_Lookup (Non Existing node id));
Step 5: if (R1 & R1->flags = RTF_id) {
// There is a malicious node in the routing table
Step 6: Detection Flag (true)
Step 7: Malicious node id (R1->Next hop); }
Step 8: for all routes R in Routing Table do {
// If the next hop of the returned route is via the
// Non Existing Node then just ignore it
Step 9: if (Detection Flag & R->next hop = Malicious node id) {
// Next Hop is a Black Hole - Avoid the route
Step 10: Continue; }
Step 11: if (R->DST = Id) then break; }
Step 12: return R;
Step 13: End.
The Route Lookup algorithm for the network layer is responsible for updating the reply from the neighbor nodes. The node which replies to the spoofed RREQ packet is identified as the Black Hole node. Then, the node is marked as malicious in RTF and this information is updated in the routing table. Hence, the above route lookup algorithm is responsible for marking the malicious node ids in the routing table.
4.3.5 Isolation in Network Layer
The isolation technique is responsible for isolating the malicious
node from the network. This technique is important, because it prevents
broadcasting routes via the malicious node. A flag is set as malicious, and the
nodes which reply to the non-existence node id are marked as malicious.
Input: Reply from Non existence node id.
Output: Isolate Black Hole id.
The algorithm steps for isolating the malicious Black Hole node are given below.
Step 1: Function Isolate (Address)
Step 2: Begin
Step 3: Black Hole node id (false);
Step 4: If (reply is for non existence node)
Step 5: Black Hole node id (true);
//Avoid route via the Black Hole node
Step 6: End
The above algorithm is used to isolate the routing via malicious
Black Hole nodes. From the route lookup algorithm it gets the details of
malicious Black Hole node id from the network and avoids routing via it by
isolating these nodes.
4.3.6 Broadcast Packets
Finally, the broadcast packet technique is responsible for broadcasting the malicious node details in the network. This technique collects the details of the Black Hole node ids from the network, and broadcasts this information to the other nodes in the network. It gets the malicious node id as input from the Route Lookup module and checks for the detection flag and the malicious node id flag. If both these flags are set true, then the node id is broadcast to the network.
Input: Black Hole node ids from Route Lookup module
Output: Broadcast Black Hole node id.
Algorithm steps for broadcasting malicious node id are given below:
Step 1: Function broadcast (RTF_id)
Step 2: Begin
Step 3: for all nodes in the network {
//If the node id is the Black Hole id
Step 4: if (Detection Flag =True & Malicious node id=True)
Step 5: Broadcast (Malicious node)}
Step 6: End.
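The steps of sections 4.3.2 to 4.3.6 (spoofed RREQ, reply check, modified route lookup, isolation, broadcast list) put together as one small stand-alone C++ model. This is an added example, not the thesis's NS-2 code; the Neighbor and Detector types, the demo_* helpers, the node ids and the decoy id 999 are assumptions constructed for illustration.

```cpp
// Added example, not the thesis's NS-2 code: honeypot probe, modified route
// lookup and isolation from sections 4.3.2 to 4.3.6 as a stand-alone model.
#include <cstddef>
#include <iostream>
#include <set>
#include <vector>

typedef unsigned int NodeId;

struct Rreq { NodeId origin; NodeId dst; int ttl; };
struct Rrep { NodeId replier; NodeId dst; };
struct Route { NodeId dst; NodeId next_hop; int hops; };

// Constructed neighbour model (assumption). A normal node answers a RREQ only
// for a destination it has a route to; a Black Hole claims a route to anything.
struct Neighbor {
    NodeId id;
    std::set<NodeId> known_dsts;
    bool claims_every_route;

    // Fills *out and returns true when this node would send a RREP for q.
    bool on_rreq(const Rreq& q, Rrep* out) const {
        if (q.ttl < 1) return false;  // expired request
        if (!claims_every_route && known_dsts.count(q.dst) == 0) return false;
        out->replier = id;
        out->dst = q.dst;
        return true;
    }
};

class Detector {
public:
    Detector(NodeId self, NodeId decoy) : self_(self), decoy_(decoy) {}

    // SendSpoofedRouteRequest / SendFakeRequest: decoy destination, TTL of 1.
    Rreq make_probe() const { return Rreq{self_, decoy_, 1}; }

    // One timer tick: broadcast the probe and flag every node that replies
    // with a route to the decoy. Returns the ids newly flagged in this tick,
    // which is what the broadcast step would announce to the network.
    std::vector<NodeId> probe(const std::vector<Neighbor>& neighbors) {
        std::vector<NodeId> fresh;
        const Rreq q = make_probe();
        for (const Neighbor& n : neighbors) {
            Rrep r = {0, 0};
            if (n.on_rreq(q, &r) && r.dst == decoy_ &&
                flagged_.insert(r.replier).second)
                fresh.push_back(r.replier);
        }
        return fresh;
    }

    void add_route(const Route& r) { table_.push_back(r); }

    // Modified route lookup: fewest-hop route to dst whose next hop is not
    // flagged; nullptr when every known route runs through a flagged node.
    // The pointer stays valid until the next add_route call.
    const Route* lookup(NodeId dst) const {
        const Route* best = nullptr;
        for (const Route& r : table_) {
            if (r.dst != dst || flagged_.count(r.next_hop)) continue;
            if (!best || r.hops < best->hops) best = &r;
        }
        return best;
    }

    // Isolation: requests originated by a flagged node are ignored.
    bool accept_rreq(const Rreq& q) const { return flagged_.count(q.origin) == 0; }
    bool is_flagged(NodeId id) const { return flagged_.count(id) != 0; }

private:
    NodeId self_, decoy_;
    std::set<NodeId> flagged_;
    std::vector<Route> table_;
};

// Constructed scenario: detector is node 1, decoy id 999 belongs to no node.
Detector demo_detector() {
    Detector d(1, 999);
    d.add_route(Route{9, 4, 1});  // short route advertised via node 4
    d.add_route(Route{9, 2, 3});  // longer route via node 2
    d.add_route(Route{8, 4, 2});  // only known route to 8 is via node 4
    return d;
}

// Neighbours 2 and 3 behave normally; neighbour 4 claims every route.
std::vector<Neighbor> demo_neighbors() {
    return { Neighbor{2, {9}, false}, Neighbor{3, {}, false}, Neighbor{4, {}, true} };
}

int main() {
    Detector d = demo_detector();
    for (NodeId id : d.probe(demo_neighbors()))
        std::cout << "flagged node " << id << "\n";
    const Route* r = d.lookup(9);
    std::cout << "route to 9 via " << (r ? r->next_hop : 0u) << "\n";
    return 0;
}
```

In this model the lookup for destination 8 returns no route rather than the route through the flagged node, so the caller has to start a new route discovery in that case.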
4.4 SIMULATION PARAMETERS
Various performance metrics are used to analyze the Black Hole and Gray Hole attacks. PDF is a useful metric that signifies the number of packets sent from the source node to the destination node. NRL is used to know the details of the network load. If the NRL is higher, it is observed that the network load is increased by the generation of control packets. EED is used to know how successfully the proposed technique works. For example, if EED is low it is observed that the malicious Black Hole nodes are isolated from the network. Hence the packet only travels through MANET.
1. PDF: The ratio of the data packets delivered to the
destinations, to those generated by the Constant Bit Rate
(CBR) sources, is known as the PDF.
2. NRL: The number of routing packets transmitted per data
packet delivered at the destination. The hop wise
transmission of a routing packet is counted as one
transmission.
3. EED: This includes the time taken for a packet to be
transmitted from the source node to the destination node.
The delay can be due to queuing at the interface queue,
latency, retransmission delays, and propagation and transfer
times.
4. Overhead: Overhead is measured in terms of the total
generated routing packets. It is the count of the total packet
generated and forwarded at the network layer.
5. PDR: PDR is measured for totally dropped packets due to
various reasons, such as poor wireless channel, malicious
and intentional packet dropping.
The initial parameters used for this simulation are given in Table 4.1. Since the experiments are conducted for MANET, the wireless channel is used as the channel type. The radio propagation model is used to predict the behavior of radio wave propagation in MANET. In that, the two ray ground model predicts the line of sight component. The antenna type used is the omnidirectional antenna, which covers all directions from the antenna with varying degrees of coverage. The drop tail queue is used as the queue type because the packets are accepted till the queue is empty and the incoming packets are dropped when the queue becomes full. The random waypoint model is used as the mobility model; it exhibits the movement of mobile users and how their location changes over time.
Table 4.1 Simulation Environment
Parameters                  Values
Channel type                Wireless Channel
Radio-propagation model     Two Ray Ground Model
Antenna type                Omni Antenna
Interface queue type        Drop Tail/Pri Queue
MAC type                    802.11
Maximum packet in Queue     50
Topographical Area          600 x 600 sq.m
Mobility scenario           10 m/s
Pause time                  20 sec
Mobility Model              Random Waypoint Model
The parameters in Table 4.2 are used as traffic parameters. The traffic parameters are used to set the application and transport layer settings. The application layer traffic agent used in this thesis work is CBR. CBR means that the rate at which the output data is consumed is constant.
Table 4.2 Traffic Parameters
Parameters         Values
Traffic Agent      CBR
Transport Agent    User Datagram Protocol (UDP)
Traffic Source     7
CBR Rate           10 kbps
The following parameters in Table 4.3 are used as variable
parameters. The proposed technique uses AODV protocol and various types
of node densities. These parameters are considered as variable parameters.
Table 4.3 Variable Parameters
Parameters           Values
Routing protocols    Normal AODV; AODV with Black Hole, Gray Hole 1, 2, 3 and 4
Number of Nodes      20, 30, 40, 50, 60
4.4.1 Density Based Attack Analyzer
In this work, the analysis, and implementation of both the Black
Hole and Gray Hole attacks are carried out. In order to clearly analyze and
understand the attacks, the following techniques have been implemented:
T1-Analysing normal AODV
T2-Analysing Black Hole AODV attack
T3-Analysing Gray Hole AODV attack
T4-Comparison of the Black Hole AODV attack and the
Gray Hole AODV attack
For all the above techniques, various types of node densities are
used in order to understand the behaviour of the attacks. Table 4.4 shows the
performance of the normal AODV. In Technique T1, the experiments have
been carried out without any attacking nodes, with varying node densities.
T1-Analysing normal AODV
In Table 4.4, all the measured values are tabulated in the
case of the Normal AODV protocol. All the simulations are
run 3 times, and the average values are tabulated
Table 4.4 Analysis on Normal AODV
Protocol   Nodes   PDF     NRL    Routed Packets   Dropped Packets
AODV       20      97.60   0.38   620.33           73
AODV       30      97.97   0.61   1008.67          65
AODV       40      98.30   0.65   1079.67          43
AODV       50      98.40   0.73   1206.67          38
AODV       60      96.77   1.46   2399.00          87
From the above Table 4.4, the following observations are made:
Various node densities are considered such as 20, 30, 40, 50
and 60
The NRL shows a gradual increase, because of the increase
in density of nodes
The routed packets are increased
Table 4.5 displays the performance of the Black Hole attack for the AODV under various network densities and performance metrics.
T2-Analysing Black Hole AODV
In Table 4.5, all the measured values in the case of the AODV protocol under the Black Hole attack are tabulated. All the simulations were run 3 times and the average value is tabulated.
When the MANET consists of 10% of Black Hole node, the PDF for 20 nodes gets decreased from 97.60% to 67.73%
When the MANET consists of 20% of Black Hole nodes, the NRL gets increased from 1.46 Kbps to 2.23 Kbps in the case of 60 normal nodes
When the MANET consists of three Black Hole nodes, the routed packets get decreased from 2399 packets/sec to 1304.67 packets/sec
Finally, the PDR also increased from 87 packets/sec to 1387 packets/sec when the network consists of 60% Black Hole nodes in the network
Table 4.5 Analysis of the Black Hole AODV
Protocol            Nodes   PDF     NRL     Routed Packets   Dropped Packets
With Black Hole 1   20      67.73   0.45    493.33           590
With Black Hole 1   30      54.13   1.12    938.00           796
With Black Hole 1   40      67.53   0.91    1003.67          588
With Black Hole 1   50      65.03   1.18    1323.00          603
With Black Hole 1   60      79.23   1.75    2355.33          413
With Black Hole 2   20      44.13   0.72    430.00           983
With Black Hole 2   30      35.17   1.17    652.00           1125
With Black Hole 2   40      53.83   1.03    893.67           821
With Black Hole 2   50      57.87   1.30    1097.00          707
With Black Hole 2   60      54.00   2.23    1724.33          820
With Black Hole 3   20      26.87   1.01    445.67           1271
With Black Hole 3   30      19.93   1.79    596.67           1381
With Black Hole 3   40      39.50   1.61    731.67           1057
With Black Hole 3   50      27.07   2.24    839.00           1246
With Black Hole 3   60      48.60   1.69    1304.67          897
With Black Hole 4   20      22.53   110.7   350.67           1350
With Black Hole 4   30      11.73   6.03    563.00           1523
With Black Hole 4   40      20.13   5.33    764.00           1387
With Black Hole 4   50      17.00   3.30    933.33           1413
With Black Hole 4   60      39.17   2.26    1338.67          1052
T3-Analysing Gray Hole AODV
In Table 4.6, all the measured values in the case of the
AODV protocol under the Gray Hole attack are tabulated.
All the simulations were run 3 times and the average value is
tabulated
When the MANET consists of 10% of Gray Hole node, the
PDF for 20 nodes gets decreased from 97.60% to 88.57%
When the MANET consists of 20% of Gray Hole nodes, the
NRL gets increased from 1.46 Kbps to 1.74 Kbps in the
case of 60 normal nodes
When the MANET consists of 30% of Gray Hole nodes, the
routed packets decreased from 620 packets/sec to 465
packets/sec. But for the other node densities, the Gray Hole
node initially accepts all the packets, and starts forwarding
them without dropping any packets. So the routed packets
seem to have increased more, compared to the normal
AODV without any attack.
Finally, the PDR also increased for the Gray Hole attacks
from 87 packets/sec to 303 packets/sec when the network
consists of 60% Gray Hole nodes in the network
Table 4.6 displays the performance of the Gray Hole attack for the
AODV under various network densities and performance metrics.
Table 4.6 Analysis of the Gray Hole AODV
Protocol           Nodes   PDF     NRL     Routing Packets   Dropped Packets
With Gray Hole 1   20      88.57   00.41   595.00            226
With Gray Hole 1   30      89.10   00.72   1075.00           227
With Gray Hole 1   40      88.13   00.74   1084.67           231
With Gray Hole 1   50      98.40   00.73   1206.67           38
With Gray Hole 1   60      96.77   10.46   2399.00           87
With Gray Hole 2   20      84.83   0.40    551.33            283
With Gray Hole 2   30      80.57   0.79    1083.00           373
With Gray Hole 2   40      80.70   0.80    1076.00           355
With Gray Hole 2   50      96.87   0.83    1357.00           67
With Gray Hole 2   60      88.87   1.74    2594.00           227
With Gray Hole 3   20      76.80   0.36    465.00            434
With Gray Hole 3   30      78.07   0.80    1070.67           415
With Gray Hole 3   40      81.23   0.69    941.00            329
With Gray Hole 3   50      94.00   0.78    1233.00           113
With Gray Hole 3   60      85.03   1.74    2516.00           291
With Gray Hole 4   20      76.70   0.37    474.67            420
With Gray Hole 4   30      74.40   0.81    1011.33           476
With Gray Hole 4   40      76.53   0.71    926.67            409
With Gray Hole 4   50      86.57   0.88    1262.67           236
With Gray Hole 4   60      84.23   1.87    2664.67           303
4.4.2 Analyzing the Impact of the Black Hole and Gray Hole Attacks
The Figures in this section explain the impact of the Black Hole
and Gray Hole attacks.
Figure 4.4 Numbers of Nodes vs. PDF for Black Hole Attacks
Figure 4.4 depicts the scenario of the PDF for Black Hole attacks.
A PDF is a standard measure of the throughput. The PDF for the normal
AODV and AODV with the Black Hole attack is depicted in Figure 4.4. In
general, without a malicious node, the AODV has a good PDF. From the
results in Figure 4.4, the following observations can be drawn for Black Hole
attacks.
The PDF decreases with increasing node densities and
percentage of Black Hole nodes
In the case of the Black Hole AODV, with 10% of malicious
nodes, the PDF decreases from 97.60% (0% malicious
nodes) to 67.73% (10% malicious nodes), when the nodes
are moving at a mobility of 10m/s
With 40% of malicious nodes, the PDF falls from 97.60% to
39.17%
Figure 4.5 Numbers of Nodes vs. PDF for Gray Hole Attacks
From the results in Figure 4.5, the observations drawn for the Gray
Hole attacks are:
The PDF decreases with increasing node densities, and
percentage of Gray Hole nodes
In the case of the Gray Hole AODV, with 10% malicious
nodes, the PDF decreases from 97.60% (0% malicious
nodes) to 88.57 % (10% malicious nodes) when the nodes
are moving at a mobility of 10m/s
With 40% of malicious nodes, the PDF falls from 97.60% to
84.23%
Figure 4.6 Numbers of Nodes vs. NRL for Black Hole Attacks
The NRL can be evaluated, based on messages like the RREQ and
RREP, with the statistics of the number of routed packets to that of received
packets.
From the results in Figure 4.6 observations such as the following
can be made:
No constant trend is observed in the NRL
In the case of the Black Hole AODV, the NRL shows an
increase compared to normal AODV
With 10% malicious nodes, the NRL increases from 0.38
Kbps to 1.75 Kbps. Likewise with 40% of malicious nodes,
the NRL shows an increase from 0.38 Kbps to 2.26 Kbps
Figure 4.7 Numbers of Nodes vs. NRL for Gray Hole Attacks
From the results of Figure 4.7 the following observations can be
made:
For Gray Hole attacks, no constant trend is observed in the NRL
In the case of the Gray Hole AODV, the NRL shows an
increase
With 10% malicious nodes, the NRL increases from 0.38
Kbps to 0.41 Kbps; likewise, with 40% malicious nodes, the
NRL shows an increase from 0.38 Kbps to 1.87 Kbps
Figure 4.8 Number of Nodes vs. Dropped packets for Black Hole Attacks
The PDR is useful towards detecting packet drop attacks. From the
results in Figure 4.8 the following observations can be made:
The packet drop count increases with increasing node
densities, and percentage of Black Hole nodes
In the case of the Black Hole AODV, with 10% malicious
nodes, the packet drop count increases from 73 packets/sec
(0% malicious nodes) to 413 packets/sec (10% malicious
nodes) when the nodes are moving at a mobility of 10m/s
With 40% malicious nodes, the packet drop count has the
steepest increase from 73 packets/sec to 1052 packets/sec
Figure 4.9 Number of Nodes vs. Dropped packets for Gray Hole Attacks
From the results in Figure 4.9 the following observations can be
drawn:
The packet drop count increases with increasing node
densities and percentage of Gray Hole nodes
In the case of the Gray Hole AODV, with 10% malicious
nodes, the packet drop count increases from 73 packets/sec
(0% malicious nodes) to 595 packets/sec (10% malicious
nodes) when the nodes are moving with the mobility of
10m/s
With 40% malicious nodes, the packet drop count has the
steepest increase from 43 packets/sec to 409 packets/sec
Figure 4.10 Numbers of Nodes vs. Overhead for Black Hole Attacks
The Overhead is a useful metric for analyzing the extra bandwidth
consumed to deliver data packets. From the results in Figure 4.10 the
following observations can be drawn:
The Overhead increases with increasing node densities and
percentage of Black Hole nodes
In the case of the Black Hole AODV, with 20% malicious
nodes, the overhead increases
Figure 4.11 Numbers of Nodes vs. Overhead for Gray Hole Attacks
From the results in Figure 4.11, the following observations can be
made:
The overhead increases with increasing node densities and
percentage of Gray Hole nodes
In the case of the Gray Hole AODV, with 20% malicious
nodes, the overhead increases
4.4.3 Comparing the Impact of the Black Hole and Gray Hole
Attacks
The impact of the Black Hole attack and Gray Hole attack is compared in this section. Figure 4.12 compares the PDF for the Black Hole and Gray Hole attacks in MANET. The PDF is significantly lower in the case of Black Hole attacks compared to the Gray Hole attacks.
Figure 4.12 Comparison of the PDF for Black Hole and Gray Hole Attacks
Figure 4.13, shows the NRL for both the Black Hole and Gray Hole
attacks. The Black Hole attack increases the routing load of the MANET
compared to the Gray Hole attack. Figure 4.14 shows the PDR for the Black
Hole and Gray Hole attacks. The AODV without any attack, the PDR is very
minimal. But the PDR for the Black Hole attack is the maximum, when
compared to the Gray Hole attacks. From the results the observation is that,
compared to the Gray Hole attacks, the Black Hole attack causes more
damage to the routing behaviour.
89
Figure 4.13 Comparison of the NRL Ratio for the Black Hole and GrayHole Attacks
Figure 4.14 Comparison of the PDR for the Black Hole and Gray HoleAttacks
As shown in Figures 4.12, 4.13 and 4.14, the impacts of these two
attacks are considered under various network attributes and compared in
this work. Black Hole attacks are more damaging than Gray Hole attacks,
because the PDR is higher for the Black Hole attacks than for the Gray
Hole attacks; moreover, the NRL also increases in the presence of Black Hole
attacks compared to the Gray Hole attacks. In terms of the PDF, the
delivery rate under Black Hole attacks is lower than under Gray Hole
attacks, and the routing packets also decreased in the presence of Black Hole
attacks compared to Gray Hole attacks. Thus, from the simulation
results it is understood that the Black Hole attacks cause more damage to
the MANET than Gray Hole attacks. Hence, the solution to the Black
Hole attack is considered in this research.
4.4.4 Simulation Study for Detecting and Isolating Black Hole
Attacks
The simulation results for detecting and isolating Black Hole
attacks in MANETs are presented in this section. For each set of parameters,
the simulations are repeated 3 times, and the averages of the results are
calculated. The following configurations are considered for the experiments.
1. Normal AODV
2. AODV with Black Hole attacks and without any detection
3. AODV with the proposed SLBHAD technique
For experiment 1, the simulation runs 3 times and the average is
taken. For experiment 2, the simulation runs 3 * 4 times (12 runs) (for 1,
2, 3 and 4 Black Holes) and the average is taken for every 3 runs. For
experiment 3, the simulation runs 3 * 4 times (12 runs) (for 1, 2, 3 and 4
Black Holes) and the average is taken for every 3 runs. So, in total, the
simulations run 27 times to get the results shown in the next subsection. The
scenario generator available in NS-2 is used for generating 3 scenarios (for
three repetitions). In all cases, nodes 0 to 7 are the CBR sources and nodes
7 to 13 are the sinks. Table 4.7 illustrates the AODV technique without any
detection techniques (with malicious nodes) applied.
Table 4.7 Analysis on AODV without any Detection technique
Black Holes   PDF     NRL      EED     No. of Packets Sent   Dropped Packets
1             67.73   0.45     68.24   493.33                590
2             44.13   0.72     49.17   430.00                983
3             26.87   1.01     42.34   445.67                1271
4             22.53   110.79   37.71   350.67                1350
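The following added example (not code from the thesis) shows how columns like those of Table 4.7 can be computed from NS-2 trace files and averaged over the three repetitions of a scenario. It assumes the old-format NS-2 wireless trace and the commonly used definitions of PDF, NRL and EED; the sample trace lines and the LOOP drop reason are constructed.

```python
import re

# Old-format NS-2 wireless trace prefix: event time _node_ layer reason pkt_id type size
LINE = re.compile(r"^([srfD]) (\d+\.\d+) _(\d+)_ (AGT|RTR|IFQ|MAC) +(\S+) (\d+) (\w+) (\d+)")

def metrics(trace):
    """Return PDF (%), NRL, EED (s) and dropped data packets for one run."""
    sent, recv, routing, dropped = {}, {}, 0, 0
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # ignore lines in other formats
        ev, t, _node, layer, _why, pid, ptype, _size = m.groups()
        if ptype == "cbr" and layer == "AGT" and ev == "s":
            sent[int(pid)] = float(t)
        elif ptype == "cbr" and layer == "AGT" and ev == "r":
            recv.setdefault(int(pid), float(t))   # first delivery only
        elif ptype == "cbr" and ev == "D":
            dropped += 1
        elif ptype == "AODV" and layer == "RTR" and ev in ("s", "f"):
            routing += 1                  # RREQ/RREP/RERR transmissions, per hop
    delays = [recv[p] - sent[p] for p in recv if p in sent]
    return {
        "pdf": 100.0 * len(recv) / len(sent) if sent else 0.0,
        "nrl": routing / len(recv) if recv else float("inf"),  # undefined if nothing delivered
        "eed": sum(delays) / len(delays) if delays else 0.0,
        "dropped": dropped,
    }

def average_runs(traces):
    """Average each metric over the repetitions of one scenario."""
    rows = [metrics(t) for t in traces]
    return {k: sum(r[k] for r in rows) / len(rows) for k in rows[0]}

# Constructed sample traces (not from the thesis): node 0 -> node 7, node 5 drops.
COMMON = """\
s 1.000000000 _0_ AGT  --- 0 cbr 512 [0 0 0 0] ------- [0:0 7:0 32 0] [0] 0 0
s 1.001000000 _0_ RTR  --- 0 AODV 48 [0 0 0 0] ------- [0:255 -1:255 30 0] [0x2 1 1 [7 0] [0 4]] (REQUEST)
f 1.003000000 _3_ RTR  --- 0 AODV 48 [0 ffffffff 0 800] ------- [3:255 -1:255 29 0] [0x2 2 1 [7 0] [0 4]] (REQUEST)
r 1.004000000 _7_ RTR  --- 0 AODV 48 [0 ffffffff 3 800] ------- [3:255 -1:255 29 0] [0x2 2 1 [7 0] [0 4]] (REQUEST)
s 1.005000000 _7_ RTR  --- 0 AODV 44 [0 0 0 0] ------- [7:255 0:255 30 3] [0x4 1 [7 4] 10.000000] (REPLY)
r 1.050000000 _7_ AGT  --- 0 cbr 532 [13a 7 3 800] ------- [0:0 7:0 30 7] [0] 2 0
s 1.100000000 _0_ AGT  --- 1 cbr 512 [0 0 0 0] ------- [0:0 7:0 32 0] [0] 1 0
"""
DROPPED = "D 1.120000000 _5_ RTR  LOOP 1 cbr 532 [13a 5 0 800] ------- [0:0 7:0 30 5] [0] 1 0\n"
DELIVERED = "r 1.180000000 _7_ AGT  --- 1 cbr 532 [13a 7 3 800] ------- [0:0 7:0 30 7] [0] 2 0\n"
RUNS = [COMMON + DROPPED, COMMON + DELIVERED, COMMON + DROPPED]  # three repetitions
if __name__ == "__main__":
    print(average_runs(RUNS))
```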
Table 4.8 illustrates the proposed SLBHAD technique with
different network parameters.
Table 4.8 Analysis on AODV with the proposed SLBHAD technique
Black Holes   PDF     NRL    EED     No. of Packets Sent   Dropped Packets
1             89.03   0.48   52.37   721.00                229
2             73.37   0.53   42.52   631.67                470
3             61.30   0.53   38.86   505.33                683
4             48.87   0.62   32.03   481.33                895
From Tables 4.7, 4.8 the following observations are made:
i. With the plain AODV, the PDF has a steep fall from 97.60
(0% malicious nodes) to 22.53% (40% malicious nodes).
The proposed SLBHAD technique increases the PDF to 89%
(1% malicious node).
ii. Similar results are observed in the PDR. The drop ratio is
reduced in the proposed SLBHAD technique. For the AODV
without any attack, the drop ratio is 11% (0% malicious
nodes).
iii. The number of packets sent has also increased with the
proposed technique.
iv. The EED is decreased when there are 40% malicious nodes
in the network. This is because the proposed detection
technique detects and isolates the Black Hole nodes from the
network, so the packets are routed only via normal nodes.
v. The normalized routing packets are also greatly reduced
with the proposed SLBHAD technique.
From the above results it is concluded that the SLBHAD leads to a
substantial improvement over the plain AODV from the point of view of the
PDF. The details are presented in Figure 4.15, where a comparison of the
PDF corresponding to 40% malicious nodes is given. The proposed
SLBHAD technique achieves a good PDF compared to the normal AODV.
In Figures 4.15 to 4.20, the SLBHAD technique is denoted as
Detection_With_PRS, where PRS denotes Periodic Request Sending.
Figure 4.15 Comparison of the PDF (40% Malicious Nodes)
Figure 4.16 presents a comparison of the dropped packets in the
presence of 40% malicious nodes. It is found that the proposed SLBHAD
technique performs considerably better than the normal AODV.
Figure 4.16 Comparison of the PDR (40% Malicious Nodes)
The overhead can be measured based on the number of
transmissions of messages like RREQ, RREP, and RERR. The overhead
increases with increasing percentage of malicious nodes for the plain AODV.
The proposed technique consumes fewer network resources.
Figure 4.17 Comparison of the Overhead (40% Malicious Nodes)
Figure 4.17 provides a comparison of the overhead between the
AODV and the proposed SLBHAD technique. The overhead is measured in
terms of successfully received or forwarded packets at the routing layer. In
general, an increase in the overhead signifies poor performance.
Figure 4.18 Comparison of the NRL (30% Malicious Nodes)
Figure 4.19 Comparison of the NRL (40% Malicious Nodes)
Figures 4.18 and 4.19 signify the performance of the NRL. Without
a detection technique, the NRL increases slightly up to 30% Black Holes in
the network. But after 30% the NRL increases exponentially, without
detection. The proposed detection process uses the SLBHAD detection
technique, and hence, there is a reduction in the NRL. Thus, the NRL reduces
for the proposed SLBHAD technique.
Figure 4.20 Comparison of the EED (40% Malicious Nodes)
From Figure 4.20, the following inferences can be drawn. In
general, the EED decreases when the percentage of malicious nodes
increases. In the proposed SLBHAD technique, the EED decreases
significantly, which indicates that the connection is established within a
lower number of hops. That is, when there is a malicious node in the network,
the proposed SLBHAD technique detects and isolates the malicious nodes
from the network. Hence, the communication is only via the normal nodes,
so the EED is decreased.
4.5 COMPARING THE ACCURACY OF THE DETECTION
TECHNIQUE
Many research works have been carried out to secure the
AODV routing protocol (Hu et al 2004, Hu et al 2005). The proposed
detection technique is compared with an existing single layer technique,
which uses the DAODV protocol. They use the anomaly detection technique,
which is based on the dynamic learning process. In their technique, they use
path finding features and path abnormality features to detect the abnormality
of the nodes. Table 4.9 displays the comparison of the DAODV with the
proposed SLBHAD technique.
Table 4.9 Analysis on DAODV
Black Holes   PDF     NRL      EED     No. of Packets sent   Dropped
1             70.64   0.49     66.14   450.00                500
2             54.23   0.62     47.23   390.00                560
3             30.56   0.96     40.56   375.00                1105
4             29.23   100.79   37.23   360.25                1256
Figure 4.21 Comparison of the PDF (40% Malicious Nodes)
Figure 4.21 illustrates the PDF for AODV without any detection
techniques, and the DAODV with the SLBHAD technique. This technique is
compared with varying node densities, i.e. 50, 100, 150 and 200. From the above
figure, it is observed that the PDF is better than in the existing DAODV and
AODV without any detection techniques.
[Plot: Number of Nodes vs Packet Delivery Fraction; x-axis: Number of Nodes; y-axis: Packet Delivery Fraction (%)]
Figure 4.22 Comparison of the NRL (40% Malicious Nodes)
Figure 4.22 illustrates the NRL for the AODV without any
detection techniques, and the DAODV with the SLBHAD technique. This
technique is compared with varying node densities, i.e. 50, 100, 150 and 200.
The NRL is very much lower in the proposed SLBHAD technique compared to
other existing techniques.
[Plot: Number of Nodes vs Normalized Routing Load]
Figure 4.23 Comparison of EED (40% Malicious Nodes)
Figure 4.23 illustrates the EED for AODV without any detection
techniques, and the DAODV with the SLBHAD technique. This technique is compared
with varying node densities, i.e. 50, 100, 150 and 200. The EED is very low in the
proposed technique because, after the isolation of Black Hole nodes, the
packets only travel through normal nodes. Figure 4.24 displays the
number of packets sent from the source to the destination node. More packets
are routed compared to DAODV and AODV without any detection technique.
[Plot: Number of Nodes vs End-to-End Delay; x-axis: Number of Nodes; y-axis: End-to-End Delay in sec]
Figure 4.24 Comparison of the number of packets sent (40% Malicious Nodes)
Figure 4.25 Comparison of the number of packets dropped (40% Malicious Nodes)
Finally, Figure 4.25 displays the dropped packets in the network.
The proposed SLBHAD technique drops a very minimal number of packets
compared to the other two techniques.
[Plot: Number of Nodes vs Packets Sent; x-axis: Number of Nodes; y-axis: Packets Sent]
[Plot: Number of Nodes vs Dropped Packets; x-axis: Number of Nodes; y-axis: Dropped Packets]
4.6 SUMMARY
In this chapter, a novel technique is proposed to detect and isolate
the Black Hole attacks in MANETs. Initially, the density based attack
analyzer is used to analyze the network performance, when the attacks occur.
It is shown that the proposed SLBHAD technique improves the PDF
compared to the existing techniques. Moreover, the proposed technique
reduces the NRL and EED. The existing AODV algorithm is modified, and
has Honeypot concepts incorporated in it.
The PDF for the proposed SLBHAD technique is 89.03%. The PDF
for the existing AODV technique is 67.73% and for DAODV it is 70.64%. From
this it is observed that the proposed SLBHAD technique improves the PDF
significantly. When the network contains 40% of Black Hole nodes, the NRL
for AODV is 110.79, for DAODV the NRL is 100.79, and for the proposed SLBHAD
the NRL is 0.62. From this it is observed that the network load is very low in
the proposed SLBHAD technique. When the network contains 10% of Black
Hole nodes, the EED for AODV is 68.24 sec, for DAODV the EED is 66.14 sec,
and for the proposed SLBHAD the EED is 52.37 sec. From this it is seen that
the proposed SLBHAD technique has very low EED. Hence the proposed
technique isolates Black Hole nodes and routes packets via normal nodes. The
simulation results based on extensive experiments illustrate the novelty and
the effectiveness of the proposed technique.