MITIGATING WORMHOLE ATTACK IN WIRELESS MOBILE …1*Suyash Bhardwaj, 2Dr. Vivek Kumar 1Ph.D. Scholar,...

© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)

JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 252

MITIGATING WORMHOLE ATTACK IN

WIRELESS MOBILE ADHOC NETWORK

1*Suyash Bhardwaj, 2Dr. Vivek Kumar 1Ph.D. Scholar, 2Professor,

1,2Department of Computer Science, Faculty of Technology,

Gurukula Kangri Vishwavidyalaya, Haridwar, Uttarakhand, India

Abstract: Mobile Ad hoc Networks or MANETs are infrastructure less, rapidly deployable temporary networks used for a

communication in emergency situations or when the wired communication systems fail. It could be unfriendly environments,

rough terrain or disaster situation; MANET performs exceptionally well; however, it falls short when exposed to routing attacks.

To ensure the security and strength of the MANET in such unpredictable situations the requirement of a secure, effective,

scalable, swift, and efficient mechanism is obligatory. The generally used protocol under MANET is AODV, however AODV

performs well in any type of scenario except it is not secure from the attacks, from outside attackers as well from the inside

compromised nodes. These attacks are tough to detect, furthermore complicated to avoid. Such an attack is Wormhole attack.

In this paper, we propose a Novel Secure Cooperative Neighbour Based Approach in AODV (CNBWH-AODV) to identify and

prevent wormhole attack. The wormhole attack is very difficult to detect, since a wormhole captures a routing message from one

point of the network, tunnels it and then replay it at another point in the network. Wormhole node does not necessarily drop

routing or data messages, and does not require the full message to be delivered at the same time. The message can be delivered in

smaller parts or in bits using a high power wireless transmission antenna or direct wired connection. If a wormhole does not drop

or modify data, it is almost impossible to detect the attacker. The most important part of our approach is detecting a wormhole

attack without requiring any special hardware. Proposed approach uses the 1 hop neighbour information for identifying the

colluding attacker, using cooperative neighbours. This approach works for both hidden and exposed type of wormhole attacks,

and does not create any routing overhead. This approach is able to completely avoid the wormhole nodes and improves the

performance of the network as shown in the simulations under NS2.

Index Terms - MANET, AODV, Worm Hole Attack, Cooperative Neighbour Based Detection Mechanism.

I. INTRODUCTION

Communication devices and high speed network have become a part of our day to day life. Networks mediums have grown

from wired slow Ethernet base dial up connections to wireless 5G high speed internet communication. All these progressions have

given freedom to people to interact with each other, even when they are located at geographically distant locations. This freedom

of communication has brought both benefits as well as shortcomings. They are less secure and are prone to attacks, the privacy

and security is an issue with these infrastructure less networks [1]. Wireless mobile Adhoc network or MANET’s are highly

dynamic, easily deployable wireless systems that are not dependent on any central fixed structure. However, they consist of

mobile nodes or devices that are free to roam in the area and can be connected at the time of requirement in a random manner.

These devices are capable of behaving as routers, that are responsible for route discovery and route maintenance. They behave

like source and destination in such a manner, where the communication takes place between sender and receiver, through wireless

multi-hop communication network [2]

MANET’s are short lived in comparison to wired network, as such mobile devices are equipped with very limited resources

and battery power [3]. There are some distinct characteristics as shown by MANET such as lack of fixed infrastructure, weak

security, limited battery life, dynamic topology, and limited bandwidth. These characteristics make them more prone to attacks

yet provide the high adaptability, so they are very useful in different applications like video conferencing, departmental meeting,

resource sharing, search and rescue operations, military deployment, disaster management situations, electoral system, and many

more. Applications of MANET technology are limitless and they could include industrial, commercial as well as future military

networking applications. They can be properly combined with satellite-based information delivery systems such as GPS, to

provide a really flexible solution for setting up communication systems for fire, disaster and other safety or rescue operations.

There are also many other applications possible for MANET technology which are not yet comprehended or planned by the

technocrats. [4]

There are numerous different protocols which are already planned for routing in MANETs. Furthermore, these protocols may

be categorized into three categories: Reactive or On-Demand Routing Protocols, Proactive or Table-Driven Routing Protocols and

Hybrid Routing Protocols. The Reactive Protocols, like the Ad hoc On-Demand Distance Vector (AODV) routing protocol [5],

starts route discovery only when obligatory. In Proactive Routing Protocols, such as the Optimized Link State Routing (OLSR)

protocol [6] mobile nodes discover and update routes by exchanging network information in the fixed duration of time. Hybrid

http://www.jetir.org/



Routing protocols are those protocols which combine the best features of both reactive and proactive type routing protocols.

Reactive and Proactive types of routing protocols depend on the route information provided by the neighbouring nodes, however,

does not provide any centralized or distributed mechanism for detection and prevention of attacks from these neighbouring nodes

[7]. Most of the routing protocols generally believe that the devices of the network are reliable and can be trusted, on the other

hand, a malicious node can initiate an attack to disrupt route discovery since the beginning of the network setup and can attack

data transmissions without being detected for a long time.

II. AODV OVERVIEW

The Adhoc On-Demand Distance Vector routing protocol (AODV) [5] is a reactive or on demand type routing protocols that

finds a route towards destination only when it is required. In AODV, active nodes contribute in the route selection process while

the nodes existing on inactive routes do not share routing table updates and information exchanges. The algorithm’s primary

objective is to broadcast discovery messages whenever essential, however, hello messages are regularly sent to immediate

neighbours to maintain local connectivity and general topology.

Network Communication in AODV depends on regular updating route table entries at nodes participating in an active session;

whereas all nodes maintain a sequence number counter which helps to replace stale stored routes. This scheme utilizes bandwidth

capably by diminishing the network burden for control and data messages, consequently confirms loop-free routing. In AODV the

Route Discovery procedure is started only when the source device or node wants to transfer messages to another node in the

network and there is no existing path between the source and the destination. The sequence number and the broadcast id are the

two counters maintained by each mobile node in the whole network. Subsequently, the route acquisition process starts with

spreading a Route Request (RREQ) message flooded by the source node to all the neighbours, whereas in reply neighbour can

send a Route Reply (RREP) message, when the neighbour has a path towards the destination, otherwise it can either drop or

forward the RREQ message to other neighbours after incrementing hop count by one, thus creating a backward route towards the

source. As shown in Figure 1 the source A broadcasts the RREQ and all the neighbours forwards the RREQ until it reaches the

destination H. Multiple RREQ received with the same sequence number are ignored by the intermediate nodes as well as

destination. Moreover, every node forwards the RREQ message when it does not have a route towards destination. If any node

possibly has a path or route reaching destination, it can generate a route reply message on behalf of the destination.

Figure 1: Route acquisition in AODV

When the first route request (RREQ) message is received at destination, a corresponding route reply (RREP) is unicasted

towards source using backward path, as shown in Figure 1. Further received RREQ messages with the same sequence number are

ignored. Additionally, this RREP updates the destination sequence number and sets up a final path from source to the destination.

Figure 1 denotes the final path formed when the RREP is sent by the destination H towards the source node A. When the route is

established, the data communication can be started by source in form of sending messages to destination using this path.

A. AODV vulnerabilities

There are many threats against routing protocol, some of these include Flooding Attack [7], Black Hole Attack [1][4][7], Gray

Hole Attack [4][7], Link Spoofing [4], Wormhole Attack [7], Replay Attack [7], Passive Eavesdropping [4] [7], Active

interfering, Impersonation [4], Selfish Node Attack [4] and Selective Forwarding attack [4].

III. WORM HOLE ATTACK

In AODV, route request is broadcasted by the nodes that receive it, while the route reply is unicasted to set the reverse path

towards the source. Every intermediate node plays a critical role in the route discovery process. During this process, if any

intermediate node is sending route request or route reply messages to its partner situated at some distant location in the same or

different network cluster, is actually using a dedicated link or hidden transmission tunnel to create a wormhole attack in the

network. For the duration of a wormhole attack, the attacker node obtains or intercepts messages from one place or point in the

system and tunnels the messages to another place in the system, and then forwards them from that location [8]. Attacker node

compromises the route discovery process and disables the node to build routes between nodes correctly. At the same time, the

network traffic concentrates in an attackers’ tunnel, making him able to read and modify passing data packets. Over time, more

and more routes in network will use this tunnel. However, the wormhole attacker reduces the hop count, so it is easy for it to send




messages earlier than normal routing process. As stated by [9] it is possible for an attacker to selectively unicast bits of messages

through the wormhole link in a nonstop routine, exclusive of the waiting for whole message to be acknowledged.

A wormhole attacks may give fabricated wrong route, if the source node selects this wrong route, attacker node has the

opportunity of sending the messages to another point in the network or just sinking them. These attacks are tough to perceive as

attacker nodes is able to imitate real nodes, and the attacker is not dropping the routing or data messages, else it has tunnelled

them to another point in the network [9]. quantified the severity of such attack by mentioning that these attacks are operative and

can pose a threat in secured networks, where authentication, integrity, confidentiality and non-repudiation are preserved.

A. Types of wormhole attack

The wormhole attacks are classified in two types, based on participation of malicious node in the route discovery process, that

is either exposed or hidden [10].

1. Hidden Type of Wormhole attack

In the hidden type of attack, an attacker node receives packets from one node and transmits them to another distant node

without updating the hop count. In this situation, when the destination node receives this packet, it believes that the sender is its

neighbour, as it does not know about the presence of intermediate attacker. Sometimes only one attacker is able to perform this

attack, however more number of attacking nodes will fool the compromised node to create the entries of neighbours that are

located at several hop distance as 1 hop neighbours. This will result in expanded routing table and overall routing will be

compromised.

For example, as presented in Figure 2 (a), the wormhole tunnel exists in between wormhole node X and node Y. Node X and

node Y does not increment the hop count, hence the destination node will assume that the message is received directly from

source, in this case node B, assumes that node A is its 1 hop neighbour, due to illusion created by wormhole nodes. In this

situation wormhole node remains hidden during route discovery, and it is almost impossible to detect the attack as the

participating nodes won’t even know the presence of wormhole.

2. Exposed Type of Wormhole attack

The exposed attack is more sophisticated attack, as in this type, the wormhole attacker increments the hop count, is visible to

the other nodes, and it behaves like a normal node while receiving and forwarding routing messages during route discovery.

Though the attacker receives the message from victim node like a normal node but maliciously transmit the message to other

location in the network, then reflows the message from that location, keeping the destination node in doubt of the location of the

message origination. Henceforth the destination node will not get information about the distance between participating nodes. The

key aspect of this attack lies in the mode of transmission, which we will discuss in next section.

To understand the exposed type of wormhole attack, take a look at the hop count field in the Figure 2(b), where the attacker

nodes X and Y, participate in the route discovery process visibly and increments the hop count by one. Both source and

destination know about the intermediate nodes X and Y but are unable to recognize the distance between them, for them it seems

to be, that both X and Y are immediate neighbours.

Message format [source id, destination id, hop count]

Figure 2. Hidden and exposed wormhole attack

B. Modes of wormhole attack

A common mode of wormhole attack discussed by Khalil, I., Bagchi, S. and Shroff, N.B., (2005) [11] include a long-range

directional wireless link or a direct wired link, which is used to transmit the message with great power to another point in the

network without informing other nodes about the transmission. This mode of attack is more difficult to launch, since it needs

dedicated hardware ability. Where as in other mode of attack, there is no need of any special hardware. During this mode the

malicious node encapsulates the original RREQ message in another RREQ message created by itself destined to its colluding

partner node to hide the original RREQ from the nodes that lies in between them [12].

1. Direct mode of wormhole attack

To get familiarize with first mode of attack, we take a closer look at Figure 3 (a), where wormhole node X is using a special

directional antenna for transmitting the messages directly to the colluding partner. Node S is broadcasting a route request for route

acquisition towards node D, nodes X and Y are wormhole attackers having a high range directional wireless or dedicated wired

link between them. Node X tunnels the route request to Y, which is a genuine neighbour of D. Node Y forwards the message to its

neighbours, including D. Node D receives two route requests S-X-Y-D and S-1-2-3-D. Out of these two routes, the first one




seems to be faster and short in comparison with second, which eventually will be chosen by the node D. Henceforth, resulting in

direct tunnel based wormhole being created between X and Y on the route between S and D.

2. Encapsulated mode of wormhole attack

Consider Figure 3 (b) for second mode of attack, during which source node S and destination node D try to find the optimal path

between them, in the existence of the two wormhole nodes X and node Y. Node S start route discovery by sending a route request

(RREQ) to its neighbours, node 1 and node X, both receives the RREQ message, node 1 forwards the message, but node X

encapsulates it in another RREQ message created by node X destined to its partner attacker node Y over the route that exists

between X and Y (including 4-5-6). Node 4, 5, and 6 thinks that node X is communicating with Y, as the RREQ received is

originated from node X and destined to node Y. The intermediate nodes are unfamiliar about the encapsulated original RREQ.

When node Y receives the RREQ packet it expands the packet, and rebroadcasts the original message again, which reaches D.

The point to ponder is that because of packet encapsulation, the hop count is not incremented during the transmission between X

and Y over nodes 4-5-6. Alongside, the RREQ travels from S to D through 1-2-3. Node D receives two route requests, the first is

seemingly three hops long (S-X-Y-D), and the second is four hops long (S-1-2-3-D). Node D will choose the first route since it

seems to be the shortest though actuality it is six hops long. In this way the attacker nodes X and Y have involved themselves in

the route set up from S to D. Since the wormhole route appears to be shorter and faster, we can say that all the shortest route

finding protocols are vulnerable to wormhole attack.

Figure 3 direct and encapsulated mode of transmission under wormhole attack

C. Properties of Wormhole nodes

Wormholes are very difficult to detect, as they do not participate in the route acquisition process, are hidden from other nodes,

can modify the mutable contents of message without alarming participating nodes, can create an illusion of close neighbourhood,

and still can remain undetected. Moreover, it can lure a sender to send more traffic though the wormhole tunnel, and can modify,

record, copy, change, manipulate, or even drop these messages later. There are several symptoms of wormhole existence as stated

by Lee, G., Seo, J. and Kim, D.K., (2008) [13] such as, Low hop count replies, longer propagation time, larger delay per hop,

RREQ/ RREP is captured and not delivered over normal route, bigger transmission range , wormhole node that is not a neighbour,

more load on certain nodes, modified routing or data messages etc.

IV. LITERATURE REVIEW

Worm hole attack not only affect the End to End delay of the network adversely, but also compromise the authenticity of the

whole communication system. There are various studies that propose the methods for detection and avoidance mechanisms of

worm hole attack. Kannhavong, B., Nakayama, H., Nemoto, Y., Kato, N., & Jamalipour, A., (2007) [7] presented survey of various

approaches to detect and avoid the BH attack, and have summarized the methods to show comparison between them. Hu, Y.C.,

Perrig, A. and Johnson, D.B., (2006) [9] have discussed various approaches for avoiding and detecting worm hole in AODV based

mobile ad hoc networks. However, there is a need of elaborative study and comparison of various approaches and to find the gap in

the approach. So this paper presents various approaches and categorizes them in the major detection and prevention methods.

A. Routing Message or Routing Table Modification based Approach

There are various approaches to detect and prevent wormhole attack in MANET, one popular approach is to modify the routing

messages or table to detect malicious nodes, like Gupta, S., Kar, S. and Dharmaraja, S. (2011) [14] suggested a modification in

hello packet to introduce a new packet called Hound packet, to keep record of neighbours within vicinity of the current node.

similarly, Khan, Z.A. and Islam, M.H., (2012) [15] modified the routing table to include a column of complete path from source to

all other nodes.

B. Alternative Route Based Approach

Finding an alternative route is quite easy when we detect a malicious node in the path, such detection method is suggested by

Geetha, S.B. and Patil, V.C., (2015) [16] by introducing a new type of node called Auxiliary Node (AN) which timely broadcast the

route discovery beacons (RDB) and maximize the routes by providing Additional Supportive Routes (ASR). Whereas Gupta, C.

and Pathak, P., (2016) [17] suggested a method to find an alternative route to the destination, when source node detect a malicious

attacker as it is providing a shorter path towards destination. In this case the new alternative route which might not be shortest one

is chosen for data transmission.




C. Cluster Based Approach

Cluster based approach is based upon division of the network in clusters to differentiate the neighbours of different cluster

heads, similar approaches are given by Chatterjee, P., Sengupta, I. and Ghosh, S.K., (2012) [18], in which they proposed a Secure

Trusted Auction Oriented Clustering based Routing Protocol (STACRP), to provide trusted framework divided into 1- hop disjoint

clusters. Jamaesha, S.S. and Bhavani, (2018) [19] suggested a modified and improved secure location aware routing protocol using

clustering technique, to predict the possible movement of the attacker node using particle swarm optimization.

D. Node Authentication System Based Approach

Node Authentication system based approaches suggest node authentication by the source node by calculating the difference of

source sequence number, like proposed by Gandhewar, N. and Patel, R., (2012) [20] or by authenticating the location of the nodes

in the network, as suggested by Biswas, J., et. al.,(2014) [21] or by embedding digital certificate in HELLO packet, as proposed by

P. Yadav and M. Hussain, (2017) [22]

E. Cryptography and Hashing Based Approach

Cryptographic Approaches including digital signature and public key sryptography are mostly applied in securing the network,

Woungang, I.et. al., (2012) [23] proposed substituting the AES part of the scheme by the Triple Data Encryption Standard (TDES),

yielding the AODV-WADR-TDES routing algorithm, Patel, A., et. al., (2015) [24] proposed a Hash based Compression Function

(HCF) which is a secure hash function used to compute a value of hash field for RREQ packet. Ghayvat, H. et. al., (2016) [25]

proposed a security approach using digital signature and hash chain algorithm to mitigate the wormhole attack.

F. Distance and Location Based Approach

Distance and location based approaches try to find the location of attacker node and by calculating the distance from source

node. one of the popular approach is given by Hu, Y.C. et. al. (2003) [9], suggesting the use of Packet leashes to show the

maximum allowed distance of a packet from a sender. The packet leashes can restrict the transmission distance of a packet, and

prevent the packet from traversing a longer path introduced by a wormhole. While sending a packet sender adds a leash to a packet,

which when received at the receiver end is extracted to compare the sending time with the leash to detect a wormhole attack. In

geographical leash based system, leash is having a sending time and location attached to it. A real time attacker detection is

achieved using this system, since an end-to-end delay is extracted as the sending time and the receiving time is directly used to

detect the wormhole attack. Similar approaches are given by Li, Z., et. al. (2011) [26] to estimate the distance of fake neighbour by

detecting collision of signal sequences at the two receivers. Y. Wei and Y. Guan, (2013) [27] proposed a lightweight location

verification system in sensor networks. Pagnin, E. et. al. (2015) [28] suggested an approach that allows a node to verify that another

node is a physical next-hop neighbour, and also detects legitimate neighbours who make dishonest claims as to who their

neighbours are. Teotia, V., et. al. (2015) [29] proposed a scheme, called Cell-based Open Tunnel Avoidance (COTA) and

implemented on the location aided routing protocol (LAR1), leading to the so-called COTA-LAR1 scheme. Moskvin, D.A. and

Ivanov, D.V. (2015) [30] proposed a geographical location based solution for detecting malicious nodes, by finding the distance

between nodes using GPS locations. Ahsan, M.S., et. al. (2017) [31] proposed Area Border Router and Sensing Aware Nodes based

scheme that monitors the signal strength of nodes, if distance found greater than default distance, attack is detected.

G. Round Trip Time and Delay Per Hop Based Approach

Round trip time and delay per hop based approach is based on the time taken by a message to complete a trip to destination.

Chiu, H.S. and Lui, K.S. [32] described the Delay Per Hop Indication (DelPHI) solution for detecting wormhole attacks. The idea is

to allow the source node to receive the route reply packets on many routes and calculates the round trip time (RTT) per route. It is

assumed that a route with a small number of hops has a small RTT, so the route that has a higher RTT per hop count than a

precalculated threshold is considered a wormhole route. However, in dynamic environments where the network loads are

unpredictable and nodes move rapidly, the RTTs are highly variable, the proposed solution becomes less reliable. Choi, S. (2008) et

al. [33] suggested to use the fact that for a RREQ or Route Reply (RREP) in Dynamic Source Routing (DSR) protocol, traveling a

wormhole link is slower than traveling a normal link. Therefore, after collecting the sending and receiving time, the source node

computes a time delay per hop, i.e. Delayperhop = (sending time – receiving time)/ hop count, and the presence of a wormhole is

confirmed if delay per hop is greater than the threshold. Shin, S. Y. and Halim, E. H., (2012) [34] proposes a method to create

multiple routes and calculating round-trip time (RTT) of all listed routes to destination. The RTT and number of hops of all listed

routes are compared in order to detect suspicious route. Agrawal, N. and Mishra, N., (2014) [35] presents a RTT estimator based

wormhole detection mechanism. Khobragade, S. and Padiya, P., (2016) [36] proposed a technique Using Authentication Based

Delay Per Hop Technique for detection of wormhole attack is done using number of hops and delay of each node in different paths

available in network. Bundela, A. S et. al.(2016) [37] considered delay, packet delivery ratio, routing overhead, throughput and

energy of nodes factors to detect wormhole attack. Verma, R. et. al. (2017) [38] proposed a round trip time and packet delivery

ratio based methodology for wormhole detection. When an intermediate node responds to RREQ, source node determines its PDR

and round trip time from other paths, if the RTT is less than threshold and PDR is less than 1, then the intermediate node is

considered as wormhole node.

H. Trust Based Approach

Trust based approaches to detect wormhole attacks include calculating a trust factor like Ojha, M. and Kushwah, R.S., (2015)

[39] observes the trust based threshold value of path, to detect wormhole link and the nodes on that link are identified as wormhole

nodes. Dubey, M., et. al. (2015) [40] designed a reputation base trust allocation system which will identify the faulty node using

node packet delivery ratio base analysis, if it is less than certain limit that means node is faulty and will search for new route using




Location Aided Routing (LAR). Parbin, S. and Mahor, L. (2016) [41] proposed a trust and reputation management scheme to find

out the trusted location in MANET environment. Sharma, P.K. and Sharma, V., (2016) [42] proposed a trust based routing

protocol that computes truthfulness of the path before it is selected for data delivery. Agrwal, S.L. et. al. (2016) [43] presents an

Individual Trust Managing Technique to prevent against sink-hole attack. Kaneria, P. and Rajavat, A. (2016) [44] introduce trusted

AODV routing protocol in which trust value is calculated using tangent hyperbolic function. Singh, U., et. al. (2016) [45] proposed

TSAODV and focuses on trust based computing to mitigate the effects of black hole, wormhole and collaborative black hole

attacks. Trust value is computed on the basis of route request, route reply and data packets. After calculation get trust values

between 0 to 1. If trust value is greater than 0.5 then the nodes are considered as reliable otherwise malicious. Sharma, S. and

Sharma, R. M. (2017) [46] proposed a new routing protocol naming extended prime product number (EPPN) based on the hop

count model, where hop count between source & destination is obtained depending upon the current active route. If the calculated

hop count is greater than the received hop count, then the trust mechanism will be used to identify the suspected nodes

I. Intrusion Detection System Based Approach

Intrusion detection techniques are also applied in the wormhole detecting systems, like Patidar, K. and Dubey, V., (2014) [47]

presented an intrusion detection system based on the concept of specification-based detection system to detect wormhole attacks

along routes in ad hoc networks. Rmayti, M., et. al., (2014) [48] proposes an intrusion detection mechanism using watchdog

mechanism based on two Bayesian filters: Bernoulli and Multinomial. Author used these two models in a complementary manner

to successfully detect the packet dropping attacks in mobile ad hoc networks. Khan, A. et. al., (2014) [49] presents a technique

NWLID: Normalized Wormhole Local Intrusion Detection Algorithm including intermediate neighbour node discovery

mechanism, packet drop calculator, individual node receiving packet estimator followed by isolation technique for the confirmed

Wormhole nodes. Emami, A.B et. al., (2015) [50] presents the modification of Negative Acknowledgement (NACK) based

Intrusion Detection System (IDS) in the form of Selective Negative Acknowledgement (SNACK). SNACK creates less routing

overhead due to selective acknowledgement system.

J. Genetic and Artificial Neural Network Based Approach

Genetic and Artificial Neural Networks based approaches are much more adaptive to this type of attack, similar approaches are

presented in Barani, F. and Gerami, S. (2013) [51] as a one-class Support Vector Machine for dynamic anomaly detection, called

ManetSVM. In another improvement Barani, F., (2014) [52] proposed an approach based on genetic algorithm (GA) and artificial

immune system (AIS), called GAAIS, for dynamic intrusion detection in AODV-based MANETs. GAAIS is able to adapting itself

to network topology changes using two updating methods: partial and total. Jamali, S. and Fotohi, R, (2017) [53] proposed a two

phase fuzzy logic system based artificial immune system called Defending Against Wormhole Attack (DAWA). In phase one, the

system selects the efficient routes using fuzzy logic; in phase two, it identifies the immune route among the selected routes using

artificial immune system.

K. Neighbour Information Based Approach

Neighbour information based methods involve the use of neighbour information for detecting a wormhole attack. Shi Z. et al.

(2013) [54] proposed a wormhole attack resistant secure neighbour discovery (SND) scheme based on local time information and

antenna direction with signature-based authenticated exchange of information between the network nodes. A novel random delay

multiple access (RDMA) protocol is used to secure neighbour discovery and attack resistant operation of the network. D. Sasirekha

and N. Radha, (2017) [55] proposed Attack Aware Alert (A3AODV) system that utilizes the effectiveness of round trip time based

detection method and anomaly based detection of wormhole and sinkhole in a mobile Adhoc network. The proposed system

collects the RTT from neighbours and calculate the difference in it, if it exceeds the threshold then a wormhole is detected.

V. SECURING AGAINST WORMHOLE ATTACK

In this section we will present two secure methods in detail that are used to defend against wormhole attack. Both of the methods

are used for comparison with the proposed work. One of the method is proposed by Zapata, M.G. and Asokan, N., (2002) [56]

proposed an improved and Secure AODV extension (SAODV) by including a new digital signature based message verification

system. Digital Signature are used to verify the constant fields of routing messages, while hashing is used to verify the variable

field (Hop Count). Every node has a key pair of public key and private key based on an asymmetric cryptographic system. When

a node generates a RREQ message, it includes signature that can be used by any intermediate node generating a RREP for the

corresponding RREQ. Any node generating a RREP should include the signature received from source and lifetime of the route

towards destination, to verify having a route to destination. Hash chains are used to validate the hop count in the received RREP

or RREQ messages in such a way that every node calculates a hash value on the current hop count and compares it with hash

provided in the received message. During a wormhole attack, the attacker node will collaborate with its partner attacker to tunnel

the data packets, but in SAODV the neighbour nodes are verified using hash chains and if any node is not verified then it is

considered as attacker. Hence, in SAODV, wormhole attack will be detected in early phase. This approach improves the security

mechanism of AODV however, degrades the performance by incorporating the extensive hash chain based cryptographic

methods. Repetition of signature verification slows down message exchanges and overload the system, compromising with

limited power and resources.

Another method is proposed by Obaidat, M.S. et. al. (2014) [57] presented a wormhole attack detection and exclusion system,

based on AODV and named it as E- HSAM, which uses AES as encryption standard. This approach works on finding the attacker

and then choosing an alternate path. E-HSAM approach is refined form of HSAM presented by Mamatha, G.S. and Sharma, S.C.,




(2010), which stated the use of packet counter to detect a packet dropping or modification attack. The author suggested to use a

hash code to calculate hash of the packet before it is sent, and then splitting the packets in sub-packets. These sub-packets are sent

through normal routes following intermediate nodes. When the destination receives the sub-packets, it assembles them to form

original packet and then calculates hash code on it. If the original hash code received matches with the calculated hash code, the

destination generates and sends to source, an acknowledgement (ACK) message to confirm that the packets have been received

successfully. If the ACK contains a confidentiality lost field set, that means hash code and packets are being compromised. The

total allotted time is also taken into consideration to detect a probable attack. If the ACK is not received by the sender within

approved time, then it is presumed that the packet is vanished. To improve the functionality of E-HSAM author have used the

fake packets, which are sent to destination to detect an attack, before sending the actual data. This way if the attack occurs, the

original information will not be compromised. The end to end communication is secured by AES encryption to avoid message

tampering and RRER message modification. The use of AES has introduced routing overhead, but the detection of broken link

and packet delivery ratio is improved.

VI. PROPOSED APPROACH

In this section we present the proposed CNBWH- AODV, which is a Cooperative neighbour based wormhole detection

approach based on AODV. CNBWH–AODV has two modules for detecting and preventing hidden and exposed type of tunnel or

encapsulation mode wormhole attack. The first module verifies the neighbour nodes and second module authenticate secure

message transmission. The first module is Neighbour Data Collection and Verification Module, that will discover and verify the

one hop neighbours of nodes participating in route discovery. The second module is Testing and Authentication Module, which

will check the presence of wormhole node and authenticate message integrity during communication.

Wormhole attack is a very influential attack; it enables attacker nodes to send messages to a distant location in the network

using intermediate nodes as slaves that are not aware of being part of a wormhole tunnel. There are two types of wormhole attack,

namely exposed wormhole attack and hidden wormhole attack, which are already explained in previous section. Our approach

enables the secure communication in both of these types of attack. In this section we will present two cases to demonstrate the

situation of attack and method of defending against these two types of wormhole attack.

A. CASE I: Exposed Wormhole Attack

It is considered when route reply is generated by wormhole attacker in exposed type attack. In this case the attacker is visible to

all the other neighbour nodes, and it also increments the hop count during route discovery. Consider the Figure 2 (b) and Figure 4

to understand this type of attack.


Figure 4: Reply by Wormhole Node (Exposed Attack)

I. Neighbour Data Collection and Verification Module

In exposed attack, the wormhole replies to normal HELLO messages and shows its presence by timely exchanging neighbour

information; while tunnels the routing and data messages to its colluding partner. In this case there is a need for nodes to identify

the attacker node before they fall prey for the wormhole node. In our approach we have introduced a new 1 hop neighbour table

to collect the information of neighbours. During route discovery or route maintenance, nodes receive RREQ and RREP messages

and also exchange information using Hello messages to know about the other nodes in the network. The hello messages are

generally used to discover immediate neighbours, we have collected that information and kept it in a new table named as 1 hop

neighbour table for only one hop neighbours in this Neighbour Data Collection and Verification Module. This table will be

updated when route discovery starts and after every RREQ received, and will be used when Initiator Node (IN) will launch

Testing and Authentication Module for the Suspected Node (SN). To understand the structure of 1 hop neighbour table, consider

Table 1 that shows the 1 hop neighbour table for source node S from Figure 4.

Table 1: One hop table of Node S

Node (S)

1 hop

Neighbour

(10)

(X)

(7)




(1)

(17)

2. Testing and Authentication Module

In our proposed CNBWH-AODV, we capture that route reply at the first node that receive it and initiate the Testing and

Authentication Module at this node, which will be further referred as Initiator Node (IN), and the node which has generated a

RREP will be a Suspected Node (SN) until it is verified by IN. As shown in the Figure 5, the Node X, that generated a RREP

message is considered as Suspected Node (SN), the node S that received the RREP at 1 hop is selected as Initiator Node (IN).

Equation 1 and 2 show the selection of IN and SN,

SIN = {S} ----- (1)

SSN = {X} ----- (2)

Where SIN denotes the set of Initiator Node (IN), and SSN denotes the set of Suspected Node (SN). When we have marked the

IN and SN, only two steps remains in the Testing and Authentication Module.

Step 1 Select the Cooperative Neighbour Node (CN) and Next Hop Neighbour Node (NHN)

Step 2 Verification of SN and CN by IN in Testing and Authentication Module

Step 1 Selecting Cooperative Neighbour Node (CN) and Next Hop Node (NHN)

To identify the CN’s and NHN we take a look at the neighbour table of Node S to find the neighbours of S. Cooperative Node

(CN) is that node which will be used to check the suspected node (SN) and it should be a common neighbour of both SN and IN.

A Next Hop Node (NHN) is that node which is exactly 2 hop away from IN, and it a common neighbour of any one CN and SN.

So that the message forwarded by SN can be verified by NHN. The 1 hop neighbours of Node S are shown in Table 1. Node S

will request all its one hop neighbours to share their table having 1 hop neighbours, in exchange it will get neighbour table of

Node 10, X, 7, 1 & 17, considering Figure 4. As we now know that the Node X is a Suspected Node (SN), so we try to find the

common neighbours of IN Node S, and SN Node X from the received tables of neighbouring node. One hop tables of Node 10, X,

7, 1 & 17 are given below in Table 2.

Table 2: One hop tables of Node 10, X, 7, 1 & 17

Node (10)

1 hop

Neighbour

Node (X)

1 hop

Neighbour

Node (7)

1 hop

Neighbour

Node (1)

1 hop

Neighbour

Node (17)

1 hop

Neighbour

(S) (10) (S) (S) (S)

(X) (S) (X) (7) (1)

(7) (11) (8)

(11) (8) (2)

(Y) (1 ) (18)

(17)

We can easily find the common cooperative nodes (CN) of SN Node X and IN Node S from their 1 hop neighbour tables, by

intersection operation of neighbour Set of SN node X = {10, S, 7, 11} and neighbour Set of IN node S = {10, X, 7, 1, 17}.

Equation 3 and 4 represent the neighbour set of SN node and IN node respectively, where NSN denote the neighbour set of (SN)

and NIN denote the neighbour set of (IN). Equation 5 represent the set of Common Cooperative Nodes (CN’s) of IN and SN,

NSN = Neighbour Set of (SN) node X={10,S,7,11,Y}--(3)

NIN= Neighbour Set of (IN) node S = {10,X,7,1,17} --(4)

SCN = NSN ∩ NIN = {10, 7} ----- (5)

where SCN denote the set of cooperative nodes, and it can be found out by intersection of Neighbour set of SN and Neighbour set

of IN. From (5) we find that node 10 and node 7 are CN’s. Moreover, from 1 hop neighbour tables of Node 10 and Node 7 (Now

CN’s) and Node X we can find the common next hop neighbour (NHN), by intersection operation of neighbour Set of Node 10 =

{S, X}, neighbour Set of Node 7 = {S, X, 11, 8, 1} and neighbour set of Node X = {10, S, 7, 11, Y}, and subtracting the IN and

SN from this result, as these two nodes will be common nodes in sets of CN and SN. Equation 6 and 7 represent the neighbour set

of node 10 and node 7, denoted by NCNn. Equation 8 represent the intersection operation of CN and SN to find the set of NHN,

represented by SNHN,

NCN1 = Neighbour Set of (CN1) node 10 = {S, X} -(6)

NCN2 = Neighbour Set of (CN2) node 7={S,X,11,8,1}-(7)

SNHN = {{NCN1∩NSN}+{NCN2∩NSN}}-{SIN}-{SSN}-(8)

SNHN={{S,X}∩{10,S,7,11,Y}+{S,X,11,8,1}∩{10,S,7,11, Y}} -{S}- {X}

SNHN={{S}+{S,11}} -{S}- {X}

SNHN = {11}-- (9)




From (9) we found that the node 11, exists in 1hop table of Node 7 (CN) and Node X (SN), hence it can be called as Next Hop

Neighbour of NHN of SN. As shown in Figure 5, Node S is IN, Node X is SN, Node 10 and Node 7 are Cooperative Nodes (CN1,

CN2), node 11 is the Next Hop Neighbour (NHN) of SN.

Figure 5: selecting IN, SN, CN and NHN in Exposed Wormhole Attack


Now when we know the SN, IN, CN and NHN in the path, the next step is to verify the wormhole attacker by generating

Verification Test Data Messages (FDATA). IN prepares data messages with different random numbers and send them to the

Destination Node or Next Hop Node (NHN) through different paths through Suspected Node (SN) or Cooperative Neighbour

(CN) as intermediate nodes. There can be different possible paths, CNBWH-AODV approach finds a safe path towards

destination while at the same time avoiding any wormhole in the path. For a generalized approach, we choose one path from IN to

NHN through SN, second path from IN to NHN through CN, third path from IN to destination through CN. The objective of

choosing different paths is to find a suitable and safe path within minimum time. The reply from destination may take longer time

to reach the IN in comparison to the reply from NHN. However, we still choose one path to be verified by destination only, in

case if the verification from NHN fails, then also CNBWH-AODV approach will be able to find an alternative safe path towards

destination. Verification here means that the FDATA messages have successfully reached the destination or NHN and are not

modified or replaced. When it happens, destination or NHN will generate acknowledgement message having the same random

number to complete the verification process. The verification of available paths starts when Initiator Node (IN) prepares

Verification Test Data Messages (FDATA) that will include one random number in first message and random number +1 in

second message and random number +2 in the third message and so on along with the same dummy data.

For evaluation of proposed CNBWH-AODV we choose a general scenario having three different paths. Figure 6 shows the

situation when Initiator Node (IN) prepares three Verification Test Data Messages (FDATA) with three numbers (20,21,22),

created randomly and send them to Cooperative Nodes (CN1, CN2), and Suspected Node (SN). These FDATA data messages

contain fake data that is not originally related to the actual data packet. So, in case of attack, the original data will not be

compromised. If IN receives the reply messages of these FDATA messages from any of the possible path, that path will be chosen

for final data sending process, however there can be three cases in this situation.

Figure 6: IN prepares and sends FDATA messages

Case 1: If the IN receives the verification message from destination via CN2 only and other two messages are not received

due to loss during congestion or route error, then it can be assumed that the other paths may contain a wormhole attacker or the

paths are not properly connected. In this case we will not choose those paths from which reply is not received. We assume that

both SN and CN1 are suspected to be malicious node as the reply from them is not received. Figure 7 shows the sending of

FDATA message by IN via CN1, SN and CN2 towards NHN and Destination. The sent FDATA message is received at

destination while at the same time; messages from CN1 and SN are not forwarded to NHN.




Figure 7: Sent data from IN reached DN via CN2

Figure 8 shows the verification reply sent by Destination via CN2. It shows that the data message is received at destination

and the path from IN to Destination via CN2 is now verified and can be used for data transmission, while the nodes CN1 and SN

will be treated as suspected Worm hole attacker nodes.

Figure 8: Verification by the destination via CN2

Case 2: if the IN receives the verification message from the NHN from the path via CN2 only, that means the SN and

CN1 have not forwarded the FDATA messages or they have forwarded the message to some point in the network from where the

reply is not received yet. In this case we assume that SN and CN1 both are suspected for message tunnelling or dropping and they

will not be selected for data transmission. As only the path via CN2 is verified by NHN, so it will be chosen as the alternate path.

Figure 9 shows the sending of FDATA messages via CN1, SN, and CN2, it also shows FDATA message is forwarded by CN2 to

NHN, while at the same time CN1 has forwarded data to SN is tunnelling the data message to its partner node.

Figure 9: Sent data from IN reached NHN via CN2

Figure 10 shows the generation of verification message by NHN and sending it through CN2. As NHN has replied by

verification message, it can be assumed that it is a reliable node. Figure 10 also shows that IN has not received any reply from

NHN via SN and CN1, so we assume that the data messages are lost due to congestion, or may be forwarded to some place in the

network far from NHN. However, we avoid such paths which are not verified by the NHN or destination. So only path through

CN2 to NHN will be selected as the path from IN which is now verified, and it can be used for further communication, while the

node SN and CN1 will be treated as suspected wormhole node.




Figure 10: Verification by the NHN via CN1

Case 3: if the IN receives the verification message from the NHN through SN node only, that means the SN has forwarded the

FDATA message to NHN, hence we can be sure that it is not a suspected wormhole attacker. Figure 11 shows the sending of

FDATA message via CN1, SN, CN2 and it also shows receiving of FDATA message at NHN, while at the same time the message

from CN1 has reached SN and CN2 has forwarded the FDATA message to another node but not NHN.

Figure 11: Sent data from IN reached NHN via SN

Figure 12 shows the generation of verification message at NHN and sending it back to source via SN only, on the other hand

FDATA message forwarded by CN2 has not reached the destination. Hence the only verification message is received from NHN

via SN, so it is referred as safe path for further data transmission. The important point to ponder at this case is that, if the SN is a

wormhole, it would have forwarded the FDATA message to its colluding attacker, which must not be the next hop neighbour of

SN. If the NHN has received data message from SN, it proves that it is not a wormhole node.

Figure 12: Verification by the NHN via SN

After the verification is received from any one or two paths, the shortest path will be chosen for final data transmission. Our

proposed approach is capable of finding a shortest path avoiding any wormhole attacker in the network.

B. CASE II: Hidden Wormhole Attack

During a hidden wormhole attack, the attacker node does not show its presence to its neighbours, does not responds to

HELLO message, does not reply to any route request, it remains hidden but receives routing and data messages from neighbour

nodes and forwards them to its colluding partner, which might be located close to destination. In this type of attack, the attacker

does not increment the hop count during route discovery, so destination node will not know about its presence. The location of the

attacker plays a key point role in attack effectiveness.

For a general scenario consider the Figure 13 and Figure 2 (a) to understand this type of attack, in which one attacker node is

close to destination while the other is at 2 hop distant from source. In this situation when the first attacker node X captures the




route request message from the neighbour node 11, hop count in route request is already incremented by 1. Now it tunnels this

route request to its partner, from there it is delivered to destination. When destination receives this request it assumes that node 11

is 1 hop distant away from itself and replies to this route request choosing the shortest path available. Here comes the role of our

proposed approach. In CNBWH-AODV, whenever a route reply is received by any node it checks the node that generated it and

follows a test and authentication module that verifies the originator of the RREP. In the next section we will test this situation of

hidden wormhole attack.


Figure 13: Reply by Destination Node (Hidden Attack)

Our proposed approach has two modules, first is Neighbour Data Collection and Verification Module and second Is Testing and

Authentication Module.

1. Neighbour Data Collection and Verification Module

Our proposed CNBWH-AODV uses the 1 hop neighbour information to verify the location of the node that generates the

route reply. So we will use the new 1 hop neighbour table to collect the information of neighbours and to keep the entries of only

those neighbours which are at single hop distance from any node. Like in the previous case we have made a table for source, in

this case attack will be first checked at node 11. Hence, Table 3 presents the 1 hop neighbour table of node 11 from Figure 13.

Table 3: One Hop Table of Node 11

Node (11)

1 hop

Neighbour

(10)

(S)

(7)

(D)

Check the table of node 11, it shows node D as its 1 hop neighbour. Due to wormhole tunnel, node 11 is tricked to assume that

destination node D is its immediate neighbour.

2. Testing and Authentication Module

After the Neighbour Data Collection module, Testing and Authentication Module will be launched by the Initiator Node (IN)

against the Suspected Node (SN). The initiator node is the first node which receives the route reply from the node that generated

it. Here in this case as we can see in the Figure 13, the reply is generated by destination node and received by node 11, so

Destination node is marked as Suspected Node (SN) and node 11 is marked as Initiator Node (IN). Equation 10 and 11 show the

selection of IN and SN,

SIN = {11} ----- (10)

SSN = {D} ----- (11)

where SIN denotes the set of Initiator Node (IN), and SSN denotes the set of Suspected Node (SN). After IN and SN is

identified, only two steps remains in Testing and Authentication Module. These are given below:

Step 1 Select the Cooperative Neighbour Node (CN) and Next Hop Neighbour Node (NHN)


Step 1 Selecting Cooperative Node (CN) and Next Hop Node (NHN)

To identify the CN’s and NHN we take a look at the neighbour table of Node 11 to find its 1 hop neighbours, which are shown in

Table 3. Node 11 will request all its 1 hop neighbours to share their 1 hop neighbours table, in exchange it will get neighbour

table of Node 10, S, 7, & D. Note that node D is also assumed as 1 hop neighbour, due to wormhole tunnel. As we know that the

Node 11 is an Initiator Node (IN), so we try to find the common neighbours of IN Node 11, and SN Node D from the received

tables of node 11 and node D. One hop tables of Node 10, S, 7, & D are given below in Table 4.




Table 4: One hop tables of Node 10, S, 7 & D

Node

(10)

1 hop

Neighbo

ur

Node

(S)

1 hop

Neighb

our

Node

(7)

1 hop

Neighb

our

Node

(D)

1 hop

Neighb

our

(S) (10) (S) (16)

(11) (11) (11) (11)

(7) (1) (15)

(1) (8) (4)

(17) (D) (6)

Now we try to find the common cooperative neighbours (CN) of IN node 11 and SN node D, by intersection operation of

Neighbour Set of node 11 = {10, S, 7, D}, denoted by NIN in Equation 12 and Neighbour Set of node D = {16, 11, 15, 4, 6},

denoted by NSN in Equation 13. SCN denote the set of cooperative nodes, given in equation 14, is found by intersection of NIN and

NSN.

NIN = Neighbour Set of (IN) node 11={10, S, 7, D }--(12)

NSN= Neighbour Set of (SN) node D={16, 11, 15, 4, 6}-(13)

SCN = NSN ∩ NIN = {NULL} ----- (14)

Figure 14 selecting IN, SN, CN and NHN in Hidden Wormhole Attack

Equation 14 shows the result of intersection operation as NULL, that means there are no common neighbours between, IN

node 11 and SN node D. This concludes that the node 11 and node D are not immediate neighbours, and are tricked to assume

each other as 1 hop neighbours by a wormhole attacker. Hence we can say that the route reply is not received from a genuine

neighbour and it’s a wormhole attack. It also shows that the nodes are located on separate dedicated wired link or wireless out of

band or in band tunnel, that is why they do not share a common neighbour, when having a 1 hop distance.

Wormhole attacker can be anywhere in the network, for example if one of the attacker is situated close to source and another

attacker is away from destination, then the route request will be captured before any increment in hop count, and then will be

tunnelled to this partner attacker. This partner attacker located away from destination will forward or reply the route request from

that point, which will be forwarded again by any other node to destination, in this case the destination will generate the route

reply and this will be checked by that neighbour node. Consider the Figure 15, in which the reply is generated by destination and

received by node 13, in this case node 13 will launch test and authentication module and will find that the destination is surely its

1 hop neighbour, then will send back this route reply towards source, following backward path. When source node will receive

this route reply, it will check again for the authenticity of the node that sent the route reply, and will know that node 13 is not its 1

hop neighbour, hence the wormhole will be detected in every situation, whether the wormhole is close to source or destination, or

it is away from both source and destination.

Figure 15 wormhole attack when attacker is away from source or destination




So in short we can say that if the wormhole attacker is exposed, it will be identified by using FDATA messages and if

wormhole attacker is hidden, there will be no common neighbour between the nodes before and after the attacker, hence this route

will automatically be opted out during route discovery process. In every case our proposed CNBWH-AODV will work and find

the attacker.

Algorithm

Step 1 Source node starts route discovery

Step 2 Route request is forwarded by all intermediate nodes; all nodes prepare 1 hop table under neighbour data collection

module.

Step 3 Route Reply is generated

If route reply is generated by intermediate node

(Exposed mode attack)

If route reply is generated by destination node

(Hidden mode attack)

Step 4 Selecting IN, SN, CN and NHN under testing and authentication module

The node generating route reply is marked as Suspected Node (SN) and its immediate neighbour is marked as Initiator

node (IN). One or more common neighbour of IN and SN are selected to behave as Cooperative Nodes (CN) from 1 hop

table. One or more common neighbour of CN is selected as Next Hop Neighbour (NHN)

Step 5 if the CN and NHN are NULL, then drop the route reply as it is hidden wormhole attack, else IN catches RREP generated

by SN and initiate verification process

Step 6 Testing and Authentication Module

IN sends Verification Test Data Messages (FDATA) to destination and NHN having different random numbers via

different paths to verify the nodes.

Step 6.1 If reply from destination only is received via any CN, then the SN will be regarded as suspected node, continue to step 8

Step 6.2 If reply from NHN only is received via SN, then other path from CN will be regarded as suspected path, continue to step

7

Step 6.3 If reply from NHN only is received via any CN, then SN will be regarded as suspected node, continue to step 7

Step 7 Selecting IN, SN, CN and NHN

The destination node is marked as Suspected Node (SN) and its immediate neighbour is marked as Initiator node (IN). one

or more common neighbour of IN and SN are selected to behave as Cooperative Nodes (CN) from 1 hop table. One or

more common neighbour of CN is selected as Next Hop Neighbour (NHN)

Step 7.1 Send verification message to destination, setting reply by destination only field in the verification message

If reply is received continue to step 8

If reply is not received go to step 1

Step 8 Send data from source to destination

VII. RESULTS AND DISCUSSION

The simulations have been performed in NS2 in 1400x1000 area for 21 nodes and over 2 wormhole nodes. The performance

is compared on throughput, end to end delay and packet delivery fraction.

Figure 16 shows the throughput of the proposed CNBWH-AODV in comparison to E-HSAM, SAODV and AODV with

wormhole. The throughput of network is the total data transmits in a period of time. The CNBWH-AODV outperforms in the

presence of wormhole node.




Figure 16 Throughput

Figure 17 shows the Packet Delivery Fraction of the proposed CNBWH-AODV in comparison to E-HSAM, SAODV and

AODV with wormhole. The PDF is calculated as the ratio between the number of packets generated by the source and the number

of packets successfully acknowledged by the destination. CNBWH-AODV shows least effect of wormhole on PDF in presence of

wormhole while the PDF drops drastically in case of E-HSAM, as E-HSAM is not able to detect the wormhole unless the packet

is received by destination, which in this case are modified by the attacker. The graph shows the activity of wormhole node, as

soon as the wormhole node is introduced in the system PDF is dropped, but in CNBWH-AODV we have detected and avoided

wormhole completely so PDF is not affected.

Figure 17 Packet Delivery Fraction

Figure 18 shows the End to End Delay of the CNBWH-AODV in comparison to E-HSAM, SAODV and AODV with

wormhole. The End to End Delay denotes to the time occupied for a message while travelling in the network from source to

destination. In the presence of wormhole attack, overall E2E delay is reduced, as the packets travel through tunnel are supposed to

reach the destination first. In E-HSAM approach, alternate route is chosen after the destination informs the source that original

messages are not being received. So the E2E delay is increased, but in CNBWH-AODV messages are send only through the

shortest path as well as the authenticity of the path is tested before the actual data transmission. Hence it reduces E2E delay in

comparison to E-HSAM, SAODV and AODV under wormhole.

0

100

200

300

400

500

600

700

1 2 3 4 5 6 7 8 9 10

Bytes

Time

THROUGHPUTWORMHOLE AODV CNBWH-AODV

E-HSAM SAODV

0

20

40

60

80

100

120

1 2 3 4 5 6 7 8 9 10

PDF

Time

PACKET DELIVERY FRACTIONWORMHOLE AODV CNBWH-AODV

E-HSAM SAODV




Figure 18 End to End Delay

VIII. CONCLUSION

We have presented an adaptive, responsive and cooperative neighbour based approach to completely identify and eradicate both

hidden and exposed type wormhole attacks. Our approach uses the information of 1 hop neighbours to verify the location of

attacker, and once it is identified it is discarded to participate in further communication, and all the replies generated by wormhole

attacker will be dropped. Results shown by simulation graphs represents the enriched performance of the proposed approach in

the presence of wormhole attack. The throughput is improved; the packet delivery fraction is also good. In the proposed

CNBWH-AODV approach the packets were delivered to the destination by avoiding the attacking node, thus the end to end delay

is reduced in comparisons to E-HSAM and SAODV. Overall performance of the system is improved and the worm hole nodes are

detected and avoided completely.

REFERENCES

[1]. Abdelaziz, A. K., Nafaa, M., & Salim, G. (2013, April). Survey of routing attacks and countermeasures in mobile ad hoc

networks. In Computer Modelling and Simulation (UKSim), 2013 UKSim 15th International Conference on (pp. 693-698).

IEEE

[2]. D'Innocenzo, A., Di Benedetto, M.D. and Smarra, F., 2013, December. Fault detection and isolation of malicious nodes in

MIMO Multi-hop Control Networks. In Decision and Control (CDC), 2013 IEEE 52nd Annual Conference on (pp. 5276-

5281). IEEE.

[3]. Macker, J. "Mobile ad hoc networking (MANET): Routing protocol performance issues and evaluation considerations."

IETF (1999).

[4]. Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: challenges and solutions. IEEE

wireless communications, 11(1), 38-47.

[5]. Perkins, C., Belding-Royer, E. and Das, S., 2003. Ad hoc on-demand distance vector (AODV) routing (No. RFC 3561).

[6]. Clausen, T. and Jacquet, P., 2003. Optimized link state routing protocol (OLSR) (No. RFC 3626).

[7]. Kannhavong, B., Nakayama, H., Nemoto, Y., Kato, N., &Jamalipour, A. (2007). A survey of routing attacks in mobile ad

hoc networks. IEEE Wireless communications, 14(5).

[8]. Choi, S., Kim, D.Y., Lee, D.H. and Jung, J.I., 2008, June. WAP: Wormhole attack prevention algorithm in mobile ad hoc

networks. In Sensor Networks, Ubiquitous and Trustworthy Computing, 2008. SUTC'08. IEEE International Conference on

(pp. 343-348). IEEE

[9]. Hu, Y.C., Perrig, A. and Johnson, D.B., 2006. Wormhole attacks in wireless networks. IEEE journal on selected areas in

communications, 24(2), pp.370-380.

[10]. Chiu, H.S. and Lui, K.S., 2006, January. DelPHI: wormhole detection mechanism for ad hoc wireless networks. In Wireless

pervasive computing, 2006 1st international symposium on (pp. 6-pp). IEEE.

[11]. Khalil, I., Bagchi, S. and Shroff, N.B., 2005, June. LITEWORP: a lightweight countermeasure for the wormhole attack in

multihop wireless networks. In Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference

on (pp. 612-621). IEEE.

[12]. Nouri, M., Aghdam, S.A. and Aghdam, S.A., 2011, November. Collaborative techniques for detecting wormhole attack in

MANETs. In Research and Innovation in Information Systems (ICRIIS), 2011 International Conference on (pp. 1-6). IEEE

[13]. Lee, G., Seo, J. and Kim, D.K., 2008, April. An approach to mitigate wormhole attack in wireless ad hoc networks. In

Information Security and Assurance, 2008. ISA 2008. International Conference on (pp. 220-225). IEEE.

0

5

10

15

20

25

30

35

1 2 3 4 5 6 7 8 9 10

Packets

Time

END TO END DELAYWORMHOLE AODV CNBWH-AODV

E-HSAM SAODV




[14]. Gupta, S., Kar, S. and Dharmaraja, S., 2011, April. WHOP: Wormhole attack detection protocol using hound packet. In

Innovations in information technology (IIT), 2011 international conference on (pp. 226-231). IEEE.

[15]. Khan, Z.A. and Islam, M.H., 2012, October. Wormhole attack: A new detection technique. In Emerging Technologies

(ICET), 2012 International Conference on (pp. 1-6). IEEE.

[16]. Geetha, S.B. and Patil, V.C., 2015, December. Elimination of energy and communication tradeoff to resist wormhole attack

in MANET. In Emerging Research in Electronics, Computer Science and Technology (ICERECT), 2015 International

Conference on (pp. 143-148). IEEE.

[17]. Gupta, C. and Pathak, P., 2016, March. Movement based or neighbor based technique for preventing wormhole attack in

MANET. In Colossal Data Analysis and Networking (CDAN), Symposium on (pp. 1-5). IEEE.

[18]. Chatterjee, P., Sengupta, I. and Ghosh, S.K., 2012. STACRP: a secure trusted auction oriented clustering based routing

protocol for MANET. Cluster Computing, 15(3), pp.303-320.

[19]. Jamaesha, S.S. and Bhavani, S., 2018. A secure and efficient cluster based location aware routing protocol in MANET.

Cluster Computing, pp.1-8.

[20]. Gandhewar, N. and Patel, R., 2012, November. Detection and Prevention of sinkhole attack on AODV Protocol in Mobile

Adhoc Network. In Computational Intelligence and Communication Networks (CICN), 2012 Fourth International


[21]. Biswas, J., Gupta, A. and Singh, D., 2014, December. WADP: A wormhole attack detection and prevention technique in

MANET using modified AODV routing protocol. In Industrial and Information Systems (ICIIS), 2014 9th International


[22]. P. Yadav and M. Hussain, "A secure AODV routing protocol with node authentication," 2017 International conference of

Electronics, Communication and Aerospace Technology (ICECA), Coimbatore, 2017, pp. 489-493.

[23]. Woungang, I., Dhurandher, S.K., Koo, V. and Traore, I., 2012, December. Comparison of two security protocols for

preventing packet dropping and message tampering attacks on AODV-based mobile ad Hoc networks. In Globecom

Workshops (GC Wkshps), 2012 IEEE (pp. 1037-1041). IEEE.

[24]. Patel, A., Patel, N. and Patel, R., 2015, April. Defending against wormhole attack in MANET. In Communication Systems

and Network Technologies (CSNT), 2015 Fifth International Conference on (pp. 674-678). IEEE.

[25]. Ghayvat, H., Pandya, S., Shah, S., Mukhopadhyay, S.C., Yap, M.H. and Wandra, K.H., 2016, November. Advanced AODV

approach for efficient detection and mitigation of wormhole attack in MANET. In Sensing Technology (ICST), 2016 10th

International Conference on (pp. 1-6). IEEE.

[26]. Li, Z., Pu, D., Wang, W. and Wyglinski, A. 2011, "Forced collision: Detecting wormhole attacks with physical layer

network coding," in Tsinghua Science and Technology, vol. 16, no. 5, pp. 505-519, Oct. 2011, IEEE.

[27]. Y. Wei and Y. Guan, "Lightweight Location Verification Algorithms for Wireless Sensor Networks," in IEEE Transactions

on Parallel and Distributed Systems, vol. 24, no. 5, pp. 938-950, May 2013.

[28]. Pagnin, E., Hancke, G. and Mitrokotsa, A., 2015. Using distance-bounding protocols to securely verify the proximity of two-

hop neighbours. IEEE Communications Letters, 19(7), pp.1173-1176.

[29]. Teotia, V., Dhurandher, S.K., Woungang, I. and Obaidat, M.S., 2015, June. Wormhole prevention using COTA mechanism

in position based environment over MANETs. In Communications (ICC), 2015 IEEE International Conference on (pp.

7036-7040). IEEE.

[30]. Moskvin, D.A. and Ivanov, D.V., 2015. Methods of protecting self-organizing networks against attacks on traffic routing.

Automatic Control and Computer Sciences, 49(8), pp.745-750.

[31]. Ahsan, M.S., Bhutta, M.N.M. and Maqsood, M., 2017, December. Wormhole attack detection in routing protocol for low

power lossy networks. In Information and Communication Technologies (ICICT), 2017 International Conference on (pp. 58-

67). IEEE.

[32]. Chiu, H.S. and Lui, K.S., 2006, January. DelPHI: wormhole detection mechanism for ad hoc wireless networks. In Wireless

pervasive computing, 2006 1st international symposium on (pp. 6-pp). IEEE.

[33]. Choi, S., Kim, D.Y., Lee, D.H. and Jung, J.I., 2008, June. WAP: Wormhole attack prevention algorithm in mobile ad hoc

networks. In Sensor Networks, Ubiquitous and Trustworthy Computing, 2008. SUTC'08. IEEE International Conference on

(pp. 343-348). IEEE.

[34]. Shin, S. Y. and Halim, E. H., 2012 "Wormhole attacks detection in MANETs using routes redundancy and time-based hop

calculation," 2012 International Conference on ICT Convergence (ICTC), Jeju Island, 2012, pp. 781-786., IEEE.

[35]. Agrawal, N. and Mishra, N., 2014, November. RTT based Wormhole Detection using NS-3. In Computational Intelligence

and Communication Networks (CICN), 2014 International Conference on (pp. 861-866). IEEE.

[36]. Khobragade, S. and Padiya, P., 2016, October. Detection and Prevention of Wormhole Attack Based on Delay Per Hop

Technique for Wireless Mobile Ad-hoc Network. In Signal Processing, Communication, Power and Embedded System

(SCOPES), 2016 International Conference on (pp. 1332-1339). IEEE.

[37]. Bundela, A.S., Sharma, G., Panse, P. and Solanki, S., 2016, March. A secure routing in ad-hoc network. In Colossal Data

Analysis and Networking (CDAN), Symposium on (pp. 1-5). IEEE.

[38]. Verma, R., Sharma, R. and Singh, U., 2017, April. New approach through detection and prevention of wormhole attack in

MANET. In Electronics, Communication and Aerospace Technology (ICECA), 2017 International conference of (Vol. 2,

pp. 526-531). IEEE.




[39]. Ojha, M. and Kushwah, R.S., 2015, October. Improving Quality of Service of trust based system against wormhole attack by

multi-path routing method. In Soft Computing Techniques and Implementations (ICSCTI), 2015 International Conference

on (pp. 33-38). IEEE.

[40]. Dubey, M., Patheja, P.S. and Lokhande, V., 2015, September. Reputation based trust allocation and fault node identification

with data recovery in manet. In Computer, Communication and Control (IC4), 2015 International Conference on (pp. 1-6).

IEEE.

[41]. Parbin, S. and Mahor, L., 2016, July. Analysis and prevention of wormhole attack using trust and reputation management

scheme in MANET. In Applied and Theoretical Computing and Communication Technology (iCATccT), 2016 2nd

International Conference on (pp. 225-228). IEEE.

[42]. Sharma, P.K. and Sharma, V., 2016, April. Survey on security issues in MANET: Wormhole detection and prevention. In

Computing, Communication and Automation (ICCCA), 2016 International Conference on (pp. 637-640). IEEE.

[43]. Agrwal, S.L., Khandelwal, R., Sharma, P. and Gupta, S.K., 2016, October. Analysis of detection algorithm of Sinkhole

attack & QoS on AODV for MANET. In Next Generation Computing Technologies (NGCT), 2016 2nd International


[44]. Kaneria, P. and Rajavat, A. 2016, "Detecting and avoiding of worm hole attack on MANET using trusted AODV routing

algorithm," 2016 Symposium on Colossal Data Analysis and Networking (CDAN), Indore, 2016, pp. 1-5.

[45]. Singh, U., Samvatsar, M., Sharma, A. and Jain, A.K., 2016, March. Detection and avoidance of unified attacks on MANET

using trusted secure AODV routing protocol. In Colossal Data Analysis and Networking (CDAN), Symposium on (pp. 1-6).

IEEE.

[46]. Sharma, S. and Sharma, R. M., 2017 "EPPN: Extended Prime Product Number based wormhole DETECTION scheme for

MANETs," 2017 11th International Conference on Intelligent Systems and Control (ISCO), Coimbatore, 2017, pp. 251-254

[47]. Patidar, K. and Dubey, V., 2014, March. Modification in routing mechanism of AODV for defending blackhole and

wormhole attacks. In IT in Business, Industry and Government (CSIBIG), 2014 Conference on (pp. 1-6). IEEE.

[48]. Rmayti, M., Begriche, Y., Khatoun, R., Khoukhi, L. and Gaiti, D., 2014, November. Denial of service (DoS) attacks

detection in MANETs using Bayesian classifiers. In Communications and Vehicular Technology in the Benelux (SCVT),

2014 IEEE 21st Symposium on (pp. 7-12). IEEE.

[49]. Khan, A., Shrivastava, S. and Richariya, V., 2014, January. Normalized Worm-hole Local Intrusion Detection Algorithm

(NWLIDA). In Computer Communication and Informatics (ICCCI), 2014 International Conference on (pp. 1-6). IEEE.

[50]. Emami, A.B., Samet, S., Azarpira, A. and Farrokhtala, A., 2015, May. SNACK: An efficient intrusion detection system in

Mobile Ad-Hoc Network based on the Selective-Negative Acknowledgement algorithm. In Electrical and Computer

Engineering (CCECE), 2015 IEEE 28th Canadian Conference on (pp. 903-907). IEEE.

[51]. Barani, F. and Gerami, S., 2013, August. ManetSVM: Dynamic anomaly detection using one-class support vector machine

in MANETs. In Information Security and Cryptology (ISCISC), 2013 10th International ISC Conference on (pp. 1-6). IEEE.

[52]. Barani, F., 2014, February. A hybrid approach for dynamic intrusion detection in ad hoc networks using genetic algorithm

and artificial immune system. In Intelligent Systems (ICIS), 2014 Iranian Conference on (pp. 1-6). IEEE.

[53]. Jamali, S. and Fotohi, R., 2017. DAWA: Defending against wormhole attack in MANETs by using fuzzy logic and artificial

immune system. The Journal of Supercomputing, 73(12), pp.5173-5196.

[54]. Shi, Z., Sun, R., Lu, R., Qiao, J., Chen, J. and Shen, X., 2013. A wormhole attack resistant neighbor discovery scheme with

rdma protocol for 60 ghz directional network. IEEE Transactions on Emerging Topics in Computing, 1(2), pp.341-352.

[55]. Sasirekha, D. and Radha, N., 2017, October. Secure and attack aware routing in mobile ad hoc networks against wormhole

and sinkhole attacks. In Communication and Electronics Systems (ICCES), 2017 2nd International Conference on (pp. 505-

510). IEEE.

[56]. Zapata, M.G. and Asokan, N., (2002), September. Securing ad hoc routing protocols. In Proceedings of the 1st ACM

workshop on Wireless security (pp. 1-10). ACM.

[57]. Obaidat, M.S., Woungang, I., Dhurandher, S.K. and Koo, V., 2014. A cryptography‐based protocol against packet dropping

and message tampering attacks on mobile ad hoc networks. Security and Communication Networks, 7(2), pp.376-384.


MITIGATING WORMHOLE ATTACK IN WIRELESS MOBILE …1*Suyash Bhardwaj, 2Dr. Vivek Kumar 1Ph.D. Scholar,...

Documents

Transcript of MITIGATING WORMHOLE ATTACK IN WIRELESS MOBILE …1*Suyash Bhardwaj, 2Dr. Vivek Kumar 1Ph.D. Scholar,...