A detection and prevention system against collaborative attacks in Mobile Ad hoc Networks

Accepted Manuscript A Detection and Prevention System against collaborative attacks in Mobile Ad hoc Networks Farrukh Aslam Khan, Muhammad Imran, Haider Abbas, Muhammad Hanif Durad PII: DOI: Reference:

S0167-739X(16)30240-0 http://dx.doi.org/10.1016/j.future.2016.07.010 FUTURE 3112

To appear in:

Future Generation Computer Systems

Received date: 29 February 2016 Revised date: 20 July 2016 Accepted date: 22 July 2016 Please cite this article as: F.A. Khan, M. Imran, H. Abbas, M.H. Durad, A Detection and Prevention System against collaborative attacks in Mobile Ad hoc Networks, Future Generation Computer Systems (2016), http://dx.doi.org/10.1016/j.future.2016.07.010 This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

A Detection and Prevention System against Collaborative Attacks in Mobile Ad hoc Networks Farrukh Aslam Khan1, Muhammad Imran2,3, Haider Abbas1,4, Muhammad Hanif Durad2 1

2

King Saud University, Riyadh, Saudi Arabia. Department of Computer and Information Sciences, Pakistan Institute of Engineering and Applied Sciences, Nilore, Islamabad, Pakistan. 3 Department of Computer Science, National University of Computer and Emerging Sciences, A.K. Brohi Road, H-11/4, Islamabad, Pakistan. 4 National University of Sciences and Technology, Islamabad, Pakistan Email: {fakhan, hsiddiqui}@ksu.edu.sa

Abstract: Mobile Ad hoc Networks (MANETs) are vulnerable to various kinds of attacks due to their dynamic nature and lack of a central point of control. Collaborative attacks occur when multiple attackers synchronize their actions to disrupt a target network. Wormhole attack is one of the most severe collaborative attacks that can harm the network in several ways. It is very difficult to detect this attack as it is launched by two or more nodes in collaboration. Wormhole attack works in two phases. In the first phase, the malicious nodes try to convince other legitimate nodes to transfer data through them in order to get involved in more routes. In the second phase, the malicious nodes exploit data in a variety of ways. In this paper, we propose a Detection and Prevention System (DPS) to detect and block malicious nodes in MANETs. For this purpose, some special nodes called DPS nodes are deployed in the network, which continuously monitor the behavior of other nodes. When a DPS node finds a node with a suspicious behavior, it declares that suspicious node as a wormhole node by broadcasting a message. All data and control messages are discarded by the network from a node that has been declared as wormhole. NS-2 simulations show that the proposed DPS considerably reduces the number of packets dropped by the malicious nodes with very low false positive rate.


Keywords - Mobile Ad hoc Network (MANET); Wormhole Attack; Statistical Analysis; Malicious Nodes; Detection and Prevention System.

1.

Introduction

With the rapid development of technology, wireless communication networks have appeared in many forms. Mobile Ad hoc Networks (MANETs) have the capabilities of self-configuration and selfmaintenance [1]. In MANETs, each node works as a router and can communicate with other nodes directly or indirectly with the help of its neighbors. MANETs can be deployed in disaster areas to collect critical information, in battlefield to communicate among soldiers, and in hazardous areas in the form of sensor networks. Due to the lack of a central point of control, it is more likely that malicious nodes join the network and launch various types of attacks [2, 3, 4]. An attack can be launched by a single node or multiple nodes in a cooperative manner. The attacker node can be external (node outside the network) or internal (compromised node inside the network). The internal attackers are more dangerous and are



difficult to detect than external attackers. In some attacks, multiple attackers synchronize their actions to disrupt a target network. These types of attacks are called Collaborative Attacks (CA) [5]. Out of many such attacks, wormhole attack is one of the most severe security threats in wireless ad hoc networks [625], and its detection and prevention is a very challenging issue [26, 17]. The wormhole attack is possible even if the attacker has not compromised any hosts and all the communication provides authenticity and confidentiality [6]. It is a serious threat for routing protocols such as Ad hoc On-demand Distance Vector (AODV) [27] and Dynamic Source Routing (DSR) [28] etc. Generally, this attack is launched by two or more malicious nodes having a private channel called tunnel between them. A malicious node at one end of the tunnel captures the control packet and sends it to the other malicious node through the tunnel; the second malicious node rebroadcasts the packet locally. The route through the tunnel is selected based on having better metrics (e.g. less time or less number of hops as compared to the other routes) for communication between the source and the destination. The wormhole attack works in two phases. In the first phase, the wormhole nodes attempt to participate in more routes. In the second phase, these nodes start exploiting the data packets transmitted through them. The working of wormhole attack in the AODV protocol is shown in Figure 1. In the figure, the source node S wants to send data to the destination node D. For this purpose, S will broadcast a Route Request (RREQ) message to find route to the destination D. From node G, the RREQs will move on to two different routes. The first one is through the nodes H, I, J, K and then D. Each node on the route will increase the hop count in the RREQ by one. So, the normal path will be S-G-H-I-J-K-D with the hop count of 5 as shown in Figure 1 (a). On the other side, the RREQ broadcasted by G will be encapsulated by the wormhole node W1. W1 then sends it to W2 in the form of data packet (as both W1 and W2 have already established a virtual tunnel between them), so the hop count will not be increased at nodes X, Y and Z. The node W2 will rebroadcast the RREQ after extracting it from the data packet. This RREQ will reach D through K with a hop count of 4. Since this route has less number of hops, the destination D will update the path by considering it as the shorter path as shown in Figure 1(b). The Route Reply (RREP) message will move towards the source, in the same way as RREQ, without increasing the hop count between W2 and W1. After getting involved in the route, the wormholes can disrupt the network functionality by modifying, dropping, or sending the data to a third party. During the past few years, several authors have proposed solutions to overcome the problem of wormhole attack. Most of the solutions are based on time interval between sending and receiving packets. For example, if the time interval is longer than normal, the packet is dropped. These solutions require a clock and will not work properly when there is more traffic on some links [13, 15, 20, 29] or the nodes have different processing capabilities [13]. Some authors proposed location-based solutions, where a node tries



to detect wormhole nodes by analyzing the location of each node. These solutions require additional hardware such as GPS etc. to determine the location of the node, which makes these solutions more expensive. Some solutions are based on the neighborhood nodes. In these types of solutions, each node makes a list of its neighboring nodes. These lists are then sent to other nodes and compared with their lists to detect wormhole nodes. These solutions reduce the performance of the network when nodes change their positions constantly, e.g. in a mobile network. Some relatively better and recent solutions are the statistical solutions, which try to detect the wormhole attack by analyzing different factors that can be used to detect the wormholes. There is no extra hardware required in such solutions. The only problem with these types of solutions is the extra processing and delay in communication, which can be reduced by selecting proper factors for analysis. After analyzing various types of existing solutions and keeping in mind their advantages and disadvantages, we propose a Detection and Prevention System (DPS) based on statistical analysis that uses fixed nodes (called DPS nodes) for the detection and prevention of wormhole attack without requiring any additional hardware. In the proposed system, DPS nodes calculate the suspicious values of their neighbors with the help of RREQs. When the suspicious value of a node approaches a reasonable number, the DPS node broadcasts a threat or block message with suspicious node’s ID. On receiving a block message, the normal node adds the suspicious node into the block list and rejects all the traffic from it. In order to test the performance of our proposed technique, Network Simulator-2 (NS-2) [30] simulations are performed and the results are compared with another existing technique. The results of our experiments show that the proposed DPS considerably reduces the number of packets dropped by the malicious nodes with a very low false positive rate. The remainder of the paper is organized as follows: In section II, the related work is presented. Section III presents a brief overview of previous techniques against wormhole attack in MANETs. Section IV gives the details of our proposed system, while in section V, the simulation results are discussed. Finally, section VI concludes the paper with possible future directions.
<<

2.

Figure 1

>>

Related Work

Several researchers have proposed different solutions to deal with wormhole attacks. Most of the solutions are time-based, statistical, or neighborhood-based solutions. Here, we briefly discuss the current state-of-the-art and recent solutions for wormhole attack detection in MANETs. Hu et al. [6] introduced the temporal leash approach. Leash is additional information attached with the packet, which contains



information about the time to detect wormhole nodes. Chiu and Lui [15] proposed an AODV based protocol called DelPHI (Delay Per Hop Indication). It works by analyzing the delay between sending and receiving a packet. Jiao et al. [31] proposed a solution in which each node has a subminiature timer that records the difference of time between sent and received packets to find the wormhole nodes. Alam and Chan [13] proposed RTT-TC based on round-trip time and the topological comparisons, which isolates wormholes on the observations that the two fake neighbors have long round-trip time as compared to the average round trip time. Shi et al. [32] also proposed a time-based approach in which after the route discovery process, the source node estimates the hop count on the basis of time. Chaurasia and Singh [23] proposed MAODV (Modified AODV) similar to DelPHI [15]. Wougang et al. [33] proposed a method called TSMI (Timed and Secured Monitoring Implementation) in which routes are blacklisted if packets are tampered or the delivery rate is below a certain value. Azer et al. [34] proposed a decentralized approach in which some parameters are measured, on the basis of which some penalty is added to the paths containing wormhole nodes to avoid the communication through them. Su [14] proposed WARP (Wormhole Avoidance Routing Protocol) that selected single path from multiple paths on the basis of the first hop field. Azer [7] proposed another approach that worked on the principle that the wormhole nodes get involved in routing in repeated ways for different sources and destinations. A similar approach by the same author was presented in [18] with little modification in the cost function. Su and Chiang [35] proposed a solution that worked on the basic principle that a node cannot send a RREP if it has not broadcasted a RREQ for a specific route. Biswas et al. [36] proposed WADP (Wormhole Attack Detection and Prevention) technique by modifying AODV protocol, which detects and verifies the wormhole nodes by the authentication process. Patel et al. [22] proposed a technique based on Hash based Compression Function (HCF) in which hash is calculated and appended with RREQ by the source and intermediate nodes. The destination node verifies the attached hash values. Patidar and Dubey [25] proposed a technique that makes use of variance in routing information between neighbors to detect wormhole attacks. Khalil et al. [11] proposed LiteWorp in which every node in the network maintained the list of its one-hop neighbors and two-hop neighbors to find malicious nodes. A similar solution was presented by Lee et al. [12], which was also based on one-hop and two-hop neighbors. Choi et al. [37] proposed WAP (Wormhole Attack Prevention) in which all nodes were set in the promiscuous mode to record the time duration of RREQ broadcast between the neighboring nodes. Hayajneh et al. [16] proposed DeWorm that worked on the idea to find alternate route to the destination, which did not go through the wormhole. Jain and Jain [17] proposed a mechanism based on the trust model to find malicious nodes. Gupta et al. [38] proposed WHOP in which the source node would send a special packet called the hound packet to the



destination to check the presence of wormhole nodes. Anju and Sminesh [21] proposed a technique in which wormhole nodes were identified through a clustering approach. Eidie et al. [39] proposed WANI (Wormhole Avoidance using Neighbor Information) in which the information of 1-hop and 2-hop neighbors was collected to find suspicious nodes. Singh et al [24] proposed a technique for the DSR protocol to detect misbehaving nodes in the routes and prevent the wormhole attack by selecting alternate routes. There are also some location-based solutions [6, 40, 41], key-based solutions [42-44] and graphbased solutions [19] for detecting wormhole attacks in MANETs. All of the above solutions are implemented by protocol modification, by using special hardware, or by using extra nodes to monitor the network traffic. Each method has its own strengths and weaknesses e.g. the protocol modification may have extra overhead or cause delay in the route discovery process. The use of special hardware can be expensive or resource hungry. The use of extra nodes can increase the deployment cost but does not have the threat of wormhole declaration by a single (normal or malicious) node. From the above discussion, we see that the both the type of solution as well as its implementation play an important role in the effectiveness of the solution. Based on the above observations, we propose a technique based on statistical analysis by using some special nodes, which do not get involved in routing and do not require any additional hardware. The details of the proposed technique are given in the next section.

3.

Proposed Detection and Prevention System (DPS) for Wormhole Attacks

in MANETs Since the wormhole nodes try to attract more traffic towards them, they show some deviation from the normal behavior of the nodes. These nodes behave differently from the normal nodes i.e. they are involved in most of the routes, have longer propagation delay, may have bigger transmission range, and only forward the RREQ to its colluding node. Therefore, the number of RREQs broadcasted by a wormhole node is comparatively less than the RREQs broadcasted by its neighbors. The following reasons support this argument: (i) The wormhole node only forwards the RREQ through a private channel and does not broadcast it. (ii) Each RREQ in the network is only broadcasted by one of the two wormhole nodes, which have established a tunnel. (iii) Encapsulated RREQ causes many normal nodes to rebroadcast the RREQ with less hop count. (iv) Some encapsulated RREQs are lost due to the movement of nodes that form the tunnel. The proposed DPS works on the basic principle that “the wormhole node broadcasts less number of RREQs than the normal nodes”. We make the following two assumptions for our solution:








All the DPS nodes are reachable to one another so that they can communicate without the involvement of normal nodes.




There exists an authentication mechanism in MANETs where a node ID cannot be forged and the Threat or Block message sent by a DPS node cannot be modified or counterfeited.

Our detection and prevention system has the following three different types of nodes that perform different tasks according to their roles: Normal Nodes: These are the common nodes in the network, which send data packets to each other in order to transfer the information. In order to block the malicious nodes, each normal node maintains a Block Table, which lists the malicious nodes announced by the DPS nodes as shown in Figure 2 (a). These nodes simply drop all the packets (RREQs, RREPs, HELLO messages, and data packets) received from the malicious nodes. Figure 2 (a) shows that nodes 51 and 52 are declared malicious by the DPS nodes 63 and 54 respectively. Malicious (Wormhole) Nodes: These nodes capture the RREQ from one part of the network and broadcast it to the other part of the network without increasing the hop count and then send the RREP back to the same path to get involved in more routes. The source node considers that the route through these (malicious) nodes is the shortest path, and thus starts communication through it. DPS Nodes: These are the nodes that try to detect the wormhole nodes and then block them with the help of processes running on them. Each DPS node maintains an Analysis Table as shown in Figure 2(b). The status field in the Analysis Table shows whether the node is currently in the range of the DPS node or not. The nodes that move out of the range of the DPS node (i.e. whose RREQs cannot be detected by the DPS node) are set as inactive. According to Figure 2(b), nodes 43 and 31 are active, whereas the node 41 is inactive. The RREQ count field shows that the neighboring nodes 43, 31 and 41 have broadcasted 6, 6 and 5 RREQs respectively. The Suspicious Value field in the Analysis Table represents the current suspicious value of the respective node as calculated by the DPS node. Wormhole Threat and Wormhole Confirmed fields show that either this or any other DPS node has broadcasted a Threat or Block message against the malicious node. The Threat and Block messages are shown in Figure 2(c) and 2(d) respectively. According to the table, only the node 41 is declared as a wormhole threat, whereas no node is yet announced as a wormhole node.
<<

Figure 2

>>




The number of DPS nodes depends upon two factors: network area and transmission range. To achieve best results, DPS nodes should be deployed in such a way that they cover the whole network area and communicate with one another directly. For example, a network deployed in 1000 x 1000 meters area having 250 meters range of each node can be monitored with 9 DPS nodes. We can estimate the number of DPS nodes by the following simple formula: DPS Nodes = ((X/r)-1) * ((Y/r)-1)

(1)

Here, X and Y are length and width of the network area, respectively, whereas r is the transmission range of a DPS node in which it can send and receive messages to/from other nodes. In DPS, we use the following four system parameters for different purposes whose values are predefined: Max_Req_Count: When the RREQ count of a single node reaches Max_Req_Count, the DPS node initiates the process of calculating suspicious value for each node in its Analysis Table. Min_Req_Count: During the Suspicious Value calculation process, when a DPS node finds a node with status Active and RREQ count less than Min_Req_Count, the Suspicious Value of that node is incremented. This value is set to almost half or less than half of the Max_Req_Count. Min_Threat_Value: When the Suspicious Value of a node becomes equal to Min_Threat_Value, the DPS node issues a threat message to alert the other DPS nodes. This value is set to half of the Max_Threat_Value. Max_Threat_Value: When the Suspicious Value of a node becomes equal to Max_Threat_Value, the DPS node broadcasts a block message to alert the normal nodes and other DPS nodes. The DPS nodes in the system perform the following four tasks:


Route Request (RREQ) Counting




Suspicious Value Calculation




Threat Message Broadcasting




Block Message Broadcasting

3.1 Route Request Counting: Whenever a DPS node receives a RREQ, route request counting starts. As each DPS node keeps record of its neighbors in the Analysis Table, whenever it receives a RREQ from a node, it first checks whether the



node that is broadcastting the RRE EQ is already included in its Analysis Table. If it is not found in i the Analysis Table T then a new entry iss created in which w the stattus is set to active, a RREQ Q count is sett to 1, Suspiciouus Value is sett to 0, and Wormhole W Threeat and Worm mhole Confirm med fields aree set to No. On O the other hannd, if the bro oadcasting noode is alreaddy present in the Analysiss Table, thenn it will checck its Wormholee Confirmed value if it is Yes. It meanns that the DP PS node had already declaared that nodee as a wormholee node so therre was no neeed for furtherr processing. If I the Wormhhole Confirmeed field is Noo, then it checks the t Status fielld of the nodee and changess it to active if i it is inactivee. Then it incrrements the RREQ R count by one. If the new n value is less than thee Max_Req_C Count, then thhe process will w terminate here. v is equal to the Max_R Req_Count, then t the suspiicious value calculation c prrocess However,, if the new value starts. Alggorithm 1 sho ows the compllete flow of RREQ R countinng process.

3.2 Susppicious Valu ue Calculatiion The Suspiicious Value calculation c prrocess checkss all nodes in the Analysis Table whosee status is actiive. If there is a node that has h RREQ count c value less l than Minn_Req_Countt, then its Suuspicious Vallue is incrementted by one. If the new Suuspicious Valuue is equal too the Min_Thhreat_Value and a the Worm mhole Threat fieeld is No, theen the DPS node n will brooadcast a thrreat message,, which incluudes the ID of o the maliciouss node and itss own as shoown in Figuree 2(a). After sending the Threat T messaage, the Worm mhole Threat fieeld of the maalicious node is set to Yess. Then the process p of Suuspicious Valuue calculationn will continue for f other nod des in the Anaalysis Table. If the new Suuspicious Vallue of a nodee becomes equual to Max_Threeat_Value an nd its Wormhoole Confirmeed field is Noo, then the DP PS node will broadcast a Block 



message, which contains the ID of the malicious node and its own as shown in Figure 2(b). After sending the Block message, the Wormhole Confirmed field is set to Yes. To reduce the false positive rate, if there is a node that has Suspicious Value more than zero but shows normal behavior i.e. the RREQ forwards are more than the Min_Req_Count, then its Suspicious Value is decremented by one. This condition reduces the chances of legitimate nodes being declared as wormhole nodes due to isolation from the network. At the end of the Suspicious Value calculation process, the status of all the nodes in the table are set to inactive and the RREQ Count is set to zero. Algorithm 2 shows the complete flow of the Suspicious Value calculation process.


3.3 Threat Message Broadcasting When the Suspicious Value of a node reaches Min_Threat_Value, the DPS node broadcasts a Threat message if not done before. When a normal node receives the Threat message, it simply ignores it. On the other hand, when a DPS node receives a Threat message, it searches the malicious node ID (contained in the Threat message) in its Analysis Table. If the ID is not found, then it creates a new entry for it and sets the Suspicious Value equal to Min_Threat_Value and the Wormhole Threat is set to Yes. Then it rebroadcasts the Threat message. If the malicious node ID is already present in the Analysis Table, then its Wormhole Threat field is checked. If the Wormhole Threat field is Yes, it means that the DPS node has already broadcasted the Threat message for that malicious node, and so the process terminates. If the Wormhole Threat field is No, then the Suspicious Value of the malicious node is set to Min_Threat_Value



and the Wormhole Threat field is set to Yes, and then this Threat message is rebroadcasted. Algorithm 3 shows the complete process of the Threat message at the DPS nodes. The purpose of the Threat message is to inform the other DPS nodes in the network about the possible threat of the wormhole attack. So, if the wormhole node moves to another region, the DPS nodes in that region will already have the Suspicious Value information (calculated in the previous region). Therefore, it will start calculating the Suspicious Value from that point (i.e. from the Min_Threat_Value). The DPS node’s ID is included in the Threat message for authentication purposes.

3.4 Block Message Broadcasting When the Suspicious Value of a node reaches Max_Threat_Value, the DPS node broadcasts a Block message if not done before. When a normal node receives a Block message from a DPS node, it adds the malicious node ID with the announcer DPS node ID in its Block Table if not added before. On the other hand, when a DPS node receives a Block message, it searches the malicious node ID (contained in the Block message) in its Analysis Table. If the ID is not found then it creates a new entry for it and sets the Suspicious Value equal to Max_Threat_Value, and Wormhole Threat and Wormhole Confirmed fields both are set to Yes. Then it rebroadcasts the Block message. If the malicious node ID is already present in the Analysis Table, then its Wormhole Confirmed field is checked. If it is Yes, then it means that the DPS node has already broadcasted the Block message for that malicious node; hence the process terminates. If the Wormhole Confirmed field is No, then the Suspicious Value of the malicious node is set to Max_Threat_Value, Wormhole Threat and Wormhole Confirmed fields are set to Yes, and then this Block message is rebroadcasted. Algorithms 4 and 5 show the complete process of Block message at the DPS and normal nodes, respectively. The purpose of the Block message is to inform the normal and DPS nodes in the network about the wormhole attack and to spread the message throughout the network with the help 



of DPS nodes, as the normal nodes cannot rebroadcast the Block message. The DPS node’s ID is included in the Threat message for authentication purposes.

A flowchart of the proposed DPS is shown in Figure 3.
<<

4.

Figure 3

>>

Experimentation and Analysis

In this paper, all the experiments are performed in NS-2 (Network Simulator 2) version 2.34, to evaluate the performance of the proposed DPS for wormhole attack in MANETs. All the experiments are performed with parameter values shown in Tables 1 and 2.






4.1.

Performance of DPS

To measure the performance of the proposed DPS, experiments are performed with 50 normal and 18 DPS nodes at fixed locations (shown encircled in Figure 4) using AODV Protocol. The wormhole attack is implemented using virtual tunnel (shown by a solid line in the figure) between the two malicious nodes in which a malicious node encapsulates the RREQ and sends it to the other malicious node in the form of data packet, which extracts the RREQ from the data packet and rebroadcasts it. This RREQ has less hop counts as compared to the others, so the other nodes update their routes and broadcast it. In this way, the wormhole nodes get involved in more routes and start dropping the data packets that they receive. Table 1: Simulation Parameters

Parameter

Value

Simulation Ares

1000 x 1750

Protocol

AODV Protocol

Normal Nodes

50 (randomly deployed mobile nodes)

Wormhole Nodes

0, 2, 4, 8 (fixed /mobile)

Simulation Time

500 (seconds)

Transmission Range

250 (meters)

Mobility

0-20 m/sec (random movement)

Max Connections

20 Pairs (40 nodes)

Traffic Type

UDP – CBR (constant bit rate)

Packet Size

512 bytes

Maximum Speed

20 meters/second

Pause Time

0, 5, 10, 15 and 20 seconds


Table 2: DPS Parameters

Parameter

Value

DPS Nodes

18 (fixed)

Max_Req_Count

7

Min_Req_Count

3

Min_Threat_Value

5

Max_Threat_Value

10




There are two major use case scenarios for wormholes; one for fixed wormhole nodes and the other for mobile wormhole nodes. To detect a malicious node with fixed position is a relatively easy task because the monitoring node will continue to observe its behavior until it is declared as malicious. We are dealing with MANETs in which all nodes (including malicious nodes) are free to move from one place to another. So, when a malicious node moves away from one monitoring node and enters the region of another monitoring node, the previous statistics of that malicious node maintained by the first monitoring node become useless. To overcome this situation, in our proposed system, the DPS nodes share the information about the malicious nodes with each other in the form of Threat Message. In our experiments, each major



use case scenario has four cases; Case-0, Case-1, Case-2 and Case-3 having 0, 2, 4 and 8 wormhole nodes respectively, as shown in Figure 4(a-d). Each case is tested against different pause time values (0, 5, 10, 15 and 20). For each pause time, simulations have been executed multiple times and their average is used for further calculations. In each simulation, the numbers of packets sent, received, and dropped are recorded. In addition to that, the time of detection, false positive, true positive, and number of wormhole nodes are also recorded. In mobile scenarios, after 50 seconds, the wormhole nodes start moving towards new locations. In Figure 4, the solid rectangle represents the current location of the wormhole node, while the dotted rectangle represents the new location after moving.
<<

Figure 4

>>

Figure 5(a-d) shows the results of packet drop rate of AODV with and without DPS for 0, 2, 4 and 8 wormhole nodes, respectively. In Figure 5(a), the average packet drop rate for AODV with and without DPS is 11.96% and 11.64% respectively. So the packet drop rate with DPS is about 2.72% more as compared to the packet drop rate without DPS when there is no wormhole node present. Figure 5(b) shows the difference in packet drop rates between fixed and mobile wormhole nodes with and without DPS for 2 wormhole nodes. The average packet drop rate for fixed and mobile wormhole nodes without using DPS is 27.34% and 27.10% respectively. After using the DPS nodes, the average packet drop rate falls to 12.47% and 12.59% for fixed and mobile wormholes respectively. So there is 54.38% and 53.54% decrease in packet drop rate after using DPS for fixed and mobile wormhole nodes respectively. Figure 5(c) shows the difference in packet drop rates between fixed and mobile wormhole nodes with and without DPS for 4 wormhole nodes. The average packet drop rate for fixed and mobile wormhole nodes without using DPS is 36.14% and 35.83% respectively. After using DPS nodes, the average packet drop rate falls to 13.84% and 13.91% for fixed and mobile wormholes respectively. Hence, there is 61.70% and 61.17% decrease in packet drop rate after using DPS nodes for fixed and mobile wormhole nodes respectively.

<<

Figure 5

>>

Figure 5(d) shows the difference in packet drop rates between fixed and mobile wormhole nodes with and without DPS for 8 wormhole nodes. The average packet drop rate for fixed and mobile wormhole nodes without using DPS is 40.72% and 41.46% respectively. After using DPS, the average packet drop rate falls to 13.55% and 13.45 for fixed and mobile wormholes, respectively. Hence, there is 66.72% and 67.55% decrease in the packet drop rate after using the DPS for fixed and mobile wormhole nodes respectively. From Figure 5, we can see that the packet drop rate is significantly reduced when we use the



proposed DPS (Detection and Prevention System). From Figure 5(b-d), it is notable that at some pause times, the packet drop rate for mobile wormhole nodes is less as compared to the fixed wormhole nodes. This is because when the wormhole node is moving, there are more chances for wormholes to attract traffic towards them from other links, which they cannot get when they are fixed. But on the other hand, the link between mobile wormhole nodes is broken very often, so they get fewer packets from a connection as compared to fixed wormhole nodes.

4.2.

Comparison of DPS with Su-Chiang IDS

We compare our proposed DPS with another well-known Intrusion Detection System (IDS) proposed by Su and Chiang [24] for the detection of wormhole attacks. The similarity of this technique (Su-Chiang IDS) with our technique is that it also uses external nodes for wormhole detection. We implemented this technique and performed the experiments for each scenario as shown in Figure 4. We measure the performance of both the techniques for packet drop rate, detection time, and false positive rate. The details of each performance measure are given below. Packet Drop Rate: Figure 6 (a-d) shows the results of packet drop rate of AODV with DPS and AODV with Su-Chiang IDS for 0, 2, 4 and 8 wormhole nodes respectively. In Figure 6 (a), the average packet drop rate with DPS and Su-Chiang IDS is 11.96% and 13.32% respectively. So, the packet drop rate with DPS is about 10.21% less as compared to the packet drop rate with Su-Chiang IDS when there is no wormhole node present. Figure 6(b) shows the difference in packet drop rates between fixed and mobile wormhole nodes with DPS and Su-Chiang IDS for 2 wormhole nodes. The average packet drop rate for fixed and mobile wormhole nodes with Su-Chiang IDS is 17.64% and 19.27% respectively. While using the DPS, the average packet drop rate falls to 12.47% and 12.59% for fixed and mobile wormholes respectively. So there is 29.30% and 34.66% reduction in the packet drop rate by using DPS for fixed and mobile wormhole nodes, respectively. Figure 6(c) shows the difference in packet drop rates between fixed and mobile wormhole nodes with Su-Chiang IDS and with DPS for 4 wormhole nodes. The average packet drop rate for fixed and mobile wormhole nodes with Su-Chiang IDS is 22.64% and 22.66% respectively. While using the DPS, the average packet drop rate falls to 13.84% and 13.91% for fixed and mobile wormholes respectively. So there is 38.86% and 38.61% reduction in packet drop rate with DPS for fixed and mobile wormhole nodes, respectively. Figure 6(d) shows the difference in packet drop rates between fixed and mobile wormhole nodes with Su-Chiang IDS and with DPS for 8 wormhole nodes. The average packet drop rate for fixed and mobile wormhole nodes with Su-Chiang IDS is 25.87% and 28.39% respectively. While using the DPS, the average packet drop rate falls to 13.55% and 13.45% for fixed and





mobile wormholes respectively. So there is 47.62% and 52.62% reduction in packet drop rate with DPS for fixed and mobile wormhole nodes, respectively. <<

Figure 6

>>

False Positive Rate: Figure 7(a) shows the difference in false positive rates between fixed and mobile wormhole nodes with DPS and Su-Chiang IDS for 2 wormhole nodes. The average false positive rate for fixed and mobile wormhole nodes with Su-Chiang IDS is 6.39% and 5.45% respectively. While using the DPS, the average false positive rate falls to 0.13% and 0.40% for fixed and mobile wormholes, respectively. So, there is 97.96% and 92.66% reduction in the false positive rate by using the DPS for fixed and mobile wormhole nodes, respectively. Figure 7(b) shows the difference in false positive rates between fixed and mobile wormhole nodes with Su-Chiang IDS and with DPS for 4 wormhole nodes. The average false positive rate for fixed and mobile wormhole nodes with Su-Chiang IDS is 7.72% and 7.32% respectively. While using the DPS, the average false positive rate falls to 0.52% and 0.13% for fixed and mobile wormholes respectively. So, there is 93.14% and 98.22% reduction in the false positive rate with DPS for fixed and mobile wormhole nodes, respectively. Figure 7(c) shows the difference in false positive rates between fixed and mobile wormhole nodes with Su-Chiang IDS and with DPS for 8 wormhole nodes. The average false positive rate for fixed and mobile wormhole nodes with Su-Chiang IDS is 9.59% and 12.26% respectively. While using the DPS, the average false positive rate falls to 0.39% and 0.13% for fixed and mobile wormholes, respectively. So, there is 95.82% and 98.93% reduction in the false positive rate with DPS for fixed and mobile wormhole nodes, respectively.

Wormhole Detection Time: Figure 8(a) shows the difference in wormhole detection time between fixed and mobile wormhole nodes with DPS and Su-Chiang IDS for 2 wormhole nodes. The average detection time for fixed and mobile wormhole nodes with Su-Chiang IDS is 198 and 250 seconds, respectively. While using the DPS, the average detection time falls to 122 and 124 seconds for fixed and mobile wormholes, respectively. So, there is 38.38% and 50.40% reduction in detection time by using the DPS for fixed and mobile wormhole nodes, respectively. Figure 8(b) shows the difference in wormhole detection time between fixed and mobile wormhole nodes with Su-Chiang IDS and with DPS for 4 wormhole nodes. The average detection time for fixed and mobile wormhole nodes with Su-Chiang IDS is 259 and 283 seconds, respectively. While using the DPS, the average detection time falls to 133 and 143 seconds for fixed and mobile wormholes, respectively. Thus, there is 48.64% and 49.46% reduction in detection time with DPS for fixed and mobile wormhole nodes, respectively. Figure 8(c) shows the difference in wormhole detection time between fixed and mobile wormhole nodes with Su-Chiang IDS and with DPS for 8 wormhole



nodes. The average detection time for fixed and mobile wormhole nodes with Su-Chiang IDS is 302 and 357 seconds, respectively. While using the DPS the average detection time falls to 152 and 173 seconds for fixed and mobile wormholes, respectively. Hence, there is 49.66% and 51.54% reduction in detection time with DPS for fixed and mobile wormhole nodes, respectively. <<

Figure 7

<<

Figure 8

>> >>

Table 3: Comparison of DPS and other existing solutions

Solution

Based On

Basic Protocol

Temporal Leashes (2006) [6]

Time

Tesla

Special Hardware

Affected by Congestion

Yes

Yes

Delay in Route Discovery Process

Handles Mobility

Blocks Wormhole Nodes

No

Yes

Yes

Geographical Leashes (2006) [6]

Location

Tesla

Yes

No

No

Yes

Yes

Azer (2011) [7]

Statistics

AODV

No

Yes

Yes

No

No

LiteWorp (2005) [11]

Neighbors

DSR

No

No

Yes

No

Yes

Jiao et al. (2010) [31]

Time

AODV

No

Yes

No

No

No

Azer et al. (2010) [34]

Statistics

AODV

Yes

Yes

Yes

No

Yes

Lee et al. (2008) [12]

Neighbors

None

No

No

No

Yes

Yes

Sharma et al. (2011) [42]

Signature

DSR

No

No

Yes

Yes

Yes

WHOP (2011) [38]

Neighbors

AODV

No

No

Yes

Yes

Yes

RTT-TC (2010) [13]

Time

AODV

No

Yes

No

Yes

Yes

WARP (2010) [14]

Statistics

AODV

No

Yes

No

Yes

No

Directional Antennas (2004) [40]

Location

None

Yes

No

No

No

Yes

DelPHI (2006) [15]

Time

AODV

No

Yes

Yes

No

No

WAP (2008) [37]

Neighbors

DSR

No

No

No

Yes

Yes

Shi et al. (2011) [32]

Time

AODV

No

Yes

Yes

No

Yes

Su and Chiang (2010) [35]

Statistics

AODV

No

No

No

Yes

Yes

WODEM (2007) [41]

Location

AODV

Yes

No

No

Yes

No

DeWorm (2009) [16]

Neighbors

DSR

No

No

Yes

No

No

Jain et al. (2010) [17]

Neighbors

DSR

No

No

No

Yes

No

Anju and Sminesh (2014) [21]

Neighbors

AODV

No

Yes

Yes

Yes

Yes

WADP (2014) [36]

Statistics

AODV

No

No

Yes

No

No

Patel et al. (2015) [22]

Statistics

AODV

No

No

Yes

No

No

WANI (2015) [39]

Neighbors

AODV

No

No

Yes

Yes

Yes

MAODV (2013) [23]

Time

AODV

No

Yes

Yes

No

No

Singh et al. (2013) [24]

Neighbors

DSR

No

No

Yes

No

No

Patidar and Dubey (2014) [25]

Statistics

AODV

No

No

Yes

No

No

TSMI (2013) [33]

Time

AODV

No

Yes

Yes

No

No

Proposed DPS


Statistics

AODV

No

No

No

Yes

Yes




Table 3 shows the comparison of the proposed DPS with other existing solutions presented by different researchers on the basis of the following parameters: Special hardware requirement: Is there any special hardware like GPS or tightly synchronized clock required or not? Congestion: Does the congestion on some links affect the results or not (i.e. increase in delay per hop due to congestion will result in declaring the legitimate node as wormhole)? Delay in route discovery process: Are there any additional calculations or messages (acknowledgements or verifications etc.) involved, causing delay in actual data transfer? Handles mobility: Is the proposed solution able to handle the mobile wormhole nodes or not (e.g. when a wormhole node moves from one location to the other, the system remembers its previous record or does all the calculations again)? Blocks wormhole node: Is the proposed system able to block the wormhole node within the whole network, once detected? The generic comparison of DPS with other techniques on the basis of the above-mentioned benchmarks shows that our proposed system performs better than the other techniques as it does not require any special hardware and is not affected by the congestion in the network. Also, it does not add any additional delay in the routing process and is able to detect fixed and mobile wormhole nodes, and has the ability to block malicious nodes so that they do not further harm the network. In addition, the proposed DPS does not involve any extra computations and has very low false positive rate.


5.

Conclusion

A detection and prevention system (DPS) against wormhole attacks in Mobile Ad hoc Networks (MANETs) is presented in this paper. Wormhole attack is a collaborative attack in which two or more nodes collude to disrupt the normal flow of packets in a network. The proposed DPS works on the principle that the wormhole nodes broadcast less number of route requests (RREQs) as compared to their neighboring nodes. In the proposed system, some additional nodes (DPS nodes) that do not involve in the normal routing process are deployed at fixed locations to analyze the route requests broadcasted by their neighboring nodes. If a node broadcasts less number of RREQs as compared to the other neighbors, its Suspicious Value is incremented by one. When the Suspicious Value of a node reaches a predefined threshold, it is declared as a wormhole node. After the declaration of the wormhole node, all the nodes in the network add it into their Block tables and ignore all the traffic coming from these nodes. The proposed DPS has a very high detection rate and also has the ability to detect mobile wormhole nodes. The proposed DPS provides the following benefits: i) the normal nodes are not affected i.e. there is no extra processing required for the detection of malicious nodes and no extra delay is added. ii) The threat that a



compromised node spreads false information of declaring a normal node as wormhole is minimized. iii) The DPS nodes do not take part in normal data transfer so their batteries live for longer durations. The simulations results show that the proposed DPS increases the throughput of a network by reducing the packet drop rate with very low false positive rate. In the future, we would like to modify the proposed DPS so that it can also be used to detect and prevent other similar attacks. The number of DPS nodes can also be minimized to reduce the overall network cost. This can be achieved by deploying the DPS nodes in an optimal way without compromising their effectiveness. We also plan to model our system mathematically, which would help us in setting different values to certain variables on the basis of number of nodes and number of connections among them.

Acknowledgement The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its funding of this research through the Research Group Project no. RGP-214.

References [1] M. Nekovee, R. S. Saksena. Simulations of large-scale WiFi-based wireless networks: Interdisciplinary challenges and applications, Future Generation Computer Systems, Vol. 26, Issue 3, March 2010, pp. 514–520. [2] M. Imran, F. A. Khan, H. Abbas, M. Iftikhar, Detection and Prevention of Black Hole Attacks in Mobile Ad hoc Networks, in: Proceedings of Security in Ad Hoc Networks (SecAN) Workshop, 13th International Conference on Ad-Hoc and Wireless Networks (Ad Hoc Now 2014), Benidorm, Spain, June 22-27, 2014. [3] Hamed Janzadeh, Kaveh Fayazbakhsh, Mehdi Dehghan, Mehran S. Fallah, A secure credit-based cooperation stimulating mechanism for MANETs using hash chains, Future Generation Computer Systems, Volume 25, Issue 8, September 2009, Pages 926-934. [4] H. Ehsan, F. A. Khan, Malicious AODV: Implementation and Analysis of Routing Attacks in MANETs", in: Proceedings of 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), June 25-27, 2012, Liverpool, UK, Pages 1181-1187. [5] Jian-Ming Chang, Po-Chun Tsou, Isaac Woungang, Han-Chieh Chao, Chin-Feng Lai, Defending Against Collaborative Attacks by Malicious Nodes in MANETs: A Cooperative Bait Detection Approach, IEEE Systems Journal, Vol. 9, Issue 1, March 2015 [6] Yih-Chun Hu, Adrian Perrig, and David B. Johnson, Wormhole attacks in wireless networks, IEEE Journal on Selected Areas in Communications 24 (2), March 2006, pp. 370-380. [7] M. A. Azer, Wormhole attacks mitigation in ad hoc networks, in: Proceedings of 6th International Conference on Availability, Reliability and Security (ARES), 22-26 Aug. 2011, pp. 561-568. 


[8] Mohit Jain and Himanshu Kandwal, A survey on complex wormhole attack in wireless ad hoc networks, in: Proceedings of 2009 International Conference on Advances in Computing, Control, and Telecommunication Technologies (Washington, DC, USA), ACT '09, 2009, pp. 555-558. [9] Khin Sandar Win, Analysis of detecting wormhole attack in wireless networks, International Journal of Electrical, Computer, Energetic, Electronic and Communication Engineering Vol:2, No:12, 2008, pp. 422-429. [10] Marianne Azer, Sherif El-Kassas, and Magdy S. El-Soudani, A full image of the wormhole attackstowards introducing complex wormhole attacks in wireless ad hoc networks, International Journal of Computer Science and Information Security, Vol. 1, No. 1, May 2009, pp. 41-52. [11] I. Khalil, S. Bagchi, and N.B. Shro, LITEWORP: a lightweight countermeasure for the wormhole attack in multihop wireless networks, in: Proceedings of 2005 International Conference on Dependable Systems and Networks (DSN'05), 28 June-1 July 2005, pp. 612-621. [12] Gunhee Lee, Jungtaek Seo, Dong-kyoo Kim, An approach to mitigate wormhole attack in wireless ad hoc networks, in: Proceedings of International Conference on Information Security and Assurance, 2008. (ISA 2008), pp. 220-225. [13] M.R. Alam and K.S. Chan, RTT-TC: A topological comparison based method to detect wormhole attacks in MANET, in: Proceedings of 12th IEEE International Conference on Communication Technology (ICCT), Nanjing, China, 2010, pp. 991-994. [14] Ming-Yang Su, Warp: A wormhole-avoidance routing protocol by anomaly detection in mobile ad hoc networks, Computers & Security, 29 (2), March 2010, pp. 208-224. [15] Hon Sun Chiu and King-Shan Lui, Delphi: wormhole detection mechanism for ad hoc wireless networks, in: Proceedings of 1st International Symposium on Wireless Pervasive Computing, 16-18 Jan. 2006. [16] T. Hayajneh, P. Krishnamurthy, and D. Tipper, DeWorm: A simple protocol to detect wormhole attacks in wireless ad hoc networks, in: Proceedings of Third International Conference on Network and System Security, 2009. (NSS '09), Gold Coast, QLD, Australia, 19-21 Oct. 2009, pp. 73-80. [17] Shalini Jain and Satbir Jain, Detection and prevention of wormhole attack in mobile ad hoc networks, International Journal of Computer Theory and Engineering Vol. 2, no. 1, 2010, pp. 78-86. [18] M. A. Azer, S.M. El-Kassas, and M. S. El-Soudani, Immuning routing protocols from the wormhole attack in wireless ad hoc networks, in: Proceedings of Fourth International Conference on Systems and Networks Communications, 2009. ICSNC '09, 2009, pp. 30-36. [19] Dezun Dong, Zhenjiang Li, Yunhao Liu, Mo Li, and Xiangke Liao, Topological detection on wormholes in wireless ad hoc and sensor networks, IEEE/ACM Transactions on Networking, 19 (2011), no. 6, 1787-1796.





[20] Muhammad Imran, Farrukh Aslam Khan, Tauseef Jamal, Muhammad Hanif Durad, Analysis of Detection Features for Wormhole Attacks in MANETs, International Workshop on Cyber Security and Digital Investigation (CSDI 2015), August 17-20, 2015, Belfort, France. Procedia Computer Science (Elsevier), Volume 56, 2015, Pages 384-390. [21] J. Anju, and C. N. Sminesh. An Improved Clustering-Based Approach for Wormhole Attack Detection in MANET, in: Proceedings of 3rd IEEE International Conference on Eco-friendly Computing and Communication Systems (ICECCS), 2014. [22] Anal Patel, Nimisha Patel, and Rajan Patel. Defending against Wormhole Attack in MANET, in: Proceedings of Fifth International Conference on Communication Systems and Network Technologies (CSNT 2015), IEEE, 2015. [23] Umesh Kumar Chaurasia, and Varsha Singh. MAODV: Modified wormhole detection AODV protocol, in: Proceedings of Sixth International Conference on Contemporary Computing (IC3), 2013 IEEE, 2013. [24] Yudhvir Singh, Avni Khatkar, Prabha Rani, Deepika, Dheer Dhwaj Barak, Wormhole Attack Avoidance Technique in Mobile Ad hoc Networks, in: Proceedings of Third International Conference on Advanced Computing and Communication Technologies (ACCT 2013), IEEE, 2013. [25] Kriti Patidar, Vandana Dubey, Modification in routing mechanism of AODV for defending blackhole and wormhole attacks, in: Proceedings of 2014 Conference on IT in Business, Industry and Government (CSIBIG), Indore, India, 8-9 March 2014, IEEE, 2014. [26] William R. Claycomb and Dongwan Shin, A novel node level security policy framework for wireless sensor networks, Journal of Network and Computer Applications, Volume 34, Issue 1, January 2011, Pages 418–428. [27] C.E. Perkins and E.M. Royer, Ad-hoc on-demand distance vector routing, in: Proceedings of second IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), 1999, pp. 90-100. [28] David B. Johnson, David A. Maltz, and Josh Broch, DSR: the dynamic source routing protocol for multihop wireless ad hoc networks, in: Ad Hoc Networking, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2001, pp. 139-172. [29] Reshmi Maulik and Nabendu Chaki, A study on wormhole attacks in MANET, International Journal of Computer Information Systems and Industrial Management Applications 3 (2011), 271-279. [30] “The Network Simulator - NS-2” At: http://www.isi.edu/nsnam/ns/ (last accessed on: 22 May 2016) [31] Wen-Cheng Jiao, Jing Peng, and Jian-Ling Zheng, Research and improvement of AODV protocol in ad hoc network, in: Proceedings of 6th International Conference on Wireless Communications Networking and Mobile Computing (WiCOM 2010), 2010, pp. 1-3. [32] Fei Shi, Dongxu Jin, Weijie Liu, and JooSeok Song, Time-based detection and location of wormhole attacks in wireless ad hoc networks, in: Proceedings of 10th International Conference on Trust, 



Security and Privacy in Computing and Communications (TrustCom 2011), IEEE, 2011, pp. 17211726. [33] Isaac Woungang, Mohammad S. Obaidat, Sanjay Kumar Dhurandher, Issa Traore, A timed and secured monitoring implementation against wormhole attacks in AODV-based Mobile Ad Hoc Networks, in: Proceedings of International Conference on Computer, Information and Telecommunication Systems (CITS), IEEE, 2013. [34] M. A. Azer, S. M. El-Kassas, and M.S. El-Soudani, An innovative approach for the wormhole attack detection and prevention in wireless ad hoc networks, in: Proceedings of International Conference on Networking, Sensing and Control (ICNSC 2010), 2010, pp. 366-371. [35] Ming-Yang Su and Kun-Lin Chiang, Prevention of wormhole attacks in mobile ad hoc networks by intrusion detection nodes, in: Proceedings of the 5th international conference on wireless algorithms, systems, and applications (WASA'10), 2010, pp. 253-260. [36] Biswas, Juhi, Ajay Gupta, and Dayashankar Singh, WADP: A wormhole attack detection and prevention technique in MANET using modified AODV routing protocol, in: Proceedings of 9th International Conference on Industrial and Information Systems (ICIIS 2014), IEEE, 2014. [37] Sun Choi, Doo-Young Kim, Do hyeon Lee, and Jae il Jung, WAP: Wormhole attack prevention algorithm in mobile ad hoc networks, in: Proceedings of IEEE International Conference on Sensor Networks, Ubiquitous and Trustworthy Computing, (SUTC '08), 2008, pp. 343-348. [38] S. Gupta, S. Kar, and S. Dharmaraja, WHOP: Wormhole attack detection protocol using hound packet, in: Proceedings of 2011 International Conference on Innovations in Information Technology (IIT 2011), pp. 226-231. [39] Eidie, Sepide, Behzad Akbari, and Pedram Poshtiban. "WANI: Wormhole avoidance using neighbor information, in: Proceedings of 7th Conference on Information and Knowledge Technology (IKT 2015), IEEE, 2015. [40] Lingxuan Hu and David Evans, Using directional antennas to prevent wormhole attacks, in: Proceedings of 11th Annual Network and Distributed System Security Symposium, 2004. [41] Ji-Hoon Yun, Il-Hwan Kim, Jae-Han Lim, and Seung-Woo Seo, WODEM: wormhole attack defense mechanism in wireless sensor networks, in: Proceedings of the 1st international conference on ubiquitous convergence technology (ICUCT'06), 2007, pp. 200-209. [42] Pallavi Sharma and Aditya Trivedi, Prevention of wormhole attack in ad-hoc network, in: Proceedings of International Conference on Electronics, Information and Communication Engineering (ICEICE), 13-17, December 2011, IJCA, no. 5, 13-17. [43] Liao, Lijun, and Mark Manulis. Tree-based group key agreement framework for mobile ad-hoc networks. Future Generation Computer Systems, Volume 23, Issue 6, July 2007, Pages 787–803





[44] Chafika Benzaid, Karim Lounis, Ameer Al-Nemrat, Nadjib Badache, Mamoun Alazab, Fast authentication in wireless sensor networks, Future Generation Computer Systems, Volume 55, February 2016, Pages 362–375

Captions: Figure 1: Working of Wormhole Attack (a) Normal Path (b) Updated Path Figure 2: DPS tables and messages (a) Block Table (b) Analysis Table (c) Threat Message (d) Block Message Figure 3: Flowchart of the proposed DPS Figure 4: Wormhole Scenarios (a) No Wormhole Node (b) 2 Wormhole Nodes (c) 4 Wormhole Nodes (d) 8 Wormhole Nodes Figure 5: Packet Drop Rate for different scenarios Figure 6: Comparison of packet drop rate between DPS and Su-Chiang IDS Figure 7: Comparison of false positive rate between DPS and Su-Chiang IDS Figure 8: Comparison of detection time between DPS and Su-Chiang IDS






Figure Click here to download high resolution image

Figure Click here to download high resolution image

Figure Click here to download high resolution image

Figure Click here to download high resolution image

Figure Click here to download high resolution image

Figure Click here to download high resolution image

Figure Click here to download high resolution image

Figure Click here to download high resolution image

*Biographies (Text)

Biographies F ar rukh Aslam K han Farrukh Aslam Khan is an Associate Professor at the Center of Excellence in Information Assurance (CoEIA), King Saud University, Riyadh, Saudi Arabia. He did his MS in Computer System Engineering from GIK Institute of Engineering Sciences and Technology, Pakistan, and Ph.D. in Computer Engineering from Jeju National University, South Korea, in 2003 and 2007 respectively. He has over 60 publications in refereed international journals and conferences. His research interests include computer networks and security, E-health, routing, and performance evaluation of wireless ad hoc and sensor networks. He is the founding director of Wireless Networking and Security (WiNGS) research group at National University of Computer and Emerging Sciences (NUCES), Islamabad, Pakistan. He has successfully supervised two PhD students and sixteen MS theses students at NUCES. He has served as Guest Editor and reviewer of several reputed international journals. He has also served as TPC member of various international conferences and workshops.

M uhammad Imran Muhammad Imran completed his MS in Computer Science from National University of Computer and Emerging Sciences, Islamabad, Pakistan. He is currently a PhD student at Pakistan Institute of Engineering and Applied Sciences (PIEAS), Islamabad, Pakistan. His research interests include Network Security, Software-Defined Networking, and performance evaluation of Wireless Ad hoc and Sensor Networks.

H aider A bbas Haider Abbas is presently working as a Research Scientist at Centre of Excellence in Information Assurance, King Saud University, Saudi Arabia. He is also associated with National University of Sciences & Technology (NUST), Pakistan as an Assistant Professor and Security Masons, Sweden as Chief Executive Officer (CEO). He received his MS in Engineering and Management of Information Systems (2006) and PhD in Information Security (2010) from KTH- Royal Institute of Technology, Sweden. Dr. Abbas has received several research grants for ICT related projects from various research funding authorities and working on scientific projects in US, EU, KSA and Pakistan. His professional services include - but are not limited to - Guest Editorships, Industry Consultations, Workshops Chair, Technical Program Committee Member, Invited/Keynote Speaker and reviewer for several international journals and conferences.
M uhammad H anif Durad Muhammad Hanif Durad is an Associate Professor at Pakistan Institute of Engineering and Applied Sciences (PIEAS), Islamabad, Pakistan. He did his MSc in Physics from University of Punjab, Pakistan, MSc in Systems Engineering from Quaid-i-Azam University, Pakistan, and PhD in Computer Engineering from Beijing Institute of Technology (BIT), China
His research interests include Computer Networks and Security, Parallel and Grid Computing, and Computer Architecture


*Biographies (Photograph)







 




 





 
 












 


 
 





Highlights


A Detection and Prevention System (DPS) is proposed to detect collaborative attacks in MANETs.




Special nodes are deployed in the network that continuously monitor the behavior of other nodes.




The proposed system finds malicious nodes with the help of Route Request (RREQ) messages.




All data and control messages are discarded by the network from nodes that are declared as wormhole.




The proposed DPS considerably reduces the number of packets dropped by malicious nodes with very low false positive rate.