Chapter 6
Analysis of Black Hole and Worm-Hole Attack Using Proposed Model
6.0 Introduction
This chapter considers a well-known attack on the mobile ad hoc environment, the blackhole
attack. In a blackhole attack [68], [69], [70], an attacker node uses its routing protocol
to advertise that it has the shortest path to the destination node. In this way the attacker
is always in a position to reply to the route request, and thus attracts all the traffic on
the network and intercepts the data packets, which it may then retain or simply drop.
6.1 Problem Definition for Black Hole Attack
There are 21 MANET workstations with random mobility of (0-20) m/s, following a random
waypoint model during simulation, shown in Figure 6.2 as white lines. The simulation area is
assumed to be 1 sq. kilometer. All nodes are AODV enabled and send route requests for
mobile node 20. Figure 6.2 shows the simulation environment. Simulation parameters are
given in Table 6.1. To apply a blackhole attack, the AODV parameters for normal and
malicious nodes are given in Table 6.2. MANET traffic generation parameters for normal and
malicious nodes are given in Table 6.3.
Initially the simulation is carried out without a malicious node. Then one malicious node
performing a blackhole attack is inserted in the network. Node 6 is the malicious node in
this environment. The performance of the system is compared with and without the malicious
node.
Various features are generated by the simulation, but only a few of them are considered
for further evaluation. The performance of the network with and without the malicious node
can be measured, but that is not required here, as this research is focused on designing an
intrusion detection system.
Figure 6.1: Simulation environment
Table 6.1: Simulation parameters at a glance
| Parameters | Value |
|---|---|
| Simulation Area | 1000*1000 (meters) |
| Simulation Time | 3600 Sec |
| Nodes | 21 |
| Mobility | (0-20) m/sec (Random) |
| Distribution | Random |
| Trajectory | Trajectory-5 |
| Routing Protocol | AODV |
Table 6.2: AODV Parameters for malicious and normal node
| Parameters | Value (Normal Node) | Value (Malicious Node) |
|---|---|---|
| Route Discovery Parameters | Default | Custom Level |
| Route Request Retries | 5 | 0 |
| Route Request Rate Limit (Packets/Sec) | 10 | 0 |
| Gratuitous Route Reply Flag | Enabled | Enabled |
| Destination only Flag | Enabled | Enabled |
| Acknowledgement Required | Enabled | Enabled |
| Active Route Timeout | 3 | 3 |
| Hello Interval | Uniform (1,1.1) | Uniform (1,1.1) |
| Net Diameter | 35 | 1000 |
| Timeout Buffer | 2 | 0 |
| TTL | Default | Default |
| Packet Queue Size (packets) | Infinity | 0 |
Table 6.3: MANET Traffic generation parameters
| Parameters | Value (Normal Node) | Value (Malicious Node) |
|---|---|---|
| Start Time | 10 | 10 |
| Packet Inter Arrival Time | Exponential(1) | Exponential(1) |
| Packet Size | Exponential(1024) bits | Exponential(1024) bits |
| Destination IP Address | Mobile Node 20 (192.168.3.20) | Self (192.168.3.5) |
6.2 Results Comparison With and Without Malicious Node
Figure 6.2: Total routing traffic sent by the network and routing traffic received by the malicious node
Figure 6.3: Traffic forwarded by malicious node
Figure 6.4: Total packet drop by the network and packet drop by the malicious node
If we analyze the results from Figure 6.2 to Figure 6.4, we can conclude that when a
blackhole attack is applied in the network, the malicious node (node 6) receives a large
volume of traffic even though the destination node is a different one (in this case node
20), and its actual traffic forwarding rate is very slow. From Figure 6.5 the malicious
node is responsible for the maximum packet drop ratio in the network.
6.3 Feature Extraction for Black Hole Attack in MANET
On the basis of the simulation carried out in section 6.1, the following features can be
extracted [71], [72]. The accuracy of the system can be checked when a blackhole attack is
applied. The simulation carried out in section 6.1 is visualized in Figure 6.3 to Figure
6.5. The generated statistics are exported to a spreadsheet for analysis; the audit data
file generated using these features can be accessed from Appendix A.
Ratio of Routing Traffic Received (RRTR) = (Total Routing Traffic Received by malicious node / Total Routing Traffic Sent by complete N/W) * 100;
Ratio of Routing Traffic Sent (RRTS) = (Routing Traffic sent by Malicious Node / Routing Traffic Received by Malicious Node) * 100;
Ratio of Packet Drop (RPD) = (Packet Drop by Malicious Node / Total Packet Drop in N/W) * 100;
6.4 Rules Set for Black Hole Attack in MANET
If ((RRTR > 50% ∧ RRTS < 10%) ∨ PDR > 40%)
Then
{Not A Friend};
*The dictionary of the above rule set may be changed according to the need of the
network; threshold value may be changed according to the experience and other
requirements of the network.
6.5 Training Data Set for Black Hole Attack in MANET
Table 6.4: Training data set for Black Hole attack
| Input Features | Train Data Set | Function | Parameters (C,γ) | CPU Run Time (in Sec) | Mis-Classified | Support Vector |
|---|---|---|---|---|---|---|
| 3 | 3568 | Linear | DEFAULT | 153.27 | 92 | 273 |
| 3 | 3568 | Linear | 0.5,0.5 | 36.39 | 1248 | 14 |
| 3 | 3568 | Linear | 1.0,0.5 | 2.90 | 2321 | 15 |
| 3 | 3568 | Linear | 1.0,1.0 | 13.07 | 2321 | 15 |
| 3 | 3568 | Linear | 2.0,1.0 | 2.89 | 2321 | 14 |
| 3 | 3568 | Radial | DEFAULT | 2.36 | 56 | 938 |
| 3 | 3568 | Radial | 0.5,0.5 | 1.87 | 52 | 814 |
| 3 | 3568 | Radial | 1.0,0.5 | 2.17 | 39 | 792 |
| 3 | 3568 | Radial | 1.0,1.0 | 3.41 | 40 | 920 |
| 3 | 3568 | Radial | 2.0,1.0 | 2.67 | 37 | 900 |
| 3 | 3568 | Sigmoid | DEFAULT | 1.44 | 1247 | 2494 |
| 3 | 3568 | Sigmoid | 0.5,0.5 | 1.54 | 1247 | 2494 |
| 3 | 3568 | Sigmoid | 1.0,0.5 | 1.36 | 1247 | 2494 |
| 3 | 3568 | Sigmoid | 1.0,1.0 | 1.39 | 1247 | 2494 |
| 3 | 3568 | Sigmoid | 2.0,1.0 | 1.47 | 1247 | 2494 |
6.6 Testing Data Set for Black Hole Attack in MANET
Table 6.5: Test data set for Black Hole attack
| Input Features | Test Data Set | Function | Correct | Incorrect | Accuracy (%) | Precision/Recall |
|---|---|---|---|---|---|---|
| 3 | 3568 | Linear | 3476 | 92 | 97.42 | 99.78%/96.25% |
| 3 | 3568 | Linear | 2320 | 1248 | 65.02 | 65.05%/99.91% |
| 3 | 3568 | Linear | 1247 | 2321 | 34.95 | 50%/0.09% |
| 3 | 3568 | Linear | 1247 | 2321 | 34.95 | 50%/0.09% |
| 3 | 3568 | Linear | 1247 | 2321 | 34.95 | 50%/0.09% |
| 3 | 3568 | Radial | 3512 | 56 | 98.43 | 98.63%/98.97% |
| 3 | 3568 | Radial | 3516 | 52 | 98.54 | 98.84%/98.92% |
| 3 | 3568 | Radial | 3529 | 39 | 98.91 | 99.39%/98.92% |
| 3 | 3568 | Radial | 3528 | 40 | 98.88 | 99.35%/98.92% |
| 3 | 3568 | Radial | 3531 | 37 | 98.96 | 99.39%/99.0% |
| 3 | 3568 | Sigmoid | 2321 | 1247 | 65.05 | 65.05%/100% |
| 3 | 3568 | Sigmoid | 2321 | 1247 | 65.05 | 65.05%/100% |
| 3 | 3568 | Sigmoid | 2321 | 1247 | 65.05 | 65.05%/100% |
| 3 | 3568 | Sigmoid | 2321 | 1247 | 65.05 | 65.05%/100% |
| 3 | 3568 | Sigmoid | 2321 | 1247 | 65.05 | 65.05%/100% |
6.7 Introduction to Worm-Hole Attack
A wormhole attack is composed of two attackers and a wormhole tunnel. To establish a
wormhole attack, the attackers create a direct link between them, referred to as a wormhole
tunnel [73], [74]. A wormhole tunnel can be established by means of a wired link, a
high-quality wireless out-of-band link, or a logical link via packet encapsulation. After
building the wormhole tunnel, one attacker receives and copies packets from its neighbors
and forwards them to the other colluding attacker through the tunnel. The latter node
receives these tunneled packets and replays them into the network in its vicinity. In a
wormhole attack using a wired link or a high-quality wireless out-of-band link, the
attackers are directly linked to each other, so they can communicate quickly; however, they
need special hardware to support such communication. A wormhole using packet encapsulation,
on the other hand, is much slower, but it can be launched easily since it does not need any
special hardware or any special routing protocol.
6.8 Problem Definition for Worm-Hole Attack in MANET
Opnet Modeler is used for simulation, and the area is assumed to be 1 sq. kilometer.
There are 21 MANET workstations with random mobility of (0-20) m/s, following a random
waypoint trajectory during simulation, trajectory-5 (a predefined trajectory in Opnet). All
nodes are AODV enabled and send route requests for mobile node 20. Figure 7.2 shows the
simulation environment with the parameters given in Table 7.1.
To apply the wormhole attack, the AODV parameters for normal and malicious nodes are given
in Table 7.2. MANET traffic generation parameters for normal and malicious nodes are given
in Table 7.3. Initially, the simulation is carried out without a malicious node. Then two
malicious nodes, node 6 and node 12, create a wormhole tunnel by increasing their
transmission range. Node 12 is far away from the network or may be part of another
network. Node 6 works as the source and node 12 as the sink of the wormhole tunnel. The
performance of the network is compared with and without the malicious nodes.
Figure 6.5: Simulation environment
Table 6.6: Simulation parameters at a glance
| Parameters | Value |
|---|---|
| Simulation Area | 1000*1000 (in meters) |
| Simulation Time | 3600 Sec |
| Nodes | 21 |
| Mobility | (0-20) m/sec (Random) |
| Distribution | Random |
| Trajectory | Trajectory-5 |
| Routing Protocol | AODV |
Table 6.7: AODV Parameters for malicious and normal node
| Parameters | Value (Normal Node) | Value (Malicious Node) |
|---|---|---|
| Route Discovery Parameters | Default | Custom Level |
| Route Request Retries | 5 | 100 |
| Route Request Rate Limit (Packets/Sec) | 10 | 1000 |
| Gratuitous Route Reply Flag | Enabled | Enabled |
| Destination only Flag | Enabled | Enabled |
| Acknowledgement Required | Enabled | Enabled |
| Active Route Timeout | 3 | 3 |
| Hello Interval | Uniform (1,1.1) | Uniform (1,1.1) |
| Net Diameter | 35 | 1 |
| Timeout Buffer | 2 | 2 |
| TTL | Default | Default |
| Packet Queue Size (packets) | Infinity | Infinity |
Table 6.8: MANET Traffic generation parameters
| Parameters | Value (Normal Node) | Value (Malicious Node) |
|---|---|---|
| Start Time | 10 | 10 |
| Packet Inter Arrival Time | Exponential(1) | Exponential(1) |
| Packet Size | Exponential(1024) bits | Exponential(1024) bits |
| Destination IP Address | Mobile Node 20 (192.168.3.20) | Mobile Node 12 (192.168.3.12) |
Table 6.9: Wireless attribute
| Parameters | Normal Node | Malicious Node |
|---|---|---|
| Transmit Power | 0.005 | 0.100 |
| Packet Reception-Power Threshold | -95 | -95 |
6.9 Result Comparison With and Without Malicious Node
Figure 6.6: Routing traffic sent (global network vs malicious node (source of wormhole tunnel))
Figure 6.7: Routing traffic received (global network vs malicious node (source of wormhole tunnel))
Figure 6.8: Total reply sent from destination, but malicious node has no reply from destination (result not generated for source node)
Figure 6.9: Total MANET traffic sent (global network vs malicious node (source of wormhole tunnel))
Figure 6.10: Packet drop (global network vs malicious node (source of wormhole tunnel))
From Figure 6.6, it is clear that the malicious node is not actively participating in the
routing process, but it is actively receiving routing information, as shown in Figure 6.7.
Figure 6.8 shows that no reply is received by the malicious node from the destination,
which means the values generated in Figure 6.6 are suspicious. Data traffic is sent from the
network and also from the malicious node, but that malicious node never participated in
routing, as shown in Figure 6.9. Figure 6.10 shows that most of the control packets
received by the malicious node are simply dropped.
6.10 Feature Extraction for Worm-Hole Attack in MANET
The following features can be extracted on the basis of the simulation carried out in
section 6.8, when the wormhole attack is applied in the network. The results generated by
the simulation are visualized in Figure 6.6 to Figure 6.10. The generated statistics are
exported to a spreadsheet for analysis; the audit data file generated using the following
features can be accessed from Appendix A.
Ratio of Routing Traffic Received (RRTR) = (Total Routing Traffic Received by malicious node / Total Routing Traffic Sent by complete N/W) * 100;
Ratio of Routing Traffic Sent (RRTS) = (Routing Traffic sent by Malicious Node / Routing Traffic Received by Malicious Node) * 100;
Route Request Ratio (RRReq) = (Route Request generated by malicious node / Route Request generated by Total Network) * 100;
MANET Traffic Ratio (MTR) = (Malicious Node MANET Traffic Sent Ratio / Malicious node MANET Traffic Received Ratio) * 100;
Ratio of Packet Drop (PDR) = (Packet Drop by Malicious Node / Total Packet Drop in N/W) * 100;
6.11 Rules Set for Worm-Hole Attack in MANET
If (((RRTR > 50% ∧ RRTS < 10% ∧ RRReq < 5%) ∧ MTR > 50%) ∨ PDR > 25%)
Then
{Not A Friend};
*The dictionary of the above rule set may be changed according to the needs of the
network; threshold value may be changed according to the experience and other
requirements of the network.
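The feature ratios of sections 6.3 and 6.10 and the rule sets of sections 6.4 and 6.11, evaluated per node for one sampling interval, as an added Python example that is not part of the original chapter. The counter names, the handling of zero denominators, the reading of MTR as the node's data traffic sent over data traffic received, and the sample counters are assumptions made for illustration.

```python
import math

def ratio(num, den):
    """num/den as a percentage; a zero denominator gives 0 (idle) or inf."""
    if den == 0:
        return 0.0 if num == 0 else math.inf
    return 100.0 * num / den

def extract(node, net):
    """Features of sections 6.3 and 6.10 from one interval's counters."""
    return {
        "RRTR": ratio(node["rt_recv"], net["rt_sent"]),
        "RRTS": ratio(node["rt_sent"], node["rt_recv"]),
        "RRReq": ratio(node["rreq"], net["rreq"]),
        "MTR": ratio(node["data_sent"], node["data_recv"]),  # assumed reading
        "PDR": ratio(node["drops"], net["drops"]),  # named RPD in section 6.3
    }

def blackhole_rule(f):  # section 6.4
    return (f["RRTR"] > 50 and f["RRTS"] < 10) or f["PDR"] > 40

def wormhole_rule(f):  # section 6.11
    return (f["RRTR"] > 50 and f["RRTS"] < 10 and f["RRReq"] < 5
            and f["MTR"] > 50) or f["PDR"] > 25

def not_a_friend(node, net, rule):
    """True when the rule set marks the node as {Not A Friend}."""
    return rule(extract(node, net))

# Constructed counters for one interval (hypothetical, not simulation output).
NET = {"rt_sent": 4000, "rreq": 900, "drops": 500}
SINK = {"rt_recv": 2600, "rt_sent": 120, "rreq": 0,
        "data_sent": 0, "data_recv": 800, "drops": 310}
RELAY = {"rt_recv": 300, "rt_sent": 280, "rreq": 40,
         "data_sent": 50, "data_recv": 45, "drops": 10}
TUNNEL = {"rt_recv": 2400, "rt_sent": 50, "rreq": 5,
          "data_sent": 700, "data_recv": 600, "drops": 60}
IDLE = dict.fromkeys(SINK, 0)  # node that saw no traffic at all

if __name__ == "__main__":
    for name, node in [("sink", SINK), ("relay", RELAY),
                       ("tunnel", TUNNEL), ("idle", IDLE)]:
        print(name, not_a_friend(node, NET, blackhole_rule),
              not_a_friend(node, NET, wormhole_rule))
```

The TUNNEL sample also satisfies the blackhole rule, because the RRTR and RRTS conditions of section 6.4 are contained in the conjunction of section 6.11; both rule sets output the same {Not A Friend} verdict rather than an attack type.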
6.12 Training Data Set for Worm-Hole Attack in MANET
Table 6.10: Training data set for Worm-Hole attack
| Input Features | Train Data Set | Function | Parameters (C,γ) | CPU Run Time (in Sec) | Mis-Classified | Support Vector |
|---|---|---|---|---|---|---|
| 5 | 3590 | Linear | Default | 0.54 | 44 | 347 |
| 5 | 3590 | Linear | 0.5,0.5 | 6.51 | 42 | 274 |
| 5 | 3590 | Linear | 1.0,0.5 | 22.36 | 42 | 274 |
| 5 | 3590 | Linear | 1.0,1.0 | 10.69 | 42 | 274 |
| 5 | 3590 | Linear | 2.0,1.0 | 12.52 | 42 | 274 |
| 5 | 3590 | Radial | Default | 4.15 | 10 | 1479 |
| 5 | 3590 | Radial | 0.5,0.5 | 2.45 | 13 | 1001 |
| 5 | 3590 | Radial | 1.0,0.5 | 2.73 | 10 | 953 |
| 5 | 3590 | Radial | 1.0,1.0 | 4.55 | 9 | 1392 |
| 5 | 3590 | Radial | 2.0,1.0 | 4.65 | 6 | 1379 |
| 5 | 3590 | Sigmoid | Default | 1.22 | 937 | 1874 |
| 5 | 3590 | Sigmoid | 0.5,0.5 | 1.19 | 937 | 1874 |
| 5 | 3590 | Sigmoid | 1.0,0.5 | 1.14 | 937 | 1874 |
| 5 | 3590 | Sigmoid | 1.0,1.0 | 1.20 | 937 | 1874 |
| 5 | 3590 | Sigmoid | 2.0,1.0 | 1.23 | 937 | 1874 |
6.13 Testing Data Set for Worm-Hole Attack in MANET
Table 6.11: Test data set for Worm-Hole attack
| Input Features | Test Data Set | Function | Correct | Incorrect | Accuracy | Precision/Recall |
|---|---|---|---|---|---|---|
| 5 | 1344 | Linear | 1329 | 15 | 98.88% | 97.69%/98.45% |
| 5 | 1344 | Linear | 1331 | 13 | 99.03% | 98.19%/98.45% |
| 5 | 1344 | Linear | 1331 | 13 | 99.03% | 98.19%/98.45% |
| 5 | 1344 | Linear | 1331 | 13 | 99.03% | 98.19%/98.45% |
| 5 | 1344 | Linear | 1331 | 13 | 99.03% | 98.19%/98.45% |
| 5 | 1344 | Radial | 1341 | 3 | 99.78% | 99.74%/99.48% |
| 5 | 1344 | Radial | 1340 | 4 | 99.70% | 99.48%/99.48% |
| 5 | 1344 | Radial | 1341 | 3 | 99.78% | 99.74%/99.48% |
| 5 | 1344 | Radial | 1342 | 2 | 99.85% | 99.74%/99.74% |
| 5 | 1344 | Radial | 1343 | 1 | 99.93% | 100%/99.74% |
| 5 | 1344 | Sigmoid | 958 | 386 | 71.28% | 71.28%/88.26% |
| 5 | 1344 | Sigmoid | 958 | 386 | 71.28% | 71.28%/88.26% |
| 5 | 1344 | Sigmoid | 958 | 386 | 71.28% | 71.28%/88.26% |
| 5 | 1344 | Sigmoid | 958 | 386 | 71.28% | 71.28%/88.26% |
| 5 | 1344 | Sigmoid | 958 | 386 | 71.28% | 71.28%/88.26% |
6.14 Results and Validation for Black Hole and Worm-Hole Attack
For the given blackhole test data set, accuracy is observed to be very good with the radial
function. The accuracy of the proposed model for different kernel functions and cost (C)
and gamma parameters is given in Table 6.5. The accuracy achieved for the blackhole attack
is observed to be more than 98%. The model file generated with the higher accuracy is the
detection engine for the blackhole attack. The performance comparison with other models is
given in Table 6.12 for the blackhole attack. The performance of the model is improved in
comparison with the previously available models.
The accuracy of the system for the wormhole attack is given in Table 6.11. The achieved
accuracy is observed to be more than 99% with the radial function. The performance of the
proposed framework is compared with other models in Table 6.13. The proposed detection
engine is very good compared with the existing conventional models.
Table 6.12: Result comparison with previous models for Black Hole attack
| S.No. | Model | Accuracy |
|---|---|---|
| 1. | Aikaterini Mitrokotsa et al. [83] | 87.75% |
| 2. | 1-SVMDM (Hongmei Deng et al.) [81] | 85.58% |
| 3. | 2-SVMDM (Hongmei Deng et al.) [81] | 96.95% |
| 4. | Sophia Kaplantzis et al. [84] | 85% |
| 5. | J48 Model (Xia Wang et al.) [85] | 95.5% |
| 6. | Bayes Net Model (Xia Wang et al.) [85] | 95.1% |
| 7. | SVM Model (Xia Wang et al.) [85] | 98.2 |
| 8. | Proposed Model | 98.96% |
Table 6.13: Result comparison with previous models for Worm-Hole attack
| S.No. | Model | Accuracy |
|---|---|---|
| 1. | DelPHI (Hon Sun Chiu et al.) [88] | 89% |
| 2. | Farid Naït-Abdesselam et al. [87] | 92% |
| 3. | Regular Distribution (Zhibin Zhao et al.) [86] | 94% |
| 4. | Stochastic Distribution (Zhibin Zhao et al.) [86] | 84% |
| 5. | Proposed Model | 99.93% |
6.15 Conclusion
In this chapter, blackhole and wormhole attacks are applied in an ad hoc network using the
AODV protocol. Adequate evidence is collected. Features are extracted and rule sets are
generated for detecting the intruder. SVMlight is used to train on the data set, and then
the test data set is used to check the accuracy of the system. Linear, radial and sigmoid
functions are used to train and generate the model file for testing the data set. The model
file (detection engine) of the function that gives the best accuracy across the different
cost and gamma parameters is the one we plan to deploy at the appropriate layer. The
accuracy of the system for blackhole and wormhole attacks is observed to be very good
compared with the existing conventional models. The performance of the system is observed
to be better than satisfactory for the ad hoc network environment.