Detecting Black and Gray Hole Attacks in Mobile Ad Hoc Network Using an Adaptive Method

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, Volume 2, Issue 1, January 2012)

37

Detecting Black and Gray Hole Attacks in Mobile Ad

Hoc Network Using an Adaptive Method

Disha G. Kariya

1

, Atul B. Kathole

2

, Sapna R. Heda

3

1_{Jawaharlal Darda Institute of Engineering & Technology,Yavatmal, India} 2_{Jawaharlal Darda Institute of Engineering & Technology,Yavatmal, India}

1_{[email protected]} 2

[email protected]

3_{[email protected]}

Abstract— Black and gray hole attack is one sort of routing disturbing attacks and can bring huge harm to the network. As a result, an efficient algorithm to detect black and gray attack is important. This paper demonstrates an adaptive method to detecting black and gray hole attacks in ad hoc network based on a cross layer design. In network layer, a course-based method to overhear the next hop’s action is proposed. This scheme does not send out extra control packets and saves the system resources of the detecting node. In MAC layer, a collision rate reporting system is established to guess dynamic detecting threshold so as to lower the false positive rate under high network overwork. DSR protocol is preferred to test algorithm.

Keywords — Ad Hoc, Black Hole, Cross Layer Design, DSR,

Gray Hole, MANET.

I. INTRODUCTION

Mobile Ad Hoc Network (MANET) [1], [2] is one kind of new wireless network structures. Unlike devices in traditional Wireless LAN solutions, all nodes are movable and the topology of the network is changing dynamically in an Ad Hoc Networks, which brings great challenges to the security of Ad Hoc Network. As a result, attackers can take advantage of defect in routing protocols to carry out various attacks [2] [3]. Black hole attack and gray hole attacks [4] are two classical attacks under Ad Hoc networks, which could disturb routing protocol and bring about enormous damage to the network’s topology.

This paper, propose a new approach to detect black hole and gray hole attacks by modifying the detecting threshold according to the network’s overload. We control a cross layer method to improve the performance of our detection. While the mechanism presented in this paper applies to almost Ad Hoc protocols, we will focus our attention, without loss of generality, on DSR protocol [5] in network layer and IEEE 802.11 protocol in MAC layer.

The remainder of this paper is organized as follows: Section 2 presents the related researches. In Section 3, a course based detecting algorithm over DSR protocol is proposed.

Advantage and disadvantage are also discussed. In Section 4, an enhanced method is presented and the algorithm to estimate the detecting threshold is explained.

II. RELATED WORKS

An easy way to comply with the conference paper formatting requirements is to use this document as a template and simply type your text into it.

A. Black and Gray hole attack

Black hole attack disturbs the routing protocol by misleading other nodes about the routing information. A black hole node works in the following scheme: once receiving RREQ and RREP messages, the attacker replies RREP messages directly and claims that it is the destination node. The source node is likely to receive a pseudo-RREP from the attacker before the real RREP returns. Under these conditions, the source node sends data packets to the black hole instead of the destination node. When the source node transmits data packets through the black hole, the attacker discards them without sending back a RERR message. As for gray hole, its activities are similar to a black hole. A gray hole does not drop all data packets but just part of packets. The Gray Magnitude is defined as the percentage of the packets which are maliciously dropped by an attacker. For example, a gray hole is gray magnitude of 60% will drop a data packet with a probability of 60% and a classical black hole has a gray magnitude of 100%.

(2)

International Journal of Emerging Technology and Advanced Engineering

38

III. ROUTING PROTOCOLS FOR MANET

Many different routing protocols have been developed for MANETs. They can be classified into two types:

Table driven: Table driven routing protocols basically uses proactive schemes. They attempt to maintain steady up-to-date routing information from each node to every other node in the network.

These protocols require each node to maintain one or more tables to store routing information, and any changes in network topology need to be reflected by circulating updates throughout the network in order to maintain a steady network view.

On demand: A different approach from table driven routing is source-initiated on-demand routing. This type of routing creates routes only when preferred by the source node. When a node requires a route to a destination, it initiates a route discovery process within the network. This process is completed once a route is found or all possible route permutations have been examined.

Three main routing protocols for a MANET are destination-sequenced distance-vector routing protocol (DSDV), Ad Hoc On Demand Vector routing protocol (AODV), and Dynamic Source Routing protocol (DSR). DSDV is a table-driven routing protocol based on the classical Bellman-Ford routing mechanism. In this routing protocol, each mobile node in the system maintains a routing table in which all the possible destinations and the number of hops to them in the network are recorded. AODV builds on the DSDV algorithm described above and is an improvement since it typically minimizes the number of required broadcasts by creating routes on a demand basis, as opposed to maintaining a complete list of routes as in DSDV. It is an on demand route gaining system, since nodes that are not on a selected course do not maintain routing information or participate in routing table exchanges. DSR is different from AODV in the sense that each mobile node keeps track of the routes of which it is aware in a route cache. Upon receiving a search request for course, it consults with its route cache to see if it contains the required information. This protocol uses more memory while reducing the route discovery delay in the system. Effective operation of a MANET is dependent on maintaining appropriate routing information in a distributed fashion.

IV. DSRPROTOCOL

DSR is completely on-demand ad hoc network routing protocol collected of two parts: Route Discovery and Route Maintenance. Here, the basic form of Route Discovery and Route maintenance in DSR is described.

In DSR, when a node has a packet to send to some destination and does not currently have a route to that destination in its Route Cache, the node initiates Route Discovery to discover a route; this node is known as the initiator of the Route Discovery, and the destination of the packet is known as the Discovery's target. The initiator transmits a Route Request (RREQ) packet as a local broadcast, specifying the target and a unique identifier from the initiator.

Each node receiving the Route Request, if it has recently seen this request identifier from the initiator, rejects the Request. Otherwise, it appends its own node address to a list in the Request and rebroadcasts the Request. When the Route Request reaches its target node, the target sends a Route Replay (RREP) back to the initiator of the Request, including a copy of the gathered list of addresses from the Request. When the Replay reaches the initiator of the Request, it caches the new route in its Route Cache.

Route Maintenance is the means by which a node sending a packet along a particular route to some destination detects if that route has wrecked, for example because two nodes in it have moved too apart. DSR is based on source routing: when sending a packet, the initiator lists in the header of the packet the complete sequence of nodes through which the packet is forwarded. Each node along the route forwards the packet to the next hop indicated in the packet’s header, and attempts to confirm this by means of a link-layer acknowledgment or network layer acknowledgment. If, after a limited number of local retransmissions of the packet, a node in the route is unable to make this confirmation, it returns a Route Error to the original source of packet, identifying the link from itself to the next node was broken. The sender then removes this broken link from its Route Cache; for following packets to its destination, the sender may use any other route to its destination in its Cache, or it may attempt a new Route Discovery for that target if necessary.

V. DETECTION METHOD

(3)

International Journal of Emerging Technology and Advanced Engineering

39

Patcha et al [8] proposed a collaborative method for black hole attack prevention. A watchdog method is introduced to include a collaborative architecture to deal with collusion amongst nodes. In this algorithm, nodes in the network are classified into trusted, watchdog, and ordinary nodes. Every watchdog that is chosen should observe its normal node neighbors and decide whether they can be treated as trusted or malicious.

Gao et al [9] proposed to use aggregate signature algorithm [10] to trace packet dropping nodes. The proposal was consisted of three related algorithms: 1) the creating proof algorithm. 2) The checkup algorithm. 3) The diagnosis algorithm. The strengths of this suggestion are: 1) the reliability is satisfying, as proof on forwarded packets is used; 2) the application scope is wide, as bi-directional communication links are not necessary; 3) the security is satisfying, as it is hard for malicious nodes to flee detection; 4) the bandwidth overhead is low, as nodes do not need to check each other.

Shila et al [11] offered a solution to defend selective forwarding attack (gray hole attack) in Wireless Mesh Networks [12]. The first stage of the algorithm is Counter- Threshold Based and uses the detection threshold and packet counter to discover the attacks. The second stage is Query- Based and uses acknowledgment from the intermediate nodes to confine the attacker. In the first stage, two types of packets, Control packet and Control ACK packet, are used to detect the attacker. Furthermore, they determine the proper value of detection threshold based on the routing Expected Transmission Count metric ETX [13] to improve the performance under different network situation.

VI. ACOURSE BASED DETECTING METHOD

A. DetectionAlgorithm

[image:3.595.64.264.658.749.2]

The algorithm is based on a course based scheme. That is, a node does not observe every node in the neighbor, but only observes the next hop in current route path. For example, in Figure 1, S is the source node; D is the destination node; and P is a gray hole. Node S is sending data packets to node D through the course S, P, Q, D. In this system, Node S only watches Node P, which is the next hop; but does not care Node 1 and Node 2.

Fig 1: A course based detection scheme

To implement the algorithm, every node should maintain an FwdPacketBuffer, which is a packet digest buffer. The algorithm is divided into three steps:

• When a packet is forwarded out, its digest is added into the FwdPacketBuffer and the detecting node overhears.

• Once the action that the next hop forwards the packet is overheard, the digest will be freed from the FwdPacketBuffer.

• In a fixed period of time, the detecting node should calculate the overhear rate of its next hop and compare it with a threshold. The overhear rate in the Nth period of time is defined as OR (N), the percentage of the data packets which are actually received by the destination. We measure the overall throughput to analyze how gray hole attack impacts the performance of the whole network under different number of attackers and different gray magnitude.

( )

If the forwarding rate is lesser than the threshold, the detecting node will consider the next hop as a black or gray hole. Latter, the detecting node would avoid forwarding packets through this believe node.

B. Advantages of Algorithm

This method has several advantages:

• In this design, each node only depends on itself to detect a black or gray hole. The algorithm does not send out extra control packets so that Routing Packet Overhead (the ratio of total number of routing related transmissions and the total number of packet transmissions) remains the same as the standard DSR routing protocol.

• Not like other collaborative detecting architectures, this proposal requires no encryption on the control packets to avoid additional attacks on detection information sharing.

• There is no need to observe all neighbors’ behavior. Only the next hop in the route course should be observed. As a result, the system performance misuse on detection algorithm is lowered.

C. Analysis of False Positive Probability

(4)

International Journal of Emerging Technology and Advanced Engineering

40

We confirm this assumption by comparing false positive probability between different solutions. The cause of high false positive probability is hidden node problem in carrier-sensing multiple access with collision avoidance (CSMA/CA) protocol. A hidden node is a node which is beyond range of a packet sender (node S in Figure 2) but in the range of a packet receiver (Node P in Figure 2). In Figure 2, Node Q does not hear the data from Node S to Node P, and it is a hidden node. When Node Q transmits to node R, the transmission collides with that from Node P to node Q. Therefore, the hidden nodes guide to higher collision probability.

[image:4.595.67.265.396.516.2]

As for course based detection, black node problem will greatly increase the false positive probability. In Figure 2, Node S is source node and Node R is destination node. Packet 1 is transmitted from Node Q to Node R. At the same time, Packet 2 is transmitted from Node S to Node P. Consequently, Packet 1 and Packet 2 will collide at Node P. Then Node S will retransmit Packet 2; but Packet 1 will not be sent again because Packet 1 has been received by Node R successfully.

Fig 2: A collision problem with the course based detection scheme

As a result, Node P misses Packet 1 and treats it being dropped by Node Q deliberately. In summary, a high network overload leads to a high collision rate caused by hidden node problem, so that the probability that a detecting node fails to overhear its next hop increases consequently. Thus, the false positive probability rises in the end.

VII. DYNAMICTHRESHOLDANDADAPTIVEDETECTION

A. MAC Layer Collision Report Mechanism

To avoid the problem caused by hidden node problem, a cross-layer method should be planned. Two counters, collisionPacketNum and nonColPacketNum, are added to standard 802.11 protocol. If a collision occurs, collisionPacketNum increases 1; if a packet being received successfully, nonColPacketNum increase 1. In a fixed period of time, the collision rate is defined as following:

( ) ( )

The collision rate is reported to network layer, and meanwhile, two counters are reset to zero. In network layer (DSR protocol in this seminar), accumulated collision rate is calculated. The ACR (N) is planned to calculate dynamic threshold. Before we can surely use the formula below, we must evaluate whether accumulated collision rate actually reflects a node’s network overload. Let ACR (N) be the accumulated collision rate in the Nth

time period and RCR (N) be the reported collision rate in the Nth time period. The ACR (N) find as:

( )

{

( ( ) ( )) ( )

Equivalently, when N≥ 1:

( )

∑ ( )

( ) ( )

B. ThresholdCalculations

Let Pcol be the collision probability in the Nth time

period; and Pfrwd be the actual forward probability of a

node; and Povhr be the probability of a node overhearing

the next hop’s forward action. So,

( ) ( )

This mechanism is able to measure Povhr using

overhear rate, OR (N), and Pcol using accumulated

collision rate ACR (N). Substitute them into (5).

( ) ( )

Let Tf be the fixed detection threshold. If a node drops

packets in a probability higher than Tf, the detecting node

can blame it as a gray hole. Equivalently,

( ) ( ) (

( )) ( )

Finally, dynamic detection threshold is defined as Td

(N).

( ) ( ) (

( )) ( )

(5)

International Journal of Emerging Technology and Advanced Engineering

41

VIII. CONCLUSION

Wireless Ad Hoc network is likely to be attacked by the black and gray hole attack. To solve this problem, a course based method is presented to detect black and gray hole attack. After theoretically analyzing advantages and disadvantages of this method, an adaptive algorithm to improve the detection performance is planned.

In future, we intend to carry out detection of black and gray hole in mobile ad hoc network based on cross layer design.

References

[1] AJiwen CAI, Ping YI, Jialin CHEN, Zhiyang WANG, Ning LIU; An Adaptive Approach to Detecting Black and Gray Hole Attacks in Ad Hoc Network; 2010 24th IEEE International Conference on Advanced Information Networking and Applications.

[2] IETF MANET work group.

http://www.ietf.org/dyn/wg/charter/manetcharter.html

[3] L.D. Zhou; Z.J. Haas, Securing Ad Hoc Networks[J], IEEE Network, 13(6), 1999.

[4] Y.C. Hu; A. Perrig, A Survey of Secure Wireless Ad Hoc Routing[J], IEEE Security and Privacy, 2(3), 28-39, May 2004.

[5] H. Deng; W. Li; D. Agrawal, (2002). Routing Security in Wireless Ah Hoc Networks [J]. Communications Magazine, IEEE, 70 - 75.

[6] D.B. Johnson; D.A. Maltz; J. Broch; “DSR: The dynamic source routing protocol for multiple wireless ad hoc networks”. In: Perkins C, Ed, Ad Hoc Networking. Addison-Wesley, 2001. 139-172

[7] J.W. Cai; P. Yi, Y. Tian, Y.K. Zhou, N. Liu, The Simulation and Comparison of Routing Attacks on DSR Protocol[C], WiCOM 2009, in press.

[8] B. Sun; Y. Guan; J. Chen; U.W. Pooch, Detecting Black-hole Attack in Mobile Ad Hoc Networks[C]; 5th European Personal Mobile Communications Conference, 2003, 490-495.

[9] A. Patcha; A. Mishra; Collaborative security architecture for black hole attack prevention in mobile ad hoc networks[C]; Radio and Wireless Conference, 2003, 75-78.

[10]Spector, A. Z. 1989. Achieving application requirements. In Distributed Systems, S. Mullende

[11] D. Boneh; C. Gentry; B. Lynn; H. Shacham. “Aggregate and Verifiably Encrypted Signatures from Bilinear Maps”. Advances in Cryptology- EUROCRYPT’03: LNCS 2656. Berlin: Springer-Veralg, 2003. 416-432.

[12] D.M. Shila; T. Anjali; Defending selective forwarding attacks in WMNs, IEEE International Conference on Electro/Information Technology, 2008, 96-101.

[13] I.F. Akyildiz; X. Wang (2005). A Survey on Wireless Mesh Networks [J]. IEEE Communications Magazine, 43 (9), 23-30

[14] D.S.J.D. Couto; D. Aguayo; J. Bicket; R. Morris, “A

High-Throughput Path Metric for Multi-Hop Wireless routing,” in ACM Mobicom, 2003.

[15] J.W. Cai; P. Yi, Y. Tian, Y.K. Zhou, N. Liu, The Simulation and