Intelligent black hole detection in mobile AdHoc networks

ABSTRACT


INTRODUCTION
A mobile ad hoc network (MANET) is a collection of mobile devices that are connected via wireless links; these devices dynamically constitute a temporary network without the need for central management or network infrastructure. Each mobile device in the MANET communicates directly with other mobile devices within its radio range, while it can communicate with nodes that are located outside its radio range through intermediate nodes. Moreover, all the nodes must cooperate in forwarding the packets in the network [1]-[3]. MANETs have many distinct characteristics: dynamic network topology, no infrastructure, multi-hop routing, limited resources, and limited bandwidth [4]-[10]. There are various applications for MANETs ranging from the battlefield to classrooms [5], [11]-[13]. The Ad hoc On-Demand Distance Vector (AODV) is a reactive routing protocol that is specifically developed for MANETs. AODV is based on two mechanisms for routing: route discovery and route maintenance [5], [8], [14]. The widespread use of MANETs is being challenged by many factors, in particular, the issue of security. Nodes are assumed to trust each other and to work closely with each other to perform the routing operations. This trust assumption violates the security principles of networks [3], [4], [14]. There are many types of attacks that can threaten MANETs. Black hole attacks can greatly compromise the network resources and degrade its performance [6]. In these attacks, malicious nodes join the network, claim that they have the best path to destination nodes during the route discovery operation, and finally, simply drop all the data packets that go through them. Networks employ several mechanisms to protect themselves from attacks. Unfortunately, these measures do not guarantee full protection from attacks. Hence, a second line of defence that has the ability to detect emerging vulnerabilities is needed.
Many systems have been developed for this purpose, most notably intrusion detection systems (IDSs). However, these network-based IDSs cannot deal easily with the huge amount of data passing through the network. Therefore, a focused feature selection strategy for deciding on the most important features might be beneficial. Then, these selected features can be fed into a learning model to build an effective detection mechanism. The use of a focused dataset will improve the accuracy and speed of detections [3], [15], [16].
Several techniques have been proposed for the detection and the prevention of such attacks. Generally, these techniques are divided into two categories: securing an existing protocol or using intrusion detection systems (IDS) [8]. P. Raj et al. [17] proposed a secure AODV routing protocol known as the Detection, Prevention and Reactive AODV (DPRAODV). In addition to the basic AODV operation, the proposed protocol introduced a dynamic threshold value. According to the proposed protocol, the dynamic threshold value is calculated and updated when the RREP packet is received from the replying node for the first time. The main drawback of this technique is that it relies only on a high destination sequence number to differentiate a malicious node from a normal node. In addition to that, the network overhead will be increased due to the exchange of ALARM messages. Moreover, in large networks, the use of this technique will require a lot of time as all the nodes in the network will have to be notified. Mistry et al. [18] proposed a solution to black hole attacks based on the original AODV. Their approach depends mainly on modifying the functionality of the source node. This technique increases the end-to-end delay.
Khamayseh et al. [11] proposed a MI-AODV protocol, which is built on top of the original AODV protocol. According to the proposed protocol, the original AODV is extended to have extra structures, where each node has a Trust Table containing the addresses of the trust nodes. In addition to that, the RREP is extended to have an additional field (trust field), which is used to indicate if the replying node is reliable or not. The authors in [8] proposed an improvement to the original AODV protocol to enhance its security against black hole attacks. In the proposed protocol, each node in the MANET has two tables, namely a Suspect Table and a Black Table. These tables are designed to contain the addresses of the intermediate nodes which failed to send the data through them. In addition to that, there is an additional acknowledgement packet. Khare et al. [19] proposed a Secure Ad-hoc On-Demand Distance Vector routing (SAODV) protocol. As in the original AODV, the source node in the proposed protocol tries to discover the route to the destination node by flooding the RREQ message across the network. The neighbouring nodes receive the RREQ and send the RREP back to the source node if they have a valid route in their routing table. According to the SAODV protocol, the source node does not select the route from the first reply. The main drawback of using this technique is that it increases the end-to-end delay.
Intrusion Detection Systems (IDSs) can be classified into two main types: anomaly-based and signature-based (misuse detection model) [20]. An IDS depends heavily on the existence and availability of good and representative datasets. For this purpose, in 1999, a special dataset, known as the KDDCUP'99, was collected from real network traces [21]. Feature reduction is used to reduce the complexity and computation time of the model, where using one of the feature reduction techniques will lead to an increase in the performance of the IDS. In [20], Wa'el et al. proposed the Rough Set Classification Parallel Genetic Algorithm (RSC-PGA), which is a hybrid model for feature reduction. This model was tested using the KDDCUP'99 dataset. The authors in [22] employ rough set theory to deal with vagueness and uncertainty in decision systems. This tool is used to identify the relevant features from all decision system features, thereby contributing to the building of an efficient rule set for classification. In the proposed model, the features are selected according to the calculation of both the discernibility matrix and information gain, where the classification produced using the features selected by both methods gives better and more accurate results than the use of the features selected by each method individually.
In order to compare the performances of different classifiers in intrusion detection, the authors in [23] analysed the C4.5 and Naïve Bayes (NB) classifiers using the KDDCUP'99 dataset. The authors reduced the 41 KDD features to 11 features and 7 features using the information gain measure. The NB and C4.5 classifiers were evaluated on the dataset using all the features, the selected 11 features and the selected 7 features. The results of the experiments showed that, in general, the overall performance of the C4.5 was better than that of the NB, where the C4.5 had the lowest error rate and the highest classification accuracy. On the other hand, the C4.5 increased the true positive rate and achieved better detection rates. Moreover, the results for both classifiers showed that their performance became more efficient when the information gain technique was used to select the relevant features. Results show that the information gain is a successful measure for selecting the most relevant features [24], [25]. Researchers in [20] proposed a set of relevant features that contribute to the detection of DoS attacks. For this purpose, they applied the NSL KDD dataset to the C4.5 algorithm with a 6-fold cross validation using the Orange canvas data mining tool to analyse this dataset. The performance was measured in terms of the accuracy and classification time. The obtained results showed that the increase in the relevant features set reduced the classification time and increased the classification accuracy.
The authors in [26] proposed a detection technique for selected black hole attacks by deploying several IDS nodes in the MANET. The IDS nodes perform an anti-black hole function that estimates a suspicious value of the node. This is calculated based on the abnormal difference between the RREP and RREQ messages transmitted from the node. In [27], the authors proposed the IDAD technique, which is based on both Intrusion Detection and Anomaly Detection. This technique assumes that the activities of any node in the network are monitored. In addition, it assumes that the anomalous activities of an intruder can be distinguished from the normal activities of the normal nodes. The audit data, which is a pre-collected set of anomalous activities, should be available to the IDAD system, where this system compares every activity in the network with the audit data to detect the black hole node.
From the previous works, it was noted that many of the proposed techniques for securing an existing protocol against black hole attacks lacked a full understanding of the behaviour of the network with regards to black hole attacks. Moreover, most of the IDS-based techniques use either the KDDCUP'99 dataset or the NSL KDD dataset. The latter is a subset of the original KDD dataset. Both datasets are out-dated and were collected for wired domain attacks. A new MANET-oriented dataset with a focused and effective feature selection mechanism was created by [28]. This dataset is utilized to design two techniques to secure the AODV protocol against black hole attacks.
This paper is divided into 4 sections. Section 1 presents an overview of MANETs and black hole attacks. Moreover, it presents and discusses previous studies in relation to this research. Section 3 describes the proposed schemes: the BDD-AODV protocol and the Hybrid protocol. The results of the proposed solution are presented in Section 4. Finally, Section 5 concludes this work and suggests some ideas for future work.

PROPOSED SCHEMES
A host-based IDS was used by the nodes in the MANET, with each node being equipped with an IDS to collect the audit data. Meanwhile, an anomaly-based detection scheme was used for the detection task. This work proposed two techniques to detect and prevent black hole attacks. These techniques use the dataset developed by [28]. The general framework considered in this paper is shown in Figure 1. The detection phase is considered in this work.

Figure 1. Proposed Intrusion Detection Model
To examine the ability of the dataset in [28] to detect black hole attacks, two routing protocols were proposed, namely: the BDD-AODV protocol and the Hybrid protocol, where these protocols depend on the BDD features. The following subsections demonstrate the working mechanisms of the BDD-AODV protocol and the Hybrid protocol.

BDD-AODV protocol
The BDD-AODV protocol modifies the behaviour of the original AODV, where each node is required to have three tables: a Trust Table, a Black Table, and a Count Table. The Count Table maintains the following statistics about the on-going activities of the network for the reply node: count of RREP from this node, count of maximum destination sequence number from the RREP of this node, and count of the low hop count reply from the RREP of this node. Moreover, the RREP in the BDD-AODV protocol has two extra fields, namely, the replying node and the replying hop count. Figure 2 depicts the BDD-AODV algorithm.
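The per-node statistics described above (RREP count, maximum destination sequence number count, low hop count reply count) can be sketched as follows. This is an added example, not the authors' algorithm from Figure 2: the `round_id` field, the comparison of replies within one route discovery, the `MIN_REPLIES`/`RATIO` thresholds, the `select_route` helper and the trace are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class RREP:
    round_id: int            # route discovery this reply answers (assumed field)
    dest_seq: int            # destination sequence number (standard AODV)
    replying_node: str       # extra BDD-AODV field named on the page
    replying_hop_count: int  # extra BDD-AODV field named on the page

# Assumed decision rule: the page lists the counters, not the thresholds.
MIN_REPLIES = 3   # ignore nodes seen too rarely to judge
RATIO = 0.8       # share of replies that must "win" both comparisons

def build_count_table(replies):
    """Per replying node: RREP count, max-sequence-number count, low-hop count."""
    rounds = defaultdict(list)
    for r in replies:
        rounds[r.round_id].append(r)
    table = defaultdict(lambda: {"rrep": 0, "max_seq": 0, "low_hop": 0})
    for group in rounds.values():
        top_seq = max(r.dest_seq for r in group)
        low_hop = min(r.replying_hop_count for r in group)
        contested = len(group) > 1  # a lone reply is not compared with anything
        for r in group:
            row = table[r.replying_node]
            row["rrep"] += 1
            if contested and r.dest_seq == top_seq:
                row["max_seq"] += 1
            if contested and r.replying_hop_count == low_hop:
                row["low_hop"] += 1
    return {node: dict(row) for node, row in table.items()}

def suspects(table):
    """Nodes whose replies almost always carry both the top sequence
    number and the lowest hop count (candidates for the Black Table)."""
    flagged = []
    for node, row in table.items():
        if row["rrep"] < MIN_REPLIES:
            continue
        if min(row["max_seq"], row["low_hop"]) / row["rrep"] >= RATIO:
            flagged.append(node)
    return sorted(flagged)

def select_route(group, black_table):
    """Pick the freshest (then shortest) reply from a node not in the Black Table."""
    usable = [r for r in group if r.replying_node not in black_table]
    if not usable:
        return None
    best = max(usable, key=lambda r: (r.dest_seq, -r.replying_hop_count))
    return best.replying_node

# Constructed trace: M answers every discovery with a very high
# sequence number and a hop count of 1; A, B and C behave normally.
TRACE = [
    RREP(1, 12, "A", 3), RREP(1, 9999, "M", 1),
    RREP(2, 20, "B", 2), RREP(2, 9999, "M", 1), RREP(2, 21, "C", 4),
    RREP(3, 15, "A", 1), RREP(3, 9999, "M", 1),
    RREP(4, 30, "C", 2), RREP(4, 9999, "M", 1), RREP(4, 30, "B", 3),
    RREP(5, 18, "A", 2),
]

if __name__ == "__main__":
    table = build_count_table(TRACE)
    black_table = set(suspects(table))
    for node, row in sorted(table.items()):
        print(node, row, "BLACK" if node in black_table else "")
    round2 = [r for r in TRACE if r.round_id == 2]
    print("round 2 reply chosen from:", select_route(round2, black_table))
```

Requiring both counters to be high keeps node A, which ties for the lowest hop count once, out of the Black Table; a rule based on the sequence number alone is the weakness the related-work discussion attributes to DPRAODV.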

Hybrid protocol
The Hybrid protocol combines both BDD-AODV and MI-AODV [11] protocols to derive a more realistic and effective detection mechanism. In the MI-AODV protocol, the trust field is used to indicate if the replying node is reliable or not. It is given a value of either 0, 1 or 2. In the Hybrid protocol, each node is provided with two tables, namely, a Trust Table and a Black Table. In addition to that, every source node in the network is provided with a Count Table. The processes for the handling of the RREQ in the BDD-AODV protocol and Hybrid protocol are similar. Figure 3 shows the algorithm for the handling of the RREQ messages.

SIMULATION AND ANALYSIS OF RESULTS
To evaluate the performance of the proposed protocols, simulation experiments were conducted. The GloMoSim simulator was used to evaluate the performance of four different protocols, namely, the Hybrid protocol, BDD-AODV protocol, MI-AODV protocol, and original AODV protocol. Table 1 summarizes the simulation parameters. Four performance metrics were measured: Packet Delivery Ratio (PDR), Dropped Packets Ratio, Average End-to-End Delay and Overhead. Eight different scenarios were simulated in this research. These scenarios were simulated with different parameters, where these parameters had a direct impact on the black hole attack. These parameters are: the total number of nodes, the number of black hole nodes, and the pause time. Two pause time values were tested: 0 and 10. A pause time of 0 indicates high mobility, while a pause time of 10 indicates slow mobility.

High mobility scenarios
In all the following figures, the blue line represents the original AODV protocol, the red line represents the MI-AODV protocol, the green line represents the BDD-AODV protocol, and the orange line represents the Hybrid protocol. Figure 5 shows an improvement in the Packets Delivery Ratio (PDR) for all the 4 protocols for a network that was being attacked by 1 and 2 black hole(s). The obtained results show that the Hybrid protocol in the network, which was attacked by one black hole node, had the highest packet delivery ratio. As shown in Figure 5, the PDR increased when the number of nodes increased. As a result of increasing the number of normal nodes in the network, the source node had a better chance of receiving the RREP messages from the normal and reliable nodes. It was noted that the existence of a second black hole node caused a slight decrease in the packet delivery ratio. As shown in Figure 6, the number of dropped packets decreased as the number of nodes increased from 20 to 40. Within this interval, each source node was surrounded by more normal neighbors, while the number of black hole nodes in the network was fixed at 2. Therefore, the source nodes in the network had the chance to receive more alternative active routes to the destination from the normal and reliable nodes. The agreement between the results of the dropped packets and packet delivery ratio could be observed. Moreover, increasing the number of black holes led to an increase in the number of dropped packets. Figure 7 shows the end-to-end delay results for the Hybrid, BDD-AODV, MI-AODV and original AODV protocols when the network was attacked by 1 and 2 black holes. On the other hand, Figure 7 shows the end-to-end delay results when the network was attacked by two black hole nodes. According to the results in both figures, the Hybrid and BDD-AODV protocols increased the end-to-end delay compared to both the MI-AODV and original AODV protocols.
For a network attacked by one black hole, the original AODV achieved the best end-to-end delay result, while the Hybrid protocol achieved the highest end-to-end delay result. As shown in Figure 7, the end-to-end delay increased for all the protocols when the number of nodes increased. This increase in the number of nodes decreased the chances of the destination node becoming the neighbour of the source node. Therefore, the packets were transmitted over several hops in order to reach the destination node. Moreover, the Hybrid and BDD-AODV protocols were required to perform more operations to detect and avoid the black hole node, and hence, increased the delay. A similar pattern was obtained in the case of a network being attacked by two black hole nodes. The original AODV achieved the best end-to-end delay compared to the other three protocols, while the Hybrid protocol achieved the highest end-to-end delay result. As shown in Figure 8(a), the overhead increased as the number of nodes increased from 20 to 40 nodes. This could be interpreted to mean that the increase in the number of nodes in the network led to an increase in the number of control packets (e.g. RREQ and RREP) that were exchanged through the network. The original AODV achieved a significantly higher overhead than all the other protocols due to the existence of the black hole and the lack of any detection and prevention mechanism.

Low Mobility Scenarios
The performance of the tested protocols was evaluated under the assumption of low mobility. As shown in Figure 9, for networks attacked by one black hole and two black hole nodes, the Hybrid and the BDD-AODV protocols outperformed both the MI-AODV and the original AODV protocols in terms of the packet delivery ratio. Figure 9(a) shows the packet delivery ratio results for a network that was being attacked by one black hole node. The packet delivery ratio increased when the number of nodes in the network increased from 20 to 40 nodes. Within this interval, increasing the number of nodes in the network led to a decrease in the chances of the black hole nodes obtaining RREQ messages. Thus, the chances of the black hole nodes dropping data packets also decreased. Moreover, increasing the number of normal nodes in the network increased the possible number of node neighbours, hence increasing its chances of getting to the destination node(s) successfully. Figure 9(b) shows that the packet delivery ratio increased when the number of nodes increased from 20 to 40 nodes. The addition of a second black hole had a negative effect on the packet delivery ratio. Figure 10 shows that the dropped packets ratio for all the protocols decreased as the number of nodes increased from 20 to 40 nodes. Again, adding a second black hole increased the number of dropped packets for both cases. From Figure 9 to Figure 10, the agreement between the dropped packets results and packet delivery ratio results can be observed, where the protocol which had a high dropped packets ratio was the protocol with a low delivery ratio. Figure 11 shows the end-to-end delay results for a network being attacked by one and two black hole nodes. The Hybrid and BDD-AODV protocols worked properly with a pause time of 10, where these two protocols increased the end-to-end delay compared to the MI-AODV and original AODV protocols.
As shown in Figure 11(a), the end-to-end delay increased for all the protocols when the number of nodes increased from 20 to 40 nodes. The Hybrid protocol achieved the highest end-to-end delay results compared to the other three protocols, while the original AODV achieved the lowest end-to-end delay results. This difference in the results was due to the difference in the packets delivery ratio obtained from each protocol, where increasing the packets delivery ratio required more time, thereby increasing the end-to-end delay results.
For a network attacked by two black hole nodes, the original AODV showed the best end-to-end delay compared with the other protocols. The Hybrid protocol showed the highest end-to-end delay results. Figure 11(b) shows the end-to-end delay results for a network being attacked by two black hole nodes. Any increase in the PDR resulted in an increase in the end-to-end delay. As the Hybrid protocol had the highest PDR, it had the highest end-to-end delay. For a pause time of 10, the Hybrid and BDD-AODV protocols outperformed the MI-AODV and the original AODV protocols with respect to the overhead. Figure 12 shows the overhead results for networks being attacked by one black hole and two black holes. As shown by Figure 12, the overhead increased as the number of nodes increased from 20 to 40 nodes. This indicated that increasing the number of nodes in the network will lead to an increase in the number of control packets (e.g. RREQ and RREP) exchanged through the network. Figure 12(b) shows that the overhead results for the original AODV were significantly higher than the overhead for the other three protocols. This was due to the impact of black hole nodes in the original AODV and the absence of any detection and prevention mechanism. Decreasing the impact of black holes in the network led to a decrease in the network overhead.

CONCLUSION AND FUTURE WORK
A common threat to MANETs is black hole attacks. This paper was built on top of the work done in [28] to enhance the security level in MANETs. To fully utilize the BDD dataset, a BDD-AODV protocol was proposed, which depends on the features of the BDD dataset to build its prevention and detection mechanisms. The BDD-AODV protocol modifies the behaviour of the original AODV, making it more secure against black hole attacks, where it checks the reliability of the node that sends the RREP message. The Hybrid protocol was created by combining the MI-AODV and BDD-AODV protocols, including all the features of the BDD dataset. In other words, the working mechanism of the MI-AODV protocol was combined with the working mechanism of the BDD-AODV protocol in order to create a Hybrid protocol. As in the BDD-AODV protocol, each node in the MANET has a Trust Table, a Black Table, and a Count Table. Simulation results showed that the BDD-AODV and the Hybrid protocols reduced the impact of black hole attacks and outperformed both the original AODV and MI-AODV protocols in terms of the PDR, dropped packets ratio, and overhead, while the end-to-end delay was maintained in some intervals.
The cooperative and selective black hole nodes were not considered in this work. The cooperative black hole problem occurs when more than one black hole cooperates together. On the other hand, the selective black hole attacks select a set of data packets to be dropped, delivered to the destination node, or modified. It is proposed that the behaviour of cooperative and selective black holes be studied and the BDD dataset be expanded to include the relevant features that contribute to the detection of these attacks. Moreover, it is proposed that the BDD-AODV and Hybrid protocols be enhanced with certain mechanisms to solve these two problems. In addition, the experimental results showed that the end-to-end delay in the Hybrid and BDD-AODV protocols was higher than the delay in the original AODV. Therefore, there is a need for further improvements in order to reduce the delay values.