CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK...

44
58 CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTION 4.1 INTRODUCTION TO SLBHAD The focus of this chapter is to detect and isolate Black Hole attack in the MANET (Khattak et al 2013). In order to do that, network layer parameter is considered. Initially, the Black Hole detection technique starts with the density based attack analyzer technique where it analyses the impact of Black Hole and Gray Hole attacks. In order to analyze these two attacks send fake RREP algorithm is used. Next, the network layer Black Hole attack detection technique is responsible for initializing Honeypot node. To implement the proposed SLBHAD technique, spoofed RREQ packets are generated by malicious node detection timer algorithm, sending spoofed RREQ algorithm, sending fake request algorithm are used. The Route Lookup in network layer technique is proposed to detect malicious node ids of the network. In order to implement this, modified route lookup algorithm is implemented. To isolate the Black Hole nodes from the network, the isolation in the network layer technique is used to isolate malicious node from the network. The isolated nodes are broadcasted throughout the network using broadcast packet technique. Various simulation parameters are used to implement this SLBHAD technique. The proposed technique is compared with other existing techniques in order to understand the efficiency of SLBHAD.

Transcript of CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK...

Page 1: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

58

CHAPTER 4

SINGLE LAYER BLACK HOLE ATTACK DETECTION

4.1 INTRODUCTION TO SLBHAD

The focus of this chapter is to detect and isolate Black Hole attack

in the MANET (Khattak et al 2013). In order to do that, network layer

parameter is considered. Initially, the Black Hole detection technique starts

with the density based attack analyzer technique where it analyses the impact

of Black Hole and Gray Hole attacks. In order to analyze these two attacks

send fake RREP algorithm is used. Next, the network layer Black Hole attack

detection technique is responsible for initializing Honeypot node.

To implement the proposed SLBHAD technique, spoofed RREQ

packets are generated by malicious node detection timer algorithm, sending

spoofed RREQ algorithm, sending fake request algorithm are used. The Route

Lookup in network layer technique is proposed to detect malicious node ids of

the network. In order to implement this, modified route lookup algorithm is

implemented. To isolate the Black Hole nodes from the network, the isolation

in the network layer technique is used to isolate malicious node from the

network. The isolated nodes are broadcasted throughout the network using

broadcast packet technique. Various simulation parameters are used to

implement this SLBHAD technique. The proposed technique is compared

with other existing techniques in order to understand the efficiency of

SLBHAD.

Page 2: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

59

4.2 DENSITY BASED ATTACK ANALYZER

The density based attack analyzer technique consists of two steps:

1) Attracting - where the nodes attract other nodes by falsely sending

information in the communication 2) Invading - where the node invades the

communication process and drops packets. The basic difference between

these two attacks is that the Gray Hole attack (Min & Jiliu 2009) initially

behaves like a normal node and participates in routing process. But after

sometime it drops the packet like Black Hole node, whereas Black Hole

attack drops all the packets. The simple flowchart for generating these attacks

is shown in Figure 4.1. It depicts the proposed technique, which simulates and

analyzes the Black Hole and Gray Hole attacks.

Figure 4.1 Simple Flowchart for Attack Generation

Attracting Step

Incoming Packets

AODV Protocolcoordination

Determine routes Increase Sequencenumber

Invading stepSelect route

RREQPackets

Handle other Packets

Attack

Send Fake Reply

Yes

No

Yes

No

Exit

Page 3: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

60

During the attracting step, the attacker has to identify whether the

incoming packets are AODV packets. Then, the attacker determines the route,

selects the routing process, and coordinates the routing, by sending RREQ

packets. During the Invading step, the attacker starts increasing its DSN and

itself advertises that it has the highest DSN compared to the other nodes in the

network. Thus, it induces an attack by sending a fake reply to the nodes in the

network. In order to simulate both the attacks, the existing AODV protocol is

modified. The modification done in an existing AODV protocol, which

creates attacks are discussed in section 4.2.1. The following two functions are

the most important one, in which a Black Hole or Gray Hole vulnerability can

be introduced.

AODV:: recv (Packet *p, Handler*)

AODV:: recvRequest (Packet *p)

The function “AODV:: recv” will be called for each and every

packet arriving at that routing agent. If the packet is an AODV packet, it will

be treated accordingly. Therefore, in this function, a routing agent can

maliciously drop a packet during certain kinds of attacks. The function

“AODV:: recvRequest” will be called receiving an AODV RREQ packet type

“AODVTYPE_RREQ”. On receiving this RREQ message from any of the

neighboring nodes, the routing agent will try to resolve the route and send a

RREP message, if a route is available. The algorithm steps for analyzing and

simulating the Black Hole and Gray Hole attacks are given in next section.

Page 4: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

61

4.2.1 Algorithm for analyzing Black Hole and Gray Hole attack

The algorithm is known as “send fake RREP algorithm” which is

responsible for generating fake RREP packets in the network.

Input: AODV RREQ packet.

Output: Fake RREP packet.

Step 1: If (AODV_Packet) {

Step 2: If (RREQ) { // If it is a RRREQ packet

Step 3: SendRouteReply; // Send normal reply

Step 4:} else if (Black Hole Attack) {

//Maliciously sending wrong route to generate Black Hole attack

Step 5: SendFakeRouteReply;

Step 6: } else if (Gray Hole Attack) {

//Gray Hole will send a genuine reply initially

Step 7: Resolve the Route;

Step 8: SendRouteReply ;}}}

//it is the packet I am forwarding

Step 9: If {No Attack} {

Step 10: Handle it in a Normal way

Step 11: } else if (Black Hole Attack) {

//Maliciously drop the packet

Step 12: Drop the Packet

Step 13: } else if (Gray Hole Attack) {

//Maliciously drop the packet

Step 14: Drop the Packet}}}

This algorithm call the function “AODV:: send Reply” with

appropriate parameters. Hence, an agent will try to send a fake reply for the

Page 5: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

62

purpose of attacking a neighboring node, by giving wrong routing

information; it calls “AODV:: send Reply” and passes wrong routing

information to the requesting node. In the proposed implementation, a

modified function “AODV:: sendFakeReply” is used for the purpose of

sending wrong information to simulate both attacks.

4.3 SLBHAD

The proposed network layer Black Hole detection technique has

been strongly influenced by the spoofing technique. In general, spoofing is a

technique, where a computer or people pretend to be another by false data,

and exploit the system in order to get illegitimate access. Wireless networks

suffer from various types of spoofing, such as MAC spoofing, Web Spoofing,

DNS (Domain Name System) Spoofing, Email Spoofing, IP Spoofing, and

URL Spoofing.

MAC Spoofing is a technique where the hacker changes the MAC

address of a network interface.

Web Spoofing is a technique where the reality of the browsing

session significantly differs from the mental model of a sophisticated user and

the attacker, misleading the victim of an online fraud.

Email Spoofing is a technique where an email is created with a

forged sender address. Spam and phishing are such types of email spoofing

techniques, which are used to mislead the recipients.

DNS Spoofing DNS Spoofing is a technique where an illegal data

is injected into the DNS, which causes the server to return an incorrect IP

address in order to divert the traffic to another computer.

Page 6: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

63

IP Spoofing IP spoofing is used to gain unauthorized access to a

network or computer, where a malicious attacker forcefully sends a forged IP

address. The forged IP address indicates that the message comes from a

trusted host.

URL Spoofing is a technique in which the malicious user creates

the fake or forged URL, which is exactly similar to the original and safe URL.

The objective of this research work is to develop a novel technique

which secures the network layer. In this work, no encryption or key exchange

algorithm is used. Encryption or key exchange techniques are difficult to

implement in MANET because of its dynamic nature. Instead, spoofed

AODV RREQ packets are used to detect the Black Hole attack in the

network. Figure 4.2 explains the SLBHAD architecture. The architecture

consists of collecting network layer audit data from the network layer,

malicious node detection layer, Route Lookup in the network layer, isolation

in the network layer, and finally broadcasts the malicious Black Hole node id

throughout the network.

Initially, the detection process starts with analyzing the network

layer audit data. The malicious node detection layer consists of initializing the

Black Hole detector, where it consists of the Black Hole detector node or

Honeypot node in the MANET which uses spoofed packets. When the Black

Hole node detects the spoofed RREQ packets from the detector/Honeypot

node, the Black Hole node replies that it has the route to the particular

destination address, which does not exist in reality.

Page 7: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

64

4.3.1 SLBHAD Architecture

Yes

Figure 4.2 SLBHAD Architecture

Initialize BlackHole detector

BroadcastSpoofed RREQ

packets

Check for replyfrom neighboring

nodes

Update routingtable with BlackHole information

Repeat

NetworkLayer

Trace Data

MaliciousNode Detection

Layer

Do not use theBlack Hole node

Update the BlackHole id in the list

BroadcastMalicious

Black Holenode id

Isolate the BlackHole node

Isolation inNetwork Layer

Lookup forDestination

Find the nextshortest hop

towardsdestination

Verify the replyfrom routing tablefor non existence

node

RouteLookup

In NetworkLayer

Verify if thenode id isexistence

Page 8: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

65

After initializing the Black Hole detector node it broadcasts the

spoofed RREQ packets (Figure 4.3), and waits for the reply from the

neighbors. If any node replies to this message, then that node id is updated in

the routing table. The Route Lookup in the network layer is responsible for

updating the malicious node details. This layer verifies whether the reply is

for non existence node id from the malicious node. Finally, the isolation in

network layer updates the Black Hole details in the list, and broadcasts it to

the network. Thus, the proposed technique acts as a Honeypot (Cristine et al

2008, Haifeng Wang & Qingkui Chen 2010) where a trap (spoofed RREQ

packet) is set to detect the malicious node.

4.3.2 Spoofed RREQ Packet Structure

As discussed in Chapter 1, the normal AODV RREQ packet

consists of several fields, such as the destination IP address, DSN, originating

IP address, originator DSN, and so on, while in normal routing, when a node

broadcasts a RREQ, the TTL value is set up to a maximum value, because the

lifetime of the active route is updated until it reaches the destination node.

The destination IP address is another field which is used to indicate the node

to which a route is desired. During the normal route discovery process, a valid

destination ID and a TTL are assigned to the nodes. But in the proposed

detection technique, during the communication process, initially the Black

Hole detector node (Honeypot) sends spoofed RREQ packets. The spoofed

RREQ packet contains invalid nonexistent DSN and a TTL of 1. By receiving

this packet the Black Hole node replies that it has a valid route to the

particular node.

Page 9: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

66

Field Description

F1

Other Fields of

RREQ packet.

. … . . . .

. … . . . .

. … . . . .

DSN Non Existent Address

TTL 1

Figure 4.3 Spoofed RREQ Packets

This malicious node id is stored by the Honeypot node, broadcast to

all other nodes in the network and then, finally isolated from the other nodes.

During the communication process, the RREQ messages generated by this

malicious node id are ignored and normal communication takes place. The

existing AODV does not have any types of security techniques which are

proposed in this thesis. The algorithms are included to detect the malicious

nodes in the AODV protocol in the proposed work. Initially, the malicious

node detection timer is invoked, in order to initiate the spoofed RREQ. This

spoofed RREQ invokes for a particular time interval. Hence, the proposed

SLBHAD technique periodically invokes the timer function to detect attacks.

This function also invokes the Send Spoofed Route Request (), which

broadcasts spoofed RREQ messages to the neighboring nodes in the network.

This algorithm invokes this function periodically. Hence this technique

schedules the call for particular time interval. The proposed algorithms use

the recursive functions to detect attacks. The Algorithm of the Malicious

Node Detection Timer is given below:

Page 10: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

67

Input : Routing layer Data

Output : Malicious RREQ Data

Step1: Function Malicious Node Detection Timer ()

Step 2: Begin

//Start sending spoofed RREQ packets

Step 3: SendSpoofedRouteRequest ();

Step 4: Interval (Malicious Node Detection Interval + Jitter)

// Schedule next call to this function at Interval

Step 5: Schedule (Malicious Node Detection Timer (), Interval)

Step 6: End.

The above mentioned malicious node detection timer algorithm isused to initiate send spoofed route request technique by malicious nodedetection layer/ Honeypot node.

The Algorithm for sending spoofed RREQ message is given below:

Step 1: Function SendSpoofedRouteRequest ()

Step 2: Begin

Step 3: aodv _rt_entry *rt;

//Create a non existing IP address

Step 4: Network Address (Non Existing node id);-

Step 5: rt = rtable.rt _lookup (Network Address);

Step 6: if (rt ==0) {

Step 7: rt = rtable. rt _add (Network Address);}

Step 8: SendFakeRequest (Network Address);

Step 9: End

Page 11: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

68

The above algorithm creates a non-existence IP address, by

checking the routing table entry, and adding the nonexistent routing address to

the routing table. Then, it broadcasts the spoofed RREQ packet to all the

nodes in the network. Additionally, it calls another function which originally

sends a fake request to all the nodes in the MANET. Hence this algorithm is

responsible for creating non existing IP address by Honeypot node and

initiates sends fake request.

The algorithm which originally sends fake request is given below:

Step 1: Function SendFakeRequest (Network Address)

Step 2: Begin

// Allocate a RREQ packet

Step 3: Spoofed RREQ _ Packet Create_ Default_ RREQ _Packet ()

// Fill out the RREQ packet with Spoofed Info

Step 4: Spoofed RREQ _ Packet->rq _TTL = 1;

Step 5: Spoofed RREQ _Packet->dst = Network Address;

Step 6: Broadcast (Spoofed RREQ _Packet);

Step 7: End

The above algorithm originally broadcasts a fake request to the

nodes in the network. It sets the TTL value to the minimum, and broadcasts

the fake RREQ packet. This fake request is received by all the neighbors in

the network, which is used to detect Black Hole nodes. The Black Hole nodes

receive this fake RREQ packet and responds. Other non malicious nodes do

not reply for these fake RREQ packets because in the routing table of the non

malicious nodes, the invalid DSN and TTL will not present.

Page 12: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

69

4.3.3 Malicious Node Detection

The malicious node detection technique is responsible for detecting

the Black Hole nodes in the network. Initially, the Black Hole detector

initializes the malicious node detection process. First, it broadcasts the

spoofed RREQ packets. As discussed above, the spoofed RREQ packet

contains the non existence source id and the TTL value set to 1. Then this

spoofed RREQ packet is broadcast to all the other nodes in the network. The

broadcasted Honeypot spoofed RREQ packet waits for the reply from the

neighbor nodes. If any neighbor replies to this packet, those nodes are marked

as Black Hole nodes in the routing table. The reason is, since the normal

nodes which are not malicious will not reply to this spoofed RREQ packet. So

the routing table updates this Black Hole node information by marking it as

malicious.

4.3.4 Route Lookup in Network Layer

In order to resolve the route, the AODV calls the modified Route

Lookup function. This algorithm is very important, because it detects the

Black Hole attacks by checking the node id. If the malicious node replies that,

it has the route towards the non-existence node, then that vulnerable (Black

Hole) node is marked as malicious. In order to find a Black Hole node, a

detection flag is set on the routing table. If the detection flag is true then, it is

observed that the malicious node id is marked. Thus, routing via the malicious

node is avoided. The algorithm is known as the modified Route Lookup,

where it verifies the non-existence node id. The steps are given below:

Page 13: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

70

Input: Black Hole node data/Normal node data

Output: Return Non existence node id.

Steps

Step1: Function On _ Modified_ Route_ Lookup (Address)

Step 2: Begin

Step 3: Detection Flag (false)

Step 4: R1 (Normal_ Route _Lookup (Non Existing node id) ;

Step 5: if (R1 & R1->flags =RTF_id) {

//There is a malicious node in the routing table

Step 6: Detection Flag (true)

Step 7: Malicious node id (R1->Next hop ;}

Step 8: for all routes R in Routing Table do {

// If the next hop of the returned route is via the

// Non Existing Node then just ignore it

Step 9: if (Detection Flag & R->next hop =Malicious node id) {

//Next Hop is a Black Hole-Avoid the route

Step 10: Continue ;}

Step 11: if (R->DST =Id) then break ;}

Step 12: return R;

Step 13: End.

The Route Lookup algorithm for the network layer is responsible

for updating the reply from the neighbor nodes. The node which replies to the

spoofed RREQ packet is identified as the Black Hole node. Then, the node is

marked as malicious in RTF and this information is updated in the routing

table. Hence the above route lookup algorithm is responsible which marks the

malicious node ids in the routing table.

Page 14: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

71

4.3.5 Isolation in Network Layer

The isolation technique is responsible for isolating the malicious

node from the network. This technique is important, because it prevents

broadcasting routes via the malicious node. A flag is set as malicious, and the

nodes which reply to the non-existence node id are marked as malicious.

Input: Reply from Non existence node id.

Output: Isolate Black Hole id.

The algorithm steps for isolating the malicious Black Hole node aregiven below.

Step 1: Function Isolate (Address)

Step 2: Begin

Step 3: Black Hole node id (false);

Step 4: If (reply is for non existence node)

Step 5: Black Hole node id (true);

//Avoid route via the Black Hole node

Step 6: End

The above algorithm is used to isolate the routing via malicious

Black Hole nodes. From the route lookup algorithm it gets the details of

malicious Black Hole node id from the network and avoids routing via it by

isolating these nodes.

4.3.6 Broadcast Packets

Finally, in the broadcast packet, this technique is responsible for

broadcasting the malicious node details in the network. This technique

collects the details of the Black Hole node ids from the network, and

broadcasts this information to the other nodes in the network. It gets the

Page 15: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

72

malicious node id as input from a Route Lookup module and checks for the

detection flag and the malicious node id flag. If both these flags are set true,

then the node id is broadcasted to the network.

Input: Black Hole node ids from Route Lookup module

Output: Broadcast Black Hole node id.

Algorithm steps for broadcasting malicious node id are givenbelow:

Step 1: Function broadcast (RTF_id)

Step 2: Begin

Step 3: for all nodes in the network {

//If the node id is the Black Hole id

Step 4: if (Detection Flag =True & Malicious node id=True)

Step 5: Broadcast (Malicious node)}

Step 6: End.

4.4 SIMULATION PARAMETERS

The various performance metrics are used to analyze the Black

Hole and Gray Hole attacks. PDF is useful metric where it signifies the

number of packets send from source node to the destination node.NRL is used

to know about the details of network load. If NRL is more it is observed that

the network load is increased by generating control packets. EED is used to

know how successfully the proposed technique works. For example, if EED is

low it is observed that the malicious Black Hole nodes are isolated from the

network. Hence the packet only travels through MANET.

1. PDF: The ratio of the data packets delivered to the

destinations, to those generated by the Constant Bit Rate

(CBR) sources, is known as the PDF.

Page 16: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

73

2. NRL: The number of routing packets transmitted per data

packet delivered at the destination. The hop wise

transmission of a routing packet is counted as one

transmission.

3. EED: This includes the time taken for a packet to be

transmitted from the source node to the destination node.

The delay can be due to queuing at the interface queue,

latency, retransmission delays, and propagation and transfer

times.

4. Overhead: Overhead is measured in terms of the total

generated routing packets. It is the count of the total packet

generated and forwarded at the network layer.

5. PDR: PDR is measured for totally dropped packets due to

various reasons, such as poor wireless channel, malicious

and intentional packet dropping.

In order to do the simulation, the various initial parameters used for

this simulation are given in Table 4.1. Since the experiments are conducted

for MANET, the wireless channel is used as channel type. The radio

propagation model is used to predict the behavior of radio wave propagation

in MANET. In that, the two ray ground model predicts the line of sight

component. The antenna type used is Omni directional antenna where it

covers all directions from the antenna with varying degrees of coverage. Drop

tail queue is used as a queue type because the packets are accepted till the

queue is empty and the incoming packets are dropped when the queue become

full. The random way point model is used as mobility model where it exhibits

the movement of mobile users and the location changes over time.

Page 17: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

74

Table 4.1 Simulation Environment

Parameters Values

Channel type Wireless Channel

Radio-propagation model Two Ray Ground Model

Antenna type Omni Antenna

Interface queue type Drop Tail/Pri Queue

MAC type 802.11

Maximum packet in Queue 50

Topographical Area 600 x 600 sq.m

Mobility scenario 10 m/s

Pause time 20 sec

Mobility Model Random Waypoint Model

The parameters in Table 4.2 are used as traffic parameters. The

traffic parameters are used to set the application and transport layer stuffs.

The application layer traffic agent used in this thesis work is CBR. CBR is

relating to the rate at which the output data consumed is constant.

Table 4.2 Traffic Parameters

Parameters Values

Traffic Agent CBR

Transport Agent User Datagram Protocol(UDP)

Traffic Source 7

CBR Rate 10 kbps

The following parameters in Table 4.3 are used as variable

parameters. The proposed technique uses AODV protocol and various types

of node densities. These parameters are considered as variable parameters.

Page 18: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

75

Table 4.3 Variable Parameters

Parameters Values

Routing protocols Normal AODV

AODV with Back Hole, Gray Hole 1,2,3 and 4

Number of Nodes 20,30,40,50,60

4.4.1 Density Based Attack Analyzer

In this work, the analysis, and implementation of both the Black

Hole and Gray Hole attacks are carried out. In order to clearly analyze and

understand the attacks, the following techniques have been implemented:

T1-Analysing normal AODV

T2-Analysing Black Hole AODV attack

T3-Analysing Gray Hole AODV attack

T4-Comparison of the Black Hole AODV attack and the

Gray Hole AODV attack

For all the above techniques, various types of node densities are

used in order to understand the behaviour of the attacks. Table 4.4 shows the

performance of the normal AODV. In Technique T1, the experiments have

been carried out without any attacking nodes, with varying node densities.

T1-Analysing normal AODV

In Table 4.4, all the measured values are tabulated in the

case of the Normal AODV protocol. All the simulations are

run 3 times, and the average values are tabulated

Page 19: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

76

Table 4.4 Analysis on Normal AODV

Protocol Nodes PDF NRL Routed PacketsDroppedPackets

AODV

20 97.60 0.38 620.33 7330 97.97 0.61 1008.67 6540 98.30 0.65 1079.67 4350 98.40 0.73 1206.67 3860 96.77 1.46 2399.00 87

From the above Table 4.4, the following observations are made:

Various node densities are considered such as 20, 30, 40, 50

and 60

The NRL shows an gradual increase, because of the increase

in density of nodes

The routed packets are increased

Table 4.5 displays the performance of the Black Hole attack for theAODV under various network densities and performance metrics.

T2-Analysing Black Hole AODV

In Table 4.5, all the measured values in the case of theAODV protocol under the Black Hole attack are tabulated.All the simulations were run 3 times and the average value istabulated.

When the MANET consists of 10% of Black Hole node,the PDF for 20 nodes gets decreased from 97.60% to67.73%

When the MANET consists of 20% of Black Hole nodes,the NRL gets increased from 1.46 Kbps to 2.23 Kbps in thecase of 60 normal nodes

Page 20: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

77

When the MANET consists of three Black Hole nodes, therouted packets get decreased from 2399 packets/sec to1304.67 packets/sec

Finally, the PDR also increased from 87 packets/sec to 1387

packets/sec when the network consists of 60% Black Hole

nodes in the network

Table 4.5 Analysis of the Black Hole AODV

Protocol Nodes PDF NRL Routed PacketsDroppedPackets

WithBlackHole 1

20 67.73 0.45 493.33 59030 54.13 1.12 938.00 79640 67.53 0.91 1003.67 58850 65.03 1.18 1323.00 60360 79.23 1.75 2355.33 413

WithBlackHole 2

20 44.13 0.72 430.00 983

30 35.17 1.17 652.00 1125

40 53.83 1.03 893.67 821

50 57.87 1.30 1097.00 707

60 54.00 2.23 1724.33 820

WithBlackHole 3

20 26.87 1.01 445.67 1271

30 19.93 1.79 596.67 1381

40 39.50 1.61 731.67 1057

50 27.07 2.24 839.00 1246

60 48.60 1.69 1304.67 897

WithBlackHole 4

20 22.53 110.7 350.67 135030 11.73 6.03 563.00 152340 20.13 5.33 764.00 138750 17.00 3.30 933.33 141360 39.17 2.26 1338.67 1052

Page 21: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

78

T3-Analysing Gray Hole AODV

In Table 4.6, all the measured values in the case of the

AODV protocol under the Gray Hole attack are tabulated.

All the simulations were run 3 times and the average value is

tabulated

When the MANET consists of 10% of Gray Hole node, the

PDF for 20 nodes gets decreased from 97.60% to 88.57%

When the MANET consists of 20% of Gray Hole nodes, the

NRL gets increased from 1.46 Kbps to 1.74 Kbps in the

case of 60 normal nodes

When the MANET consists of 30% of Gray Hole nodes, the

routed packets decreased from 620 packets/sec to 465

packets/sec. But for the other node densities, the Gray Hole

node initially accepts all the packets, and starts forwarding

them without dropping any packets. So the routed packets

seem to have increased more, compared to the normal

AODV without any attack.

Finally, the PDR also increased for the Gray Hole attacks

from 87 packets/sec to 303 packets/sec when the network

consists of 60% Gray Hole nodes in the network

Table 4.6 displays the performance of the Gray Hole attack for the

AODV under various network densities and performance metrics.

Page 22: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

79

Table 4.6 Analysis of the Gray Hole AODV

Protocol Nodes PDF NRL Routing PacketsDropped

Packets

WithGray

Hole 1

20 88.57 00.41 595.00 226

30 89.10 00.72 1075.00 227

40 88.13 00.74 1084.67 231

50 98.40 00.73 1206.67 38

60 96.77 10.46 2399.00 87

WithGray

Hole 2

20 84.83 0.40 551.33 283

30 80.57 0.79 1083.00 373

40 80.70 0.80 1076.00 355

50 96.87 0.83 1357.00 67

60 88.87 1.74 2594.00 227

WithGray

Hole 3

20 76.80 0.36 465.00 434

30 78.07 0.80 1070.67 415

40 81.23 0.69 941.00 329

50 94.00 0.78 1233.00 113

60 85.03 1.74 2516.00 291

WithGray

Hole 4

20 76.70 0.37 474.67 420

30 74.40 0.81 1011.33 476

40 76.53 0.71 926.67 409

50 86.57 0.88 1262.67 236

60 84.23 1.87 2664.67 303

4.4.2 Analyzing the Impact of the Black Hole and Gray Hole Attacks

The Figures in this section explain the impact of the Black Hole

and Gray Hole attacks.

Page 23: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

80

Figure 4.4 Numbers of Nodes vs. PDF for Black Hole Attacks

Figure 4.4 depicts the scenario of the PDF for Black Hole attacks.

A PDF is a standard measure of the throughput. The PDF for the normal

AODV and AODV with the Black Hole attack is depicted in Figure 4.4. In

general, without a malicious node, the AODV has a good PDF. From the

results in Figure 4.4, the following observations can be drawn for Black Hole

attacks.

The PDF decreases with increasing node densities and

percentage of Black Hole nodes

In the case of the Black Hole AODV, with 10% of malicious

nodes, the PDF decreases from 97.60% (0% malicious

nodes) to 67.73% (10% malicious nodes), when the nodes

are moving at a mobility of 10m/s

With 40% of malicious nodes, the PDF falls from 97.60% to

39.17%

Page 24: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

81

Figure 4.5 Numbers of Nodes vs. PDF for Gray Hole Attacks

From the results in Figure 4.5, the observations drawn for the Gray

Hole attacks are:

The PDF decreases with increasing node densities, and

percentage of Gray Hole nodes

In the case of the Gray Hole AODV, with 10% malicious

nodes, the PDF decreases from 97.60% (0% malicious

nodes) to 88.57 % (10% malicious nodes) when the nodes

are moving at a mobility of 10m/s

With 40% of malicious nodes, the PDF falls from 97.60% to

84.23%

Page 25: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

82

Figure 4.6 Numbers of Nodes vs. NRL for Black Hole Attacks

The NRL can be evaluated, based on messages like the RREQ and

RREP, with the statistics of the number of routed packets to that of received

packets.

From the results in Figure 4.6 observations such as the following

can be made:

No constant trend is observed in the NRL

In the case of the Black Hole AODV, the NRL shows an

increase compared to normal AODV

With 10% malicious nodes, the NRL increases from 0.38

Kbps to 1.75 Kbps. Likewise with 40% of malicious nodes,

the NRL shows an increase from 0.38 Kbps to 2.26 Kbps

Page 26: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

83

Figure 4.7 Numbers of Nodes vs. NRL for Gray Hole Attacks

From the results of Figure 4.7 the following observations can be

made:

For Gray Hole attacks, no constant trend is observed in NRL

for the Gray Hole attacks

In the case of the Gray Hole AODV, the NRL shows an

increase

With 10% malicious nodes, the NRL increases from 0.38

Kbps to 0.41 Kbps; likewise, with 40% malicious nodes, the

NRL shows an increase from 0.38 Kbps to 1.87 Kbps

Page 27: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

84

Figure 4.8 Number of Nodes vs. Dropped packets for Black Hole Attacks

The PDR is useful towards detecting packet drop attacks. From the

results in Figure 4.8 the following observations can be made:

The packet drop count increases with increasing node

densities, and percentage of Black Hole nodes

In the case of the Black Hole AODV, with 10% malicious

nodes, the packet drop count increases from 73 packets/sec

(0% malicious nodes) to 413 packets/sec (10% malicious

nodes) when the nodes are moving at a mobility of 10m/s

With 40% malicious nodes, the packet drop count has the

steepest increase from 73 packets/sec to 1052 packets/sec

Page 28: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

85

Figure 4.9 Number of Nodes vs. Dropped packets for Gray Hole Attacks

From the results in Figure 4.9 the following observations can be

drawn:

The packet drop count increases with increasing node

densities and percentage of Gray Hole nodes

In the case of the Gray Hole AODV, with 10% malicious

nodes, the packet drop count increases from 73 packets/sec

(0% malicious nodes) to 595 packets/sec (10% malicious

nodes) when the nodes are moving with the mobility of

10m/s

With 40% malicious nodes, the packet drop count has the

steepest increase from 43 packets/sec to 409 packets/sec

Page 29: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

86

Figure 4.10 Numbers of Nodes vs. Overhead for Black Hole Attacks

The Overhead is a useful metric for analyzing the extra bandwidth

consumed to deliver data packets. From the results in Figure 4.10 the

following observations can be drawn:

The Overhead increases with increasing node densities and

percentage of Black Hole nodes

In the case of the Black Hole AODV, with 20% malicious

nodes, the overhead increases

Page 30: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

87

Figure 4.11 Numbers of Nodes vs. Overhead for Gray Hole Attacks

From the results in Figure 4.11, the following observations can be

made:

The overhead increases with increasing node densities and

percentage of Gray Hole nodes

In the case of the Gray Hole AODV, with 20% malicious

nodes, the overhead increases

4.4.3 Comparing the Impact of the Black Hole and Gray Hole

Attacks

The impact of the Black Hole attack and Gray Hole attack is

compared in this section. Figure 4.12, compares the PDF for the Black Hole

and Gray Hole attacks in MANET. The PDF is significantly very less in the

case of Black Hole attacks compared to the Gray Hole attacks.

Page 31: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

88

Figure 4.12 Comparison of the PDF for Black Hole and Gray HoleAttacks

Figure 4.13, shows the NRL for both the Black Hole and Gray Hole

attacks. The Black Hole attack increases the routing load of the MANET

compared to the Gray Hole attack. Figure 4.14 shows the PDR for the Black

Hole and Gray Hole attacks. The AODV without any attack, the PDR is very

minimal. But the PDR for the Black Hole attack is the maximum, when

compared to the Gray Hole attacks. From the results the observation is that,

compared to the Gray Hole attacks, the Black Hole attack causes more

damage to the routing behaviour.

Page 32: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

89

Figure 4.13 Comparison of the NRL Ratio for the Black Hole and GrayHole Attacks

Figure 4.14 Comparison of the PDR for the Black Hole and Gray HoleAttacks

Page 33: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

90

As shown in Figures 4.12, 4.13, 4.14, the impacts of these two

attacks are considered under various network attributes, and also compared in

this work. Black Hole attacks are more vulnerable than Gray Hole attacks,

because the PDR is high for the Black Hole attacks compared to the Gray

Hole attacks; moreover the NRL also increases in the presence of Black Hole

attacks compared to the Gray Hole attacks. When compared to the PDF, the

delivery rate of the Black Hole attacks decreases compared to Gray Hole

attacks, the routing packets also decreased in the presence of Black Hole

attacks compared to that of Gray Hole attacks. Thus from the simulation

results it is understood that the Black Hole attacks cause more damage to

MANET compared to Gray Hole attacks. Hence, the solution to the Black

Hole attack is considered in this research.

4.4.4 Simulation Study for Detecting and Isolating Black Hole

Attacks

The simulation results for detecting and isolating Black Hole

attacks in MANETs are presented in this section. For each set of parameters,

the simulations are repeated 3 times, and the averages of the results are

calculated. The following parameters are considered for the experiments.

1. Normal AODV

2. AODV without any detection and Black Hole attacks

3. AODV with the proposed SLBHAD technique

For experiment 1, the simulation runs for 3 times and the average is

taken. For experiment 2, the simulation runs for 3 * 4 times (12 runs) (for 1,

2, 3 and 4 Black Holes) and the average is taken for every 3 runs. For

experiment 3, the simulation runs for 3 * 4 times (12 runs) (for 1, 2, 3 and 4

Black Holes) and the average is taken for each 3 runs. So, totally the

Page 34: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

91

simulations run 27 times to get the results shown in the next subsection. The

scenario generator available in NS-2, is used for generating 3 scenarios (for

three repetitions). In all the cases Nodes 0 to 7 are the CBR sources and node

7 to 13 are the sinks. Table 4.7 illustrates the AODV technique without any

detection techniques (with malicious nodes) applied.

Table 4.7 Analysis on AODV without any Detection technique

BlackHoles

PDF NRL EED No. ofPackets Sent

Dropped

Packets

1 67.73 0.45 68.24 493.33 590

2 44.13 0.72 49.17 430.00 983

3 26.87 1.01 42.34 445.67 1271

4 22.53 110.79 37.71 350.67 1350

Table 4.8 illustrates the proposed SLBHAD technique with

different network parameters.

Table 4.8 Analysis on AODV with the proposed SLBHAD technique

BlackHoles

PDF NRL EED No. ofPackets Sent

Dropped

Packets

1 89.03 0.48 52.37 721.00 229

2 73.37 0.53 42.52 631.67 470

3 61.30 0.53 38.86 505.33 683

4 48.87 0.62 32.03 481.33 895

From Tables 4.7, 4.8 the following observations are made:

Page 35: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

92

i. With the plain AODV, the PDF has a steep fall from 97.60

(0% malicious nodes) to 22.53% (40% malicious nodes).

The proposed SLBHAD technique increases the PDF to 89%

(1% malicious node).

ii. Similar results are observed in the PDR. The drop ratio is

reduced in the proposed SLBHAD technique. For the AODV

without any attack, the drop ratio is 11% (0% malicious

nodes).

iii. The number of packets sent has also increased with the

proposed technique

iv. The EED is decreased when there are 40% malicious nodes

in the network. This is because, the proposed detection

technique detects and isolates the Black Hole nodes from the

network. So the packets are routed only via normal nodes

v. The Normalized routing packets are also greatly reduced

with the proposed SLBHAD technique

From the above results it is concluded, that the SLBHAD leads to a

substantial improvement over the plain AODV, from the point of view of the

PDF. The details are presented in Figure 4.15, where a comparison

corresponding to 40% malicious nodes, with the PDF is given. The proposed

SLBHAD technique has got a good PDF compared to the normal AODV.

From the Figure 4.15 to Figure 4.20, the SLBHAD technique is denoted as

Detection_With_PRS, where PRS denotes Periodic Request Sending.

Page 36: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

93

Figure 4.15 Comparison of the PDF (40% Malicious Nodes)

Figure 4.16 presents a comparison of the dropped packets in the

presence of 40% malicious nodes. It is found that the proposed SLBHAD

technique performs considerably better than the normal AODV.

Figure 4.16 Comparison of the PDR (40% Malicious Nodes)

The overhead can be measured, based on the number of

transmissions of messages like RREQ, RREP, and RRER. The overhead

increases with increasing percentage of malicious nodes for the plain AODV.

The proposed technique consumes less amount of network resources.

Page 37: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

94

Figure 4.17 Comparison of the Overhead (40% Malicious Nodes)

Figure 4.17 provides a comparison of the overhead between the

AODV and the proposed SLBHAD technique. The overhead is measured in

terms of successfully received or forwarded packets at the routing layer. In

general, an increase in the overhead signifies poor performance.

Figure 4.18 Comparison of the NRL (30% Malicious Nodes)

Page 38: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

95

Figure 4.19 Comparison of the NRL (40% Malicious Nodes)

Figures 4.18 and 4.19 signify the performance of the NRL. Without

a detection technique, the NRL increases slightly up to 30% Black Holes in

the network. But after 30% the NRL increases exponentially, without

detection. The proposed detection process uses the SLBHAD detection

technique, and hence, there is a reduction in the NRL. Thus, the NRL reduces

for the proposed SLBHAD technique.

Figure 4.20 Comparison of the EED (40% Malicious Nodes)

From Figure 4.20, the following inferences can be drawn. In

general, the EED decreases, when the percentage of malicious nodes

Page 39: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

96

increases. In the proposed SLBHAD technique, the EED decreases

significantly, which indicates that the connection is established within the

lower number of hops. That is, when there is a malicious node in the network,

the proposed SLBHAD technique detects and isolates the malicious nodes

from the network. Hence, the communication is only via the normal nodes.

So, the EED is decreased.

4.5 COMPARING THE ACCURACY OF THE DETECTION

TECHNIQUE

Many research works have been carried out to secure the

(Hu et al 2004, Hu et al 2005) AODV routing protocol. The proposed

detection technique is compared with an existing single layer technique,

which uses the DAODV protocol. They use the anomaly detection technique,

which is based on the dynamic learning process. In their technique, they use

path finding features and path abnormality features to detect the abnormality

of the nodes. Table 4.9 displays the comparison of the DAODV with the

proposed SLBHAD technique.

Table 4.9 Analysis on DAODV

BlackHoles

PDF NRL EED No. of Packetssent

Dropped

1 70.64 0.49 66.14 450.00 500

2 54.23 0.62 47.23 390.00 560

3 30.56 0.96 40.56 375.00 1105

4 29.23 100.79 37.23 360.25 1256

Page 40: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

97

Figure 4.21 Comparison of the PDF (40% Malicious Nodes)

Figure 4.21 illustrates the PDF for AODV without any detection

techniques, and the DAODV with the SLBHAD technique. This technique is

compared with varying node densities i.e. 50,100,150,200. From the above

figure, it is observed that the PDF is better than in the existing DAODV and

AODV without any detection techniques.

Number of Nodes vs Packet Delivery Fraction

Number of Nodes

Pack

et D

eliv

ery

Frac

tion(

%)

Page 41: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

98

Figure 4.22 Comparison of the NRL (40% Malicious Nodes)

Figure 4.22 illustrates the NRL for the AODV without any

detection techniques, and the DAODV with the SLBHAD technique. This

technique is compared with varying node densities, i.e. 50,100,150, and 200.

The NRL is very much in the proposed SLBHAD technique compared to

other existing techniques.

Number of Nodes vs Normalized Routing Load

Page 42: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

99

Figure 4.23 Comparison of EED (40% Malicious Nodes)

The Figure 4.23 illustrates EED for AODV without any detection

techniques, DAODV with SLBHAD technique. This technique is compared

with varying node densities i.e., 50,100,150,200.The EED is very low in the

proposed technique because, after the isolation of Black Hole nodes the

packets only travel through normal nodes. In Figure 4.24 displays the

numbers of packets send from source to destination node. The packets routed

more compared to DAODV and AODV without any detection technique.

Number of Nodes vs End-to-End Delay

Number of Nodes

End

–to-

End

Del

ay in

sec

Page 43: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

100

Figure 4.24 Comparison of the number of packets sent (40% MaliciousNodes)

Figure 4.25 Comparison of the number of packets dropped (40%Malicious Nodes)

Finally, Figure 4.25 displays the dropped packets in the network.

The proposed SLBHAD technique drops a very minimal number of packets

compared to the other two techniques.

Number of Nodes vs Packets Sent

Number of Nodes

Number of Nodes

Pack

ets S

ent

Dro

pped

Pac

kets

Number of Nodes vs Dropped Packets

Page 44: CHAPTER 4 SINGLE LAYER BLACK HOLE ATTACK DETECTIONshodhganga.inflibnet.ac.in/bitstream/10603/55923/9/09_chapter4.pdf · Black Hole detector, where it consists of the Black Hole detector

101

4.6 SUMMARY

In this chapter, a novel technique is proposed to detect and isolate

the Black Hole attacks in MANETs. Initially, the density based attack

analyzer is used to analyze the network performance, when the attacks occur.

It is shown that the proposed SLBHAD technique improves the PDF

compared to the existing techniques. Moreover, that the proposed technique

reduces the NRL and EED. The existing AODV algorithm is modified, and

has Honeypot concepts incorporated in it.

The PDF for the proposed SLBHAD technique is 89.03%. The PDF

for existing AODV technique is 67.73% and DAODV is 70.64%. From this it

is observed that the proposed SLBHAD technique improves the PDF

significantly. When the network contains 40% of Black Hole nodes, the NRL

for AODV is 110.79, for DAODV NRL is 100.79, for the proposed SLBHAD

the NRL is 0.62. From this it is observed that the network load is very low in

the proposed SLBHAD technique. When the network contains 10% of Black

Hole nodes, the EED for AODV is 68.24 sec, for DAODV EED is 66.14 sec,

for the proposed SLBHAD the EED is 52.37 sec. From this it is known that

the proposed SLBHAD technique has very low EED. Hence the proposed

technique isolates Black Hole nodes and travels via normal nodes. The

simulation results based on extensive experiments illustrate the novelty and

the effectiveness of the proposed technique.