Research Article
FAPRP: A Machine Learning Approach to Flooding Attacks Prevention Routing Protocol in Mobile Ad Hoc Networks
Ngoc T. Luong (1, 2), Tu T. Vo (1), and Doan Hoang (3)
(1) Faculty of Information Technology, Hue University of Sciences, Hue University, Hue 530000, Vietnam
(2) Faculty of Mathematics and Informatics Teacher Education, Dong Thap University, Dong Thap 870000, Vietnam
(3) Faculty of Engineering and Information Technology, the University of Technology Sydney, Sydney 2007, Australia
Correspondence should be addressed to Doan Hoang; doan.hoang@uts.edu.au
Received 6 July 2018; Revised 9 November 2018; Accepted 29 November 2018; Published 10 January 2019
Guest Editor: Jiageng Chen
Copyright © 2019 Ngoc T. Luong et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Request route flooding attack is one of the main challenges in the security of Mobile Ad Hoc Networks (MANETs) as it is easy to initiate and difficult to prevent. A malicious node can launch an attack simply by sending an excessively high number of route request (RREQ) packets or useless data packets to nonexistent destinations. As a result, the network is rendered useless as all its resources are used up to serve this storm of RREQ packets and hence unable to perform its normal routing duty. Most existing research efforts on detecting such a flooding attack use the number of RREQs originated by a node per unit time as the threshold to classify an attacker. These algorithms work to some extent; however, they suffer high misdetection rate and reduce network performance. This paper proposes a new flooding attacks detection algorithm (FADA) for MANETs based on a machine learning approach. The algorithm relies on the route discovery history information of each node to capture similar characteristics and behaviors of nodes belonging to the same class to decide if a node is malicious. The paper also proposes a new flooding attacks prevention routing protocol (FAPRP) by extending the original AODV protocol and integrating FADA algorithm. The performance of the proposed solution is evaluated in terms of successful attack detection ratio, packet delivery ratio, and routing load both in normal and under RREQ attack scenarios using NS2 simulation. The simulation results show that the proposed FAPRP can detect over 99% of RREQ flooding attacks for all scenarios using route discovery frequency vector of sizes larger than 35 and performs better in terms of packet delivery ratio and routing load compared to existing solutions for RREQ flooding attacks.
1. Introduction
A Mobile Ad Hoc Network (MANET) [1] is a collection of wireless mobile devices (called nodes) that dynamically form an ad hoc network in situations such as disaster rescue, urgent conference, or military mission without the support of a network infrastructure. The topology of the network may change frequently because nodes can join or leave the network at will. In a MANET, nodes coordinate among themselves to maintain the connections among them. Data transfer from a source node to a non-neighbor destination node is routed through intermediate nodes. A node can act as a host and a router at the same time. A network routing protocol in a MANET specifies how nodes in the network communicate with each other. It enables the nodes to discover and maintain the routes between any two of them. Many routing protocols have been developed for MANETs, such as ad hoc on-demand distance vector (AODV) [2], dynamic destination sequenced distance vector (DSDV) [3], and zone routing protocol (ZRP) [4]. They are classified into three groups: proactive, reactive, and hybrid routing protocols. With proactive routing protocols, the routes between nodes need to be established before data packets can be sent. These protocols are suitable for fixed topology networks. In contrast, reactive routing protocols are suitable for dynamic topology networks as nodes only try to discover routes on demand. In complex network topologies, hybrid routing protocols are often used [5]. MANETs are thus essential in infrastructureless situations for communication; however, they suffer from various types of Denial of Service (DoS) attacks that deny a user services or resources he/she would normally expect to receive. Disrupting routing services at the network layer is an example of DoS [6, 7] where a malicious node (MN) tries to deplete resources of other nodes. Other types of DoS include Blackhole [8], Sinkhole [9], Grayhole [10], Whirlwind [11], Wormhole [12], and flooding attacks [13]. Flooding attack is a particular form of DoS attack in MANETs where malicious nodes mimic legitimate nodes in all aspects except that they do route discoveries much more frequently with the purpose of exhausting the processing resources of other nodes. This type of attack is simple to perform with on-demand routing protocols, typically AODV [14]. Among HELLO, RREQ, and DATA flooding attacks, route request (RREQ) flooding attack is the most hazardous because it is easy to create a storm of request route packets and cause widespread damage. This paper focuses on the request route flooding attack.
Hindawi, Wireless Communications and Mobile Computing, Volume 2019, Article ID 6869307, 17 pages, https://doi.org/10.1155/2019/6869307
Previous research on RREQ flooding attacks mainly focuses on detection algorithms that rely on the sending frequency of RREQ packets [13, 15–20]. Every node uses a fixed (or dynamic) threshold value to detect an attack. The threshold is calculated based on the number of RREQs originated by a node per unit time. A node labels a neighbor node malicious if it receives more RREQs than the allowed threshold from its neighbors. These algorithms, however, have many weaknesses in dealing with the dynamics of MANETs. These include the following: (1) An algorithm with a fixed threshold is not flexible and is not able to cope with dynamic environments where optimal threshold values vary. (2) Even with dynamic threshold algorithms, where the threshold takes into account other factors such as network traffic, mobility speed, and frequency of malicious node attacks, misclassification rates are still high. In high mobility environments, the connection state of network nodes changes very frequently; a node may not be able to capture accurate and adequate information to distill it to a single threshold. (3) A normal node may be mistaken for a malicious node even if it legitimately sends out a high number of route requests in response to a high priority event. (4) A malicious node may avoid the threshold detection mechanism simply by sending RREQ packets at a frequency just lower than the threshold value.
In this paper, we propose and investigate a different approach for detecting flooding attacks. Our solution relies on the route discovery history information of each node to classify a node as malicious or normal. The route discovery history of each node is represented by a route discovery frequency vector (RDFV). The route discovery histories reveal similar characteristics and behaviors of nodes belonging to the same class. This feature is exploited to differentiate abnormal behavior from a normal one. RDFV is defined as the feature vector for detecting malicious nodes in MANET environment. We propose a flooding attack detection algorithm to detect malicious nodes based on RDFV. We propose a novel flooding attacks prevention routing protocol by incorporating the FADA algorithm and extending the AODV protocol. We evaluate the performance of our solution in terms of successful detection ratio, packet delivery ratio, and routing load both in normal and under RREQ attack scenarios using NS2 simulation. The simulation results showed that our approach can detect over 99% of RREQ flooding attacks, had better packet delivery ratio and routing load compared to existing solutions for RREQ flooding attacks, and introduced negligible overhead relative to AODV for normal scenarios. The main contributions of the paper are as follows:
(1) It introduced a new route discovery history measure, the vector of route discovery frequency, to capture the behavior of MANET nodes.
(2) It proposed a flooding attack detection algorithm, a k-nearest neighbors-based machine learning algorithm using RDFV dataset to detect malicious nodes.
(3) It proposed a flooding attack prevention routing protocol by integrating FADA into the original AODV protocol.
(4) It evaluated the effectiveness and the performance of the proposed solution for high-speed mobility MANETs under RREQ flooding attacks.
The remainder of this paper is structured as follows. Section 2 presents a review of the related work on detection of flooding attacks. Section 3 presents our solution and a novel flooding attacks prevention routing protocol by improving AODV protocol using FADA. Section 4 presents the results of evaluating the performance of the proposed solution relative to existing solutions. Section 5 concludes the paper.
2. Related Works
2.1. Overview of AODV
AODV is a popular reactive routing protocol in which a node only initiates the process for finding a path to the destination if it wants to send data. Basically, when the source node (NS) wants to communicate with the destination node (ND) without an already discovered route to the destination, NS starts a route discovery process by broadcasting a route request (RREQ) packet containing the destination address. The nodes that receive the packet will in turn broadcast it. When ND receives the packet, it will send a route reply (RREP) packet back to the source node. Once a route has been discovered, HELLO and RERR packets can be used to maintain the status of the route.
Figure 1 describes the route discovery process of AODV: source node (N7) discovers a route to destination node (N11) by broadcasting an RREQ to its neighbor nodes. When a node receives the RREQ packet for the first time, it broadcasts the packet and sets up a reverse path to the source. If the node receives the same RREQ subsequently, it simply drops the packet. When N11 gets a RREQ, it unicasts a RREP packet to the source node through the established reverse path N11 → N10 → N9 → N7. When N7 gets a RREP, it successfully establishes a new path to N11 with 3 hops routing cost and adds the new entry to its routing table.
2.2. Flooding Attacks on AODV
Flooding attack is a form of DoS attack in which malicious nodes broadcast false packets in the network to exhaust the resources and disrupt the network operation. Depending on the type of packet used to flood the network, flooding attacks can be categorized into three categories: RREQ, DATA, and HELLO flooding attack.
Figure 1: Description of route discovery process of AODV in the MANET.
In RREQ flooding attack, a malicious node continuously and excessively broadcasts fake RREQ packets, which causes a broadcast storm and floods the network. The RREQ flooding attack is considered most harmful in MANET because it can ruin the route discovery process by exhausting the channel bandwidths and the processing resources of affected nodes. In DATA flooding attack, a malicious node can excessively broadcast data packets to any nodes in the network. This type of attack has more impact on the nodes participating in the data routing to the destinations. In HELLO flooding attack, nodes periodically broadcast HELLO packets to announce their existence to their neighbors. A malicious node abuses this feature to broadcast HELLO packets excessively and forces its neighbors to spend their resources on processing unnecessary packets. This type is only detrimental to the neighbors of a malicious node. Figure 2 shows the behavior of malicious nodes (M) in a MANET for these types of attacks.
2.3. Review on Related Research
This section summarizes related work on threshold-based, machine learning-based, hash function-based, and digital-signature-based approaches in detecting and preventing flooding attacks in MANETs. Table 1 summarizes these methods and their drawbacks.
2.3.1. On Fixed Threshold-Based Approach
Solutions are simple with a fixed threshold for mitigating the impact of RREQ flooding attacks. However, with a static threshold, these methods are not suitable for dynamic environments where nodes are highly mobile and frequently broadcast route request packets. In [15], Gada used three fixed thresholds: RREQ_ACCEPT_LIMIT, RREQ_BLACKLIST_LIMIT, and RATE_RATELIMIT. The default value of RATE_RATELIMIT is 10. If the rate of receiving request packets is greater than RREQ_ACCEPT_LIMIT but less than RREQ_BLACKLIST_LIMIT, packets are simply dropped and not processed. If it is greater than RREQ_BLACKLIST_LIMIT, the source is declared as a malicious node. The weakness of this solution is that it may lead to blacklisting of normal nodes (false positive) [16] and cause excessive end-to-end delay by dropping legitimate request packets once the RREQ_ACCEPT_LIMIT threshold is crossed.
In [16], Song et al. proposed a simple technique using an Effective Filtering Scheme (EFS) to detect malicious nodes. This solution uses two limit values: RATE_LIMIT and BLACKLIST_LIMIT. If the detected RREQ rate is higher than the RATE_LIMIT and the BLACKLIST_LIMIT, the malicious node is declared and it will be put into the black list. If the rate of RREQs originated by a node is between the RATE_LIMIT and the BLACKLIST_LIMIT, the RREQ packet is added to a "delay queue" waiting to be processed. Here, the authors set the RATE_LIMIT threshold to 5 and set the BLACKLIST_LIMIT up to 10.
In [13, 17], the authors developed flooding attack prevention (FAP) that prevents RREQ and DATA flooding attacks in MANETs. They argued that the priority of a node is inversely proportional to its broadcast frequency of RREQ. Hence, nodes that generate a high frequency of route requests will have a low priority and may be removed from the routing process. It is suggested that a node should not originate more than 10 RREQ packets per second, and hence the threshold of FAP is set at 15 for a good margin.
2.3.2. On Dynamic Threshold-Based Approach
Solutions with dynamic thresholds are more flexible as they can cope with the dynamic environment of MANETs. In [18], Mohammad proposed an improved protocol called B-AODV. In this method, each node employs a balance index (BI) for acceptance or rejection of RREQ packets. If the RREQ rate is higher than the BI value, a malicious node is defined and the RREQ packet is dropped. The results showed that B-AODV is resilient against RREQ flooding attacks. The main drawback of B-AODV is that it may drop legitimate request packets of a node moving at high speed, as the number of request packets may be higher than the balance index value [19]. Also, the method does not have a confirmation mechanism which can identify the node properly as a malicious node.
In [19], Gurung proposed a new mechanism called Mitigating Flooding Attack Mechanism. The mechanism is based on a dynamic threshold and consists of three phases. It deploys special Flooding Intrusion Detection System (F-IDS) nodes to detect and prevent flooding attack. The F-IDS nodes are set in the promiscuous mode to monitor the behavior of nodes in the network. The proposed mechanism has several features: (1) it uses a dynamic threshold, (2) it has a confirmation mechanism in which the special F-IDS node confirms the node as a malicious node by sending a dummy reply packet and waits for the data packets, and (3) it has a recovery mechanism that allows the node to participate in the network after the expiry of the blocking time period. However, the use of several F-IDS nodes to monitor their neighbors and to communicate among them limits the performance of the overall network, especially when the network is not under attack.

Table 1: Summary of drawbacks of related works for detecting flooding attacks.

| Ref | Name | Year | Method | Drawback |
|---|---|---|---|---|
| [15] | Proposed-AODV | 2004 | Fixed threshold | It uses static threshold value which is not suitable for high mobility environment. Malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [13] | FAP | 2005 | Fixed threshold | Same as [15]. |
| [16] | EFS | 2006 | Fixed threshold | Same as [15]. |
| [18] | B-AODV | 2016 | Dynamic threshold | It can drop valid request packets of the node moving with high mobility speed if the number of request packets is greater than BI value. Malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [19] | F-IDS | 2017 | Dynamic threshold | Performance varies. Using new control packets (ALERT) will increase communication overhead and limit the performance when operating in network environment without attacks. Malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [20] | SMA2AODV | 2017 | Dynamic threshold | Malicious node can pass the security mechanism by transmitting the RREQ packets at a frequency lower than the threshold. |
| [21] | SVMT | 2013 | SVM | The proposed algorithm uses fixed threshold to detect malicious nodes. |
| [22] | kNN-AODV | 2014 | kNN | The algorithm for building training data sets was not presented or justified. |

Figure 2: Description of flooding attacks in the MANET. (a) RREQ flooding. (b) HELLO and DATA flooding.
In [20], Tu introduced security mobile agents (SMA) to detect flooding attacks. An improved protocol, SMA2AODV, is proposed by integrating these SMAs into the discovery route process of the AODV protocol. During the training period, SMA agents are used to collect information for determining the minimal time-slot (the minimum time-slot for successfully discovering a path from a source node to a destination node) of the system (TSmin). After the training phase, node Ni checks the security of the RREQ packet received from source node Nj before broadcasting it to the neighbors. If the route discovery time-slot is smaller than the minimal time-slot of the system (T < TSmin), a flooding attack is said to have occurred with Nj as the attacker. Ni then adds Nj to its black list. All RREQ packets of nodes in the black list will be dropped. The drawback of this method is that TSmin is only valid if no malicious node exists during the training period.

Table 2: Description of symbols.

| Variable | Description |
|---|---|
| ti | i-th route discovery time |
| Ti | i-th inter-route discovery time |
| VNs | Vector of route discovery frequency of NS node |
| m | Size of vector of route discovery frequency |
| k | Cutoff value for kNN algorithm |
2.3.3. On Machine Learning Approach
In [21], Patel proposed the use of support vector machine (SVM) algorithm for detecting and preventing flooding attacks. The behavior of every node is collected and passed to the support vector machine to decide if a node is malicious based on a threshold limit.
In [22], Wenchao proposed a new intrusion detection system based on k-nearest neighbors (kNN) classification algorithm in wireless sensor networks to separate abnormal nodes from normal nodes by observing their behaviors. An m-dimensional vector is used to represent nodes and their behaviors, such as the number of routing messages that can be sent over a period of time, the number of nodes with different destinations in the sending routing packets, and the number of nodes with the same source node in the receiving routing packets. The paper shows that the system achieves high detection accuracy, but it does not provide justifications or the algorithm for building training datasets.
3. The Proposed FAPRP Solution
In this section, we present our algorithms and routing protocol for detecting flooding attacks in MANETs. First, we define a feature vector that represents the behavior of a node based on its history of route discovery: the route discovery frequency vector. Second, we describe an algorithm for obtaining the training dataset, which describes the normal behavior and the abnormal behavior of nodes for normal/malicious classification. Third, we present our flooding attack detection algorithm, and finally we present our proposed AODV-based flooding attacks prevention routing protocol. Table 2 defines symbols used in the paper.
3.1. Route Discovery Frequency Vector
In order to detect RREQ flooding attacks with kNN, the crucial problem is the selection of a feature vector that maximizes the separation of the normal and the malicious data classes and produces highly reliable classification. The selected features should be able to succinctly capture the inherent behavior of a node performing RREQ requests and the time-related network activities through their historical data records in order to differentiate "normal" from "malicious" behavior. We propose a route discovery frequency vector as the feature vector for this purpose. To quantify this vector, we define the following terms.
Definition 1. Route discovery time ($t_i$) is the duration from the time a node first broadcasts a route discovery packet to the time it receives the corresponding route response. Assuming that node Ni receives the $i$-th RREQ packet from the source node Ns at time $s_i$ and Ni receives the route response packet at time $e_i$, the route discovery time ($t_i$) is defined by (1).
$$t_i = e_i - s_i \tag{1}$$
Definition 2. Inter-route discovery time ($T_i$) is the duration from the end of a route discovery to the beginning of the next route discovery. Assuming that the node Ni receives the $(i+1)$-th RREQ packet from the source node Ns at time $s_{i+1}$, the inter-route discovery time ($T_i$) is defined by (2).
$$T_i = s_{i+1} - e_i \tag{2}$$
In AODV routing protocol, the route discovery frequency of a node depends on how frequently the node has to find a path to the required destination. All normal nodes have route discovery frequencies within a range, but malicious nodes have higher route discovery frequencies as their aim is to flood the network. Consider Figure 2(a): it shows three normal nodes A, B, C and one malicious node M. Figure 3(a) shows the route discovery history of the normal node (C) as recorded by the normal node (A). Figure 3(b) shows the route discovery history of the malicious node (M) that is also recorded by the normal node (A). The figures show that node C sent 6 RREQ packets and node M sent 13 RREQ packets over roughly the same duration.
We use an m-dimensional vector $V_{N_i}(a_1, a_2, a_3, \ldots, a_m)$ to represent the route discovery history of node Ni, where m is the size of the vector and $a_i$ is the $i$-th inter-route discovery time.
Example 1. The route discovery history of the malicious node shown in Figure 3(b) is represented by the route discovery frequency vector $V_M(T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9, T_{10}, T_{11}, T_{12})$ of size 12.
Figure 4 shows typical vectors of size 40 of the route discovery frequency of normal and malicious nodes by NS2 simulation. It can be seen that the inter-route discovery time values for all normal nodes (N1 to N5) are generally larger (> 1 sec) than those for malicious nodes (M1 to M5) as they have low route discovery frequencies. However, there are cases where the malicious inter-route discovery times (Ti) are indistinguishable from the normal ones. One reason for this is the mobility of nodes in the environment: a recording node may not receive RREQ packets from a malicious node until some later time. Another reason for the overlapping region is when a malicious node floods the network at a frequency close to the rate at which a normal node can generate RREQs. As demonstrated in Section 4, our proposed algorithm successfully recognizes these abnormal cases based on the route discovery frequency feature.
Figure 3: Route discovery history recorded at normal node (A). (a) Route discovery history of normal node (C). (b) Route discovery history of malicious node (M).
Figure 4: An example describes vectors of route discovery frequency of 5 normal nodes (N1 to N5) and 5 malicious nodes (M1 to M5). Axes: size of vector (m) against inter-route discovery time (sec).
3.2. Algorithm for Obtaining a Training Dataset
We use NS2 [23] version 2.35 to build a training dataset of NVC (normal) and MVC (malicious) vector classes. The simulation scenario is set up with 100 normal nodes and 1 malicious node operated in the area of 2000 m x 2000 m. Normal nodes move under the random waypoint model with maximum speeds of 0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s scenarios; a malicious node is positioned at the center (1000m x 1000m) as shown in Figure 5. Other simulation parameters include AODV routing protocol, 50 UDP connections, and constant bit rate (CBR) traffic type; the first data source commences at time 0, other data sources commence at 5 seconds apart after the first, and the malicious node respectively floods f packets every second (f may take on different values: 2, 5, 10, 50, and 100).
The training process proceeds as follows.
Step 1. Select the dimension or size (m) of the feature vectors.
Step 2. Set the frequency of flooding to 2 initially (f = 2 per second).
Step 3. For each of the mobile scenarios (0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s), simulate the MANET as follows. Each node records the inter-route time of a source node (Ti) on receiving a RREQ from the source node. Add Ti to the malicious history frequency vector if the source is malicious; otherwise it is added to the normal history frequency vector. At the end of this step, for each scenario, two sets of vectors are established:
(i) 100 malicious vectors $V^{j}_{M}(T^{M}_{1}, T^{M}_{2}, T^{M}_{3}, \ldots, T^{M}_{m})\ \forall j = 1..100$
(ii) 100 normal vectors $V^{j}\left(\sum_{i=1}^{50} T^{i}_{1}/50,\ \sum_{i=1}^{50} T^{i}_{2}/50,\ \sum_{i=1}^{50} T^{i}_{3}/50,\ \ldots,\ \sum_{i=1}^{50} T^{i}_{m}/50\right)\ \forall j = 1..100$
Step 4. At the end of Step 3, for all 5 scenarios, 100 average vectors for MVC and 100 vectors for NVC are obtained for this particular flooding frequency (f = 2).
Step 5. The algorithm continues to establish MVC vectors and NVC vectors for other flooding frequencies (f = 5, 10, 50, and 100).
Figure 5: Static network topology simulation for training: 50 UDP connections and malicious node positioned at the square in the center.
Figure 6: Two vector classes: black (+) for NVC and red (Δ) for MVC. Axes: size of vector (m) against inter-route discovery time (sec).
As a result of the training process, a training dataset with MVC and NVC vectors is shown in Figure 6. The training dataset is used to classify an unknown sample vector V (in the next section). In Figure 6, each vector is of size 60. It can be seen that there is an overlap between the two classes due to node mobility as well as the closeness of the rate of generation of RREQ packets of malicious and normal nodes.
3.3. Flooding Attack Detection Algorithm (FADA)
All normal nodes collect route discovery information of source nodes in the network. On receiving a RREQ packet, a node employs the route discovery frequency vector (VNs) and uses a machine learning algorithm to determine if the source node is normal or malicious. The kNN-Classifier, based on the kNN [24] algorithm, is utilized to classify the two classes based on the route discovery frequency vectors for NVC or MVC. The kNN algorithm is theoretically mature with low complexity and is widely used for data mining. The main idea is that if most of a sample's k-nearest neighbors belong to a class, the sample belongs to the same class. In kNN, the nearest neighbor refers to the distance between two samples, and various distance metrics can be used based on the feature vector that represents the samples. One of the most popular choices is the Euclidean distance in (3) to calculate the distance between V1 and V2. Algorithm 1 describes our algorithm for recognizing malicious nodes.
$$d(V_1, V_2) = \sqrt{\sum_{i=1}^{m} \left(V_1[i] - V_2[i]\right)^2} \tag{3}$$
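An added Python example (not the authors' NS2 implementation) of the kNN vote that Algorithm 1 specifies, using the distance of Equation (3). The training vectors, m = 40, and k = 15 are constructed values chosen for illustration, and the function names are this example's own.

```python
import math
import random


def euclidean(v1, v2):
    """Equation (3): Euclidean distance between two RDFVs of the same size m."""
    if len(v1) != len(v2):
        raise ValueError("RDFVs must have the same size m")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v1, v2)))


def fada_is_normal(v_ns, nvc, mvc, k):
    """Return True if v_ns falls in NVC, False if it falls in MVC.

    Follows Algorithm 1: sort the distances to each class, then merge-walk
    both lists to count how many of the k nearest vectors are normal (k1)
    and how many are malicious (k2).
    """
    if not 1 <= k <= len(nvc) + len(mvc):
        raise ValueError("k must be between 1 and the training set size")
    dis_nvc = sorted(euclidean(v_ns, v) for v in nvc)
    dis_mvc = sorted(euclidean(v_ns, v) for v in mvc)
    k1 = k2 = 0
    while k1 + k2 < k:
        nvc_left = k1 < len(dis_nvc)
        mvc_left = k2 < len(dis_mvc)
        # Equal distances go to the malicious side, as in Algorithm 1.
        if nvc_left and (not mvc_left or dis_nvc[k1] < dis_mvc[k2]):
            k1 += 1
        else:
            k2 += 1
    # A k1 == k2 tie (possible when k is even) classifies as malicious.
    return k1 > k2


M = 40  # assumed vector size for this example


def constructed_class(rng, low, high, count, m=M):
    """Constructed training vectors with inter-route discovery times in [low, high] s."""
    return [[rng.uniform(low, high) for _ in range(m)] for _ in range(count)]


def demo(k=15):
    """Classify three constructed sample vectors against constructed NVC/MVC sets."""
    rng = random.Random(7)
    nvc = constructed_class(rng, 3.0, 7.0, 50)  # normal: seconds between discoveries
    mvc = constructed_class(rng, 0.1, 0.5, 50)  # flooding: sub-second gaps
    samples = {
        "normal": [5.0] * M,
        "flooder": [0.2] * M,
        # Flooding source whose RREQs were partly missed by the recording node
        # (mobility), leaving a few long gaps in an otherwise dense history.
        "flooder_with_gaps": [0.3] * 36 + [6.0] * 4,
    }
    return {name: fada_is_normal(v, nvc, mvc, k) for name, v in samples.items()}


if __name__ == "__main__":
    for name, is_normal in demo().items():
        verdict = "NVC (accept RREQ)" if is_normal else "MVC (drop RREQ)"
        print(f"{name:18s} -> {verdict}")
```

Because ties resolve to MVC, an odd k avoids classifying a source as malicious on an evenly split vote.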
Algorithm 1: Flooding attack detection algorithm using kNN.

    Input: Two classes NVC and MVC; vector of route discovery frequency (VNs)
    Output: True if VNs is in NVC, else return False
    Begin
      MAX_VECTOR = 500
      Double Array disMVC[MAX_VECTOR], disNVC[MAX_VECTOR]
      // Distance from VNs to every training vector of each class
      For int vt = 0 to MAX_VECTOR - 1 do
        disMVC[vt] = Euclidean(VNs, MVCVectors[vt])
        disNVC[vt] = Euclidean(VNs, NVCVectors[vt])
      Sort(disMVC and disNVC, ASC)   // ascending sort
      int k1 = k2 = 0
      // Take the k nearest vectors; k1 counts normal, k2 counts malicious
      While (k1 + k2 < k)
        if (disNVC[k1] < disMVC[k2]) k1++
        else k2++
      Return (k1 > k2)
    End

3.4. FAPRP: A Novel Flooding Attacks Prevention Routing Protocol
In the original AODV protocol, as intermediate nodes accept all RREQ route discovery packets from any source nodes, hackers may exploit this vulnerability to perform RREQ flooding attacks. We propose the flooding attacks prevention routing protocol by introducing the flooding attacks detection algorithm into the route request phase of the AODV protocol as described in Figure 7. Similar to AODV, path discovery is entirely on-demand for FAPRP. When a source node needs to send data packets to a destination node to which it has no available route, NS broadcasts a RREQ packet to its neighbors. The intermediate node (Ni) receiving a RREQ packet from a preceding node (Nj) checks security as follows.
First, duplicate RREQ packets received by a node are dropped, similar to the AODV protocol. Ni may receive multiple RREQ packets coming from its neighboring nodes, but it only handles the first RREQ packet using the two parameters broadcast_id and src_add (source address) in the RREQ packet.
Second, unlike AODV routing protocol, Ni adds the information (si and ei) to the route discovery history (RDH) of the source node. Each intermediate node stores the route discovery counter of all source nodes. If the value of Counters[NS] equals x, the source node NS has initiated route discovery x times to this point. If the route history is full, Ni shifts all elements of RDH one position to the left and adds the new element (si, ei) to the rightmost position.
In MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in FAPRP routing protocol, only the source node's neighbor nodes deploy the FADA algorithm to detect RREQ flooding attack. Ni uses the source node address and the preceding node address to determine if it is a neighbor of the source NS. On receiving RREQ packets, the protocol works as follows.
Step A. If Ni is a neighbor of the source node NS:
  (i) Ni measures all Ti values in VNs using RDH of the source node.
  (ii) If the route discovery frequency vector of the source node (VNs) is not full, Ni ignores the security check and goes to Step B.
  (iii) Else, Ni uses FADA to classify NS using its feature vector VNs.
    (a) If VNs is in MVC, the source node is classified malicious, the RREQ packet is dropped, and the algorithm terminates.
    (b) Else, go to Step B.
Step B. If Ni is not a neighbor of NS, it executes other commands similar to AODV as follows:
  (i) Ni saves broadcast_id and src_add values into its cache and adds a reverse route to the source node into its routing table.
  (ii) If Ni is the destination or has a route toward the destination, it unicasts a RREP packet back to its neighbor from which it received the RREQ packet (Nj); otherwise it rebroadcasts the RREQ packet.
When the destination node gets a RREQ, it updates the time instance ei in the RDH of the source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, Ni assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates ei in the RDH of the source node; that is, it sets i = Counters[NS]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
Example 2. Figure 8 describes how an intermediate node (Ni) handles the RREQ and RREP packets. First, on receiving a RREQ packet at time p1, Ni increases Counters[NS] to 1 (Counters[NS]=1) and records s1=e1=p1. Second, on receiving the RREP packet at time p2, Ni updates e1=p2. Next, at time p3, Ni receives the RREQ packet, increases Counters[NS] by 1 (Counters[NS]=2), and records s2=e2=p3. Similarly, at time p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3=e3=p4. Finally, Ni records the RREP at time p5 and updates e3=p5. Because p1<p2<p3<p4<p5, Ti > 0, ∀i = 1..2.
Figure 7: Request route process of FAPRP routing protocol.
Figure 8: Route discovery history of the source node and 1 destination node.
Figure 9: Route discovery history of a source and 3 destination nodes. (a) Ni receives 4 RREQ packets. (b) Ni receives 2 RREP packets. (c) Ni receives a RREQ and a RREP packet.
3.5. Discussion. RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQs and does not care about the destinations.
Example 3. Consider a network topology with n nodes, including one source node NS and three destination nodes ND1, ND2, and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2, and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost and Ni received only 4 RREQ packets, at p1, p2, p3, and p4, respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.
After p4, Ni receives two RREP response packets to the source at p5 and p6. When receiving the RREP at time p5, Ni updates e4=p5, and Ni continues to update e4=p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving two RREP packets.
Finally, Ni receives another RREQ packet from NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS]=5) and sets s5=e5=p7, and on receiving the last RREP packet, Ni updates e5=p8. Figure 9(c) shows the RDH of the NS source node at p8.
Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
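The RDH bookkeeping of Examples 2 and 3 combined with the Step A / Step B check, as an added sketch that is not the authors' NS2 code. It assumes Ti = s(i+1) - ei (consistent with Figures 8 and 9), a plain majority-vote kNN with Euclidean distance, and constructed training vectors; NeighborMonitor, handle_rreq, and the node names S and X are hypothetical, and duplicate-RREQ suppression is left out.

```python
from collections import defaultdict, deque
from math import dist

M = 4   # RDFV size m (the paper evaluates 10..60; kept small so the run is readable)
K = 3   # kNN cutoff value k

# Constructed training data: inter-route-discovery gaps in seconds.
NVC = [[5, 7, 9, 11], [4, 6, 3, 8], [10, 12, 6, 9]]      # normal vector class
MVC = [[0.1] * 4, [0.05] * 4, [0.1, 0.05, 0.1, 0.05]]    # malicious vector class


class NeighborMonitor:
    """Per-source state an intermediate node Ni keeps: Counters[NS] and RDH."""

    def __init__(self, m=M):
        self.m = m
        self.counters = defaultdict(int)
        # m + 1 (s_i, e_i) pairs give m gaps; a full deque drops its leftmost
        # element on append, which is the "shift left" step of the text.
        self.rdh = defaultdict(lambda: deque(maxlen=m + 1))

    def on_rreq(self, src, now):
        self.counters[src] += 1
        self.rdh[src].append([now, now])      # s_i = e_i = arrival time

    def on_rrep(self, src, now):
        # A RREP carries no discovery index, so it is credited to the last entry.
        if self.rdh[src]:
            self.rdh[src][-1][1] = now        # e_i = now, with i = Counters[NS]

    def rdfv(self, src):
        """V_NS under the assumed definition T_i = s_(i+1) - e_i."""
        h = self.rdh[src]
        return [h[i + 1][0] - h[i][1] for i in range(len(h) - 1)]


def knn_is_malicious(vector, nvc=NVC, mvc=MVC, k=K):
    """Majority vote among the k nearest labelled vectors (Euclidean distance)."""
    labelled = [(dist(vector, v), False) for v in nvc]
    labelled += [(dist(vector, v), True) for v in mvc]
    nearest = sorted(labelled, key=lambda pair: pair[0])[:k]
    malicious_votes = sum(is_mal for _, is_mal in nearest)
    return malicious_votes * 2 > len(nearest)   # a tie is treated as normal


def handle_rreq(monitor, src, prev_hop, now):
    """Return 'drop' or 'forward' for one received RREQ (Steps A and B)."""
    monitor.on_rreq(src, now)
    vector = monitor.rdfv(src)
    is_neighbor = prev_hop == src             # the RREQ came straight from NS
    if is_neighbor and len(vector) == monitor.m and knn_is_malicious(vector):
        return "drop"                         # Step A(iii)(a)
    return "forward"                          # Step B: ordinary AODV handling


def simulate():
    """Replay two constructed traces at one neighbor node."""
    ni = NeighborMonitor()
    normal, flooder = [], []
    # Normal source "S": a discovery every few seconds, each answered by a RREP.
    for rreq_t in (0, 6, 13, 21, 30):
        normal.append(handle_rreq(ni, "S", "S", rreq_t))
        ni.on_rrep("S", rreq_t + 1)
    # Flooding source "X": 10 RREQ per second, never answered.
    for n in range(8):
        flooder.append(handle_rreq(ni, "X", "X", n / 10))
    return normal, flooder, ni.rdfv("S"), ni.counters["X"]


if __name__ == "__main__":
    normal, flooder, v_s, count_x = simulate()
    print("S decisions:", normal, "V_S =", v_s)
    print("X decisions:", flooder, "Counters[X] =", count_x)
```

In this sketch the first m RREQs from X are forwarded because the vector is not yet full, so a larger m lengthens the window before the security check applies.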
4. Performance Evaluation by Simulation
In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.
4.1. Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.
The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0, and the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.
Table 3: Simulation parameters.
| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m2) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1..10, 1..20, and 1..30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |
Figure 10: Malicious nodes location in the 1000 m x 1000 m area. (a) 1 node, at (500, 500). (b) 2 nodes, at (500, 700) and (500, 300).
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].
(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true (the packets come from normal nodes). AF is the number of RREQ packets that are accepted false (the packets come from malicious nodes). DT is the number of RREQ packets that are dropped true (the packets come from malicious nodes). DF is the number of RREQ packets that are dropped false (the packets come from normal nodes).
$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \quad (4)$$
(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.
$$PDR = \frac{\sum_{i=1}^{n} DATA_i^{received}}{\sum_{j=1}^{m} DATA_j^{sent}} \times 100 \quad (5)$$
(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay_i^{DATA}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.
$$ETE = \frac{\sum_{i=1}^{n} Delay_i^{DATA}}{n} \quad (6)$$
(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.
$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET_j^{overhead}}{\sum_{i=1}^{n} DATA_i^{received}} \quad (7)$$
Table 4: AODV performances under flooding attacks.
| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10 pkt/s | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10 pkt/s | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20 pkt/s | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20 pkt/s | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |
| Standard deviation values | | | | | | | | | | |
| 0 pkt/s | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10 pkt/s | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10 pkt/s | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20 pkt/s | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20 pkt/s | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |
4.2. Simulation Results
4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.
Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that, without flooding attack, the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.
The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN data mining algorithm, our method achieves much higher malicious nodes detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and the RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
Figure 11: AODV performance under RREQ flooding attacks, plotted against mobility speed (m/s) for the Normal, 1MN-10pkt/s, 1MN-20pkt/s, 2MN-10pkt/s, and 2MN-20pkt/s scenarios. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt).
4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and the vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
Table 5: AODV, B-AODV, and FAPRP performances.
| Speed | MN | PDR (%) AODV | PDR (%) BAODV | PDR (%) FAPRP | RL (pkt) AODV | RL (pkt) BAODV | RL (pkt) FAPRP | ETE (sec) AODV | ETE (sec) BAODV | ETE (sec) FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10 m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10 m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20 m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20 m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20 m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30 m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30 m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30 m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |
Figure 12: Malicious nodes successful detection ratio (%) against size of vector (m = 10, 15, 20, 25, 30, 35, 40, 60), with one curve per cutoff value k = 10, 15, 20, 25, 30, 35, 40, 45, 50. (a) 1-10 m/s mobility speed. (b) 1-20 m/s mobility speed. (c) 1-30 m/s mobility speed. (d) Average of mobility speed.
Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks, plotted against the number of malicious nodes (0, 1, 2) for mobility speeds 1-10 m/s, 1-20 m/s, and 1-30 m/s. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt).
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation), and it is 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios, the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, the B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47% standard deviation). Under flooding scenarios, the FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes (2.73% maximum standard deviation). In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, the B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkt and 670.06 pkt for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios, the routing load is about 3.37 pkt. The B-AODV average routing load in the attack state is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for normal scenarios and high mobility speed is about 5.61 pkt. Under flooding attacks, the FAPRP average routing load is about 6.99 pkt and 8.28 pkt when the intruder uses one and two malicious nodes, respectively. The B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion
In this paper, we introduced the flooding attack detection algorithm, based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm, to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves a higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and a lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to the AODV and B-AODV protocols.
In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability
The data used to support the findings of this study areincluded within the article
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials
We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:
1. aodv_cc.rar: source code of AODV routing protocol for simulation in NS2.35.
2. fdaodv_cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
3. baodv_cc.rar: source code of BAODV routing protocol for simulation in NS2.35.
4. fdbaodv_cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
5. faprp_cc.rar: source code of FAPRP routing protocol for simulation in NS2.35.
6. fdfaprp_cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
7. scen.rar: 15 network topologies for simulation.
8. TCL.rar: TCL source code used to write simulation scripts in ns2, and analysis files (awk) for the simulation.
9. DATA.rar: all simulation data.
10. Figures.rar: all scripts (gnuplot) to create the figures in the paper.
(Supplementary Materials)
References
[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, "An overview of mobile ad hoc networks: Applications and challenges," Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, "Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers," in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, "The Zone Routing Protocol (ZRP) for Ad Hoc Networks," INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, "A survey on routing algorithms for wireless Ad-Hoc and mesh networks," Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, "Security in wireless ad-hoc networks - A survey," Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, "A survey of intrusion detection in wireless network applications," Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, "A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks," Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns/.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1–11, 2017.
network layer is an example of DoS [6 7] where a maliciousnode (MN) tries to deplete resources of other nodes Othertypes of DoS include Blackhole [8] Sinkhole [9] Grayhole[10] Whirlwind [11] Wormhole [12] and flooding attacks[13] Flooding attack is a particular form of DoS attacks inMANETs where malicious nodes mimic legitimate nodes inall aspects except that they do route discoveries much morefrequently with the purpose of exhausting the processingresources of other nodes This type of attacks is simpleto perform with on-demand routing protocols typically asAODV [14] Among HELLO RREQ and DATA floodingattacks route request (RREQ) flooding attack is the mosthazardous because it is easy to create a storm of request routepackets and cause widespread damageThis paper focuses onthe request route flooding attack
Previous researches on RREQ flooding attacks mainlyfocus on detection algorithms that rely on the sendingfrequency of RREQ packets [13 15ndash20] Every node usesa fixed (or dynamic) threshold value to detect an attackThe threshold is calculated based on the number of RREQsoriginated by node per unit time A node labels a neighbornode malicious if it receives more RREQs than the allowedthreshold from its neighbors These algorithms howeverhave many weaknesses in dealing with the dynamics ofMANETs These include the following (1) An algorithmwith a fixed threshold is not flexible and is not able to copewith dynamic environments where optimal threshold valuesvary (2) Even with dynamic threshold algorithms where thethreshold takes into account other factors such as networktraffic mobility speed and frequency of malicious nodeattacks misclassifications rates are still high In high mobilityenvironments the connection state of network nodes changesvery frequently a node may not be able to capture accurateand adequate information to distill it to a single threshold (3)A normal node may be mistaken for a malicious node evenif it legitimately sends out a high number of route requests inresponse to a high priority event Or (4) amalicious nodemayavoid the threshold detection mechanism simply by sendingRREQ packets at a frequency just lower than the thresholdvalue
In this paper we propose and investigate a differentapproach for detecting flooding attacks Our solution relieson the route discovery history information of each node toclassify a node as malicious or normal The route discoveryhistory of each node is represented by a route discovery fre-quency vector (RDFV) The route discovery histories revealsimilar characteristics and behaviors of nodes belongingto the same class This feature is exploited to differentiateabnormal behavior from a normal one RDFV is defined asthe feature vector for detecting malicious nodes in MANETenvironment We propose a flooding attack detection algo-rithm to detect malicious node based on RDFV We proposea novel flooding attacks prevention routing protocol byincorporating the FADA algorithm and extending the AODVprotocol We evaluate the performance of our solution interms of successful detection ratio packet delivery ratio androuting load both in normal and under RREQ attack scenar-ios using NS2 simulationThe simulation results showed thatour approach can detect over 99 of RREQ flooding attacks
had better packet delivery ratio and routing load compared toexisting solutions for RREQ flooding attacks and introducednegligible overhead relative to AODV for normal scenariosThe main contributions of the paper are as follows
(1) It introduced a new route discovery history measurethe vector of route discovery frequency to capture thebehavior of MANET nodes
(2) It proposed a flooding attack detection algorithm a k-nearest neighbors-basedmachine learning algorithmusing RDFV dataset to detect malicious nodes
(3) It proposed a flooding attack prevention routingprotocol by integrating FADA into the originalAODVprotocol
(4) It evaluated the effectiveness and the performanceof the proposed solution for high-speed mobilityMANETs under RREQ flooding attacks
The remainder of this paper is structured as follows. Section 2 presents a review of the related work on detection of flooding attacks. Section 3 presents our solution and a novel flooding attacks prevention routing protocol by improving the AODV protocol using FADA. Section 4 presents the results of evaluating the performance of the proposed solution relative to existing solutions. Section 5 concludes the paper.
2. Related Works
2.1. Overview of AODV. AODV is a popular reactive routing protocol in which a node only initiates the process for finding a path to the destination if it wants to send data. Basically, when the source node (NS) wants to communicate with the destination node (ND) without an already discovered route to the destination, NS starts a route discovery process by broadcasting a route request (RREQ) packet containing the destination address. The nodes that receive the packet will in turn broadcast it. When ND receives the packet, it will send a route reply (RREP) packet back to the source node. Once a route has been discovered, HELLO and RERR packets can be used to maintain the status of the route.
Figure 1 describes the route discovery process of AODV: the source node (N7) discovers a route to the destination node (N11) by broadcasting an RREQ to its neighbor nodes. When a node receives the RREQ packet for the first time, it broadcasts the packet and sets up a reverse path to the source. If the node receives the same RREQ subsequently, it simply drops the packet. When N11 gets an RREQ, it unicasts an RREP packet to the source node through the established reverse path N11 → N10 → N9 → N7. When N7 gets the RREP, it successfully establishes a new path to N11 with a routing cost of 3 hops and adds the new entry to its routing table.
2.2. Flooding Attacks on AODV. Flooding attack is a form of DoS attack in which malicious nodes broadcast false packets in the network to exhaust the resources and disrupt the network operation. Depending on the type of packet used to flood the network, flooding attacks can be categorized into three categories: RREQ, DATA, and HELLO flooding attacks.
Wireless Communications and Mobile Computing 3
Figure 1: Description of route discovery process of AODV in the MANET. (Diagram of nodes 1 to 11 with their transmission ranges, showing the RREQ broadcasts and the RREP reply.)
In an RREQ flooding attack, a malicious node continuously and excessively broadcasts fake RREQ packets, which causes a broadcast storm and floods the network. The RREQ flooding attack is considered the most harmful in a MANET because it can ruin the route discovery process by exhausting the channel bandwidth and the processing resources of affected nodes. In a DATA flooding attack, a malicious node can excessively broadcast data packets to any nodes in the network. This type of attack has more impact on the nodes participating in the data routing to the destinations. The HELLO flooding attack builds on the fact that nodes periodically broadcast HELLO packets to announce their existence to their neighbors. A malicious node abuses this feature to broadcast HELLO packets excessively and forces its neighbors to spend their resources on processing unnecessary packets. This type is only detrimental to the neighbors of a malicious node. Figure 2 shows the behavior of malicious nodes (M) in a MANET for these types of attacks.
2.3. Review on Related Research. This section summarizes related work on threshold-based, machine learning-based, hash function-based, and digital-signature-based approaches in detecting and preventing flooding attacks in MANETs. Table 1 summarizes these methods and their drawbacks.
2.3.1. On Fixed Threshold-Based Approach. Solutions with a fixed threshold for mitigating the impact of RREQ flooding attacks are simple. However, with a static threshold, these methods are not suitable for dynamic environments where nodes are highly mobile and frequently broadcast route request packets. In [15], Gada used three fixed thresholds: RREQ_ACCEPT_LIMIT, RREQ_BLACKLIST_LIMIT, and RATE_RATELIMIT. The default value of RATE_RATELIMIT is 10. If the rate of receiving request packets is greater than RREQ_ACCEPT_LIMIT but less than RREQ_BLACKLIST_LIMIT, packets are simply dropped and not processed. If it is greater than RREQ_BLACKLIST_LIMIT, the source is declared a malicious node. The weakness of this solution is that it may lead to blacklisting of normal nodes (false positives) [16] and cause excessive end-to-end delay by dropping legitimate request packets once the RREQ_ACCEPT_LIMIT threshold is crossed.
In [16], Song et al. proposed a simple technique using an Effective Filtering Scheme (EFS) to detect malicious nodes. This solution uses two limit values: RATE_LIMIT and BLACKLIST_LIMIT. If the detected RREQ rate is higher than the RATE_LIMIT and the BLACKLIST_LIMIT, the node is declared malicious and is put into the black list. If the rate of RREQs originated by a node is between the RATE_LIMIT and the BLACKLIST_LIMIT, the RREQ packet is added to a "delay queue" waiting to be processed. Here, the authors set the RATE_LIMIT threshold to 5 and set the BLACKLIST_LIMIT up to 10.
In [13, 17], the authors developed flooding attack prevention (FAP), which prevents RREQ and DATA flooding attacks in MANETs. They argued that the priority of a node is inversely proportional to its broadcast frequency of RREQ. Hence, nodes that generate a high frequency of route requests will have a low priority and may be removed from the routing process. It is suggested that a node should not originate more than 10 RREQ packets per second, and hence the threshold of FAP is set at 15 for a good margin.
2.3.2. On Dynamic Threshold-Based Approach. Solutions with dynamic thresholds are more flexible as they can cope with the dynamic environment of MANETs. In [18], Mohammad proposed an improved protocol called B-AODV. In this method, each node employs a balance index (BI) for acceptance or rejection of RREQ packets. If the RREQ rate is higher than the BI value, the node is declared malicious and the RREQ packet is dropped. The results showed that B-AODV is resilient against RREQ flooding attacks. The main drawback of B-AODV is that it may drop legitimate request packets of a node moving at high speed, as the number of request packets may be higher than the balance index value [19]. Also, the method does not have a confirmation mechanism which can identify the node properly as a malicious node.
In [19], Gurung proposed a new mechanism called Mitigating Flooding Attack Mechanism. The mechanism is based on a dynamic threshold and consists of three phases. It deploys special Flooding Intrusion Detection System (F-IDS) nodes to detect and prevent flooding attacks. The F-IDS nodes are set in promiscuous mode to monitor the behavior of nodes in the network. The proposed mechanism has several features: (1) it uses a dynamic threshold; (2) it has a confirmation mechanism in which the special F-IDS node confirms the node as a malicious node by sending a dummy reply packet and waiting for the data packets; and (3) it has a recovery mechanism that allows the node to participate in the network after the expiry of the blocking time period. However, the use of several F-IDS nodes to monitor their neighbors and to communicate among themselves limits the performance of the overall network, especially when the network is not under attack.

Table 1: Summary of drawbacks of related works for detecting flooding attacks.

| Ref. | Name | Year | Method | Drawback |
|---|---|---|---|---|
| [15] | Proposed-AODV | 2004 | Fixed threshold | It uses a static threshold value, which is not suitable for a high mobility environment. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [13] | FAP | 2005 | Fixed threshold | It uses a static threshold value, which is not suitable for a high mobility environment. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [16] | EFS | 2006 | Fixed threshold | It uses a static threshold value, which is not suitable for a high mobility environment. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [18] | B-AODV | 2016 | Dynamic threshold | It can drop valid request packets of a node moving with high mobility speed if the number of request packets is greater than the BI value. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [19] | F-IDS | 2017 | Dynamic threshold | Performance varies. Using new control packets (ALERT) will increase communication overhead and limit the performance when operating in a network environment without attacks. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [20] | SMA2AODV | 2017 | Dynamic threshold | A malicious node can pass the security mechanism by transmitting the RREQ packets at a frequency lower than the threshold. |
| [21] | SVMT | 2013 | SVM | The proposed algorithm uses a fixed threshold to detect malicious nodes. |
| [22] | kNN-AODV | 2014 | kNN | The algorithm for building training data sets was not presented or justified. |

Figure 2: Description of flooding attacks in the MANET. (a) RREQ flooding. (b) HELLO and DATA flooding.
In [20], Tu introduced security mobile agents (SMA) to detect flooding attacks. An improved protocol, SMA2AODV, is proposed by integrating these SMAs into the route discovery process of the AODV protocol. During the training period, SMA agents are used to collect information for determining the minimal time-slot (the minimum time-slot for successfully discovering a path from a source node to a destination node) of the system (TSmin). After the training phase, node Ni checks the security of the RREQ packet received from source node Nj before broadcasting it to the neighbors. If the route discovery time-slot is smaller than the minimal time-slot of the system (T < TSmin), a flooding attack is said to have occurred with Nj as the attacker. Ni then adds Nj to its black list. All RREQ packets of nodes in the black list will be dropped. The drawback of this method is that TSmin is only valid if no malicious node exists during the training period.

Table 2: Description of symbols.

| Variable | Description |
|---|---|
| ti | ith route discovery time |
| Ti | ith inter-route discovery time |
| VNs | Vector of route discovery frequency of node NS |
| m | Size of vector of route discovery frequency |
| k | Cutoff value for kNN algorithm |
2.3.3. On Machine Learning Approach. In [21], Patel proposed the use of the support vector machine (SVM) algorithm for detecting and preventing flooding attacks. The behavior of every node is collected and passed to the support vector machine to decide if a node is malicious based on a threshold limit.
In [22], Wenchao proposed a new intrusion detection system based on the k-nearest neighbors (kNN) classification algorithm in wireless sensor networks to separate abnormal nodes from normal nodes by observing their behaviors. An m-dimensional vector is used to represent nodes and their behaviors, such as the number of routing messages that can be sent over a period of time, the number of nodes with different destinations in the sending routing packets, and the number of nodes with the same source node in the receiving routing packets. The paper shows that the system achieves high detection accuracy, but it does not provide justifications or the algorithm for building training datasets.
3. The Proposed FAPRP Solution
In this section, we present our algorithms and routing protocol for detecting flooding attacks in MANETs. First, we define a feature vector that represents the behavior of a node based on its history of route discovery: the route discovery frequency vector. Second, we describe an algorithm for obtaining the training dataset, which describes the normal behavior and the abnormal behavior of nodes for normal/malicious classification. Third, we present our flooding attack detection algorithm, and finally we present our proposed AODV-based flooding attacks prevention routing protocol. Table 2 defines symbols used in the paper.
3.1. Route Discovery Frequency Vector. In order to detect RREQ flooding attacks with kNN, the crucial problem is the selection of a feature vector that maximizes the separation of the normal and the malicious data classes and produces highly reliable classification. The selected features should be able to succinctly capture the inherent behavior of a node performing RREQ requests and the time-related network activities through their historical data records in order to differentiate "normal" from "malicious" behavior. We propose a route discovery frequency vector as the feature vector for this purpose. To quantify this vector, we define the following terms.
Definition 1. Route discovery time (ti) is the duration from the time a node first broadcasts a route discovery packet to the time it receives the corresponding route response. Assuming that node Ni receives the ith RREQ packet from the source node NS at time si and Ni receives the route response packet at time ei, the route discovery time (ti) is defined by

$$t_i = e_i - s_i \tag{1}$$

Definition 2. Inter-route discovery time (Ti) is the duration from the end of a route discovery to the beginning of the next route discovery. Assuming that the node Ni receives the (i+1)th RREQ packet from the source node NS at time si+1, the inter-route discovery time (Ti) is defined by (2).

$$T_i = s_{i+1} - e_i \tag{2}$$
In the AODV routing protocol, the route discovery frequency of a node depends on how frequently the node has to find a path to the required destination. All normal nodes have route discovery frequencies within a range, but malicious nodes have higher route discovery frequencies as their aim is to flood the network. Consider Figure 2(a): it shows three normal nodes A, B, C and one malicious node M. Figure 3(a) shows the route discovery history of the normal node (C) as recorded by the normal node (A). Figure 3(b) shows the route discovery history of the malicious node (M) that is also recorded by the normal node (A). The figures show that node C sent 6 RREQ packets and node M sent 13 RREQ packets over roughly the same duration.
We use an m-dimensional vector $V_{N_i}(a_1, a_2, a_3, \ldots, a_m)$ to represent the route discovery history of node Ni, where m is the size of the vector and $a_i$ is the ith inter-route discovery time.
Example 1. The route discovery history of the malicious node shown in Figure 3(b) is represented by the route discovery frequency vector $V_M(T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9, T_{10}, T_{11}, T_{12})$ of size 12.
Figure 4 shows typical vectors of size 40 of the route discovery frequency of normal and malicious nodes by NS2 simulation. It can be seen that the inter-route discovery time values for all normal nodes (N1 to N5) are generally larger (> 1 sec) than those for malicious nodes (M1 to M5), as they have low route discovery frequencies. However, there are cases where the malicious inter-route discovery times (Ti) are indistinguishable from the normal ones. One reason for this is the mobility of nodes in the environment: a recording node may not receive RREQ packets from a malicious node until some later time. Another reason for the overlapping region is when a malicious node floods the network at a frequency close to the rate at which a normal node can generate RREQs. As demonstrated in Section 4, our proposed algorithm successfully recognizes these abnormal cases based on the route discovery frequency feature.

Figure 3: Route discovery history recorded at normal node (A). (a) Route discovery history of normal node (C). (b) Route discovery history of malicious node (M).

Figure 4: An example describes vectors of route discovery frequency of 5 normal nodes (N1 to N5) and 5 malicious nodes (M1 to M5). (Plot of inter-route discovery time (sec) against size of vector (m).)
3.2. Algorithm for Obtaining a Training Dataset. We use NS2 [23] version 2.35 to build a training dataset of NVC (normal) and MVC (malicious) vector classes. The simulation scenario is set up with 100 normal nodes and 1 malicious node operated in an area of 2000 m x 2000 m. Normal nodes move under the random waypoint model with maximum speeds of 0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s across the scenarios; a malicious node is positioned at the center (1000 m x 1000 m) as shown in Figure 5. Other simulation parameters include the AODV routing protocol, 50 UDP connections, and constant bit rate (CBR) traffic type; the first data source commences at time 0, other data sources commence at 5 seconds apart after the first, and the malicious node floods f packets every second (f may take on different values: 2, 5, 10, 50, and 100).
The training process proceeds as follows.
Step 1. Select the dimension or size (m) of the feature vectors.
Step 2. Set the frequency of flooding to 2 initially (f = 2 per second).
Step 3. For each of the mobile scenarios (0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s), simulate the MANET as follows. Each node records the inter-route time of a source node (Ti) on receiving a RREQ from the source node. Ti is added to the malicious history frequency vector if the source is malicious; otherwise, it is added to the normal history frequency vector. At the end of this step, for each scenario, two sets of vectors are established:
(i) 100 malicious vectors $V^{j}_{M}(T^{M}_{1}, T^{M}_{2}, T^{M}_{3}, \ldots, T^{M}_{m})$, $\forall j = 1..100$
(ii) 100 normal vectors $V^{j}\left(\frac{\sum_{i=1}^{50} T^{i}_{1}}{50}, \frac{\sum_{i=1}^{50} T^{i}_{2}}{50}, \frac{\sum_{i=1}^{50} T^{i}_{3}}{50}, \ldots, \frac{\sum_{i=1}^{50} T^{i}_{m}}{50}\right)$, $\forall j = 1..100$
Step 4. At the end of Step 3, for all 5 scenarios, 100 average vectors for MVC and 100 vectors for NVC are obtained for this particular flooding frequency (f = 2).
Figure 5: Static network topology simulation for training, 50 UDP connections and malicious node positioned at the square in the center.

Figure 6: Two vector classes: black (+) for NVC and red (Δ) for MVC. (Plot of inter-route discovery time (sec) against size of vector (m), from 1 to 60.)
Step 5. The algorithm continues to establish MVC vectors and NVC vectors for other flooding frequencies (f = 5, 10, 50, and 100).
As a result of the training process, a training dataset with MVC and NVC vectors is shown in Figure 6. The training dataset is used to classify an unknown sample vector V (in the next section). In Figure 6, each vector is of size 60. It can be seen that there is an overlap between the two classes due to node mobility as well as the closeness of the rate of generation of RREQ packets of malicious and normal nodes.
3.3. Flooding Attack Detection Algorithm (FADA). All normal nodes collect route discovery information of source nodes in the network. On receiving a RREQ packet, a node employs the route discovery frequency vector (VNs) and uses a machine learning algorithm to determine if the source node is normal or malicious. The kNN-Classifier, based on the kNN [24] algorithm, is utilized to classify the two classes based on the route discovery frequency vectors for NVC or MVC. The kNN algorithm is theoretically mature, with low complexity, and is widely used for data mining. The main idea is that if most of a sample's k nearest neighbors belong to a class, the sample belongs to the same class. In kNN, the nearest neighbor refers to the distance between two samples, and various distance metrics can be used based on the feature vector that represents the samples. One of the most popular choices is the Euclidean distance in (3) to calculate the distance between V1 and V2. Algorithm 1 describes our algorithm for recognizing malicious nodes.

$$d(V_1, V_2) = \sqrt{\sum_{i=1}^{m} \left(V_1[i] - V_2[i]\right)^2} \tag{3}$$
    Input: the two classes NVC and MVC; vector of route discovery frequency (VNs)
    Output: True if VNs is in NVC, else False
    Begin
        MAX_VECTOR = 500
        Double Array disMVC[MAX_VECTOR], disNVC[MAX_VECTOR]
        For int vt = 0 to MAX_VECTOR - 1 do
            disMVC[vt] = Euclidean(VNs, MVCVectors[vt])
            disNVC[vt] = Euclidean(VNs, NVCVectors[vt])
        Sort(disMVC and disNVC, ASC)    // ascending sort
        int k1 = k2 = 0
        While (k1 + k2 < k)
            if (disNVC[k1] < disMVC[k2]) k1++
            else k2++
        Return (k1 > k2)
    End

Algorithm 1: Flooding attack detection algorithm using kNN.

3.4. FAPRP: A Novel Flooding Attacks Prevention Routing Protocol. In the original AODV protocol, as intermediate nodes accept all RREQ route discovery packets from any source nodes, hackers may exploit this vulnerability to perform RREQ flooding attacks. We propose the flooding attacks prevention routing protocol by introducing the flooding attacks detection algorithm into the route request phase of the AODV protocol, as described in Figure 7. Similar to AODV, path discovery is entirely on-demand for FAPRP. When a source node needs to send data packets to a destination node to which it has no available route, NS broadcasts a RREQ packet to its neighbors. The intermediate node (Ni) receiving a RREQ packet from a preceding node (Nj) checks security as follows.
First, duplicate RREQ packets received by a node are dropped, similar to the AODV protocol. Ni may receive multiple RREQ packets coming from its neighboring nodes, but it only handles the first RREQ packet, using the two parameters broadcast_id and src_add (source address) in the RREQ packet.
Second, unlike the AODV routing protocol, Ni adds the information (si and ei) to the route discovery history (RDH) of the source node. Each intermediate node stores the route discovery counter of all source nodes. If the value of Counters[NS] equals x, the source node NS has initiated route discovery x times to this point. If the route history is full, Ni shifts all elements of RDH one position to the left and adds the new element (si, ei) to the rightmost position.
In a MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in the FAPRP routing protocol, only the source node's neighbor nodes deploy the FADA algorithm to detect RREQ flooding attacks. Ni uses the source node address and the preceding node address to determine if it is a neighbor of the source NS. On receiving RREQ packets, the protocol works as follows.
Step A. If Ni is a neighbor of the source node NS:
(i) Ni measures all Ti values in VNs using the RDH of the source node.
(ii) If the route discovery frequency vector of the source node (VNs) is not full, Ni ignores the security check and goes to Step B.
(iii) Else, Ni uses FADA to classify NS using its feature vector VNs.
    (a) If VNs is in MVC, the source node is classified as malicious, the RREQ packet is dropped, and the algorithm terminates.
    (b) Else, go to Step B.
Step B. If Ni is not a neighbor of NS, it executes other commands similar to AODV as follows:
(i) Ni saves the broadcast_id and src_add values into its cache and adds a reverse route to the source node into its routing table.
(ii) If Ni is the destination or has a route toward the destination, it unicasts a RREP packet back to its neighbor from which it received the RREQ packet (Nj); otherwise, it rebroadcasts the RREQ packet.
When the destination node gets a RREQ, it updates the time instance ei in the RDH of the source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, Ni assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates ei in the RDH of the source node; that is, it sets i=Counters[NS]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
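The kNN vote of Algorithm 1 together with the Step A gate, as an added Python example (not the authors' NS2 code). The function names, the bounds handling, and the constructed training vectors (normal Ti in [2, 8] s, malicious Ti in [0.01, 0.6] s) are assumptions standing in for the NS2-derived NVC and MVC datasets.

```python
"""FADA vote (Algorithm 1) and the FAPRP Step A gate, on constructed data."""
import math
import random


def euclidean(v1, v2):
    """Equation (3): distance between two RDFVs of the same size m."""
    if len(v1) != len(v2):
        raise ValueError("RDFVs must have the same size m")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v1, v2)))


def fada_is_normal(v_ns, nvc, mvc, k):
    """Algorithm 1: True if most of the k nearest training vectors are NVC."""
    if not 0 < k <= len(nvc) + len(mvc):
        raise ValueError("k must be between 1 and the training set size")
    dis_nvc = sorted(euclidean(v_ns, v) for v in nvc)
    dis_mvc = sorted(euclidean(v_ns, v) for v in mvc)
    k1 = k2 = 0  # neighbours taken from NVC and from MVC
    while k1 + k2 < k:
        mvc_used_up = k2 >= len(dis_mvc)
        nvc_closer = k1 < len(dis_nvc) and (
            mvc_used_up or dis_nvc[k1] < dis_mvc[k2])
        if nvc_closer:
            k1 += 1
        else:
            k2 += 1  # equal distances count towards MVC, as in Algorithm 1
    return k1 > k2  # an even split (k1 == k2) is treated as malicious


def accept_rreq(is_neighbor_of_source, v_ns, m, nvc, mvc, k):
    """Step A: False means drop the RREQ, True means continue with Step B."""
    if not is_neighbor_of_source:
        return True  # only the source's neighbours run FADA
    if len(v_ns) < m:
        return True  # VNs not full yet: the security check is skipped
    return fada_is_normal(v_ns[-m:], nvc, mvc, k)


def constructed_training_set(m, per_class, seed=1):
    """Constructed stand-in for the NVC/MVC training vectors (assumption)."""
    rng = random.Random(seed)
    nvc = [[rng.uniform(2.0, 8.0) for _ in range(m)] for _ in range(per_class)]
    mvc = [[rng.uniform(0.01, 0.6) for _ in range(m)] for _ in range(per_class)]
    return nvc, mvc


M, K = 40, 25                      # vector size and cutoff value from Table 3
NVC, MVC = constructed_training_set(M, per_class=100)
FLOODER = [0.1] * M                # constructed: one RREQ every 0.1 s
QUIET = [5.0] * M                  # constructed: one discovery every 5 s

if __name__ == "__main__":
    print("flooder accepted:", accept_rreq(True, FLOODER, M, NVC, MVC, K))
    print("quiet node accepted:", accept_rreq(True, QUIET, M, NVC, MVC, K))
    print("flooder, VNs not full:",
          accept_rreq(True, FLOODER[:10], M, NVC, MVC, K))
```

The last call shows a property of Step A (ii) worth monitoring in a deployment: until m inter-route discovery times have been recorded for a source, its RREQs pass unchecked.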
Example 2. Figure 8 describes how an intermediate node (Ni) handles the RREQ and RREP packets. First, on receiving the RREQ packet at time p1, Ni increases Counters[NS] to 1 (Counters[NS]=1) and records s1=e1=p1. Second, on receiving the RREP packet at time p2, Ni updates e1=p2. Next, at time p3, Ni receives the RREQ packet, increases Counters[NS] by 1 (Counters[NS]=2), and records s2=e2=p3. Similarly, at time p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3=e3=p4. Finally, Ni records the RREP at time p5 and updates e3=p5. Because p1 < p2 < p3 < p4 < p5, Ti > 0 ∀i = 1..2.

Figure 7: Request route process of FAPRP routing protocol. (Flowchart.)

Figure 8: Route discovery history of the source node and 1 destination node.

Figure 9: Route discovery history of a source and 3 destination nodes. (a) Ni receives 4 RREQ packets. (b) Ni receives 2 RREP packets. (c) Ni receives a RREQ and a RREP packet.

3.5. Discussion. RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQs and does not care about the destinations.
Example 3. Consider a network topology with n nodes, including one source node NS and three destination nodes ND1, ND2, and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2, and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost and Ni received only 4 RREQ packets, at p1, p2, p3, and p4, respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.
After p4, Ni receives two RREP response packets to the source at p5 and p6. When receiving the RREP at time p5, Ni updates e4=p5, and Ni continues to update e4=p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving two RREP packets.
Finally, Ni receives another RREQ packet from NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS]=5) and sets s5=e5=p7, and on receiving the last RREP packet, Ni updates e5=p8. Figure 9(c) shows the RDH of the NS source node at p8.
Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
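The RDH bookkeeping of Section 3.4 replayed over Examples 2 and 3, as an added Python example (not the authors' NS2 code). The class and method names, the timestamps p1 to p8, and the choice of m + 1 history entries for m values of Ti are assumptions made for illustration.

```python
"""Route discovery history (RDH) kept by an intermediate node Ni."""
from collections import deque


class IntermediateNode:
    def __init__(self, m):
        self.m = m            # size of the RDFV
        self.seen = set()     # (src_add, broadcast_id) of handled RREQs
        self.counters = {}    # Counters[NS]
        self.rdh = {}         # NS -> deque of [s_i, e_i]

    def on_rreq(self, src_add, broadcast_id, now):
        """Return False for a duplicate RREQ (dropped, history unchanged)."""
        if (src_add, broadcast_id) in self.seen:
            return False
        self.seen.add((src_add, broadcast_id))
        self.counters[src_add] = self.counters.get(src_add, 0) + 1
        # Assumption: m values of Ti need m + 1 entries. deque(maxlen=...)
        # drops the oldest entry, i.e. the "shift left" of a full history.
        history = self.rdh.setdefault(src_add, deque(maxlen=self.m + 1))
        history.append([now, now])  # s_i = e_i = now
        return True

    def on_rrep(self, src_add, now):
        """RREPs carry no discovery index: update e_i of the last discovery."""
        history = self.rdh.get(src_add)
        if history:
            history[-1][1] = now

    def rdfv(self, src_add):
        """Equation (2): T_i = s_(i+1) - e_i over consecutive entries."""
        h = list(self.rdh.get(src_add, ()))
        return [h[i + 1][0] - h[i][1] for i in range(len(h) - 1)]

    def rdfv_is_full(self, src_add):
        return len(self.rdfv(src_add)) == self.m


def replay(events, m):
    """Feed (kind, src_add, broadcast_id, time) events to a fresh node."""
    node = IntermediateNode(m)
    for kind, src_add, broadcast_id, now in events:
        if kind == "RREQ":
            node.on_rreq(src_add, broadcast_id, now)
        else:
            node.on_rrep(src_add, now)
    return node


# Constructed timestamps for Example 2: p1..p5 = 1, 2, 4, 7, 8 seconds.
EXAMPLE_2 = [("RREQ", "NS", 1, 1.0), ("RREP", "NS", None, 2.0),
             ("RREQ", "NS", 2, 4.0), ("RREQ", "NS", 3, 7.0),
             ("RREP", "NS", None, 8.0)]
# Constructed timestamps for Example 3: p1..p8 = 1, 2, 3, 4, 5, 6, 9, 10.
EXAMPLE_3 = [("RREQ", "NS", 1, 1.0), ("RREQ", "NS", 2, 2.0),
             ("RREQ", "NS", 3, 3.0), ("RREQ", "NS", 4, 4.0),
             ("RREP", "NS", None, 5.0), ("RREP", "NS", None, 6.0),
             ("RREQ", "NS", 5, 9.0), ("RREP", "NS", None, 10.0)]

if __name__ == "__main__":
    print("Example 2 RDFV:", replay(EXAMPLE_2, 60).rdfv("NS"))
    print("Example 3 RDFV:", replay(EXAMPLE_3, 60).rdfv("NS"))
    print("Example 3 with m = 2:", replay(EXAMPLE_3, 2).rdfv("NS"))
```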
4. Performance Evaluation by Simulation
In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.
4.1. Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.
The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0, and the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.

Table 3: Simulation parameters.

| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m²) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1..10, 1..20, and 1..30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |

Figure 10: Malicious nodes location in the 1000 m x 1000 m area. (a) 1 node, at (500, 500). (b) 2 nodes, at (500, 700) and (500, 300).
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].
(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true: the packets come from normal nodes. AF is the number of RREQ packets that are accepted false: the packets come from malicious nodes. DT is the number of RREQ packets that are dropped true: the packets come from malicious nodes. DF is the number of RREQ packets that are dropped false: the packets come from normal nodes.

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \ast 100 \tag{4}$$

(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} DATA^{received}_{i}}{\sum_{j=1}^{m} DATA^{sent}_{j}} \ast 100 \tag{5}$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay^{i}_{DATA}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} Delay^{i}_{DATA}}{n} \tag{6}$$
(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to the successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET^{overhead}_{j}}{\sum_{i=1}^{n} DATA^{received}_{i}} \tag{7}$$

Table 4: AODV performances under flooding attacks.

| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10 pkt/s | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10 pkt/s | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20 pkt/s | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20 pkt/s | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |
| Standard deviation values | | | | | | | | | | |
| 0 pkt/s | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10 pkt/s | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10 pkt/s | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20 pkt/s | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20 pkt/s | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |
4.2. Simulation Results
4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.
Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that, without flooding attack, the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: the RDFV is of size 10, 15, 20, 25, 30, 35, 40, and 60, and the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.
The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN data mining algorithm, our method achieves much higher malicious node detection ratios than those of existing algorithms, and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and the RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
Figure 11: AODV performance under RREQ flooding attacks. Panels: (a) packet delivery ratio (%), (b) end-to-end delay (sec), (c) routing load (pkt), each plotted against mobility speed (m/s) for the Normal, 1MN-10pkts, 1MN-20pkts, 2MN-10pkts, and 2MN-20pkts scenarios.

4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and the vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation), and 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV in normal scenarios, the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47% standard deviation). Under flooding scenarios, FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes (2.73% maximum standard deviation). In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks, with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.

Table 5: AODV, B-AODV, and FAPRP performances.

| Speed | MN | PDR (%) AODV | PDR (%) BAODV | PDR (%) FAPRP | RL (pkt) AODV | RL (pkt) BAODV | RL (pkt) FAPRP | ETE (sec) AODV | ETE (sec) BAODV | ETE (sec) FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10 m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10 m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20 m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20 m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20 m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30 m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30 m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30 m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |

Figure 12: Malicious nodes successful detection ratio. Panels: (a) 1-10 m/s mobility speed, (b) 1-20 m/s mobility speed, (c) 1-30 m/s mobility speed, (d) average of mobility speed. Each panel plots the malicious node detection ratio (%) against the size of vector (m) for k = 10, 15, 20, 25, 30, 35, 40, 45, and 50.

Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks. Panels: (a) packet delivery ratio (%), (b) end-to-end delay (sec), (c) routing load (pkt), each plotted against the number of malicious nodes (0, 1, 2) for AODV, BAODV, and FAPRP at 1-10 m/s, 1-20 m/s, and 1-30 m/s.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkts and 670.06 pkts for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV in normal scenarios, the routing load is about 3.37 pkt. B-AODV average routing load under attack is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for the normal scenario and high mobility speed is about 5.61 pkt. Under flooding attacks, FAPRP average routing load is about 6.99 pkts and 8.28 pkts when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion

In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves a higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms, and a lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to the AODV and B-AODV protocols.

In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101), supervised by the Hue University of Sciences, Hue University.

Supplementary Materials

We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. The ID, file name, and description are as follows:
1. aodv cc.rar: source code of AODV routing protocol for simulation in NS2.35.
2. fdaodv cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
3. baodv cc.rar: source code of BAODV routing protocol for simulation in NS2.35.
4. fdbaodv cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
5. faprp cc.rar: source code of FAPRP routing protocol for simulation in NS2.35.
6. fdfaprp cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
7. scen.rar: 15 network topologies for simulation.
8. TCL.rar: TCL source code used to write the simulation script in ns2, and analysis files (awk) for the simulation.
9. DATA.rar: all simulation data.
10. Figures.rar: all scripts (gnuplot) to create the figures in the paper.
(Supplementary Materials)
References
[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, "An overview of mobile ad hoc networks: Applications and challenges," Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, "Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers," in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, "The Zone Routing Protocol (ZRP) for Ad Hoc Networks," INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, "A survey on routing algorithms for wireless Ad-Hoc and mesh networks," Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, "Security in wireless ad-hoc networks - A survey," Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, "A survey of intrusion detection in wireless network applications," Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, "A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks," Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns/.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1–11, 2017.
Figure 1: Description of route discovery process of AODV in the MANET (diagram of nodes 1 to 11 and their transmission ranges, with the RREQ and RREP packets exchanged between them).
In RREQ flooding attack, a malicious node continuously and excessively broadcasts fake RREQ packets, which causes a broadcast storm and floods the network. The RREQ flooding attack is considered most harmful in MANET because it can ruin the route discovery process by exhausting the channel bandwidths and the processing resources of affected nodes. In DATA flooding attack, a malicious node can excessively broadcast data packets to any nodes in the network. This type of attack has more impact on the nodes participating in the data routing to the destinations. In HELLO flooding attack, nodes periodically broadcast HELLO packets to announce their existence to their neighbors. A malicious node abuses this feature to broadcast HELLO packets excessively and forces its neighbors to spend their resources on processing unnecessary packets. This type is only detrimental to the neighbors of a malicious node. Figure 2 shows the behavior of malicious nodes (M) in a MANET for these types of attacks.
2.3. Review on Related Research. This section summarizes related work on threshold-based, machine learning-based, hash function-based, and digital-signature-based approaches in detecting and preventing flooding attacks in MANETs. Table 1 summarizes these methods and their drawbacks.
2.3.1. On Fixed Threshold-Based Approach. Solutions are simple, with a fixed threshold for mitigating the impact of RREQ flooding attacks. However, with a static threshold, these methods are not suitable for dynamic environments where nodes are highly mobile and frequently broadcast route request packets. In [15], Gada used three fixed thresholds: RREQ_ACCEPT_LIMIT, RREQ_BLACKLIST_LIMIT, and RATE_RATELIMIT. The default value of RATE_RATELIMIT is 10. If the rate of receiving request packets is greater than RREQ_ACCEPT_LIMIT but less than RREQ_BLACKLIST_LIMIT, packets are simply dropped and not processed. If it is greater than RREQ_BLACKLIST_LIMIT, the source is declared as a malicious node. The weakness of this solution is that it may lead to blacklisting of normal nodes (false positive) [16] and cause excessive end-to-end delay by dropping legitimate request packets once the RREQ_ACCEPT_LIMIT threshold is crossed.
In [16], Song et al. proposed a simple technique using an Effective Filtering Scheme (EFS) to detect malicious nodes. This solution uses two limit values, RATE_LIMIT and BLACKLIST_LIMIT. If the detected RREQ rate is higher than the RATE_LIMIT and the BLACKLIST_LIMIT, the malicious node is declared and it will be put into the black list. If the rate of RREQs originated by a node is between the RATE_LIMIT and the BLACKLIST_LIMIT, the RREQ packet is added to a "delay queue" waiting to be processed. Here, the authors set the RATE_LIMIT threshold to 5 and set the BLACKLIST_LIMIT up to 10.
In [13, 17], the authors developed flooding attack prevention (FAP) that prevents RREQ and DATA flooding attacks in MANETs. They argued that the priority of a node is inversely proportional to its broadcast frequency of RREQ. Hence, nodes that generate a high frequency of route requests will have a low priority and may be removed from the routing process. It is suggested that a node should not originate more than 10 RREQ packets per second, and hence the threshold of FAP is set at 15 for a good margin.
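The EFS rule described above, replayed over a constructed RREQ log, makes the costs of a fixed threshold that this section points out visible from the detector's side. This is an added example, not code from [16] or from this paper; the one-second sliding window, the node names, and the log itself are assumptions.

```python
"""EFS-style fixed-threshold RREQ filter replayed over a constructed RREQ log."""
from collections import Counter, defaultdict, deque

RATE_LIMIT = 5        # EFS value quoted in the text
BLACKLIST_LIMIT = 10  # EFS value quoted in the text
WINDOW_MS = 1000      # assumption: rate = RREQs per originator in the last second


class FixedThresholdFilter:
    def __init__(self):
        self.recent = defaultdict(deque)  # originator -> timestamps inside the window
        self.blacklist = set()
        self.delay_queue = []             # RREQs held back for later processing

    def on_rreq(self, t_ms, src):
        """Return the action taken for one RREQ originated by src at t_ms."""
        if src in self.blacklist:
            return "drop"
        window = self.recent[src]
        window.append(t_ms)
        # Forget arrivals that are a full window old; the newest one always stays.
        while t_ms - window[0] >= WINDOW_MS:
            window.popleft()
        rate = len(window)
        if rate > BLACKLIST_LIMIT:
            self.blacklist.add(src)
            return "blacklist"
        if rate > RATE_LIMIT:
            self.delay_queue.append((t_ms, src))
            return "delay"
        return "forward"


def constructed_log():
    """Constructed RREQ arrivals (ms, originator); node names are hypothetical."""
    log = [(i * 50, "M_fast") for i in range(20)]            # 20 RREQ/s for 1 s
    log += [(i * 200, "M_slow") for i in range(100)]         # 5 RREQ/s for 20 s
    log += [(3000 + i * 100, "N_mobile") for i in range(8)]  # burst after route breaks
    log += [(10000, "N_mobile"), (15000, "N_mobile")]        # ordinary discoveries
    return sorted(log)


def replay(log):
    """Feed the log through the filter and count actions per originator."""
    flt = FixedThresholdFilter()
    actions = defaultdict(Counter)
    for t_ms, src in log:
        actions[src][flt.on_rreq(t_ms, src)] += 1
    return actions, flt


if __name__ == "__main__":
    actions, flt = replay(constructed_log())
    for src in sorted(actions):
        print(src, dict(actions[src]))
    print("blacklisted:", sorted(flt.blacklist))
```

The fast flooder is blacklisted after its eleventh RREQ, while the source that stays at the limit has all 100 requests forwarded and the legitimate mobile node has part of its burst delayed, which is the behaviour Table 1 lists as the drawback of static thresholds.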
2.3.2. On Dynamic Threshold-Based Approach. Solutions with dynamic thresholds are more flexible, as they can cope with the dynamic environment of MANETs. In [18], Mohammad proposed an improved protocol called B-AODV. In this method, each node employs a balance index (BI) for acceptance or rejection of RREQ packets. If the RREQ rate is higher than the BI value, a malicious node is declared and the RREQ packet is dropped. The results showed that B-AODV is resilient against RREQ flooding attacks. The main drawback of B-AODV is that it may drop legitimate request packets of a node moving at high speed, as the number of request packets may be higher than the balance index value [19]. Also, the method does not have a confirmation mechanism which can identify the node properly as a malicious node.
In [19], Gurung proposed a new mechanism called Mitigating Flooding Attack Mechanism. The mechanism is based on a dynamic threshold and consists of three phases. It deploys special Flooding Intrusion Detection System (F-IDS) nodes to detect and prevent flooding attacks. The F-IDS nodes are set in the promiscuous mode to monitor the behavior of nodes in the network. The proposed mechanism has several features: (1) it uses a dynamic threshold; (2) it has a confirmation mechanism in which the special F-IDS node confirms the node as a malicious node by sending a dummy reply packet and waits for the data packets; and (3) it has a recovery mechanism that allows the node to participate in the network after the expiry of the blocking time period. However, the use of several F-IDS nodes to monitor their neighbors and to communicate among them limits the performance of the overall network, especially when the network is not under attack.

Table 1: Summary of drawbacks of related works for detecting flooding attacks.

| Ref | Name | Year | Method | Drawback |
|---|---|---|---|---|
| [15] | Proposed-AODV | 2004 | Fixed threshold | It uses a static threshold value which is not suitable for high mobility environment. Malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [13] | FAP | 2005 | Fixed threshold | Same as above. |
| [16] | EFS | 2006 | Fixed threshold | Same as above. |
| [18] | B-AODV | 2016 | Dynamic threshold | It can drop valid request packets of the node moving with high mobility speed if the number of request packets is greater than the BI value. Malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [19] | F-IDS | 2017 | Dynamic threshold | Performance varies. Using new control packets (ALERT) will increase communication overhead and limit the performance when operating in a network environment without attacks. Malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [20] | SMA2AODV | 2017 | Dynamic threshold | Malicious node can pass the security mechanism by transmitting the RREQ packets at a frequency lower than the threshold. |
| [21] | SVMT | 2013 | SVM | The proposed algorithm uses a fixed threshold to detect malicious nodes. |
| [22] | kNN-AODV | 2014 | kNN | The algorithm for building training data sets was not presented or justified. |

Figure 2: Description of flooding attacks in the MANET. Panels: (a) RREQ flooding, (b) HELLO and DATA flooding.
In [20], Tu introduced security mobile agents (SMA) to detect flooding attacks. An improved protocol, SMA2AODV, is proposed by integrating these SMAs into the route discovery process of the AODV protocol. During the training period, SMA agents are used to collect information for determining the minimal time-slot (the minimum time-slot for successfully discovering a path from a source node to a destination node) of the system ($TS_{min}$). After the training phase, node $N_i$ checks the security of the RREQ packet received from source node $N_j$ before broadcasting it to the neighbors. If the route discovery time-slot is smaller than the minimal time-slot of the system ($T < TS_{min}$), a flooding attack is said to have occurred with $N_j$ as the attacker. $N_i$ then adds $N_j$ to its black list. All RREQ packets of nodes in the black list will be dropped. The drawback of this method is that $TS_{min}$ is only valid if no malicious node exists during the training period.

Table 2: Description of symbols.

| Variable | Description |
|---|---|
| $t_i$ | Route discovery time $i$th |
| $T_i$ | Inter-route discovery time $i$th |
| $V_{N_s}$ | Vector of route discovery frequency of $N_s$ node |
| m | Size of vector of route discovery frequency |
| k | Cutoff value for kNN algorithm |
2.3.3. On Machine Learning Approach. In [21], Patel proposed the use of the support vector machine (SVM) algorithm for detecting and preventing flooding attacks. The behavior of every node is collected and passed to the support vector machine to decide if a node is malicious based on a threshold limit.

In [22], Wenchao proposed a new intrusion detection system based on the k-nearest neighbors (kNN) classification algorithm in wireless sensor networks to separate abnormal nodes from normal nodes by observing their behaviors. An m-dimensional vector is used to represent nodes and their behaviors, such as the number of routing messages that can be sent over a period of time, the number of nodes with different destinations in the sending routing packets, and the number of nodes with the same source node in the receiving routing packets. The paper shows that the system achieves high detection accuracy, but it does not provide justifications or the algorithm for building training datasets.
3. The Proposed FAPRP Solution

In this section, we present our algorithms and routing protocol for detecting flooding attacks in MANETs. First, we define a feature vector that represents the behavior of a node based on its history of route discovery: the route discovery frequency vector. Second, we describe an algorithm for obtaining the training dataset, which describes the normal behavior and the abnormal behavior of nodes for normal/malicious classification. Third, we present our flooding attack detection algorithm, and finally we present our proposed AODV-based flooding attacks prevention routing protocol. Table 2 defines the symbols used in the paper.
3.1. Route Discovery Frequency Vector. In order to detect RREQ flooding attacks with kNN, the crucial problem is the selection of a feature vector that maximizes the separation of the normal and the malicious data classes and produces highly reliable classification. The selected features should be able to succinctly capture the inherent behavior of a node performing RREQ requests and the time-related network activities through their historical data records in order to differentiate "normal" from "malicious" behavior. We propose a route discovery frequency vector as the feature vector for this purpose. To quantify this vector, we define the following terms.
Definition 1. Route discovery time ($t_i$) is the duration from the time a node first broadcasts a route discovery packet to the time it receives the corresponding route response. Assuming that node $N_i$ receives the $i$th RREQ packet from the source node $N_s$ at time $s_i$ and $N_i$ receives the route response packet at time $e_i$, the route discovery time ($t_i$) is defined by (1):

$$t_i = e_i - s_i \qquad (1)$$

Definition 2. Inter-route discovery time ($T_i$) is the duration from the end of a route discovery to the beginning of the next route discovery. Assuming that the node $N_i$ receives the $(i+1)$th RREQ packet from the source node $N_s$ at time $s_{i+1}$, the inter-route discovery time ($T_i$) is defined by (2):

$$T_i = s_{i+1} - e_i \qquad (2)$$
In the AODV routing protocol, the route discovery frequency of a node depends on how frequently the node has to find a path to the required destination. All normal nodes have route discovery frequencies within a range, but malicious nodes have higher route discovery frequencies, as their aim is to flood the network. Consider Figure 2(a): it shows three normal nodes A, B, C and one malicious node M. Figure 3(a) shows the route discovery history of the normal node (C) as recorded by the normal node (A). Figure 3(b) shows the route discovery history of the malicious node (M) that is also recorded by the normal node (A). The figures show that node C sent 6 RREQ packets and node M sent 13 RREQ packets over roughly the same duration.
We use an m-dimensional vector $V_{N_i}(a_1, a_2, a_3, \ldots, a_m)$ to represent the route discovery history of node $N_i$, where m is the size of the vector and $a_i$ is the $i$th inter-route discovery time.

Example 1. Route discovery history of the malicious node shown in Figure 3(b) is represented by the route discovery frequency vector $V_M(T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9, T_{10}, T_{11}, T_{12})$ of size 12.
Figure 4 shows typical vectors of size 40 of the route discovery frequency of normal and malicious nodes by NS2 simulation. It can be seen that the inter-route discovery time values for all normal nodes (N1 to N5) are generally larger (> 1 sec) than those for malicious nodes (M1 to M5), as they have low route discovery frequencies. However, there are cases where the malicious inter-route discovery times ($T_i$) are indistinguishable from the normal ones. One reason for this is the mobility of nodes in the environment: a recording node may not receive RREQ packets from a malicious node until some later time. Another reason for the overlapping region is when a malicious node floods the network at a frequency close to the rate at which a normal node can generate RREQs. As demonstrated in Section 4, our proposed algorithm successfully recognizes these abnormal cases based on the route discovery frequency feature.

Figure 3: Route discovery history recorded at normal node (A). Panels: (a) route discovery history of normal node (C), (b) route discovery history of malicious node (M); each is a timeline of the recorded route discoveries and the inter-route discovery times between them.

Figure 4: An example describes vectors of route discovery frequency of 5 normal nodes (N1 to N5) and 5 malicious nodes (M1 to M5). Axes: size of vector (m) versus inter-route discovery time (sec).
3.2. Algorithm for Obtaining a Training Dataset. We use NS2 [23] version 2.35 to build a training dataset of NVC (normal) and MVC (malicious) vector classes. The simulation scenario is set up with 100 normal nodes and 1 malicious node operated in an area of 2000 m x 2000 m. Normal nodes move under the random waypoint model with maximum speeds of 0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s scenarios; a malicious node is positioned at the center (1000 m x 1000 m), as shown in Figure 5. Other simulation parameters include the AODV routing protocol, 50 UDP connections, and constant bit rate (CBR) traffic type; the first data source commences at time 0, other data sources commence at 5 seconds apart after the first, and the malicious node respectively floods f packets every second (f may take on different values: 2, 5, 10, 50, and 100).
The training process proceeds as follows
Step 1 Select the dimension or size (m) of the feature vectors
Step 2 Set the frequency of flooding to 2 initially (f = 2 persecond)
Step 3 For each of the mobile scenarios (0ms 10ms 20ms30ms and 40ms) simulate the MANET as follows Eachnode records the inter-route time of a source node (Ti) onreceiving a RREQ from the source node Add Ti to themalicious history frequency vector if the source is maliciousotherwise it is added to the normal history frequency vectorAt the end of this step for each scenario two sets of vectorsare established
(i) 100 malicious vectors $V^{j}_{M}(T^{M}_{1}, T^{M}_{2}, T^{M}_{3}, \ldots, T^{M}_{m})$, $\forall j = 1..100$
(ii) 100 normal vectors $V^{j}\left(\sum_{i=1}^{50} T^{i}_{1}/50, \sum_{i=1}^{50} T^{i}_{2}/50, \sum_{i=1}^{50} T^{i}_{3}/50, \ldots, \sum_{i=1}^{50} T^{i}_{m}/50\right)$, $\forall j = 1..100$
Step 4. At the end of Step 3, for all 5 scenarios, 100 average vectors for MVC and 100 vectors for NVC are obtained for this particular flooding frequency (f = 2).
Step 5. The algorithm continues to establish MVC vectors and NVC vectors for the other flooding frequencies (f = 5, 10, 50 and 100).
Figure 5 Static network topology simulation for training: 50 UDP connections and malicious node positioned at the square in the center
Figure 6 Two vector classes: black (+) for NVC and red (Δ) for MVC; x-axis: size of vector (m), y-axis: inter-route discovery time (sec)
As a result of the training process, a training dataset with MVC and NVC vectors is shown in Figure 6. The training dataset is used to classify an unknown sample vector V (in the next section). In Figure 6, each vector is of size 60. It can be seen that there is an overlap between the two classes due to node mobility as well as the closeness of the rate of generation of RREQ packets of malicious and normal nodes.
3.3 Flooding Attack Detection Algorithm (FADA). All normal nodes collect route discovery information of source nodes in the network. On receiving a RREQ packet, a node employs the route discovery frequency vector (VNs) and uses a machine learning algorithm to determine if the source node is normal or malicious. The kNN-Classifier, based on the kNN [24] algorithm, is utilized to classify the two classes based on the route discovery frequency vectors for NVC or MVC. The kNN algorithm is theoretically mature, has low complexity and is widely used for data mining. The main idea is that if most of a sample's k nearest neighbors belong to a class, the sample belongs to the same class. In kNN, the nearest neighbor refers to the distance between two samples, and various distance metrics can be used based on the feature vector that represents the samples. One of the most popular choices is the Euclidean distance in (3), used to calculate the distance between V1 and V2. Algorithm 1 describes our algorithm for recognizing malicious nodes.
$$d(V_1, V_2) = \sqrt{\sum_{i=1}^{m} \left(V_1[i] - V_2[i]\right)^2} \quad (3)$$
3.4 FAPRP: A Novel Flooding Attacks Prevention Routing Protocol. In the original AODV protocol, as intermediate nodes accept all RREQ route discovery packets from any source nodes, hackers may exploit this vulnerability to perform RREQ flooding attacks. We propose the flooding attacks prevention routing protocol by introducing the flooding attacks detection algorithm into the route request phase of the AODV protocol, as described in Figure 7. Similar to AODV, path discovery is entirely on-demand for FAPRP. When a
Input: Two classes NVC and MVC; vector of route discovery frequency (VNs)
Output: True if VNs in NVC, else return False
Begin
    MAX_VECTOR = 500
    Double Array disMVC[MAX_VECTOR], disNVC[MAX_VECTOR]
    // arrays are indexed from 0 so that the loop and the vote below agree
    For int vt = 0 to MAX_VECTOR - 1 do
        disMVC[vt] = Euclidean(VNs, MVCVectors[vt])
        disNVC[vt] = Euclidean(VNs, NVCVectors[vt])
    Sort(disMVC and disNVC, ASC)    // ascending sort
    int k1 = k2 = 0
    While (k1 + k2 < k)
        if (disNVC[k1] < disMVC[k2]) k1++
        else k2++
    Return (k1 > k2)
End
Algorithm 1 Flooding attack detection algorithm using kNN
source node needs to send data packets to a destination node to which it has no available route, NS broadcasts a RREQ packet to its neighbors. The intermediate node (Ni) receiving a RREQ packet from a preceding node (Nj) checks security as follows.
First, duplicate RREQ packets received by a node are dropped, similar to the AODV protocol. Ni may receive multiple RREQ packets coming from its neighboring nodes, but it only handles the first RREQ packet, using the two parameters broadcast_id and src_add (source address) in the RREQ packet.
Second, unlike the AODV routing protocol, Ni adds the information (si and ei) to the route discovery history (RDH) of the source node. Each intermediate node stores the route discovery counter of all source nodes. If the value of Counters[NS] equals x, the source node NS has initiated route discovery x times to this point. If the route history is full, Ni shifts all elements of RDH one position to the left and adds the new element (si, ei) to the rightmost position.
In a MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in the FAPRP routing protocol only the source node's neighbor nodes deploy the FADA algorithm to detect RREQ flooding attacks. Ni uses the source node address and the preceding node address to determine if it is a neighbor of the source NS. On receiving RREQ packets, the protocol works as follows.
Step A. If Ni is a neighbor of the source node NS:
(i) Ni measures all Ti values in VNs using the RDH of the source node.
(ii) If the route discovery frequency vector of the source node (VNs) is not full, Ni ignores the security check and goes to Step B.
(iii) Else, Ni uses FADA to classify NS using its feature vector VNs.
(a) If VNs is in MVC, the source node is classified as malicious, the RREQ packet is dropped and the algorithm terminates.
(b) Else, go to Step B.
Step B. If Ni is not a neighbor of NS, it executes other commands similar to AODV as follows:
(i) Ni saves the broadcast_id and src_add values into its cache and adds a reverse route to the source node into its routing table.
(ii) If Ni is the destination or has a route toward the destination, it unicasts a RREP packet back to the neighbor from which it received the RREQ packet (Nj); otherwise, it rebroadcasts the RREQ packet.
When the destination node gets a RREQ, it updates the time instance ei in the RDH of the source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, Ni assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates ei in the RDH of the source node; that is, it sets i = Counters[NS]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
Example 2. Figure 8 describes how an intermediate node (Ni) handles the RREQ and RREP packets. First, on receiving the RREQ packet at time p1, Ni increases Counters[NS] to 1 (Counters[NS] = 1) and records s1 = e1 = p1. Second, on receiving the RREP packet at time p2, Ni updates e1 = p2. Next, at time p3, Ni receives the RREQ packet, increases Counters[NS] by 1 (Counters[NS] = 2) and records s2 = e2 = p3. Similarly, at time
Figure 7 Request route process of FAPRP routing protocol
Figure 8 Route discovery history of the source node and 1 destination node
Figure 9 Route discovery history of a source and 3 destination nodes: (a) Ni receives 4 RREQ packets; (b) Ni receives 2 RREP packets; (c) Ni receives a RREQ and a RREP packet
p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3 = e3 = p4. Finally, Ni records the RREP at time p5 and updates e3 = p5. Because p1 < p2 < p3 < p4 < p5, Ti > 0 ∀i = 1..2.
3.5 Discussion. RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQs and does not care about the destinations.
Example 3. Consider a network topology with n nodes, including one source node NS and three destination nodes ND1, ND2 and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2 and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost and Ni received only 4 RREQ packets, at p1, p2, p3 and p4 respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.
After p4, Ni receives two RREP response packets to the source, at p5 and p6. When receiving the RREP at time p5, Ni updates e4 = p5, and Ni updates e4 = p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving the two RREP packets.
Finally, Ni receives another RREQ packet from NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS] = 5) and sets s5 = e5 = p7, and on receiving the last RREP packet, Ni updates e5 = p8. Figure 9(c) shows the RDH of the NS source node at p8.
Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
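The RDH bookkeeping of Examples 2 and 3 and the kNN vote of Algorithm 1, as an added Python example that is not the authors' NS2 code. It assumes Ti = s(i+1) - ei, which is inferred from the two examples; the class and function names, the training vectors and the values m = 10 and k = 5 are constructed for illustration.

```python
import math
from collections import deque

class RouteDiscoveryHistory:
    """RDH that an intermediate node Ni keeps for one source node NS."""
    def __init__(self, m):
        # m inter-route times need m + 1 (s_i, e_i) pairs. deque(maxlen=...) drops the
        # leftmost pair on overflow: the "shift left, add on the right" rule.
        self.m = m
        self.entries = deque(maxlen=m + 1)
        self.counter = 0  # Counters[NS]

    def on_rreq(self, now):
        self.counter += 1
        self.entries.append([now, now])  # s_i = e_i = now

    def on_rrep(self, now):
        # A RREP has no ordering field, so it is credited to the latest discovery.
        if self.entries:
            self.entries[-1][1] = now

    def t_vector(self):
        # ASSUMPTION: T_i = s_(i+1) - e_i, as Examples 2 and 3 imply.
        pairs = list(self.entries)
        return [pairs[i + 1][0] - pairs[i][1] for i in range(len(pairs) - 1)]

def euclidean(v1, v2):
    """Equation (3)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v1, v2)))

def fada_is_normal(vns, nvc, mvc, k):
    """Algorithm 1: True if most of the k nearest training vectors are in NVC."""
    dis_nvc = sorted(euclidean(vns, v) for v in nvc)
    dis_mvc = sorted(euclidean(vns, v) for v in mvc)
    k = min(k, len(dis_nvc) + len(dis_mvc))  # guard added here: never read past a list
    k1 = k2 = 0
    while k1 + k2 < k:
        take_nvc = k2 == len(dis_mvc) or (
            k1 < len(dis_nvc) and dis_nvc[k1] < dis_mvc[k2])
        if take_nvc:
            k1 += 1
        else:
            k2 += 1
    return k1 > k2  # a tie counts as malicious, as in Algorithm 1

class NeighborNode:
    """Ni acting as a neighbor of the source (Step A of the protocol)."""
    def __init__(self, m, k, nvc, mvc):
        self.m, self.k, self.nvc, self.mvc = m, k, nvc, mvc
        self.rdh = {}  # source address -> RouteDiscoveryHistory

    def on_rreq(self, src, now):
        rdh = self.rdh.setdefault(src, RouteDiscoveryHistory(self.m))
        rdh.on_rreq(now)
        vns = rdh.t_vector()
        if len(vns) < self.m:
            return "accept"  # vector not full yet: the security check is skipped
        return "accept" if fada_is_normal(vns, self.nvc, self.mvc, self.k) else "drop"

    def on_rrep(self, src, now):
        if src in self.rdh:
            self.rdh[src].on_rrep(now)

# Constructed training set (not the paper's NS2 data), m = 10, k = 5.
M, K = 10, 5
NVC = [[2.0 + 0.4 * j] * M for j in range(10)]  # slow, normal route discovery
MVC = [[1.0 / f + 0.02 * j] * M for f in (2, 5, 10, 50, 100) for j in range(2)]

def replay(interval, rrep_delay, count, src="S"):
    """Feed `count` RREQs spaced `interval` s apart; rrep_delay=None means no reply."""
    node = NeighborNode(M, K, NVC, MVC)
    decisions = []
    for i in range(count):
        t = i * interval
        decisions.append(node.on_rreq(src, t))
        if rrep_delay is not None:
            node.on_rrep(src, t + rrep_delay)
    return decisions

def example3_history():
    """Example 3 replayed with constructed times p1..p8 = 1, 2, 4, 7, 8, 9, 12, 13."""
    rdh = RouteDiscoveryHistory(M)
    events = [("RREQ", 1), ("RREQ", 2), ("RREQ", 4), ("RREQ", 7),
              ("RREP", 8), ("RREP", 9), ("RREQ", 12), ("RREP", 13)]
    for kind, t in events:
        if kind == "RREQ":
            rdh.on_rreq(t)
        else:
            rdh.on_rrep(t)
    return rdh

if __name__ == "__main__":
    print("normal source  :", replay(3.0, 0.2, 14))
    print("flooding source:", replay(0.1, None, 14))
    print("Example 3 T_i  :", example3_history().t_vector())
```

The flooding source is accepted until its vector holds m values, which is why the first m RREQs of any new source pass unchecked.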
4 Performance Evaluation by Simulation
In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.
4.1 Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.
The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s, while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0 and
Table 3 Simulation parameters

Parameters                     Setting
Simulation area                1000 x 1000 (m2)
Simulation time                500 (second)
Number of normal nodes         50 (nodes)
Node transmission range (R)    250 (m)
Number of malicious nodes      1, 2 (nodes)
Attacks frequency              10, 20 (packets/second)
Maximum speeds                 1-10, 1-20 and 1-30 (m/s)
Transport protocol             UDP
Traffic type                   CBR (constant bit rate)
Number of traffic              20
Data rate                      2 (packets/second)
Packet size                    512 (bytes)
Queue type                     FIFO (DropTail)
Routing protocols              AODV, B-AODV [18], FAPRP
Size of vector (m)             10, 15, 20, 25, 30, 35, 40 and 60
Cutoff value (k)               10, 15, 20, 25, 30, 35, 40, 45 and 50
Distance type                  Euclid

Figure 10 Malicious nodes location in the 1000 m x 1000 m area: (a) 1 node at (500, 500); (b) 2 nodes at (500, 700) and (500, 300)
the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.
We evaluate the original AODV, the B-AODV and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay and routing load metrics [18, 26].
(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are correctly accepted (the packets come from normal nodes); AF is the number of RREQ packets that are falsely accepted (the packets come from malicious nodes); DT is the number of RREQ packets that are correctly dropped (the packets come from malicious nodes); DF is the number of RREQ packets that are falsely dropped (the packets come from normal nodes).
$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \quad (4)$$
(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.
$$PDR = \frac{\sum_{i=1}^{n} DATA^{received}_{i}}{\sum_{j=1}^{m} DATA^{sent}_{j}} \times 100 \quad (5)$$
(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay^{DATA}_{i}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.
$$ETE = \frac{\sum_{i=1}^{n} Delay^{DATA}_{i}}{n} \quad (6)$$
(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to the successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO and RERR packets.
$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET^{overhead}_{j}}{\sum_{i=1}^{n} DATA^{received}_{i}} \quad (7)$$

Table 4 AODV performances under flooding attacks

                      PDR (%)                   RL (pkt)                    ETE (sec)
Level      MN   10 m/s 20 m/s 30 m/s    10 m/s  20 m/s  30 m/s    10 m/s 20 m/s 30 m/s
0 pkt/s    0    86.26  84.68  82.10       4.92    5.72    7.02    0.506  0.574  0.627
10 pkt/s   1    72.63  68.68  64.13      25.45   28.61   30.61    1.032  1.232  1.304
10 pkt/s   2    26.40  23.42  17.95     158.96  196.42  263.39    3.188  3.049  3.333
20 pkt/s   1    28.75  25.57  19.63     140.55  171.48  228.57    3.292  3.013  3.059
20 pkt/s   2    12.06  11.23   8.78     524.18  587.18  898.82    3.668  2.952  4.973
Standard deviation values
0 pkt/s    0     3.09   2.22   1.77       0.91    0.88    0.85    0.14   0.10   0.11
10 pkt/s   1     3.92   7.43   2.10       1.86    6.10    1.46    0.19   0.35   0.06
10 pkt/s   2     2.31   5.45   3.38      23.26   59.29   56.84    0.65   0.62   0.68
20 pkt/s   1     2.69   6.25   3.80      21.13   45.05   44.26    0.32   0.37   0.65
20 pkt/s   2     1.25   1.91   3.77      57.13   90.70  474.89    1.33   0.82   1.50
4.2 Simulation Results
4.2.1 Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay and an increase in the network's routing load. The simulation average results are shown in Table 4.
Figure 11 shows that the packet delivery ratio decreases, the routing load increases and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that without a flooding attack the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio is reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2 Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. The malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40 and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45 and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.
The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious node detection ratios than those of existing algorithms, and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and the RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
4.2.3 Performance Evaluation of AODV, B-AODV and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV and FAPRP protocols under RREQ flooding attacks. The cutoff value
Figure 11 AODV performance under RREQ flooding attacks versus mobility speed (m/s), for the Normal, 1MN-10pkt/s, 1MN-20pkt/s, 2MN-10pkt/s and 2MN-20pkt/s cases: (a) packet delivery ratio (%); (b) end-to-end delay (sec); (c) routing load (pkt)
(k) is 25 and the vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation), and 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios, the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, the B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47% standard deviation). Under flooding scenarios, the FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes, with 2.73% maximum standard deviation. In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks, with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that with AODV the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, the B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding
Table 5 AODV, B-AODV and FAPRP performances

            PDR (%)                  RL (pkt)                   ETE (sec)
MN    AODV   BAODV  FAPRP     AODV    BAODV  FAPRP     AODV   BAODV  FAPRP
10 m/s
0     86.26  59.89  84.73      4.92   3.11   4.69      0.506  0.790  0.526
1     28.75  55.01  83.94    140.55   4.13   6.05      3.292  0.865  0.566
2     12.06  59.30  83.80    524.18   5.98   7.34      3.668  0.921  0.598
20 m/s
0     84.68  58.20  83.77      5.72   3.42   5.54      0.574  1.142  0.639
1     25.57  56.61  83.41    171.48   4.60   6.87      3.013  1.120  0.626
2     11.23  62.96  82.96    587.18   6.25   8.23      2.952  1.187  0.680
30 m/s
0     82.10  57.96  80.75      7.02   3.57   6.60      0.627  1.342  0.703
1     19.63  57.50  79.92    228.57   4.88   8.05      3.059  1.185  0.813
2      8.78  55.69  79.41    898.82   7.09   9.28      4.973  1.327  0.798
Average
0     84.35  58.68  83.08      5.89   3.37   5.61      0.569  1.091  0.623
1     24.65  56.37  82.42    180.20   4.54   6.99      3.121  1.056  0.668
2     10.69  59.32  82.06    670.06   6.44   8.28      3.864  1.145  0.692
Standard deviation values
0      1.86   3.16   2.47      0.79   0.33   0.69      0.06   0.06   0.07
1      2.18   5.41   2.20     17.87   0.47   0.80      0.25   0.13   0.10
2      0.90   2.35   2.73    146.54   0.48   0.89      0.43   0.19   0.07

Figure 12 Malicious nodes successful detection ratio (%) versus size of vector (m) for cutoff values k = 10 to 50: (a) 1-10 m/s mobility speed; (b) 1-20 m/s mobility speed; (c) 1-30 m/s mobility speed; (d) average of mobility speed
Figure 13 AODV, B-AODV and FAPRP performances under RREQ flooding attacks versus number of malicious nodes, for the 1-10 m/s, 1-20 m/s and 1-30 m/s scenarios: (a) packet delivery ratio (%); (b) end-to-end delay (sec); (c) routing load (pkt)
attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and to B-AODV under both normal and flooding attack scenarios.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkt and 670.06 pkt for one and two malicious nodes respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios, the routing load is about 3.37 pkt. The B-AODV average routing load in the attack state is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for the normal scenario and high mobility speed is about 5.61 pkt. Under flooding attacks, the FAPRP average routing load is about 6.99 pkt and 8.28 pkt when the intruder uses one and two malicious nodes respectively. The B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5 Conclusion
In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves a higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and a lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay and reduced routing load compared to the AODV and B-AODV protocols.
In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials
We submit the source code for the AODV, B-AODV and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name and description are as follows: 1. aodv ccrar: source code of AODV routing protocol for simulation in NS2.35; 2. fdaodv ccrar: source code of FDAODV routing protocol for malicious node simulation in NS2.35; 3. baodv ccrar: source code of BAODV routing protocol for simulation in NS2.35; 4. fdbaodv ccrar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35; 5. faprp ccrar: source code of FAPRP routing protocol for simulation in NS2.35; 6. fdfaprp ccrar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35; 7. scenrar: 15 network topologies for simulation; 8. TCLrar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation; 9. DATArar: all simulation data; 10. Figuresrar: all scripts (gnuplot) to create the figures in the paper. (Supplementary Materials)
References
[1] J Hoebeke I Moerman B Dhoedt and P Demeester ldquoAnoverview of mobile ad hoc networks Applications and chal-lengesrdquo Journal of the Communications Network vol 3 no 3pp 60ndash66 2004
[2] C E Perkins and E M Royer ldquoAd-hoc on-demand distancevector routingrdquo in Proceedings of the 2nd IEEE Workshop onMobile Computing Systems and Applications (WMCSA rsquo99) pp90ndash100 New Orleans La USA February 1999
[3] C Perkins and P Bhagwat ldquoHighly dynamic destination-sequenced distance-vector routing (DSDV) for mobile com-putersrdquo in Proceedings of the Conference on CommunicationsArchitectures Protocols and Applications (SIGCOMM rsquo94) pp234ndash244 London UK 1994
[4] Z J Haas M R Pearlman and P Samar ldquoThe Zone RoutingProtocol (ZRP) for AdHocNetworksrdquo INTERNET-DRAFT pp1ndash11 2002
[5] E Alotaibi and B Mukherjee ldquoA survey on routing algorithmsfor wireless Ad-Hoc and mesh networksrdquo Computer Networksvol 56 no 2 pp 940ndash965 2012
[6] R Di Pietro S Guarino N V Verde and J Domingo-FerrerldquoSecurity in wireless ad-hoc networks - A surveyrdquo ComputerCommunications vol 51 pp 1ndash20 2014
[7] R Mitchell and I-R Chen ldquoA survey of intrusion detection inwireless network applicationsrdquo Computer Communications vol42 pp 1ndash23 2014
[8] M Wazid and A K Das ldquoA Secure Group-Based BlackholeNode Detection Scheme for Hierarchical Wireless Sensor Net-worksrdquo Wireless Personal Communications vol 94 no 3 pp1165ndash1191 2017
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod, et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns/.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1–11, 2017.
Table 1: Summary of drawbacks of related works for detecting flooding attacks.

| Ref | Name | Year | Method | Drawback |
|---|---|---|---|---|
| [15], [13], [16] | Proposed-AODV, FAP, EFS | 2004, 2005, 2006 | Fixed threshold | It uses a static threshold value, which is not suitable for a high mobility environment. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [18] | B-AODV | 2016 | Dynamic threshold | It can drop valid request packets of a node moving with high mobility speed if the number of request packets is greater than the BI value. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [19] | F-IDS | 2017 | Dynamic threshold | Performance varies. Using new control packets (ALERT) will increase communication overhead and limit the performance when operating in a network environment without attacks. A malicious node can pass the security mechanism by transmitting RREQ packets at a frequency lower than the threshold. |
| [20] | SMA2AODV | 2017 | Dynamic threshold | A malicious node can pass the security mechanism by transmitting the RREQ packets at a frequency lower than the threshold. |
| [21] | SVMT | 2013 | SVM | The proposed algorithm uses a fixed threshold to detect malicious nodes. |
| [22] | kNN-AODV | 2014 | kNN | The algorithm for building training data sets was not presented or justified. |
Figure 2: Description of flooding attacks in the MANET: (a) RREQ flooding; (b) HELLO and DATA flooding.
based on a dynamic threshold and consists of three phases. It deploys special Flooding Intrusion Detection System (F-IDS) nodes to detect and prevent flooding attack. The F-IDS nodes are set in the promiscuous mode to monitor the behavior of nodes in the network. The proposed mechanism has several features: (1) it uses a dynamic threshold; (2) it has a confirmation mechanism in which the special F-IDS node confirms the node as a malicious node by sending a dummy reply packet and waits for the data packets; and (3) it has a recovery mechanism that allows the node to participate in the network after the expiry of the blocking time period. However, the use of several F-IDS nodes to monitor their neighbors and to communicate among them limits the performance of the overall network, especially when the network is not under attack.
In [20], Tu introduced security mobile agents (SMA) to detect flooding attacks. An improved protocol, SMA2AODV, is proposed by integrating these SMAs into the route discovery process of the AODV protocol. During the training period, SMA agents are used to collect information for determining the minimal time-slot of the system ($TS_{min}$), that is, the minimum time-slot for successfully discovering a path from a source node to a destination node. After the training phase, node $N_i$ checks the security of the RREQ packet received from source node $N_j$ before broadcasting it to the neighbors. If the route discovery time-slot is smaller than the minimal time-slot of the system ($T < TS_{min}$), a flooding attack is said to have occurred with $N_j$ as the attacker. $N_i$ then adds $N_j$ to its black list. All RREQ packets of nodes in the black list will be dropped. The drawback of this method is that $TS_{min}$ is only valid if no malicious node exists during the training period.

Table 2: Description of symbols.

| Variable | Description |
|---|---|
| $t_i$ | $i$th route discovery time |
| $T_i$ | $i$th inter-route discovery time |
| $V_{N_S}$ | Vector of route discovery frequency of node $N_S$ |
| m | Size of vector of route discovery frequency |
| k | Cutoff value for kNN algorithm |
2.3.3. On Machine Learning Approach. In [21], Patel proposed the use of the support vector machine (SVM) algorithm for detecting and preventing flooding attacks. The behavior of every node is collected and passed to the support vector machine to decide if a node is malicious based on a threshold limit.
In [22], Wenchao proposed a new intrusion detection system based on the k-nearest neighbors (kNN) classification algorithm in wireless sensor networks to separate abnormal nodes from normal nodes by observing their behaviors. An m-dimensional vector is used to represent nodes and their behaviors, such as the number of routing messages that can be sent over a period of time, the number of nodes with different destinations in the sending routing packets, and the number of nodes with the same source node in the receiving routing packets. The paper shows that the system achieves high detection accuracy, but it does not provide justifications or the algorithm for building training datasets.
3. The Proposed FAPRP Solution
In this section, we present our algorithms and routing protocol for detecting flooding attacks in MANETs. First, we define a feature vector that represents the behavior of a node based on its history of route discovery: the route discovery frequency vector. Second, we describe an algorithm for obtaining the training dataset, which describes the normal behavior and the abnormal behavior of nodes for normal/malicious classification. Third, we present our flooding attack detection algorithm, and finally we present our proposed AODV-based flooding attacks prevention routing protocol. Table 2 defines symbols used in the paper.
3.1. Route Discovery Frequency Vector. In order to detect RREQ flooding attacks with kNN, the crucial problem is the selection of a feature vector that maximizes the separation of the normal and the malicious data classes and produces highly reliable classification. The selected features should be able to succinctly capture the inherent behavior of a node performing RREQ requests and the time-related network activities through their historical data records, in order to differentiate "normal" from "malicious" behavior. We propose a route discovery frequency vector as the feature vector for this purpose. To quantify this vector, we define the following terms.
Definition 1. Route discovery time ($t_i$) is the duration from the time a node first broadcasts a route discovery packet to the time it receives the corresponding route response. Assuming that node $N_i$ receives the $i$th RREQ packet from the source node $N_S$ at time $s_i$ and $N_i$ receives the route response packet at time $e_i$, the route discovery time ($t_i$) is defined by

$$t_i = e_i - s_i \tag{1}$$

Definition 2. Inter-route discovery time ($T_i$) is the duration from the end of a route discovery to the beginning of the next route discovery. Assuming that the node $N_i$ receives the $(i+1)$th RREQ packet from the source node $N_S$ at time $s_{i+1}$, the inter-route discovery time ($T_i$) is defined by (2).

$$T_i = s_{i+1} - e_i \tag{2}$$
In the AODV routing protocol, the route discovery frequency of a node depends on how frequently the node has to find a path to the required destination. All normal nodes have route discovery frequencies within a range, but malicious nodes have higher route discovery frequencies, as their aim is to flood the network. Consider Figure 2(a): it shows three normal nodes A, B, C and one malicious node M. Figure 3(a) shows the route discovery history of the normal node (C) as recorded by the normal node (A). Figure 3(b) shows the route discovery history of the malicious node (M), which is also recorded by the normal node (A). The figures show that node C sent 6 RREQ packets and node M sent 13 RREQ packets over roughly the same duration.
We use an m-dimensional vector $V_{N_i}(a_1, a_2, a_3, \ldots, a_m)$ to represent the route discovery history of node $N_i$, where m is the size of the vector and $a_i$ is the $i$th inter-route discovery time.
Example 1. The route discovery history of the malicious node shown in Figure 3(b) is represented by the route discovery frequency vector $V_M(T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9, T_{10}, T_{11}, T_{12})$ of size 12.
Figure 4 shows typical vectors of size 40 of the route discovery frequency of normal and malicious nodes obtained by NS2 simulation. It can be seen that the inter-route discovery time values for all normal nodes (N1 to N5) are generally larger (> 1 sec) than those for malicious nodes (M1 to M5), as they have low route discovery frequencies. However, there are cases where the malicious inter-route discovery times ($T_i$) are indistinguishable from the normal ones. One reason for this is the mobility of nodes in the environment: a recording node may not receive RREQ packets from a malicious node until some later time. Another reason for the overlapping region is when a malicious node floods the network at a frequency close to the rate at which a normal node can generate RREQs. As demonstrated in Section 4, our proposed algorithm successfully recognizes these abnormal cases based on the route discovery frequency feature.
Figure 3: Route discovery history recorded at normal node (A): (a) route discovery history of normal node (C); (b) route discovery history of malicious node (M).
Figure 4: An example describing vectors of route discovery frequency of 5 normal nodes (N1 to N5) and 5 malicious nodes (M1 to M5). Horizontal axis: size of vector (m); vertical axis: inter-route discovery time (sec).
3.2. Algorithm for Obtaining a Training Dataset. We use NS2 [23] version 2.35 to build a training dataset of NVC (normal) and MVC (malicious) vector classes. The simulation scenario is set up with 100 normal nodes and 1 malicious node operating in an area of 2000 m x 2000 m. Normal nodes move under the random waypoint model, with scenarios for maximum speeds of 0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s; a malicious node is positioned at the center (1000 m x 1000 m), as shown in Figure 5. Other simulation parameters include the AODV routing protocol, 50 UDP connections, and constant bit rate (CBR) traffic type; the first data source commences at time 0, other data sources commence at 5 seconds apart after the first, and the malicious node floods f packets every second (f may take on different values: 2, 5, 10, 50, and 100).
The training process proceeds as follows.
Step 1. Select the dimension or size (m) of the feature vectors.
Step 2. Set the frequency of flooding to 2 initially (f = 2 per second).
Step 3. For each of the mobile scenarios (0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s), simulate the MANET as follows. Each node records the inter-route time of a source node ($T_i$) on receiving a RREQ from the source node. $T_i$ is added to the malicious history frequency vector if the source is malicious; otherwise it is added to the normal history frequency vector. At the end of this step, for each scenario, two sets of vectors are established:
(i) 100 malicious vectors $V_M^{j}(T_1^{M}, T_2^{M}, T_3^{M}, \ldots, T_m^{M}),\ \forall j = 1..100$
(ii) 100 normal vectors $V^{j}\left(\frac{\sum_{i=1}^{50} T_1^{i}}{50}, \frac{\sum_{i=1}^{50} T_2^{i}}{50}, \frac{\sum_{i=1}^{50} T_3^{i}}{50}, \ldots, \frac{\sum_{i=1}^{50} T_m^{i}}{50}\right),\ \forall j = 1..100$
Step 4. At the end of Step 3, for all 5 scenarios, 100 average vectors for MVC and 100 vectors for NVC are obtained for this particular flooding frequency (f = 2).
Step 5. The algorithm continues to establish MVC vectors and NVC vectors for other flooding frequencies (f = 5, 10, 50, and 100).
As a result of the training process, a training dataset with MVC and NVC vectors is shown in Figure 6. The training dataset is used to classify an unknown sample vector V (in the next section). In Figure 6, each vector is of size 60. It can be seen that there is an overlap between the two classes due to node mobility as well as the closeness of the rate of generation of RREQ packets of malicious and normal nodes.
Figure 5: Static network topology simulation for training: 50 UDP connections and malicious node positioned at the square in the center.
Figure 6: Two vector classes: black (+) for NVC and red (Δ) for MVC. Horizontal axis: size of vector (m); vertical axis: inter-route discovery time (sec).
3.3. Flooding Attack Detection Algorithm (FADA). All normal nodes collect route discovery information of source nodes in the network. On receiving a RREQ packet, a node employs the route discovery frequency vector ($V_{N_S}$) and uses a machine learning algorithm to determine if the source node is normal or malicious. The kNN-Classifier, based on the kNN [24] algorithm, is utilized to classify the two classes based on the route discovery frequency vectors for NVC or MVC. The kNN algorithm is theoretically mature, has low complexity, and is widely used for data mining. The main idea is that if most of the k-nearest neighbors of a sample belong to a class, the sample belongs to the same class. In kNN, the nearest neighbor refers to the distance between two samples, and various distance metrics can be used based on the feature vector that represents the samples. One of the most popular choices is the Euclidean distance in (3), used to calculate the distance between $V_1$ and $V_2$. Algorithm 1 describes our algorithm for recognizing malicious nodes.

$$d(V_1, V_2) = \sqrt{\sum_{i=1}^{m} \left(V_1[i] - V_2[i]\right)^2} \tag{3}$$
    Input: Two classes NVC and MVC; vector of route discovery frequency (VNs)
    Output: True if VNs is in NVC, else False
    Begin
        MAX_VECTOR = 500
        Double Array disMVC[MAX_VECTOR], disNVC[MAX_VECTOR]
        // indices run from 0 so that they match the 0-based reads below
        For int vt = 0 to MAX_VECTOR - 1 do
            disMVC[vt] = Euclidean(VNs, MVCVectors[vt])
            disNVC[vt] = Euclidean(VNs, NVCVectors[vt])
        Sort(disMVC and disNVC, ASC)    // ascending sort
        int k1 = k2 = 0
        While (k1 + k2 < k)
            if (disNVC[k1] < disMVC[k2]) k1++
            else k2++
        Return (k1 > k2)
    End

Algorithm 1: Flooding attack detection algorithm using kNN.

3.4. FAPRP: A Novel Flooding Attacks Prevention Routing Protocol. In the original AODV protocol, as intermediate nodes accept all RREQ route discovery packets from any source nodes, hackers may exploit this vulnerability to perform RREQ flooding attacks. We propose the flooding attacks prevention routing protocol by introducing the flooding attacks detection algorithm into the route request phase of the AODV protocol, as described in Figure 7. Similar to AODV, path discovery is entirely on-demand for FAPRP. When a source node needs to send data packets to a destination node to which it has no available route, $N_S$ broadcasts a RREQ packet to its neighbors. The intermediate node ($N_i$) receiving a RREQ packet from a preceding node ($N_j$) checks security as follows.
First, duplicate RREQ packets received by a node are dropped, similar to the AODV protocol. $N_i$ may receive multiple RREQ packets coming from its neighboring nodes, but it only handles the first RREQ packet, using the two parameters broadcast_id and src_add (source address) in the RREQ packet.
Second, unlike the AODV routing protocol, $N_i$ adds the information ($s_i$ and $e_i$) to the route discovery history (RDH) of the source node. Each intermediate node stores the route discovery counter of all source nodes. If the value of Counters[$N_S$] equals x, the source node $N_S$ has initiated route discovery x times to this point. If the route history is full, $N_i$ shifts all elements of the RDH one position to the left and adds the new element ($s_i$, $e_i$) to the rightmost position.
In a MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in the FAPRP routing protocol only the source node's neighbor nodes deploy the FADA algorithm to detect RREQ flooding attacks. $N_i$ uses the source node address and the preceding node address to determine if it is a neighbor of the source $N_S$. On receiving RREQ packets, the protocol works as follows.
Step A. If $N_i$ is a neighbor of the source node $N_S$:
(i) $N_i$ measures all $T_i$ values in $V_{N_S}$ using the RDH of the source node.
(ii) If the route discovery frequency vector of the source node ($V_{N_S}$) is not full, $N_i$ ignores the security check and goes to Step B.
(iii) Else, $N_i$ uses FADA to classify $N_S$ using its feature vector $V_{N_S}$:
(a) If $V_{N_S}$ is in MVC, the source node is classified as malicious, the RREQ packet is dropped, and the algorithm terminates.
(b) Else, go to Step B.
Step B. If $N_i$ is not a neighbor of $N_S$, it executes other commands similar to AODV as follows:
(i) $N_i$ saves the broadcast_id and src_add values into its cache and adds a reverse route to the source node into its routing table.
(ii) If $N_i$ is the destination or has a route toward the destination, it unicasts a RREP packet back to the neighbor from which it received the RREQ packet ($N_j$); otherwise, it rebroadcasts the RREQ packet.
When the destination node gets a RREQ, it updates the time instance $e_i$ in the RDH of the source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, $N_i$ assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates $e_i$ in the RDH of the source node; that is, it sets i = Counters[$N_S$]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
Example 2. Figure 8 describes how an intermediate node ($N_i$) handles the RREQ and RREP packets. First, on receiving the RREQ packet at time $p_1$, $N_i$ increases Counters[$N_S$] to 1 (Counters[$N_S$] = 1) and records $s_1 = e_1 = p_1$. Second, on receiving the RREP packet at time $p_2$, $N_i$ updates $e_1 = p_2$. Next, at time $p_3$, $N_i$ receives the RREQ packet, increases Counters[$N_S$] by 1 (Counters[$N_S$] = 2), and records $s_2 = e_2 = p_3$. Similarly, at time $p_4$, on receiving the next RREQ packet, Counters[$N_S$] is set to 3 and $s_3 = e_3 = p_4$. Finally, $N_i$ records the RREP at time $p_5$ and updates $e_3 = p_5$. Because $p_1 < p_2 < p_3 < p_4 < p_5$, $T_i > 0\ \forall i = 1, 2$.
Figure 7: Request route process of FAPRP routing protocol.
Figure 8: Route discovery history of the source node and 1 destination node.
3.5. Discussion. RREQs may originate from the same $N_S$ to many destination nodes ($N_{D1}, N_{D2}, \ldots, N_{Dn}$). In this case, FADA only keeps the counter for $N_S$ regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQs and does not care about the destinations.
Figure 9: Route discovery history of a source and 3 destination nodes: (a) $N_i$ receives 4 RREQ packets; (b) $N_i$ receives 2 RREP packets; (c) $N_i$ receives a RREQ and a RREP packet.
Example 3. Consider a network topology with n nodes consisting of one source node $N_S$ and three destination nodes $N_{D1}$, $N_{D2}$, and $N_{D3}$. Assume that $N_S$ made route discovery seven times to the three destination nodes $N_{D1}$, $N_{D2}$, and $N_{D3}$. Because of the mobile and noisy environment, 3 RREQ packets were lost and $N_i$ received only 4 RREQ packets, at $p_1$, $p_2$, $p_3$, and $p_4$, respectively. The value of Counters[$N_S$] at $N_i$ was then 4, which meant that, as far as $N_i$ was concerned, $N_S$ had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the $N_S$ source node as recorded in $N_i$.
After $p_4$, $N_i$ receives two RREP response packets to the source, at $p_5$ and $p_6$. When receiving the RREP at time $p_5$, $N_i$ updates $e_4 = p_5$, and $N_i$ continues to update $e_4 = p_6$ when receiving the RREP packet at $p_6$. Figure 9(b) shows the RDH of the $N_S$ source node after receiving the two RREP packets.
Finally, $N_i$ receives another RREQ packet from $N_S$ at time $p_7$ and a RREP packet at time $p_8$. On receiving this last RREQ, $N_i$ increases Counters[$N_S$] by 1 (Counters[$N_S$] = 5) and sets $s_5 = e_5 = p_7$, and on receiving the last RREP packet, $N_i$ updates $e_5 = p_8$. Figure 9(c) shows the RDH of the $N_S$ source node at $p_8$.
Thus, based on the RDH of the source node, $N_i$ can compute all $T_i$ in $V_{N_S}$ and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all $T_i$ values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
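The RDH bookkeeping of Section 3.4 (Examples 2 and 3), the inter-route discovery times of Definition 2, and the kNN decision of Algorithm 1 can be run together in Python. This is an added example, not the authors' NS2 implementation; the names RouteDiscoveryHistory, fada_is_normal, handle_rreq and simulate, the small NVC/MVC training sets, k = 5, and all timestamps are constructed assumptions.

```python
import math
from collections import defaultdict

M = 12  # feature-vector size m (the paper evaluates 10 to 60)
K = 5   # kNN cutoff k (assumed small here; the paper uses 10 to 50 on 500 vectors per class)

class RouteDiscoveryHistory:
    """RDH kept by an intermediate node N_i: one [s_i, e_i] pair per discovery."""

    def __init__(self, m=M):
        self.m = m
        self.rdh = defaultdict(list)      # source -> [[s_1, e_1], [s_2, e_2], ...]
        self.counters = defaultdict(int)  # Counters[N_S]

    def on_rreq(self, src, now):
        self.counters[src] += 1
        hist = self.rdh[src]
        if len(hist) == self.m + 1:       # history full: shift left, append right
            hist.pop(0)
        hist.append([now, now])           # s_i = e_i = arrival time of the RREQ

    def on_rrep(self, src, now):
        # An AODV RREP carries no discovery index, so the reply is credited
        # to the most recent discovery of that source.
        if self.rdh[src]:
            self.rdh[src][-1][1] = now

    def is_full(self, src):
        return len(self.rdh[src]) == self.m + 1   # m+1 discoveries give m gaps

    def vector(self, src):
        """Inter-route discovery times T_i = s_{i+1} - e_i, equation (2)."""
        h = self.rdh[src]
        return [h[i + 1][0] - h[i][1] for i in range(len(h) - 1)]

def euclidean(v1, v2):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v1, v2)))

def fada_is_normal(v, nvc, mvc, k=K):
    """Algorithm 1: True if most of the k nearest training vectors are NVC."""
    dis_nvc = sorted(euclidean(v, x) for x in nvc)
    dis_mvc = sorted(euclidean(v, x) for x in mvc)
    k = min(k, len(dis_nvc) + len(dis_mvc))   # never walk past both lists
    k1 = k2 = 0
    while k1 + k2 < k:
        take_normal = k2 >= len(dis_mvc) or (
            k1 < len(dis_nvc) and dis_nvc[k1] < dis_mvc[k2])
        if take_normal:
            k1 += 1
        else:
            k2 += 1
    return k1 > k2

def handle_rreq(node, src, now, is_neighbor, nvc, mvc):
    """Step A / Step B of Section 3.4; returns 'DROP' or 'FORWARD'."""
    node.on_rreq(src, now)
    if is_neighbor and node.is_full(src):     # only neighbors of N_S run FADA
        if not fada_is_normal(node.vector(src), nvc, mvc):
            return "DROP"
    return "FORWARD"

# Constructed training classes (not the paper's NS2 data): normal sources wait
# 2 to 6 s between discoveries; flooders send f = 2, 5, 10, 50, 100 RREQs/s.
NVC = [[2.0 + (i + j) % 5 for j in range(M)] for i in range(20)]
MVC = [[(1.0 / f) * (1 + 0.1 * r)] * M
       for f in (2, 5, 10, 50, 100) for r in range(4)]

def replay_example2():
    """Example 2 timeline with constructed times for p1..p5."""
    node = RouteDiscoveryHistory(m=2)
    for kind, t in [("RREQ", 0.0), ("RREP", 0.5), ("RREQ", 5.0),
                    ("RREQ", 9.0), ("RREP", 9.25)]:
        (node.on_rreq if kind == "RREQ" else node.on_rrep)("S", t)
    return node.vector("S")

def simulate(flooder, is_neighbor, rounds=M + 3):
    """Decisions of one observer for a flooding or a well-behaved source."""
    node, decisions, now = RouteDiscoveryHistory(), [], 0.0
    for _ in range(rounds):
        decisions.append(handle_rreq(node, "S", now, is_neighbor, NVC, MVC))
        if flooder:
            now += 0.125                  # 8 RREQs/s, never waits for a RREP
        else:
            node.on_rrep("S", now + 0.5)  # route found after 0.5 s
            now += 5.0                    # next discovery 4.5 s after the RREP
    return decisions

if __name__ == "__main__":
    print("Example 2 vector:", replay_example2())
    for flooder, nb in [(True, True), (False, True), (True, False)]:
        print(flooder, nb, simulate(flooder, nb))
```

A flooding neighbor is forwarded for its first 12 RREQs while the vector fills (Step A(ii)) and dropped from the 13th on. The same flooder seen by a non-neighbor is never checked, which is the design choice the protocol makes to avoid isolating a source.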
4. Performance Evaluation by Simulation
In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.
4.1. Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.
The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s, while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0, and the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.

Table 3: Simulation parameters.

| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m²) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1-10, 1-20, and 1-30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |

Figure 10: Malicious nodes location in the 1000 m x 1000 m area: (a) 1 node, at (500, 500); (b) 2 nodes, at (500, 700) and (500, 300).
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].
(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true (the packets come from normal nodes); AF is the number of RREQ packets that are accepted false (the packets come from malicious nodes); DT is the number of RREQ packets that are dropped true (the packets come from malicious nodes); DF is the number of RREQ packets that are dropped false (the packets come from normal nodes).

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \tag{4}$$

(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} \mathrm{DATA}_i^{received}}{\sum_{j=1}^{m} \mathrm{DATA}_j^{sent}} \times 100 \tag{5}$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $\mathrm{Delay}_{DATA}^{i}$ is the delay time for sending the $i$th data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} \mathrm{Delay}_{DATA}^{i}}{n} \tag{6}$$
(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} \mathrm{CONTROL\_PACKET}_j^{overhead}}{\sum_{i=1}^{n} \mathrm{DATA}_i^{received}} \tag{7}$$

Table 4: AODV performances under flooding attacks.

| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10 pkt/s | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10 pkt/s | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20 pkt/s | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20 pkt/s | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |
| Standard deviation values | | | | | | | | | | |
| 0 pkt/s | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10 pkt/s | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10 pkt/s | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20 pkt/s | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20 pkt/s | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |
4.2. Simulation Results
4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.
Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that without flooding attack the AODV packet delivery ratio is above 82.10% (1.77 standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio is reduced drastically to 12.06% (1.25 standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.
The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious node detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and the RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10m/s, 20m/s, and 30m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.

Figure 11: AODV performance under RREQ flooding attacks. Panels: (a) packet delivery ratio (%), (b) end-to-end delay (sec), (c) routing load (pkt), each plotted against mobility speed (m/s) for the series Normal, 1MN-10pkts, 1MN-20pkts, 2MN-10pkts, and 2MN-20pkts.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86 standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18 standard deviation), and 10.69% for two malicious nodes (0.9 standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV in normal scenarios, the average packet delivery ratio is about 58.68% (3.16 standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47 standard deviation). Under flooding scenarios, FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes, 2.73 maximum standard deviation. In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that with AODV the average end-to-end delay is about 0.569s under normal scenarios. The end-to-end delays are about 3.121s and 3.864s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV under normal scenarios, the average end-to-end delay is about 1.091s. Under flooding scenarios, B-AODV end-to-end delay is about 1.056s with one malicious node and 1.145s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668s and 0.692s when intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.

Table 5: AODV, B-AODV, and FAPRP performances.

                     PDR (%)                  RL (pkt)                  ETE (sec)
Speed      MN   AODV   BAODV  FAPRP     AODV    BAODV  FAPRP     AODV   BAODV  FAPRP
10m/s      0    86.26  59.89  84.73     4.92    3.11   4.69      0.506  0.790  0.526
10m/s      1    28.75  55.01  83.94     140.55  4.13   6.05      3.292  0.865  0.566
10m/s      2    12.06  59.30  83.80     524.18  5.98   7.34      3.668  0.921  0.598
20m/s      0    84.68  58.20  83.77     5.72    3.42   5.54      0.574  1.142  0.639
20m/s      1    25.57  56.61  83.41     171.48  4.60   6.87      3.013  1.120  0.626
20m/s      2    11.23  62.96  82.96     587.18  6.25   8.23      2.952  1.187  0.680
30m/s      0    82.10  57.96  80.75     7.02    3.57   6.60      0.627  1.342  0.703
30m/s      1    19.63  57.50  79.92     228.57  4.88   8.05      3.059  1.185  0.813
30m/s      2    8.78   55.69  79.41     898.82  7.09   9.28      4.973  1.327  0.798
Average    0    84.35  58.68  83.08     5.89    3.37   5.61      0.569  1.091  0.623
Average    1    24.65  56.37  82.42     180.20  4.54   6.99      3.121  1.056  0.668
Average    2    10.69  59.32  82.06     670.06  6.44   8.28      3.864  1.145  0.692
Std. dev.  0    1.86   3.16   2.47      0.79    0.33   0.69      0.06   0.06   0.07
Std. dev.  1    2.18   5.41   2.20      17.87   0.47   0.80      0.25   0.13   0.10
Std. dev.  2    0.90   2.35   2.73      146.54  0.48   0.89      0.43   0.19   0.07

Figure 12: Malicious nodes successful detection ratio (%) against size of vector (m = 10, 15, 20, 25, 30, 35, 40, 60) for k = 10, 15, 20, 25, 30, 35, 40, 45, and 50. Panels: (a) 1-10m/s mobility speed, (b) 1-20m/s mobility speed, (c) 1-30m/s mobility speed, (d) average of mobility speed.

Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks, plotted against the number of malicious nodes (0, 1, 2) for mobility speeds 1-10m/s, 1-20m/s, and 1-30m/s. Panels: (a) packet delivery ratio (%), (b) end-to-end delay (sec), (c) routing load (pkt).
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89pkt in the absence of a malicious node. The routing loads are about 180.2pkts and 670.06pkts for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV in normal scenarios, the routing load is about 3.37pkt. B-AODV average routing load in attacks state is about 4.54pkt when the intruder uses one malicious node and 6.44pkt for two malicious nodes. For our proposed solution, the routing load for normal scenario and high mobility speed is about 5.61pkt. Under flooding attacks, FAPRP average routing load is about 6.99pkts and 8.28pkts when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistake detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion

In this paper we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to AODV and B-AODV protocols.

In the future we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials
We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:
1. aodv ccrar: source code of AODV routing protocol for simulation in NS2.35.
2. fdaodv ccrar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
3. baodv ccrar: source code of BAODV routing protocol for simulation in NS2.35.
4. fdbaodv ccrar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
5. faprp ccrar: source code of FAPRP routing protocol for simulation in NS2.35.
6. fdfaprp ccrar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
7. scenrar: 15 network topologies for simulation.
8. TCLrar: TCL source code used to write the simulation script in ns2, and analysis files (awk) for the simulation.
9. DATArar: all simulation data.
10. Figuresrar: all scripts (gnuplot) to create the figures in the paper.
(Supplementary Materials)
References
[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, “An overview of mobile ad hoc networks: Applications and challenges,” Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA ’99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, “Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers,” in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM ’94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, “The Zone Routing Protocol (ZRP) for Ad Hoc Networks,” INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, “A survey on routing algorithms for wireless Ad-Hoc and mesh networks,” Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, “Security in wireless ad-hoc networks - A survey,” Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, “A survey of intrusion detection in wireless network applications,” Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, “A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks,” Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, “An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks,” Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, “A novel approach for mitigating gray hole attack in MANET,” Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, “Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network,” International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, “MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network,” Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, “Resisting flooding attacks in ad hoc networks,” in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, “Malicious AODV: Implementation and analysis of routing attacks in MANETs,” in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., “A distributed security scheme for ad hoc networks,” The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, “Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks,” in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, “Flooding attack and defence in ad hoc networks,” Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, “Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network,” Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, “A novel approach for mitigating route request flooding attack in MANET,” Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, “SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network,” Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, “Detection and prevention of flooding attack using SVM,” in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, “A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network,” Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns/.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, “Modified K-NN algorithm for classification problems with improved accuracy,” International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, “Random waypoint considered harmful,” in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM ’03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, “A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET,” Wireless Networks, pp. 1–11, 2017.
Table 2: Description of symbols.

Variable   Description
ti         ith route discovery time
Ti         ith inter-route discovery time
VNs        Vector of route discovery frequency of NS node
m          Size of vector of route discovery frequency
k          Cutoff value for kNN algorithm
that TSmin is only valid if no malicious node exists during the training period.
2.3.3. On Machine Learning Approach. In [21], Patel proposed the use of support vector machine (SVM) algorithm for detecting and preventing flooding attacks. The behavior of every node is collected and passed to the support vector machine to decide if a node is malicious based on a threshold limit.
In [22], Wenchao proposed a new intrusion detection system based on k-nearest neighbors (kNN) classification algorithm in wireless sensor network to separate abnormal nodes from normal nodes by observing their behaviors. An m-dimensional vector is used to represent nodes and their behaviors, such as the number of routing messages that can be sent over a period of time, the number of nodes with different destinations in the sending routing packets, and the number of nodes with the same source node in the receiving routing packets. The paper shows that the system achieves high detection accuracy, but it does not provide justifications or the algorithm for building training datasets.
3. The Proposed FAPRP Solution

In this section, we present our algorithms and routing protocol for detecting flooding attacks in MANETs. First, we define a feature vector that represents the behavior of a node based on its history of route discovery: the route discovery frequency vector. Second, we describe an algorithm for obtaining the training dataset, which describes the normal behavior and the abnormal behavior of nodes for normal/malicious classification. Third, we present our flooding attack detection algorithm, and finally we present our proposed AODV-based flooding attacks prevention routing protocol. Table 2 defines symbols used in the paper.
3.1. Route Discovery Frequency Vector. In order to detect RREQ flooding attacks with kNN, the crucial problem is the selection of a feature vector that maximizes the separation of the normal and the malicious data classes and produces highly reliable classification. The selected features should be able to succinctly capture the inherent behavior of a node performing RREQ requests and the time-related network activities through their historical data records in order to differentiate “normal” from “malicious” behavior. We propose a route discovery frequency vector as the feature vector for this purpose. To quantify this vector, we define the following terms.
Definition 1. Route discovery time (ti) is the duration from the time a node first broadcasts a route discovery packet to the time it receives the corresponding route response. Assuming that node Ni receives the ith RREQ packet from the source node Ns at time si and Ni receives the route response packet at time ei, the route discovery time (ti) is defined by

$$t_i = e_i - s_i \tag{1}$$

Definition 2. Inter-route discovery time (Ti) is the duration from the end of a route discovery to the beginning of the next route discovery. Assuming that the node Ni receives the (i+1)th RREQ packet from the source node Ns at time si+1, the inter-route discovery time (Ti) is defined by (2):

$$T_i = s_{i+1} - e_i \tag{2}$$
In AODV routing protocol, route discovery frequency of a node depends on how frequently the node has to find a path to the required destination. All normal nodes have route discovery frequencies within a range, but malicious nodes have higher route discovery frequencies as their aim is to flood the network. Figure 2(a) shows three normal nodes A, B, C and one malicious node M. Figure 3(a) shows the route discovery history of the normal node (C) as recorded by the normal node (A). Figure 3(b) shows route discovery history of the malicious node (M) that is also recorded by the normal node (A). The figures show that node C sent 6 RREQ packets and node M sent 13 RREQ packets over roughly the same duration.
We use an m-dimensional vector $V_{N_i}(a_1, a_2, a_3, \ldots, a_m)$ to represent route discovery history of node Ni, where m is the size of the vector and ai is the ith inter-route discovery time.

Example 1. Route discovery history of the malicious node shown in Figure 3(b) is represented by the route discovery frequency vector $V_M(T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8, T_9, T_{10}, T_{11}, T_{12})$ of size 12.
Figure 4 shows typical vectors of size 40 of the route discovery frequency of normal and malicious nodes by NS2 simulation. It can be seen that the inter-route discovery time values for all normal nodes (N1 to N5) are generally larger (> 1 sec) than those for malicious nodes (M1 to M5), as they have low route discovery frequencies. However, there are cases where the malicious inter-route discovery times (Ti) are indistinguishable from the normal ones. One reason for this is the mobility of nodes in the environment: a recording node may not receive RREQ packets from a malicious node until some later time. Another reason for the overlapping region is when a malicious node floods the network at a frequency close to the rate at which a normal node can generate RREQs. As demonstrated in Section 4, our proposed algorithm successfully recognizes these abnormal cases based on route discovery frequency feature.

Figure 3: Route discovery history recorded at normal node (A). Panels: (a) route discovery history of normal node (C), (b) route discovery history of malicious node (M).

Figure 4: An example describing vectors of route discovery frequency of 5 normal nodes (N1 to N5) and 5 malicious nodes (M1 to M5); inter-route discovery time (sec) against size of vector (m).
3.2. Algorithm for Obtaining a Training Dataset. We use NS2 [23] version 2.35 to build a training dataset of NVC (normal) and MVC (malicious) vector classes. The simulation scenario is set up with 100 normal nodes and 1 malicious node operated in the area of 2000m x 2000m. Normal nodes move under random waypoint model with maximum speeds of 0m/s, 10m/s, 20m/s, 30m/s, and 40m/s scenarios; a malicious node is positioned at the center (1000m x 1000m), as shown in Figure 5. Other simulation parameters include AODV routing protocol, 50 UDP connections, and constant bit rate (CBR) traffic type; the first data source commences at time 0, other data sources commence at 5 seconds apart after the first, and the malicious node respectively floods f packets every second (f may take on different values: 2, 5, 10, 50, and 100).
The training process proceeds as follows.

Step 1. Select the dimension or size (m) of the feature vectors.

Step 2. Set the frequency of flooding to 2 initially (f = 2 per second).

Step 3. For each of the mobile scenarios (0m/s, 10m/s, 20m/s, 30m/s, and 40m/s), simulate the MANET as follows. Each node records the inter-route time of a source node (Ti) on receiving a RREQ from the source node. Add Ti to the malicious history frequency vector if the source is malicious; otherwise it is added to the normal history frequency vector. At the end of this step, for each scenario, two sets of vectors are established:

(i) 100 malicious vectors $V^j_M(T^M_1, T^M_2, T^M_3, \ldots, T^M_m)$, $\forall j = 1..100$
(ii) 100 normal vectors $V^j\left(\frac{\sum_{i=1}^{50} T^i_1}{50}, \frac{\sum_{i=1}^{50} T^i_2}{50}, \frac{\sum_{i=1}^{50} T^i_3}{50}, \ldots, \frac{\sum_{i=1}^{50} T^i_m}{50}\right)$, $\forall j = 1..100$

Step 4. At the end of Step 3, for all 5 scenarios, 100 average vectors for MVC and 100 vectors for NVC are obtained for this particular flooding frequency (f=2).
Figure 5: Static network topology simulation for training; 50 UDP connections and malicious node positioned at the square in the center.

Figure 6: Two vector classes, black (+) for NVC and red (Δ) for MVC; inter-route discovery time (sec) against size of vector (m), 1 to 60.
Step 5. The algorithm continues to establish MVC vectors and NVC vectors for other flooding frequencies (f = 5, 10, 50, and 100).

As a result of the training process, a training dataset with MVC and NVC vectors is shown in Figure 6. The training dataset is used to classify an unknown sample vector V (in the next section). In Figure 6, each vector is of size 60. It can be seen that there is an overlap between the two classes due to node mobility as well as the closeness of the rate of generation of RREQ packets of malicious and normal nodes.
3.3. Flooding Attack Detection Algorithm (FADA). All normal nodes collect route discovery information of source nodes in the network. On receiving a RREQ packet, a node employs the route discovery frequency vector (VNs) and uses a machine learning algorithm to determine if the source node is normal or malicious. The kNN-Classifier based on kNN [24] algorithm is utilized to classify the two classes based on the route discovery frequency vectors for NVC or MVC. The kNN algorithm is theoretically mature with low complexity and is widely used for data mining. The main idea is that if most of its k-nearest neighbors belong to a class, the sample belongs to the same class. In kNN, the nearest neighbor refers to the distance between two samples, and various distance metrics can be used based on the feature vector that represents the samples. One of the most popular choices is the Euclidean distance in (3) to calculate the distance between V1 and V2. Algorithm 1 describes our algorithm for recognizing malicious nodes.

$$d(V_1, V_2) = \sqrt{\sum_{i=1}^{m} \left(V_1[i] - V_2[i]\right)^2} \tag{3}$$
    Input: Two classes NVC and MVC; vector of route discovery frequency (VNs)
    Output: True if VNs in NVC, else return False
    Begin
        MAX_VECTOR = 500
        Double Array disMVC[MAX_VECTOR], disNVC[MAX_VECTOR]
        For int vt = 0 to MAX_VECTOR - 1 do
            disMVC[vt] = Euclidean(VNs, MVCVectors[vt])
            disNVC[vt] = Euclidean(VNs, NVCVectors[vt])
        Sort(disMVC and disNVC, ASC)    // ascending sort
        int k1 = k2 = 0
        While (k1 + k2 < k)
            if (disNVC[k1] < disMVC[k2]) k1++
            else k2++
        Return (k1 > k2)
    End

Algorithm 1: Flooding attack detection algorithm using kNN.

3.4. FAPRP: A Novel Flooding Attacks Prevention Routing Protocol. In the original AODV protocol, as intermediate nodes accept all RREQ route discovery packets from any source nodes, hackers may exploit this vulnerability to perform RREQ flooding attacks. We propose the flooding attacks prevention routing protocol by introducing the flooding attacks detection algorithm into the route request phase of the AODV protocol, as described in Figure 7. Similar to AODV, path discovery is entirely on-demand for FAPRP. When a source node needs to send data packets to a destination node to which it has no available route, NS broadcasts a RREQ packet to its neighbors. The intermediate node (Ni) receiving a RREQ packet from a preceding node (Nj) checks security as follows.
First, duplicate RREQ packets received by a node are dropped, similar to the AODV protocol. Ni may receive multiple RREQ packets coming from its neighboring nodes, but it only handles the first RREQ packet, using the two parameters broadcast_id and src_add (source address) in the RREQ packet.

Second, unlike AODV routing protocol, Ni adds the information (si and ei) to the route discovery history (RDH) of the source node. Each intermediate node stores the route discovery counter of all source nodes. If the value of the Counters[NS] equals x, the source node NS has initiated route discovery x times to this point. If the route history is full, Ni shifts all elements of RDH one position to the left and adds the new element (si, ei) to the rightmost position.

In MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in FAPRP routing protocol, only the source node’s neighbor nodes deploy FADA algorithm to detect RREQ flooding attack. Ni uses the source node address and the preceding node address to determine if it is a neighbor of the source NS. On receiving RREQ packets, the protocol works as follows.
Step A. If Ni is a neighbor of the source node NS:

(i) Ni measures all Ti values in VNs using RDH of the source node.

(ii) If the route discovery frequency vector of source node (VNs) is not full, Ni ignores the security check and goes to Step B.

(iii) Else Ni uses FADA to classify NS using its feature vector VNs.

(a) If VNs is in MVC, the source node is classified malicious, the RREQ packet is dropped, and the algorithm terminates.

(b) Else go to Step B.

Step B. If Ni is not a neighbor of NS, it executes other commands similar to AODV as follows:

(i) Ni saves broadcast_id and src_add values into its cache and adds a reverse route to source node into its routing table.

(ii) If Ni is destination or has a route toward the destination, it unicasts a RREP packet back to its neighbor from which it received the RREQ packet (Nj); otherwise it rebroadcasts the RREQ packet.
When the destination node gets a RREQ, it updates the time instance ei in the RDH of source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, Ni assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates ei in the RDH of source node; that is, it sets i=Counters[NS]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
Example 2. Figure 8 describes how an intermediate node (Ni) handles the RREQ and RREP packets. First, on receiving RREQ packet at time p1, Ni increases Counters[NS] to 1 (Counters[NS]=1) and records s1=e1=p1. Second, on receiving the RREP packet at time p2, Ni updates e1=p2. Next, at time p3, Ni receives the RREQ packet, increases the Counters[NS] by 1 (Counters[NS]=2), and records s2=e2=p3. Similarly, at time p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3=e3=p4. Finally, Ni records RREP at time p5 and updates e3=p5. Because p1<p2<p3<p4<p5, Ti > 0 ∀i = 1..2.

Figure 7: Request route process of FAPRP routing protocol.

Figure 8: Route discovery history of the source node and 1 destination node.

Figure 9: Route discovery history of a source and 3 destination nodes. Panels: (a) Ni receives 4 RREQ packets, (b) Ni receives 2 RREP packets, (c) Ni receives a RREQ and a RREP packet.

3.5. Discussion. RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQ and does not care about the destinations.
Example 3. Consider a network topology with n nodes that includes one source node NS and three destination nodes ND1, ND2, and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2, and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost and Ni received only 4 RREQ packets at p1, p2, p3, and p4, respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.
After p4, Ni receives two RREP response packets to the source at p5 and p6. When receiving RREP at time p5, Ni updates e4=p5, and Ni continues to update e4=p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving two RREP packets.
Finally, Ni receives another RREQ packet from the NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS]=5) and sets s5=e5=p7, and on receiving the last RREP packet, Ni updates e5=p8. Figure 9(c) shows the RDH of the NS source node at p8.
Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
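The RDH bookkeeping of Section 3.4 and Examples 2 and 3, replayed as an added Python sketch; it is not the authors' NS2 code. It assumes Ti = s(i+1) - e(i) (consistent with Example 2, but the definition is not on this part of the page), an RDH that holds m+1 entries, and a neighbor test of "preceding hop equals source"; the class names, event times and the mean-gap classifier are constructed for illustration.

```python
from collections import deque


class RouteDiscoveryHistory:
    """RDH that one intermediate node Ni keeps for one source node NS."""

    def __init__(self, m):
        self.m = m                            # size of the feature vector VNs
        self.counter = 0                      # Counters[NS]
        # Assumption: m inter-route times need m+1 (s_i, e_i) entries.
        self.entries = deque(maxlen=m + 1)

    def on_rreq(self, now):
        """New route discovery i: Counters[NS]++ and s_i = e_i = now."""
        self.counter += 1
        # A full deque discards its leftmost entry: the "shift left" step.
        self.entries.append([now, now])

    def on_rrep(self, now):
        """A RREP carries no discovery index, so it updates the latest e_i."""
        if self.entries:
            self.entries[-1][1] = now

    def is_full(self):
        return len(self.entries) == self.m + 1

    def vector(self):
        """VNs. Assumption: T_i = s_(i+1) - e_i (gap between discoveries)."""
        e = list(self.entries)
        return [e[i + 1][0] - e[i][1] for i in range(len(e) - 1)]


class FaprpNode:
    """RREQ handling at Ni (Steps A and B), reduced to the accept/drop decision."""

    def __init__(self, m, classify):
        self.m = m
        self.classify = classify              # callable(VNs) -> True if normal
        self.rdh = {}                         # source address -> RDH
        self.cache = set()                    # (src_add, broadcast_id) handled

    def on_rreq(self, src_add, broadcast_id, prev_hop, now):
        if (src_add, broadcast_id) in self.cache:
            return "drop-duplicate"
        hist = self.rdh.setdefault(src_add, RouteDiscoveryHistory(self.m))
        hist.on_rreq(now)
        # Step A: only a neighbor of the source runs the check, and only once
        # VNs is full. Assumption: "neighbor" means the preceding hop is NS.
        if prev_hop == src_add and hist.is_full():
            if not self.classify(hist.vector()):
                return "drop-malicious"
        # Step B: cache the RREQ, then reply or rebroadcast as in AODV.
        self.cache.add((src_add, broadcast_id))
        return "accept"


def replay_example3(m):
    """Example 3 with constructed times p1..p8 (seconds)."""
    p = [1.0, 2.5, 4.0, 6.0, 6.25, 6.5, 9.0, 9.25]
    h = RouteDiscoveryHistory(m)
    for t in p[0:4]:
        h.on_rreq(t)          # four RREQs at p1..p4
    h.on_rrep(p[4])           # e4 = p5
    h.on_rrep(p[5])           # e4 = p6
    h.on_rreq(p[6])           # fifth RREQ: s5 = e5 = p7
    h.on_rrep(p[7])           # e5 = p8
    return h


def flood_demo(m=5, rreqs=8, interval=0.05):
    """Constructed flood: one RREQ every 0.05 s (20 packets per second)."""
    # Stand-in classifier (not FADA's kNN): normal if the mean gap is >= 1 s.
    node = FaprpNode(m, classify=lambda v: sum(v) / len(v) >= 1.0)
    return [node.on_rreq("M", i, "M", i * interval) for i in range(rreqs)]


if __name__ == "__main__":
    print(replay_example3(m=10).vector())
    print(flood_demo())
```

With m = 5 the first five flooded RREQs are accepted because VNs is not yet full, so the vector size also sets how many RREQs a new source can send before the check applies.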
4. Performance Evaluation by Simulation
In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.
4.1. Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.
The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0 and
Table 3: Simulation parameters.

| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m²) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1-10, 1-20, and 1-30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |

Figure 10: Malicious nodes location in the 1000 m x 1000 m area. (a) 1 node, at (500, 500). (b) 2 nodes, at (500, 700) and (500, 300).
the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].
(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true: the packets come from normal nodes. AF is the number of RREQ packets that are accepted false: the packets come from malicious nodes. DT is the number of RREQ packets that are dropped true: the packets come from malicious nodes. DF is the number of RREQ packets that are dropped false: the packets come from normal nodes.

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \qquad (4)$$

(ii) Packet delivery ratio (PDR) is the ratio of the received packets by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} DATA_{i}^{received}}{\sum_{j=1}^{m} DATA_{j}^{sent}} \times 100 \qquad (5)$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay_{i}^{DATA}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} Delay_{i}^{DATA}}{n} \qquad (6)$$

(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to the successfully delivered data packets (7), where n is the number of data
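Table 4: AODV performances under flooding attacks.

| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10 pkt/s | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10 pkt/s | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20 pkt/s | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20 pkt/s | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |

Standard deviation values:

| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10 pkt/s | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10 pkt/s | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20 pkt/s | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20 pkt/s | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |
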
packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET_{j}^{overhead}}{\sum_{i=1}^{n} DATA_{i}^{received}} \qquad (7)$$
4.2. Simulation Results
4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.
Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that without flooding attack the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.
The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN data mining algorithm, our method achieves much higher malicious nodes detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value
Figure 11: AODV performance under RREQ flooding attacks. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt). Each panel is plotted against mobility speed (m/s) for the series Normal, 1MN-10pkts, 1MN-20pkts, 2MN-10pkts, and 2MN-20pkts.
(k) is 25 and vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation), and 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47% standard deviation). Under flooding scenarios, FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes, 2.73% maximum standard deviation. In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios the average end-to-end delay is about 1.091 s. Under flooding scenarios, B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding
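Table 5: AODV, B-AODV, and FAPRP performances.

| Speed | MN | PDR (%) AODV | PDR (%) BAODV | PDR (%) FAPRP | RL (pkt) AODV | RL (pkt) BAODV | RL (pkt) FAPRP | ETE (sec) AODV | ETE (sec) BAODV | ETE (sec) FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10 m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10 m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20 m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20 m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20 m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30 m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30 m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30 m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |
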
Figure 12: Malicious nodes successful detection ratio (%) versus size of vector (m), for k = 10, 15, 20, 25, 30, 35, 40, 45, and 50. (a) 1-10 m/s mobility speed. (b) 1-20 m/s mobility speed. (c) 1-30 m/s mobility speed. (d) Average of mobility speed.
Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt). Each panel is plotted against the number of malicious nodes (0, 1, 2) for AODV, BAODV, and FAPRP at 1-10 m/s, 1-20 m/s, and 1-30 m/s.
attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkt and 670.06 pkt for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios the routing load is about 3.37 pkt. B-AODV average routing load in attacks state is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for normal scenario and high mobility speed is about 5.61 pkt. Under flooding attacks, FAPRP average routing load is about 6.99 pkt and 8.28 pkt when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistake detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion
In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network
performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to AODV and B-AODV protocols.
In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials
We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows: (1) aodv_cc.rar: source code of AODV routing protocol for simulation in NS2.35; (2) fdaodv_cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35; (3) baodv_cc.rar: source code of BAODV routing protocol for simulation in NS2.35; (4) fdbaodv_cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35; (5) faprp_cc.rar: source code of FAPRP routing protocol for simulation in NS2.35; (6) fdfaprp_cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35; (7) scen.rar: 15 network topologies for simulation; (8) TCL.rar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation; (9) DATA.rar: all simulation data; (10) Figures.rar: all scripts (gnuplot) to create the figures in the paper. (Supplementary Materials)
References
[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, “An overview of mobile ad hoc networks: Applications and challenges,” Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA ’99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, “Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers,” in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM ’94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, “The Zone Routing Protocol (ZRP) for Ad Hoc Networks,” INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, “A survey on routing algorithms for wireless Ad-Hoc and mesh networks,” Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, “Security in wireless ad-hoc networks - A survey,” Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, “A survey of intrusion detection in wireless network applications,” Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, “A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks,” Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, “An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks,” Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, “A novel approach for mitigating gray hole attack in MANET,” Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, “Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network,” International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, “MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network,” Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, “Resisting flooding attacks in ad hoc networks,” in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, “Malicious AODV: Implementation and analysis of routing attacks in MANETs,” in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., “A distributed security scheme for ad hoc networks,” The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, “Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks,” in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, “Flooding attack and defence in ad hoc networks,” Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, “Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network,” Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, “A novel approach for mitigating route request flooding attack in MANET,” Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, “SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network,” Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, “Detection and prevention of flooding attack using SVM,” in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, “A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network,” Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns/.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, “Modified K-NN algorithm for classification problems with improved accuracy,” International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, “Random waypoint considered harmful,” in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM ’03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, “A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET,” Wireless Networks, pp. 1–11, 2017.
Figure 3: Route discovery history recorded at normal node (A). (a) Route discovery history of normal node (C). (b) Route discovery history of malicious node (M).
Figure 4: An example describes vectors of route discovery frequency of 5 normal nodes (N1 to N5) and 5 malicious nodes (M1 to M5). Axes: size of vector (m) versus inter-route discovery time (sec).
region is when a malicious node floods the network at a frequency close to the rate at which a normal node can generate RREQs. As demonstrated in Section 4, our proposed algorithm successfully recognizes these abnormal cases based on the route discovery frequency feature.
3.2. Algorithm for Obtaining a Training Dataset. We use NS2 [23] version 2.35 to build a training dataset of NVC (normal) and MVC (malicious) vector classes. The simulation scenario is set up with 100 normal nodes and 1 malicious node operated in the area of 2000 m x 2000 m. Normal nodes move under the random waypoint model with maximum speeds of 0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s scenarios; a malicious node is positioned at the center (1000 m x 1000 m) as shown in Figure 5. Other simulation parameters include AODV routing protocol, 50 UDP connections, and constant bit rate (CBR) traffic type; the first data source commences at time 0, other data sources commence at 5 seconds apart after the first, and the malicious node, respectively, floods f packets every second (f may take on different values: 2, 5, 10, 50, and 100).
The training process proceeds as follows.
Step 1. Select the dimension or size (m) of the feature vectors.
Step 2. Set the frequency of flooding to 2 initially (f = 2 per second).
Step 3. For each of the mobile scenarios (0 m/s, 10 m/s, 20 m/s, 30 m/s, and 40 m/s), simulate the MANET as follows. Each node records the inter-route time of a source node (Ti) on receiving a RREQ from the source node. Add Ti to the malicious history frequency vector if the source is malicious; otherwise it is added to the normal history frequency vector. At the end of this step, for each scenario, two sets of vectors are established:
(i) 100 malicious vectors $V_j^M(T_1^M, T_2^M, T_3^M, \ldots, T_m^M),\ \forall j = 1..100$
(ii) 100 normal vectors $V_j\left(\frac{\sum_{i=1}^{50} T_1^i}{50}, \frac{\sum_{i=1}^{50} T_2^i}{50}, \frac{\sum_{i=1}^{50} T_3^i}{50}, \ldots, \frac{\sum_{i=1}^{50} T_m^i}{50}\right),\ \forall j = 1..100$
Step 4. At the end of Step 3, for all 5 scenarios, 100 average vectors for MVC and 100 vectors for NVC are obtained for this particular flooding frequency (f = 2).
Figure 5: Static network topology simulation for training, 50 UDP connections, and malicious node positioned at the square in the center.
Figure 6: Two vector classes, black (+) for NVC and red (Δ) for MVC. Axes: size of vector (m), 1 to 60, versus inter-route discovery time (sec).
Step 5. The algorithm continues to establish MVC vectors and NVC vectors for other flooding frequencies (f = 5, 10, 50, and 100).
As a result of the training process, a training dataset with MVC and NVC vectors is shown in Figure 6. The training dataset is used to classify an unknown sample vector V (in the next section). In Figure 6, each vector is of size 60. It can be seen that there is an overlap between the two classes due to node mobility as well as the closeness of the rate of generation of RREQ packets of malicious and normal nodes.
3.3. Flooding Attack Detection Algorithm (FADA). All normal nodes collect route discovery information of source nodes in the network. On receiving a RREQ packet, a node employs the route discovery frequency vector (VNs) and uses a machine learning algorithm to determine if the source node is normal or malicious. The kNN-Classifier, based on the kNN [24] algorithm, is utilized to classify the two classes based on the route discovery frequency vectors for NVC or MVC. The kNN algorithm is theoretically mature, has low complexity, and is widely used for data mining. The main idea is that if most of its k-nearest neighbors belong to a class, the sample belongs to the same class. In kNN, the nearest neighbor refers to the distance between two samples, and various distance metrics can be used based on the feature vector that represents the samples. One of the most popular choices is the Euclidean distance in (3) to calculate the distance between V1 and V2. Algorithm 1 describes our algorithm for recognizing malicious nodes.

$$d(V_1, V_2) = \sqrt{\sum_{i=1}^{m} \left(V_1[i] - V_2[i]\right)^2} \qquad (3)$$
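Algorithm 1 and the distance in (3), written out as runnable Python; this is an added example, not the authors' NS2 implementation. The training vectors are constructed for the demonstration, the function names are chosen here, and the bounds checks in the merge loop are an addition that the printed pseudocode does not specify.

```python
import math


def euclidean(v1, v2):
    """Equation (3): Euclidean distance between two feature vectors."""
    if len(v1) != len(v2):
        raise ValueError("feature vectors must have the same size m")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v1, v2)))


def fada_is_normal(v_ns, nvc_vectors, mvc_vectors, k):
    """Algorithm 1: True if VNs falls in NVC, False if it falls in MVC."""
    if not 1 <= k <= len(nvc_vectors) + len(mvc_vectors):
        raise ValueError("k must be between 1 and the number of training vectors")
    dis_nvc = sorted(euclidean(v_ns, v) for v in nvc_vectors)
    dis_mvc = sorted(euclidean(v_ns, v) for v in mvc_vectors)
    k1 = k2 = 0      # neighbors taken from NVC / MVC so far
    while k1 + k2 < k:
        # Merge step over the two sorted distance lists. The "left" checks
        # cover the case where one class runs out before k neighbors are found.
        nvc_left = k1 < len(dis_nvc)
        mvc_left = k2 < len(dis_mvc)
        if nvc_left and (not mvc_left or dis_nvc[k1] < dis_mvc[k2]):
            k1 += 1
        else:
            k2 += 1  # equal distances count toward MVC (strict "<" above)
    return k1 > k2   # a k1 == k2 tie (even k) is classified as malicious


def constructed_training_set(m):
    """Constructed data, not the paper's NS2 traces: 20 vectors per class."""
    # Normal nodes: several seconds between route discoveries.
    nvc = [[4.0 + 0.1 * j + 0.2 * (i % 3) for i in range(m)] for j in range(20)]
    # Flooders at f = 2, 5, 10, 50, 100 RREQ/s: gaps near 1/f seconds.
    mvc = [[1.0 / f + 0.01 * r] * m for f in (2, 5, 10, 50, 100) for r in range(4)]
    return nvc, mvc


if __name__ == "__main__":
    m, k = 10, 15
    nvc, mvc = constructed_training_set(m)
    print("20 pkt/s flooder normal?", fada_is_normal([0.05] * m, nvc, mvc, k))
    print("5 s gaps normal?", fada_is_normal([5.0] * m, nvc, mvc, k))
    # Tie handling: the nearest neighbor is normal, yet k = 2 splits 1:1.
    print("k=1:", fada_is_normal([1.5], [[1.0]], [[3.0]], 1))
    print("k=2:", fada_is_normal([1.5], [[1.0]], [[3.0]], 2))
```

Because a 1:1 split and equal distances both resolve toward MVC, an even k biases the classifier toward dropping RREQs from normal nodes; an odd k avoids the split.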
3.4. FAPRP: A Novel Flooding Attacks Prevention Routing Protocol. In the original AODV protocol, as intermediate nodes accept all RREQ route discovery packets from any source nodes, hackers may exploit this vulnerability to perform RREQ flooding attacks. We propose the flooding attacks prevention routing protocol by introducing the flooding attacks detection algorithm into the route request phase of the AODV protocol, as described in Figure 7. Similar to AODV, path discovery is entirely on-demand for FAPRP. When a
Input: Two classes NVC and MVC; vector of route discovery frequency (VNs)
Output: True if VNs in NVC, else return False
Begin
    MAX_VECTOR = 500
    Double Array disMVC[MAX_VECTOR], disNVC[MAX_VECTOR]
    // Arrays are indexed from 0 so that the merge loop below starts at the nearest vector
    For int vt = 0 to MAX_VECTOR - 1 do
        disMVC[vt] = Euclidean(VNs, MVCVectors[vt])
        disNVC[vt] = Euclidean(VNs, NVCVectors[vt])
    Sort(disMVC and disNVC, ASC)    // ascending sort
    int k1 = k2 = 0
    While (k1 + k2 < k)
        if (disNVC[k1] < disMVC[k2]) k1++
        else k2++
    Return (k1 > k2)
End
Algorithm 1: Flooding attack detection algorithm using kNN.
source node needs to send data packets to a destination nodeto which it has no available route NS broadcasts a RREQpacket to its neighborsThe intermediate node (Ni) receivinga RREQ packet from a preceding node (Nj) checks securityas follows
First duplicate RREQ packets received by a node aredropped similar to the AODV protocol Ni may receivemultiple RREQ packets coming from its neighboring nodesbut it only handles the first RREQ packet using the twoparameters broadcast id and src add (source address) in theRREQ packet
Second unlike AODV routing protocol Ni adds theinformation (si and ei) to the route discovery history (RDH)of the source node Each intermediate node stores the routediscovery counter of all source nodes If the value of theCounters[NS] equals x the source nodeNS has initiated routediscovery x times to this point If the route history is full Nishifts all elements of RDH one position to the left and addsthe new element (si ei) to the rightmost position
In MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in the FAPRP routing protocol only the source node's neighbor nodes deploy the FADA algorithm to detect RREQ flooding attacks. Ni uses the source node address and the preceding node address to determine if it is a neighbor of the source NS. On receiving RREQ packets, the protocol works as follows.
Step A. If Ni is a neighbor of the source node NS:
(i) Ni measures all Ti values in VNs using the RDH of the source node.
(ii) If the route discovery frequency vector of the source node (VNs) is not full, Ni ignores the security check and goes to Step B.
(iii) Else, Ni uses FADA to classify NS using its feature vector VNs:
(a) If VNs is in MVC, the source node is classified as malicious, the RREQ packet is dropped, and the algorithm terminates.
(b) Else, go to Step B.
Step B. If Ni is not a neighbor of NS, it executes other commands similar to AODV, as follows:
(i) Ni saves the broadcast_id and src_add values into its cache and adds a reverse route to the source node into its routing table.
(ii) If Ni is the destination or has a route toward the destination, it unicasts a RREP packet back to the neighbor from which it received the RREQ packet (Nj); otherwise, it rebroadcasts the RREQ packet.
When the destination node gets a RREQ, it updates the time instance ei in the RDH of the source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, Ni assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates ei in the RDH of the source node; that is, it sets i=Counters[NS]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
Example 2. Figure 8 describes how an intermediate node (Ni) handles the RREQ and RREP packets. First, on receiving the RREQ packet at time p1, Ni increases Counters[NS] to 1 (Counters[NS]=1) and records s1=e1=p1. Second, on receiving the RREP packet at time p2, Ni updates e1=p2. Next, at time p3, Ni receives the RREQ packet, increases Counters[NS] by 1 (Counters[NS]=2), and records s2=e2=p3. Similarly, at time p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3=e3=p4. Finally, Ni records the RREP at time p5 and updates e3=p5. Because p1<p2<p3<p4<p5, Ti > 0 for all i = 1..2.

Figure 7: Request route process of FAPRP routing protocol.

Figure 8: Route discovery history of the source node and 1 destination node.

Figure 9: Route discovery history of a source and 3 destination nodes. (a) Ni receives 4 RREQ packets. (b) Ni receives 2 RREP packets. (c) Ni receives a RREQ and a RREP packet.

3.5. Discussion. RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQ and does not care about the destinations.
Example 3. Consider a network topology with n nodes, including one source node NS and three destination nodes ND1, ND2, and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2, and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost and Ni received only 4 RREQ packets, at p1, p2, p3, and p4, respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.
After p4, Ni receives two RREP response packets to the source, at p5 and p6. When receiving the RREP at time p5, Ni updates e4=p5, and Ni continues to update e4=p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving the two RREP packets.
Finally, Ni receives another RREQ packet from NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS]=5) and sets s5=e5=p7, and on receiving the last RREP packet, Ni updates e5=p8. Figure 9(c) shows the RDH of the NS source node at p8.
Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
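The RDH bookkeeping of Section 3.4 and the FADA check of Algorithm 1, as an added Python example (not the authors' NS2 code). It assumes Ti = s(i+1) - ei, because the definition of Ti lies outside this section; the class and function names, the neighbor_of_source flag, the training vectors, and the values m = 4 and k = 3 are constructed for illustration.

```python
import math
from collections import deque

def euclidean(v1, v2):
    """Equation (3): Euclidean distance between two feature vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(v1, v2)))

def fada_is_normal(v_ns, nvc, mvc, k):
    """Algorithm 1: walk both sorted distance lists, taking the k nearest
    training vectors overall; True when most of them belong to NVC."""
    d_nvc = sorted(euclidean(v_ns, t) for t in nvc)
    d_mvc = sorted(euclidean(v_ns, t) for t in mvc)
    k = min(k, len(d_nvc) + len(d_mvc))      # guard: never read past both lists
    k1 = k2 = 0
    while k1 + k2 < k:
        nvc_left, mvc_left = k1 < len(d_nvc), k2 < len(d_mvc)
        # Strict '<' as in Algorithm 1, so a distance tie counts toward MVC.
        if nvc_left and (not mvc_left or d_nvc[k1] < d_mvc[k2]):
            k1 += 1
        else:
            k2 += 1
    return k1 > k2

class RouteDiscoveryHistory:
    """RDH and Counters[NS] that Ni keeps for one source node."""
    def __init__(self, m):
        self.m = m
        self.counter = 0
        # m gaps need m + 1 (s_i, e_i) pairs; a full deque drops its leftmost
        # element on append, which is the shift-left step of the protocol.
        self.entries = deque(maxlen=m + 1)

    def on_rreq(self, now):
        self.counter += 1
        self.entries.append([now, now])      # s_i = e_i = now

    def on_rrep(self, now):
        if self.entries:
            self.entries[-1][1] = now        # i = Counters[NS]: last discovery

    def vector(self):
        """V_NS = [T_1..T_m], or None while the vector is not full.
        ASSUMPTION (not defined in this section): T_i = s_(i+1) - e_i."""
        if len(self.entries) < self.m + 1:
            return None
        e = list(self.entries)
        return [e[i + 1][0] - e[i][1] for i in range(self.m)]

class IntermediateNode:
    def __init__(self, nvc, mvc, m, k):
        self.nvc, self.mvc, self.m, self.k = nvc, mvc, m, k
        self.rdh = {}        # source address -> RouteDiscoveryHistory
        self.cache = set()   # (src_add, broadcast_id) already handled

    def handle_rreq(self, src_add, broadcast_id, now, neighbor_of_source=True):
        if (src_add, broadcast_id) in self.cache:
            return "drop-duplicate"
        hist = self.rdh.setdefault(src_add, RouteDiscoveryHistory(self.m))
        hist.on_rreq(now)
        if neighbor_of_source:                               # Step A
            v_ns = hist.vector()
            if v_ns is not None and not fada_is_normal(v_ns, self.nvc, self.mvc, self.k):
                return "drop-malicious"
        self.cache.add((src_add, broadcast_id))              # Step B (i)
        return "accept"      # Step B (ii): reply with RREP or rebroadcast

    def handle_rrep(self, src_add, now):
        if src_add in self.rdh:
            self.rdh[src_add].on_rrep(now)

# Constructed training vectors (m = 4, seconds between route discoveries).
NVC = [[5, 6, 7, 5], [8, 4, 6, 9], [6, 6, 5, 7], [10, 12, 9, 11]]
MVC = [[0.1, 0.1, 0.1, 0.1], [0.05, 0.05, 0.05, 0.05],
       [0.2, 0.1, 0.2, 0.1], [0.1, 0.05, 0.1, 0.05]]

def run_demo():
    ni = IntermediateNode(NVC, MVC, m=4, k=3)
    normal = []
    timeline = [(0, 0.4), (6, 6.3), (13, 13.5), (19, 19.2), (27, 27.4)]
    for bid, (t_req, t_rep) in enumerate(timeline):
        normal.append(ni.handle_rreq("NS", bid, t_req))
        ni.handle_rrep("NS", t_rep)
    # Flooder: 10 RREQ/s to nonexistent destinations, so no RREP ever returns.
    flood = [ni.handle_rreq("M", bid, bid * 0.1) for bid in range(7)]
    return normal, flood, ni

if __name__ == "__main__":
    normal, flood, _ = run_demo()
    print("normal :", normal)
    print("flooder:", flood)
```

The flooder's first four RREQs pass because its vector is not yet full (Step A (ii)); from the fifth on, every request is classified against the training set and dropped.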
4. Performance Evaluation by Simulation

In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.
4.1. Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.

The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s, while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0, and the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.

Table 3: Simulation parameters.

| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m2) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1-10, 1-20, and 1-30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |

Figure 10: Malicious nodes location in the 1000 m x 1000 m area. (a) 1 node, at (500, 500). (b) 2 nodes, at (500, 700) and (500, 300).
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].
(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true (the packets come from normal nodes). AF is the number of RREQ packets that are accepted false (the packets come from malicious nodes). DT is the number of RREQ packets that are dropped true (the packets come from malicious nodes). DF is the number of RREQ packets that are dropped false (the packets come from normal nodes).

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \qquad (4)$$

(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} DATA_{i}^{received}}{\sum_{j=1}^{m} DATA_{j}^{sent}} \times 100 \qquad (5)$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay_{i}^{DATA}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} Delay_{i}^{DATA}}{n} \qquad (6)$$

(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET_{j}^{overhead}}{\sum_{i=1}^{n} DATA_{i}^{received}} \qquad (7)$$

Table 4: AODV performances under flooding attacks.

| Level | Number of MN | PDR (%) 10m/s | PDR (%) 20m/s | PDR (%) 30m/s | RL (pkt) 10m/s | RL (pkt) 20m/s | RL (pkt) 30m/s | ETE (sec) 10m/s | ETE (sec) 20m/s | ETE (sec) 30m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0pkt/s | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10pkt/s | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10pkt/s | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20pkt/s | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20pkt/s | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |
| Standard deviation values | | | | | | | | | | |
| 0pkt/s | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10pkt/s | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10pkt/s | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20pkt/s | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20pkt/s | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |
4.2. Simulation Results

4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.

Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that, without flooding attack, the AODV packet delivery ratio is above 82.10% (1.77 standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25 standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506s before the attack to 1.032s after the attack for the 10m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627s before the attack to 4.973s after the attack for the 30m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92pkt before the attack to 25.45pkt after the attack for the 10m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02pkt before the attack to 898.82pkt after the attack for the 30m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10m/s, 20m/s, and 30m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.

The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious nodes detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and the RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and the vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10m/s, 20m/s, and 30m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.

Figure 11: AODV performance under RREQ flooding attacks, plotted against mobility speed (m/s) for the Normal, 1MN-10pkt/s, 1MN-20pkt/s, 2MN-10pkt/s, and 2MN-20pkt/s cases. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt).
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio over the mobility speeds for AODV is about 84.35% (1.86 standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18 standard deviation), and 10.69% for two malicious nodes (0.9 standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios the average packet delivery ratio is about 58.68% (3.16 standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47 standard deviation). Under flooding scenarios, FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes (2.73 maximum standard deviation). In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks, with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569s under normal scenarios. The end-to-end delays are about 3.121s and 3.864s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios the average end-to-end delay is about 1.091s. Under flooding scenarios, B-AODV end-to-end delay is about 1.056s with one malicious node and 1.145s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668s and 0.692s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.

Table 5: AODV, B-AODV, and FAPRP performances.

| Speed | MN | PDR (%) AODV | PDR (%) BAODV | PDR (%) FAPRP | RL (pkt) AODV | RL (pkt) BAODV | RL (pkt) FAPRP | ETE (sec) AODV | ETE (sec) BAODV | ETE (sec) FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation values | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation values | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation values | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |

Figure 12: Malicious nodes successful detection ratio (%) against size of vector (m), for k = 10 to 50. (a) 1-10m/s mobility speed. (b) 1-20m/s mobility speed. (c) 1-30m/s mobility speed. (d) Average of mobility speed.

Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks, plotted against the number of malicious nodes for the 1-10m/s, 1-20m/s, and 1-30m/s mobility speeds. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt).
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89pkt in the absence of a malicious node. The routing loads are about 180.2pkts and 670.06pkts for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios the routing load is about 3.37pkt. B-AODV average routing load in the attack state is about 4.54pkt when the intruder uses one malicious node and 6.44pkt for two malicious nodes. For our proposed solution, the routing load for the normal scenario and high mobility speed is about 5.61pkt. Under flooding attacks, FAPRP average routing load is about 6.99pkts and 8.28pkts when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistake detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios, due to its high correct detection rate and low mistake rate.
5. Conclusion

In this paper, we introduced the flooding attack detection algorithm, based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm, to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to AODV and B-AODV protocols.

In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials

We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:
1. aodv cc.rar: source code of AODV routing protocol for simulation in NS2.35.
2. fdaodv cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
3. baodv cc.rar: source code of BAODV routing protocol for simulation in NS2.35.
4. fdbaodv cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
5. faprp cc.rar: source code of FAPRP routing protocol for simulation in NS2.35.
6. fdfaprp cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
7. scen.rar: 15 network topologies for simulation.
8. TCL.rar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation.
9. DATA.rar: all simulation data.
10. Figures.rar: all scripts (gnuplot) to create the figures in the paper.
(Supplementary Materials)
References

[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, "An overview of mobile ad hoc networks: Applications and challenges," Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, "Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers," in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, "The Zone Routing Protocol (ZRP) for Ad Hoc Networks," INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, "A survey on routing algorithms for wireless Ad-Hoc and mesh networks," Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, "Security in wireless ad-hoc networks - A survey," Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, "A survey of intrusion detection in wireless network applications," Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, "A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks," Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1–11, 2017.
Figure 5: Static network topology simulation for training: 50 UDP connections and malicious node positioned at the square in the center.

Figure 6: Two vectors class: black (+) for NVC and red (Δ) for MVC. Axes: size of vector (m), 1 to 60, against inter-route discovery time (sec).
Step 5. The algorithm continues to establish MVC vectors and NVC vectors for other flooding frequencies (f = 5, 10, 50, and 100).

As a result of the training process, a training dataset with MVC and NVC vectors is shown in Figure 6. The training dataset is used to classify an unknown sample vector V (in the next section). In Figure 6, each vector is of size 60. It can be seen that there is an overlap between the two classes due to node mobility as well as the closeness of the rate of generation of RREQ packets of malicious and normal nodes.
3.3. Flooding Attack Detection Algorithm (FADA). All normal nodes collect route discovery information of source nodes in the network. On receiving a RREQ packet, a node employs the route discovery frequency vector (VNs) and uses a machine learning algorithm to determine if the source node is normal or malicious. The kNN-Classifier, based on the kNN [24] algorithm, is utilized to classify the two classes based on the route discovery frequency vectors for NVC or MVC. The kNN algorithm is theoretically mature, has low complexity, and is widely used for data mining. The main idea is that if most of a sample's k nearest neighbors belong to a class, the sample belongs to the same class. In kNN, the nearest neighbor refers to the distance between two samples, and various distance metrics can be used based on the feature vector that represents the samples. One of the most popular choices is the Euclidean distance in (3), used to calculate the distance between V1 and V2. Algorithm 1 describes our algorithm for recognizing malicious nodes.

$$d(V_1, V_2) = \sqrt{\sum_{i=1}^{m} \left(V_1[i] - V_2[i]\right)^2} \qquad (3)$$
Algorithm 1: Flooding attack detection algorithm using kNN.

    Input: Two classes NVC and MVC; vector of route discovery frequency (VNs)
    Output: True if VNs in NVC, else return False
    Begin
        MAX_VECTOR = 500
        Double Array disMVC[MAX_VECTOR], disNVC[MAX_VECTOR]
        For int vt = 1 to MAX_VECTOR do
            disMVC[vt] = Euclidean(VNs, MVCVectors[vt])
            disNVC[vt] = Euclidean(VNs, NVCVectors[vt])
        Sort(disMVC and disNVC, ASC)    // ascending sort
        int k1 = k2 = 0
        While (k1 + k2 < k)
            if (disNVC[k1] < disMVC[k2]) k1++
            else k2++
        Return (k1 > k2)
    End

3.4. FAPRP: A Novel Flooding Attacks Prevention Routing Protocol

In the original AODV protocol, as intermediate nodes accept all RREQ route discovery packets from any source nodes, hackers may exploit this vulnerability to perform RREQ flooding attacks. We propose the flooding attacks prevention routing protocol by introducing the flooding attacks detection algorithm into the route request phase of the AODV protocol, as described in Figure 7. Similar to AODV, path discovery is entirely on-demand for FAPRP. When a source node needs to send data packets to a destination node to which it has no available route, NS broadcasts a RREQ packet to its neighbors. The intermediate node (Ni) receiving a RREQ packet from a preceding node (Nj) checks security as follows.
First, duplicate RREQ packets received by a node are dropped, similar to the AODV protocol. Ni may receive multiple RREQ packets coming from its neighboring nodes, but it only handles the first RREQ packet, using the two parameters broadcast_id and src_add (source address) in the RREQ packet.

Second, unlike the AODV routing protocol, Ni adds the information (si and ei) to the route discovery history (RDH) of the source node. Each intermediate node stores the route discovery counter of all source nodes. If the value of Counters[NS] equals x, the source node NS has initiated route discovery x times to this point. If the route history is full, Ni shifts all elements of RDH one position to the left and adds the new element (si, ei) to the rightmost position.

In MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in the FAPRP routing protocol, only the source node's neighbor nodes deploy the FADA algorithm to detect RREQ flooding attacks. Ni uses the source node address and the preceding node address to determine if it is a neighbor of the source NS. On receiving RREQ packets, the protocol works as follows.

Step A. If Ni is a neighbor of the source node NS:

(i) Ni measures all Ti values in VNs using the RDH of the source node.
(ii) If the route discovery frequency vector of the source node (VNs) is not full, Ni ignores the security check and goes to Step B.
(iii) Else, Ni uses FADA to classify NS using its feature vector VNs.
    (a) If VNs is in MVC, the source node is classified malicious, the RREQ packet is dropped, and the algorithm terminates.
    (b) Else, go to Step B.

Step B. If Ni is not a neighbor of NS, it executes other commands similar to AODV, as follows:

(i) Ni saves the broadcast_id and src_add values into its cache and adds a reverse route to the source node into its routing table.
(ii) If Ni is the destination or has a route toward the destination, it unicasts a RREP packet back to its neighbor from which it received the RREQ packet (Nj); otherwise, it rebroadcasts the RREQ packet.

When the destination node gets a RREQ, it updates the time instance ei in the RDH of the source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, Ni assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates ei in the RDH of the source node; that is, it sets i=Counters[NS]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
Figure 7: Request route process of FAPRP routing protocol.

Example 2. Figure 8 describes how an intermediate node (Ni) handles the RREQ and RREP packets. First, on receiving a RREQ packet at time p1, Ni increases Counters[NS] to 1 (Counters[NS]=1) and records s1=e1=p1. Second, on receiving the RREP packet at time p2, Ni updates e1=p2. Next, at time p3, Ni receives the RREQ packet, increases Counters[NS] by 1 (Counters[NS]=2), and records s2=e2=p3. Similarly, at time p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3=e3=p4. Finally, Ni records the RREP at time p5 and updates e3=p5. Because p1<p2<p3<p4<p5, Ti > 0 for all i = 1, 2.

Figure 8: Route discovery history of the source node and 1 destination node.

3.5. Discussion

RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQ and does not care about the destinations.

Figure 9: Route discovery history of a source and 3 destination nodes. (a) Ni receives 4 RREQ packets. (b) Ni receives 2 RREP packets. (c) Ni receives a RREQ and a RREP packet.
Example 3. Consider a network topology with n nodes consisting of one source node NS and three destination nodes ND1, ND2, and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2, and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost, and Ni received only 4 RREQ packets, at p1, p2, p3, and p4, respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.

After p4, Ni receives two RREP response packets to the source, at p5 and p6. When receiving the RREP at time p5, Ni updates e4=p5, and Ni continues to update e4=p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving two RREP packets.

Finally, Ni receives another RREQ packet from NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS]=5) and sets s5=e5=p7, and on receiving the last RREP packet, Ni updates e5=p8. Figure 9(c) shows the RDH of the NS source node at p8.

Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
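The RDH bookkeeping of Section 3.4, replayed on the packet sequences of Examples 2 and 3, as an added Python example (not the authors' NS2 code). Two points are assumptions made here: the interval is taken as T_i = s_(i+1) - e_i, which is how Figures 8 and 9 read, and the history is sized to hold m + 1 entries for a vector of size m; the times p1..p8 are replaced by the integers 1..8.

```python
from collections import deque


class RouteDiscoveryHistory:
    """RDH that an intermediate node Ni keeps for one source node NS."""

    def __init__(self, vector_size):
        # Assumption: m intervals T_1..T_m need m + 1 (s_i, e_i) entries.
        self.capacity = vector_size + 1
        # deque(maxlen=...) drops the oldest entry on append, which is the
        # "shift left, add at the rightmost position" rule of Section 3.4.
        self.entries = deque(maxlen=self.capacity)
        self.counter = 0  # Counters[NS]

    def on_rreq(self, now):
        """First copy of a new RREQ from NS: open entry i with s_i = e_i = now."""
        self.counter += 1
        self.entries.append([now, now])

    def on_rrep(self, now):
        """RREP toward NS: credited to the last discovery, i = Counters[NS]."""
        if self.entries:
            self.entries[-1][1] = now

    def is_full(self):
        """Step A(ii): FADA runs only once VNs is full."""
        return len(self.entries) == self.capacity

    def frequency_vector(self):
        """VNs under the assumption T_i = s_(i+1) - e_i."""
        e = list(self.entries)
        return [e[i + 1][0] - e[i][1] for i in range(len(e) - 1)]


def replay(events, vector_size):
    """Feed (packet type, arrival time) pairs seen by Ni into a fresh RDH."""
    rdh = RouteDiscoveryHistory(vector_size)
    for kind, t in events:
        if kind == "RREQ":
            rdh.on_rreq(t)
        elif kind == "RREP":
            rdh.on_rrep(t)
        else:
            raise ValueError("unknown packet type: %r" % kind)
    return rdh


# Example 2: RREQ at p1, RREP at p2, RREQ at p3 and p4, RREP at p5.
EXAMPLE_2 = [("RREQ", 1), ("RREP", 2), ("RREQ", 3), ("RREQ", 4), ("RREP", 5)]
# Example 3: four RREQs, two RREPs, then one more RREQ and RREP.
EXAMPLE_3 = [("RREQ", 1), ("RREQ", 2), ("RREQ", 3), ("RREQ", 4),
             ("RREP", 5), ("RREP", 6), ("RREQ", 7), ("RREP", 8)]


def summarize(rdh):
    return {
        "counter": rdh.counter,
        "rdh": [tuple(x) for x in rdh.entries],
        "vns": rdh.frequency_vector(),
        "run_fada": rdh.is_full(),
    }


if __name__ == "__main__":
    print(summarize(replay(EXAMPLE_2, vector_size=60)))
    print(summarize(replay(EXAMPLE_3, vector_size=60)))
    # A tiny vector size shows the sliding window once the history is full.
    print(summarize(replay(EXAMPLE_3, vector_size=2)))
```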
4. Performance Evaluation by Simulation

In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.

4.1. Simulation Settings

Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.

The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s, while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0, and the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.

Table 3: Simulation parameters.

| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m²) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1-10, 1-20, and 1-30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |

Figure 10: Malicious nodes location in the 1000 m x 1000 m area. (a) 1 node, at (500, 500). (b) 2 nodes, at (500, 700) and (500, 300).
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].

(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true (the packets come from normal nodes). AF is the number of RREQ packets that are accepted false (the packets come from malicious nodes). DT is the number of RREQ packets that are dropped true (the packets come from malicious nodes). DF is the number of RREQ packets that are dropped false (the packets come from normal nodes).

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \ast 100 \tag{4}$$

(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} DATA_{i}^{received}}{\sum_{j=1}^{m} DATA_{j}^{sent}} \ast 100 \tag{5}$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay_{i}^{DATA}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} Delay_{i}^{DATA}}{n} \tag{6}$$

(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET_{j}^{overhead}}{\sum_{i=1}^{n} DATA_{i}^{received}} \tag{7}$$

Table 4: AODV performances under flooding attacks.

| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10 pkt/s | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10 pkt/s | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20 pkt/s | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20 pkt/s | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |
| Standard deviation values | | | | | | | | | | |
| 0 pkt/s | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10 pkt/s | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10 pkt/s | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20 pkt/s | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20 pkt/s | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |
4.2. Simulation Results

4.2.1. Effects of Flooding Attacks on the Original AODV Protocol

In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.

Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that, without flooding attack, the AODV packet delivery ratio is above 82.10% (1.77 standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio is reduced drastically to 12.06% (1.25 standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.

4.2.2. Flooding Attacks Detection Performance of FAPRP

In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.

The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious node detection ratios than those of existing algorithms, and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and the RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
Figure 11: AODV performance under RREQ flooding attacks. (a) Packet delivery ratio (%), (b) end-to-end delay (sec), and (c) routing load (pkt), each plotted against mobility speed (m/s) for the Normal, 1MN-10pkt/s, 1MN-20pkt/s, 2MN-10pkt/s, and 2MN-20pkt/s scenarios.

4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP

In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and the vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86 standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18 standard deviation), and it is 10.69% for two malicious nodes (0.9 standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios, the average packet delivery ratio is about 58.68% (3.16 standard deviation). In flooding scenarios, the B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47 standard deviation). Under flooding scenarios, the FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes, with 2.73 maximum standard deviation. In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks, with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, the B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and to B-AODV under both normal and flooding attack scenarios.

Table 5: AODV, B-AODV, and FAPRP performances.

| Speed | MN | PDR (%) AODV | PDR (%) BAODV | PDR (%) FAPRP | RL (pkt) AODV | RL (pkt) BAODV | RL (pkt) FAPRP | ETE (sec) AODV | ETE (sec) BAODV | ETE (sec) FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10 m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10 m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20 m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20 m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20 m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30 m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30 m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30 m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation values | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation values | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation values | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |

Figure 12: Malicious nodes successful detection ratio (%) versus size of vector (m), for cutoff values k = 10 to 50. (a) 1-10 m/s mobility speed. (b) 1-20 m/s mobility speed. (c) 1-30 m/s mobility speed. (d) Average of mobility speed.

Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks, versus number of malicious nodes. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt).
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkt and 670.06 pkt for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios, the routing load is about 3.37 pkt. The B-AODV average routing load under attack is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for the normal scenario and high mobility speed is about 5.61 pkt. Under flooding attacks, the FAPRP average routing load is about 6.99 pkt and 8.28 pkt when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion

In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves a higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and a lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to the AODV and B-AODV protocols.

In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62.48.01.01) supervised by the Hue University of Sciences, Hue University.

Supplementary Materials

We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:

1. aodv_cc.rar: source code of AODV routing protocol for simulation in NS2.35.
2. fdaodv_cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
3. baodv_cc.rar: source code of BAODV routing protocol for simulation in NS2.35.
4. fdbaodv_cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
5. faprp_cc.rar: source code of FAPRP routing protocol for simulation in NS2.35.
6. fdfaprp_cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
7. scen.rar: 15 network topologies for simulation.
8. TCL.rar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation.
9. DATA.rar: all simulation data.
10. Figures.rar: all scripts (gnuplot) to create the figures in the paper.

(Supplementary Materials)
References

[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, "An overview of mobile ad hoc networks: Applications and challenges," Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, "Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers," in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, "The Zone Routing Protocol (ZRP) for Ad Hoc Networks," INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, "A survey on routing algorithms for wireless Ad-Hoc and mesh networks," Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, "Security in wireless ad-hoc networks - A survey," Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, "A survey of intrusion detection in wireless network applications," Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, "A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks," Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns/.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1–11, 2017.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
8 Wireless Communications and Mobile Computing
Input Two class NVC and MVC vector of route discovery frequency (VNs)Output True if VNs in NVC else return FalseBegin
MAX VECTOR = 500Double Array disMVC [MAX VECTOR] disNVC [MAX VECTOR]For int vt = 1 to MAX VECTOR do disMVC[vt] = Euclidean (VNs MVCVectors[vt])disNVC[vt] = Euclidean (VNs NVCVectors[vt])
Sort (disMVC and disNVC ASC) ascending sortint k1 = k2 = 0While (k1 + k2 lt k)
if (disNVC[k1] lt disMVC[k2]) k1++else k2++
Return (k1 gt k2)End
Algorithm 1 Flooding attack detection algorithm using kNN
source node needs to send data packets to a destination node to which it has no available route, NS broadcasts a RREQ packet to its neighbors. The intermediate node (Ni) receiving a RREQ packet from a preceding node (Nj) checks security as follows.

First, duplicate RREQ packets received by a node are dropped, similar to the AODV protocol. Ni may receive multiple RREQ packets coming from its neighboring nodes, but it only handles the first RREQ packet, using the two parameters broadcast_id and src_add (source address) in the RREQ packet.

Second, unlike the AODV routing protocol, Ni adds the information (si and ei) to the route discovery history (RDH) of the source node. Each intermediate node stores the route discovery counter of all source nodes. If the value of Counters[NS] equals x, the source node NS has initiated route discovery x times to this point. If the route history is full, Ni shifts all elements of RDH one position to the left and adds the new element (si, ei) to the rightmost position.

In a MANET, a source node sends and receives packets through its neighbor nodes. If all neighbor nodes of the source node reject packets, it will be isolated and cannot communicate with the other nodes in its network [13]. For this reason, in the FAPRP routing protocol, only the source node's neighbor nodes deploy the FADA algorithm to detect RREQ flooding attacks. Ni uses the source node address and the preceding node address to determine if it is a neighbor of the source NS. On receiving RREQ packets, the protocol works as follows.
Step A. If Ni is a neighbor of the source node NS:

(i) Ni measures all Ti values in VNs using the RDH of the source node.
(ii) If the route discovery frequency vector of the source node (VNs) is not full, Ni ignores the security check and goes to Step B.
(iii) Else, Ni uses FADA to classify NS using its feature vector VNs:
    (a) If VNs is in MVC, the source node is classified as malicious, the RREQ packet is dropped, and the algorithm terminates.
    (b) Else, go to Step B.

Step B. If Ni is not a neighbor of NS, it executes other commands similar to AODV, as follows:

(i) Ni saves the broadcast_id and src_add values into its cache and adds a reverse route to the source node into its routing table.
(ii) If Ni is the destination or has a route toward the destination, it unicasts a RREP packet back to the neighbor from which it received the RREQ packet (Nj); otherwise, it rebroadcasts the RREQ packet.
When the destination node gets a RREQ, it updates the time instance ei in the RDH of the source node and unicasts a RREP packet to the source node through the reverse route. In the AODV protocol, there is no order information for the route response in the RREP packet. Therefore, Ni assumes that the RREP packet received is the response to the last route discovery. Thus, once the intermediate node receives an RREP packet, it updates ei in the RDH of the source node; that is, it sets i = Counters[NS]. It increases the hop count field by 1 before forwarding the RREP packet back to the source node.
Example 2. Figure 8 describes how an intermediate node (Ni) handles the RREQ and RREP packets. First, on receiving the RREQ packet at time p1, Ni increases Counters[NS] to 1 (Counters[NS]=1) and records s1=e1=p1. Second, on receiving the RREP packet at time p2, Ni updates e1=p2. Next, at time p3, Ni receives the RREQ packet, increases Counters[NS] by 1 (Counters[NS]=2), and records s2=e2=p3. Similarly, at time p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3=e3=p4. Finally, Ni records the RREP at time p5 and updates e3=p5. Because p1 < p2 < p3 < p4 < p5, Ti > 0 for all i = 1, 2.

Figure 7: Request route process of FAPRP routing protocol.

Figure 8: Route discovery history of the source node and 1 destination node.

Figure 9: Route discovery history of a source and 3 destination nodes. (a) Ni receives 4 RREQ packets. (b) Ni receives 2 RREP packets. (c) Ni receives a RREQ and a RREP packet.

3.5. Discussion. RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQs and does not care about the destinations.
Example 3. Consider a network topology with n nodes consisting of one source node NS and three destination nodes ND1, ND2, and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2, and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost and Ni received only 4 RREQ packets, at p1, p2, p3, and p4, respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.

After p4, Ni receives two RREP response packets to the source at p5 and p6. When receiving the RREP at time p5, Ni updates e4=p5, and Ni continues to update e4=p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving two RREP packets.

Finally, Ni receives another RREQ packet from NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS]=5) and sets s5=e5=p7, and on receiving the last RREP packet, Ni updates e5=p8. Figure 9(c) shows the RDH of the NS source node at p8.

Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
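The following Python sketch is an added example, not the authors' NS2 code: it replays the RDH bookkeeping of Examples 2 and 3 and the Step A / Step B gate, then applies the kNN vote of Algorithm 1. It assumes Ti = s(i+1) - ei, that a vector of size m needs m + 1 history entries, and a handful of constructed training vectors instead of the 500 per class in Algorithm 1; all class and function names are hypothetical.

```python
import math

# ASSUMPTION: T_i = s_(i+1) - e_i (gap between the end of discovery i and the
# start of discovery i+1), so a vector of m gaps needs m + 1 RDH entries.


class RouteDiscoveryHistory:
    """Sliding window of [s_i, e_i] pairs that Ni keeps for one source NS."""

    def __init__(self, m):
        self.m = m            # size of the route discovery frequency vector
        self.counter = 0      # Counters[NS]: discoveries seen so far
        self.entries = []     # oldest first

    def on_rreq(self, now):
        self.counter += 1
        if len(self.entries) == self.m + 1:
            self.entries.pop(0)            # shift left when the history is full
        self.entries.append([now, now])    # s_i = e_i = now

    def on_rrep(self, now):
        # AODV RREPs carry no discovery index: credit the latest discovery.
        if self.entries:
            self.entries[-1][1] = now

    def is_full(self):
        return len(self.entries) == self.m + 1

    def vector(self):
        pairs = zip(self.entries, self.entries[1:])
        return [nxt[0] - cur[1] for cur, nxt in pairs]


def knn_is_normal(v, nvc, mvc, k):
    """Algorithm 1 vote: True when more of the k nearest vectors are in NVC."""
    d_n = sorted(math.dist(v, x) for x in nvc)
    d_m = sorted(math.dist(v, x) for x in mvc)
    k = min(k, len(d_n) + len(d_m))        # never read past the training data
    k1 = k2 = 0
    while k1 + k2 < k:
        take_normal = k2 == len(d_m) or (k1 < len(d_n) and d_n[k1] < d_m[k2])
        if take_normal:
            k1 += 1
        else:
            k2 += 1
    return k1 > k2


class Neighbor:
    """Intermediate node Ni applying the duplicate check, Step A and Step B."""

    def __init__(self, m, k, nvc, mvc):
        self.m, self.k, self.nvc, self.mvc = m, k, nvc, mvc
        self.seen = set()      # (src_add, broadcast_id) cache
        self.rdh = {}          # src_add -> RouteDiscoveryHistory

    def on_rreq(self, src, broadcast_id, prev_hop, now):
        if (src, broadcast_id) in self.seen:
            return "drop-duplicate"
        self.seen.add((src, broadcast_id))
        hist = self.rdh.setdefault(src, RouteDiscoveryHistory(self.m))
        hist.on_rreq(now)
        # Step A runs only when the RREQ came straight from the source and
        # the frequency vector is full; otherwise fall through to Step B.
        if prev_hop == src and hist.is_full():
            if not knn_is_normal(hist.vector(), self.nvc, self.mvc, self.k):
                return "drop-malicious"
        return "accept"        # Step B: normal AODV handling follows

    def on_rrep(self, src, now):
        if src in self.rdh:
            self.rdh[src].on_rrep(now)


# Constructed training vectors (seconds between discoveries), m = 4.
NVC = [[5.0, 7.5, 6.0, 9.0], [4.0, 6.0, 8.0, 5.5], [10.0, 3.0, 7.0, 6.5]]
MVC = [[0.1, 0.1, 0.1, 0.1], [0.05, 0.05, 0.05, 0.05], [0.1, 0.05, 0.1, 0.05]]


def replay_flooder(n=7, rate=10):
    """A source sending `rate` RREQs per second, heard directly by Ni."""
    ni = Neighbor(m=4, k=3, nvc=NVC, mvc=MVC)
    return [ni.on_rreq("M", i, "M", i / rate) for i in range(n)]


def replay_example3():
    """Event order of Example 3 with constructed times p1..p8 = 1..8."""
    h = RouteDiscoveryHistory(m=4)
    for p in (1, 2, 3, 4):     # four RREQs survive the lossy channel
        h.on_rreq(p)
    h.on_rrep(5)               # both RREPs are credited to discovery 4
    h.on_rrep(6)
    h.on_rreq(7)
    h.on_rrep(8)
    return h.counter, h.entries, h.vector()
```

The flooder's first four RREQs pass because the vector is not yet full, which is the detection latency that a larger vector size m trades for accuracy.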
4. Performance Evaluation by Simulation

In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.
4.1. Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.
The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s, while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0, and the following sources transmit data 10 seconds apart. All parameters are described in Table 3.

Table 3: Simulation parameters.

Parameters                     Setting
Simulation area                1000 x 1000 (m2)
Simulation time                500 (second)
Number of normal nodes         50 (nodes)
Node transmission range (R)    250 (m)
Number of malicious nodes      1, 2 (nodes)
Attacks frequency              10, 20 (packet/second)
Maximum speeds                 1-10, 1-20, and 1-30 (m/s)
Transport protocol             UDP
Traffic type                   CBR (constant bit rate)
Number of traffic              20
Data rate                      2 (packet/second)
Packet size                    512 (bytes)
Queue type                     FIFO (DropTail)
Routing protocols              AODV, B-AODV [18], FAPRP
Size of vector (m)             10, 15, 20, 25, 30, 35, 40, and 60
Cutoff value (k)               10, 15, 20, 25, 30, 35, 40, 45, and 50
Distance type                  Euclid

Figure 10: Malicious nodes location in the 1000 m x 1000 m area. (a) 1 node, at (500, 500). (b) 2 nodes, at (500, 700) and (500, 300).
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of the attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].
(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true (the packets come from normal nodes). AF is the number of RREQ packets that are accepted false (the packets come from malicious nodes). DT is the number of RREQ packets that are dropped true (the packets come from malicious nodes). DF is the number of RREQ packets that are dropped false (the packets come from normal nodes).

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \qquad (4)$$

(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} DATA_{i}^{received}}{\sum_{j=1}^{m} DATA_{j}^{sent}} \times 100 \qquad (5)$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay_{i}^{DATA}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} Delay_{i}^{DATA}}{n} \qquad (6)$$

(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to the successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET_{j}^{overhead}}{\sum_{i=1}^{n} DATA_{i}^{received}} \qquad (7)$$

Table 4: AODV performances under flooding attacks.

Level      Number   PDR (%)                   RL (pkt)                    ETE (sec)
           of MN    10 m/s  20 m/s  30 m/s    10 m/s  20 m/s  30 m/s     10 m/s  20 m/s  30 m/s
0 pkt/s    0        86.26   84.68   82.10     4.92    5.72    7.02       0.506   0.574   0.627
10 pkt/s   1        72.63   68.68   64.13     25.45   28.61   30.61      1.032   1.232   1.304
10 pkt/s   2        26.40   23.42   17.95     158.96  196.42  263.39     3.188   3.049   3.333
20 pkt/s   1        28.75   25.57   19.63     140.55  171.48  228.57     3.292   3.013   3.059
20 pkt/s   2        12.06   11.23   8.78      524.18  587.18  898.82     3.668   2.952   4.973

Standard deviation values
0 pkt/s    0        3.09    2.22    1.77      0.91    0.88    0.85       0.14    0.10    0.11
10 pkt/s   1        3.92    7.43    2.10      1.86    6.10    1.46       0.19    0.35    0.06
10 pkt/s   2        2.31    5.45    3.38      23.26   59.29   56.84      0.65    0.62    0.68
20 pkt/s   1        2.69    6.25    3.80      21.13   45.05   44.26      0.32    0.37    0.65
20 pkt/s   2        1.25    1.91    3.77      57.13   90.70   474.89     1.33    0.82    1.50
4.2. Simulation Results

4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.
Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that, without flooding attack, the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. The malicious node detection ratio is defined in (4). 216 scenarios are simulated: the RDFV is of size 10, 15, 20, 25, 30, 35, 40, and 60, and the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.

The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious nodes detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and the RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and the vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.

Figure 11: AODV performance under RREQ flooding attacks. (a) Packet delivery ratio (%), (b) end-to-end delay (sec), and (c) routing load (pkt), each plotted against mobility speed (m/s) for the Normal, 1MN-10pkt/s, 1MN-20pkt/s, 2MN-10pkt/s, and 2MN-20pkt/s scenarios.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation), and it is 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios, the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, the B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47% standard deviation). Under flooding scenarios, the FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes (2.73% maximum standard deviation). In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks, with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, the B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, the FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.

Table 5: AODV, B-AODV, and FAPRP performances.

        PDR (%)                   RL (pkt)                   ETE (sec)
MN      AODV    BAODV   FAPRP     AODV     BAODV   FAPRP     AODV    BAODV   FAPRP

10 m/s
0       86.26   59.89   84.73     4.92     3.11    4.69      0.506   0.790   0.526
1       28.75   55.01   83.94     140.55   4.13    6.05      3.292   0.865   0.566
2       12.06   59.30   83.80     524.18   5.98    7.34      3.668   0.921   0.598

20 m/s
0       84.68   58.20   83.77     5.72     3.42    5.54      0.574   1.142   0.639
1       25.57   56.61   83.41     171.48   4.60    6.87      3.013   1.120   0.626
2       11.23   62.96   82.96     587.18   6.25    8.23      2.952   1.187   0.680

30 m/s
0       82.10   57.96   80.75     7.02     3.57    6.60      0.627   1.342   0.703
1       19.63   57.50   79.92     228.57   4.88    8.05      3.059   1.185   0.813
2       8.78    55.69   79.41     898.82   7.09    9.28      4.973   1.327   0.798

Average
0       84.35   58.68   83.08     5.89     3.37    5.61      0.569   1.091   0.623
1       24.65   56.37   82.42     180.20   4.54    6.99      3.121   1.056   0.668
2       10.69   59.32   82.06     670.06   6.44    8.28      3.864   1.145   0.692

Standard deviation values
0       1.86    3.16    2.47      0.79     0.33    0.69      0.06    0.06    0.07
1       2.18    5.41    2.20      17.87    0.47    0.80      0.25    0.13    0.10
2       0.90    2.35    2.73      146.54   0.48    0.89      0.43    0.19    0.07

Figure 12: Malicious nodes successful detection ratio. Each panel plots the malicious node detection ratio (%) against the size of vector (m) for cutoff values k = 10, 15, 20, 25, 30, 35, 40, 45, and 50. (a) 1-10 m/s mobility speed. (b) 1-20 m/s mobility speed. (c) 1-30 m/s mobility speed. (d) Average of mobility speed.

Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks. (a) Packet delivery ratio (%), (b) end-to-end delay (sec), and (c) routing load (pkt), each plotted against the number of malicious nodes (0, 1, 2) for AODV, BAODV, and FAPRP at 1-10 m/s, 1-20 m/s, and 1-30 m/s.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkts and 670.06 pkts for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios, the routing load is about 3.37 pkt. The B-AODV average routing load under attack is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for normal scenarios and high mobility speed is about 5.61 pkt. Under flooding attacks, the FAPRP average routing load is about 6.99 pkts and 8.28 pkts when the intruder uses one and two malicious nodes, respectively. The B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion

In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves a higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and a lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to the AODV and B-AODV protocols.

In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.

Supplementary Materials

We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:

1. aodv_cc.rar: source code of AODV routing protocol for simulation in NS2.35.
2. fdaodv_cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
3. baodv_cc.rar: source code of BAODV routing protocol for simulation in NS2.35.
4. fdbaodv_cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
5. faprp_cc.rar: source code of FAPRP routing protocol for simulation in NS2.35.
6. fdfaprp_cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
7. scen.rar: 15 network topologies for simulation.
8. TCL.rar: TCL source code used to write the simulation script in ns2, and analysis files (awk) for the simulation.
9. DATA.rar: all simulation data.
10. Figures.rar: all scripts (gnuplot) to create the figures in the paper.

(Supplementary Materials)
References
[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, "An overview of mobile ad hoc networks: Applications and challenges," Journal of the Communications Network, vol. 3, no. 3, pp. 60-66, 2004.
[2] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), pp. 90-100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, "Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers," in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), pp. 234-244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, "The Zone Routing Protocol (ZRP) for Ad Hoc Networks," INTERNET-DRAFT, pp. 1-11, 2002.
[5] E. Alotaibi and B. Mukherjee, "A survey on routing algorithms for wireless Ad-Hoc and mesh networks," Computer Networks, vol. 56, no. 2, pp. 940-965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, "Security in wireless ad-hoc networks - A survey," Computer Communications, vol. 51, pp. 1-20, 2014.
[7] R. Mitchell and I.-R. Chen, "A survey of intrusion detection in wireless network applications," Computer Communications, vol. 42, pp. 1-23, 2014.
[8] M. Wazid and A. K. Das, "A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks," Wireless Personal Communications, vol. 94, no. 3, pp. 1165-1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353-2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565-579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832-838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657-662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181-1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1-14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497-502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410-416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863-1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899-2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371-378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533-537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns/.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65-70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312-1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1-11, 2017.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Wireless Communications and Mobile Computing 9
FADA
Starts route discovery(Broadcasts RREQ)
Classifies VNs vector using kNN-Classifier
VNs is full
Sour
ce
no
Measures all T values in VNsusing RDH of source node
yes
Attacks Detection Drops RREQ
is normal nodeAccepts RREQ
Generates and sends RREP packet
VNs in MVC
Irsquom a neighbor of the source
yes
Irsquom destination
Has a fresh route to destination
yes
no
yes
Rebroadcasts RREQ
no
RREQ
yes
Drops RREQ
no
Saves broadcast_id and src_add into its cache and adds a new route to back source node to its routing table
no
yes
no
The End
Begin
C
Ns
node
(M)
Inte
rmed
iate
des
tinat
ion
node
(C)
Did C process
Counters[M]++ i = Counters[M]= CURRENT_TIMEMC = C
Adds MC and C values to RDH of 3
a preceding node (ND)C receives RREQ packet from
Figure 7 Request route process of FAPRP routing protocol
10 Wireless Communications and Mobile Computing
timeJ1 J2 J3 J4 J5
(M1 1) (M22) (M3 3)
N2=0 N3gt0N1gt0
41gt0 42gt0
Figure 8 Route discovery history of the source node and 1 destination node
timeRREQ RREQ RREQ RREQJ1 J2 J3 J4
(M11) (M22) (M33) (M44)N1=0 N2=0 N3=0 N4=0
41gt0 42gt0 43gt0
(a) Ni receives 4 RREQ packets
time
RREQ RREQ RREQ RREQ RREP RREPJ1 J2 J3 J4 J5 J6
(M11) (M22) (M33) (M4 4)N1=0 N2=0 N3=0 N4gt0
41gt0 42gt0 43gt0
(b) Ni receives 2 RREP packets
time
RREQ RREQ RREQ RREQ RREP RREP RREQ RREPJ1 J2 J3 J4 J5 J6 J7 J8
(M11) (M22) (M33) (M4 4) (M55)N1=0 N2=0 N3=0 N4gt0 N5gt0
41gt0 42gt0 43gt0 44gt0
(c) Ni receives a RREQ and a RREP packet
Figure 9 Route discovery history of a source and 3 destination nodes
p4, on receiving the next RREQ packet, Counters[NS] is set to 3 and s3 = e3 = p4. Finally, Ni records the RREP at time p5 and updates e3 = p5. Because p1 < p2 < p3 < p4 < p5, Ti > 0 ∀ i = 1..2.

3.5. Discussion. RREQs may originate from the same NS to many destination nodes (ND1, ND2, ..., NDn). In this case, FADA only keeps the counter for NS regardless of the destinations. This case is of interest because, in detecting a malicious node, FADA only wants to see how often that node generates RREQs and does not care about the destinations.
Example 3. Consider a network topology with n nodes that includes one source node NS and three destination nodes ND1, ND2, and ND3. Assume that NS made route discovery seven times to the three destination nodes ND1, ND2, and ND3. Because of the mobile and noisy environment, 3 RREQ packets were lost and Ni received only 4 RREQ packets, at p1, p2, p3, and p4, respectively. The value of Counters[NS] at Ni was then 4, which meant that, as far as Ni was concerned, NS had performed route discovery 4 times up to that point. Figure 9(a) shows the RDH of the NS source node as recorded in Ni.

After p4, Ni receives two RREP response packets to the source at p5 and p6. When receiving the RREP at time p5, Ni updates e4 = p5, and Ni continues to update e4 = p6 when receiving the RREP packet at p6. Figure 9(b) shows the RDH of the NS source node after receiving two RREP packets.

Finally, Ni receives another RREQ packet from NS at time p7 and a RREP packet at time p8. On receiving this last RREQ, Ni increases Counters[NS] by 1 (Counters[NS] = 5) and sets s5 = e5 = p7, and on receiving the last RREP packet, Ni updates e5 = p8. Figure 9(c) shows the RDH of the NS source node at p8.

Thus, based on the RDH of the source node, Ni can compute all Ti in VNs and use the kNN-Classifier to decide if the source node is normal or malicious. In addition, all Ti values are larger than zero, and this does not depend on the order of RREQ packets or the number of destination nodes.
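The RDH bookkeeping of Example 3 and the accept/drop decision of Figure 7, sketched in Python as an added example (it is not the authors' NS2 code). It assumes Ti = s(i+1) - e(i), a plain majority-vote kNN with Euclidean distance, a vector size m = 4 and cutoff k = 3 scaled down from the paper's ranges, and constructed timestamps and training vectors; all class and function names are hypothetical.

```python
import math
from collections import Counter


class RouteDiscoveryHistory:
    """Route discovery history (RDH) that an intermediate node Ni keeps per source."""

    def __init__(self):
        # source id -> list of [s_i, e_i]; the list length plays the role of Counters[source]
        self.records = {}

    def on_rreq(self, source, now):
        # New route discovery: Counters[source]++ and s_i = e_i = current time.
        self.records.setdefault(source, []).append([now, now])

    def on_rrep(self, source, now):
        # An RREP travelling back to `source` moves e_i of the latest discovery.
        if self.records.get(source):
            self.records[source][-1][1] = now

    def counter(self, source):
        return len(self.records.get(source, []))

    def gaps(self, source):
        # Assumed definition: T_i = s_(i+1) - e_i (idle time between discoveries).
        recs = self.records.get(source, [])
        return [nxt[0] - cur[1] for cur, nxt in zip(recs, recs[1:])]

    def vector(self, source, m):
        # The m most recent T values, or None while the vector is not yet full.
        t = self.gaps(source)
        return t[-m:] if len(t) >= m else None


def knn_label(vector, training, k):
    """Majority vote among the k training vectors nearest in Euclidean distance."""
    nearest = sorted(training, key=lambda row: math.dist(vector, row[0]))[:k]
    votes = Counter(label for _, label in nearest)
    return "malicious" if votes["malicious"] > votes["normal"] else "normal"


def filter_rreqs(source, arrival_times, training, m, k):
    """Replay RREQ arrivals from one source and return Ni's decision for each."""
    rdh = RouteDiscoveryHistory()
    decisions = []
    for now in arrival_times:
        rdh.on_rreq(source, now)           # history is updated before the check
        vec = rdh.vector(source, m)
        if vec is not None and knn_label(vec, training, k) == "malicious":
            decisions.append("drop")
        else:
            decisions.append("accept")     # vector not full yet, or classified normal
    return decisions


def replay_example3():
    """Example 3 with constructed timestamps standing in for p1..p8."""
    rdh = RouteDiscoveryHistory()
    for p in (1.0, 2.0, 3.0, 4.0):         # four RREQs that reached Ni (p1..p4)
        rdh.on_rreq("NS", p)
    rdh.on_rrep("NS", 4.5)                 # p5: e4 = p5
    rdh.on_rrep("NS", 5.0)                 # p6: e4 = p6
    rdh.on_rreq("NS", 9.0)                 # p7: Counters[NS] = 5, s5 = e5 = p7
    rdh.on_rrep("NS", 9.5)                 # p8: e5 = p8
    return rdh


# Constructed training vectors (seconds between discoveries), m = 4.
TRAINING = [
    ([4.0, 6.0, 5.0, 7.0], "normal"),
    ([8.0, 3.0, 9.0, 5.0], "normal"),
    ([10.0, 12.0, 6.0, 8.0], "normal"),
    ([0.1, 0.1, 0.1, 0.1], "malicious"),       # 10 RREQ/s
    ([0.05, 0.05, 0.05, 0.05], "malicious"),   # 20 RREQ/s
    ([0.1, 0.05, 0.1, 0.05], "malicious"),
]

if __name__ == "__main__":
    rdh = replay_example3()
    print("Counters[NS] =", rdh.counter("NS"), "T =", rdh.gaps("NS"))
    flood = [i / 10 for i in range(8)]         # one RREQ every 0.1 s
    calm = [5.0 * i for i in range(7)]         # one RREQ every 5 s
    print("flooder:", filter_rreqs("M", flood, TRAINING, m=4, k=3))
    print("normal :", filter_rreqs("N", calm, TRAINING, m=4, k=3))
```

The flooding source is accepted until its vector holds m values and is dropped from then on, which is why the detection delay grows with the vector size.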
4. Performance Evaluation by Simulation

In this section, we use NS2 [23] version 2.35 to evaluate the impact of RREQ flooding attacks on AODV and the proposed FAPRP protocol.

4.1. Simulation Settings. Similar to [13], our simulation scenarios cover a 1000 meter by 1000 meter flat space accommodating 50 normal mobile nodes. We consider 2 scenarios: one with a malicious node positioned at the center (Figure 10(a)) and the other with two malicious nodes positioned as shown in Figure 10(b). Each malicious node may flood the network at the rate of 10 or 20 packets per second.
The random waypoint [25] model is utilized as the mobility model. The minimum node speed for the simulations is 1 m/s, while the maximum is 30 m/s. In each simulation scenario, 20 sources transmit data at a constant bit rate (CBR). Each source transmits 512-byte data packets at the rate of 2 packets/second. The first source emits data at time 0 and the following sources transmit data at 10 seconds apart. All parameters are described in Table 3.

Table 3: Simulation parameters.

| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m²) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1..10, 1..20, and 1..30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |

Figure 10: Malicious nodes location in the 1000 m x 1000 m area. (a) 1 node, at (500, 500). (b) 2 nodes, at (500, 700) and (500, 300).
We evaluate the original AODV, the B-AODV, and the FAPRP and compare their performance with and without RREQ flooding attacks in terms of attacks detection ratio, packet delivery ratio, end-to-end delay, and routing load metrics [18, 26].

(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true (the packets come from normal nodes); AF is the number of RREQ packets that are accepted false (the packets come from malicious nodes); DT is the number of RREQ packets that are dropped true (the packets come from malicious nodes); DF is the number of RREQ packets that are dropped false (the packets come from normal nodes).

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \tag{4}$$

(ii) Packet delivery ratio (PDR) is the ratio of the packets received by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} DATA^{received}_{i}}{\sum_{j=1}^{m} DATA^{sent}_{j}} \times 100 \tag{5}$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay^{DATA}_{i}$ is the delay time for sending the ith data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} Delay^{DATA}_{i}}{n} \tag{6}$$
(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET^{overhead}_{j}}{\sum_{i=1}^{n} DATA^{received}_{i}} \tag{7}$$

Table 4: AODV performances under flooding attacks.

| Level | Number of MN | PDR (%), 10 m/s | PDR (%), 20 m/s | PDR (%), 30 m/s | RL (pkt), 10 m/s | RL (pkt), 20 m/s | RL (pkt), 30 m/s | ETE (sec), 10 m/s | ETE (sec), 20 m/s | ETE (sec), 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10 pkt/s | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10 pkt/s | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20 pkt/s | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20 pkt/s | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |

Standard deviation values:

| Level | Number of MN | PDR (%), 10 m/s | PDR (%), 20 m/s | PDR (%), 30 m/s | RL (pkt), 10 m/s | RL (pkt), 20 m/s | RL (pkt), 30 m/s | ETE (sec), 10 m/s | ETE (sec), 20 m/s | ETE (sec), 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0 pkt/s | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10 pkt/s | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10 pkt/s | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20 pkt/s | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20 pkt/s | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |
4.2. Simulation Results

4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.

Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that, without flooding attack, the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.

The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious nodes detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
Figure 11: AODV performance under RREQ flooding attacks, plotted against mobility speed (m/s) for the Normal, 1MN-10pkt/s, 1MN-20pkt/s, 2MN-10pkt/s, and 2MN-20pkt/s cases. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt).

4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation), and it is 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios, the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47% standard deviation). Under flooding scenarios, FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes (2.73% maximum standard deviation). In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks, with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.

Table 5: AODV, B-AODV, and FAPRP performances.

| Speed | MN | PDR (%), AODV | PDR (%), BAODV | PDR (%), FAPRP | RL (pkt), AODV | RL (pkt), BAODV | RL (pkt), FAPRP | ETE (sec), AODV | ETE (sec), BAODV | ETE (sec), FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10 m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10 m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20 m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20 m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20 m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30 m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30 m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30 m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |

Figure 12: Malicious nodes successful detection ratio (%) versus size of vector (m), for k = 10, 15, 20, 25, 30, 35, 40, 45, and 50. (a) 1-10 m/s mobility speed. (b) 1-20 m/s mobility speed. (c) 1-30 m/s mobility speed. (d) Average of mobility speed.

Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks, versus number of malicious nodes, at 1-10 m/s, 1-20 m/s, and 1-30 m/s. (a) Packet delivery ratio (%). (b) End-to-end delay (sec). (c) Routing load (pkt).
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkt and 670.06 pkt for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios, the routing load is about 3.37 pkt. B-AODV average routing load in the attack state is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for normal scenarios and high mobility speed is about 5.61 pkt. Under flooding attacks, FAPRP average routing load is about 6.99 pkt and 8.28 pkt when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion

In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to AODV and B-AODV protocols.

In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.

Supplementary Materials

We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:

(1) aodv cc.rar: source code of AODV routing protocol for simulation in NS2.35.
(2) fdaodv cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
(3) baodv cc.rar: source code of BAODV routing protocol for simulation in NS2.35.
(4) fdbaodv cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
(5) faprp cc.rar: source code of FAPRP routing protocol for simulation in NS2.35.
(6) fdfaprp cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
(7) scen.rar: 15 network topologies for simulation.
(8) TCL.rar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation.
(9) DATA.rar: all simulation data.
(10) Figures.rar: all scripts (gnuplot) to create the figures in the paper.

(Supplementary Materials)
References

[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, "An overview of mobile ad hoc networks: Applications and challenges," Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, "Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers," in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, "The Zone Routing Protocol (ZRP) for Ad Hoc Networks," INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, "A survey on routing algorithms for wireless Ad-Hoc and mesh networks," Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, "Security in wireless ad-hoc networks - A survey," Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, "A survey of intrusion detection in wireless network applications," Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, "A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks," Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1–11, 2017.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
10 Wireless Communications and Mobile Computing
timeJ1 J2 J3 J4 J5
(M1 1) (M22) (M3 3)
N2=0 N3gt0N1gt0
41gt0 42gt0
Figure 8 Route discovery history of the source node and 1 destination node
timeRREQ RREQ RREQ RREQJ1 J2 J3 J4
(M11) (M22) (M33) (M44)N1=0 N2=0 N3=0 N4=0
41gt0 42gt0 43gt0
(a) Ni receives 4 RREQ packets
time
RREQ RREQ RREQ RREQ RREP RREPJ1 J2 J3 J4 J5 J6
(M11) (M22) (M33) (M4 4)N1=0 N2=0 N3=0 N4gt0
41gt0 42gt0 43gt0
(b) Ni receives 2 RREP packets
time
RREQ RREQ RREQ RREQ RREP RREP RREQ RREPJ1 J2 J3 J4 J5 J6 J7 J8
(M11) (M22) (M33) (M4 4) (M55)N1=0 N2=0 N3=0 N4gt0 N5gt0
41gt0 42gt0 43gt0 44gt0
(c) Ni receives a RREQ and a RREP packet
Figure 9 Route discovery history of a source and 3 destination nodes
p4 on receiving the next RREQ packet Counters[NS] is setto 3 and s3=e3=p4 Finally Ni records RREP at time p5 andupdates e3=p5 Because p1ltp2 ltp3ltp4ltp5 Ti gt 0 foralli = 12 35 Discussion RREQs may originate from the same NS tomany destination nodes (ND1 ND2 NDn) In this case FADAonly keeps the counter for NS regardless of the destinationsThis case is of interest because in detecting a malicious nodeFADA only wants to see how often that node generates RREQand does not care about the destinations
Example 3 Using a network topology with n nodes consist-ing of one source node NS and three destination nodes ND1ND2 and ND3 Assume that NS made route discovery seventimes to three destination nodes ND1 ND2 and ND3 Becauseof the mobile and noisy environment 3 RREQ packets werelost and Ni received only 4 RREQ packets at p1 p2 p3 andp4 respectively The value of Counters[NS] at Ni was then 4which meant that as far as Ni was concerned NS has routediscovered 4 times up to that point Figure 9(a) shows theRDH of the NS source node as recorded in Ni
After p4 Ni receives two RREP response packets to thesource at p5 and p6 When receiving RREP at time p5Ni updates e4=p5 and Ni continues to update e4=p6 whenreceiving RREP packet at p6 Figure 9(b) shows the RDH ofthe NS source node after receiving two RREP packets
Finally Ni receives another RREQ packet from the NSat time p7 and a RREP packet at time p8 On receiving thislast RREQ Ni increases Counters[NS] by 1 (Counters[NS]=5)
and sets s5=e5=p7 and on receiving the last RREP packet Niupdates e5=p8 Figure 9(c) shows the RDH of the NS sourcenode at p8
Thus based on the RDH of the source node Ni cancompute all Ti in VNs and use kNN-Classifier to decide if thesource node is normal or malicious In addition all Ti valuesare larger than zero and it does not depend on the order ofRREQ packets and the number of destination nodes
4 Performance Evaluation by Simulation
In this section we use NS2 [23] version 235 to evaluate theimpact of RREQflooding attacks onAODVand the proposedFAPRP protocol
41 Simulation Settings Similar to [13] our simulation sce-narios cover a 1000 meter by 1000 meter flat space accom-modating 50 normal mobile nodes We consider 2 scenariosone with a malicious positioned at the center (Figure 10(a))and the other with two malicious nodes positioned as shownin Figure 10(b) Each malicious node may flood the networkat the rate of 10 or 20 packets per second
The randomwaypoint [25] model is utilized as themobil-ity model The minimum node speed for the simulationsis 1 ms while the maximum is 30ms In each simulationscenario 20 sources transmit data at a constant bit rate (CBR)Each source transmits 512-byte data packets at the rate of 2packetssecond The first source emits data at time 0 and
Wireless Communications and Mobile Computing 11
Table 3 Simulation parameters
Parameters SettingSimulation area 1000 x 1000 (m2)Simulation time 500 (second)Number of normal nodes 50 (nodes)Node transmission range (R) 250 (m)Number of malicious nodes 1 2 (nodes)Attacks frequency 10 20 (packetsecond)Maximum speeds 110 120 and 130 (ms)Transport protocol UDPTraffic type CBR (constant bit rate)Number of traffic 20Data rate 2 (packetsecond)Packet size 512 (bytes)Queue type FIFO (DropTail)Routing protocols AODV B-AODV [18] FAPRPSize of vector (m) 10 15 20 25 30 35 40 and 60Cutoff value (k) 10 15 20 25 30 35 40 45 and 50Distance type Euclid
1000m
1000
m
(500 500)
(a) 1 node1000m
1000
m
(500 700)
(500 300)
(b) 2 nodes
Figure 10 Malicious nodes location
the following sources transmit data at 10 seconds apart Allparameters are described in Table 3
We evaluate the original AODV the B-AODV and theFAPRP and compare their performance with and withoutRREQ flooding attacks in terms of attacks detection ratiopacket delivery ratio end-to-end delay and routing loadmetrics [18 26]
Table 4: AODV performances under flooding attacks.

| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0pkts | 0 | 86.26 | 84.68 | 82.10 | 4.92 | 5.72 | 7.02 | 0.506 | 0.574 | 0.627 |
| 10pkts | 1 | 72.63 | 68.68 | 64.13 | 25.45 | 28.61 | 30.61 | 1.032 | 1.232 | 1.304 |
| 10pkts | 2 | 26.40 | 23.42 | 17.95 | 158.96 | 196.42 | 263.39 | 3.188 | 3.049 | 3.333 |
| 20pkts | 1 | 28.75 | 25.57 | 19.63 | 140.55 | 171.48 | 228.57 | 3.292 | 3.013 | 3.059 |
| 20pkts | 2 | 12.06 | 11.23 | 8.78 | 524.18 | 587.18 | 898.82 | 3.668 | 2.952 | 4.973 |

Standard deviation values:

| Level | Number of MN | PDR (%) 10 m/s | PDR (%) 20 m/s | PDR (%) 30 m/s | RL (pkt) 10 m/s | RL (pkt) 20 m/s | RL (pkt) 30 m/s | ETE (sec) 10 m/s | ETE (sec) 20 m/s | ETE (sec) 30 m/s |
|---|---|---|---|---|---|---|---|---|---|---|
| 0pkts | 0 | 3.09 | 2.22 | 1.77 | 0.91 | 0.88 | 0.85 | 0.14 | 0.10 | 0.11 |
| 10pkts | 1 | 3.92 | 7.43 | 2.10 | 1.86 | 6.10 | 1.46 | 0.19 | 0.35 | 0.06 |
| 10pkts | 2 | 2.31 | 5.45 | 3.38 | 23.26 | 59.29 | 56.84 | 0.65 | 0.62 | 0.68 |
| 20pkts | 1 | 2.69 | 6.25 | 3.80 | 21.13 | 45.05 | 44.26 | 0.32 | 0.37 | 0.65 |
| 20pkts | 2 | 1.25 | 1.91 | 3.77 | 57.13 | 90.70 | 474.89 | 1.33 | 0.82 | 1.50 |

(i) Attacks detection ratio (ADR) is calculated using (4). AT is the number of RREQ packets that are accepted true (the packets come from normal nodes); AF is the number of RREQ packets that are accepted false (the packets come from malicious nodes); DT is the number of RREQ packets that are dropped true (the packets come from malicious nodes); DF is the number of RREQ packets that are dropped false (the packets come from normal nodes).

$$ADR = \frac{AT + DT}{AT + AF + DT + DF} \times 100 \tag{4}$$

(ii) Packet delivery ratio (PDR) is the ratio of the received packets by the destination nodes to the packets sent by the source nodes (5), where n is the number of data packets that are received by destination nodes and m is the number of data packets that are sent by source nodes.

$$PDR = \frac{\sum_{i=1}^{n} DATA_{i}^{received}}{\sum_{j=1}^{m} DATA_{j}^{sent}} \times 100 \tag{5}$$

(iii) End-to-end delay (ETE) is the average delay between the sending time of a data packet by the CBR source and its reception at the corresponding CBR receiver (6), where $Delay_{i}^{DATA}$ is the delay time for sending the i-th data packet to its destination successfully and n is the number of data packets that are received by destination nodes.

$$ETE = \frac{\sum_{i=1}^{n} Delay_{i}^{DATA}}{n} \tag{6}$$

(iv) Routing load (RL) is the ratio of the overhead control packets sent (or forwarded) to successfully delivered data packets (7), where n is the number of data packets that are received by destination nodes and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET_{j}^{overhead}}{\sum_{i=1}^{n} DATA_{i}^{received}} \tag{7}$$
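The four metrics of equations (4) to (7), computed from an event trace, as an added example that is not the authors' analysis code. The five-field record layout, the function names and the sample trace are assumptions constructed for this illustration; they are not the NS2 trace format.

```python
"""Added example: equations (4)-(7) computed from an event trace.

The record layout and the sample trace are constructed for this example.
They are NOT the NS2 trace format or the authors' awk analysis files.
"""
from collections import Counter

CONTROL_KINDS = {"RREQ", "RREP", "HELLO", "RERR"}  # overhead packets in (7)

# Constructed trace, one record per line: time(s) event kind packet_id origin
#   event : send | fwd | recv (packet movement), accept | drop (RREQ verdict)
#   origin: ground-truth class of the node that originated the packet
SAMPLE_TRACE = """\
0.00 send   DATA  1  normal
0.10 send   RREQ  10 normal
0.11 accept RREQ  10 normal
0.12 fwd    RREQ  10 normal
0.13 accept RREQ  10 normal
0.14 drop   RREQ  10 normal
0.15 send   RREP  11 normal
0.20 send   HELLO 12 normal
0.50 recv   DATA  1  normal
1.00 send   DATA  2  normal
1.25 recv   DATA  2  normal
2.00 send   DATA  3  normal
2.10 send   RREQ  20 malicious
2.11 drop   RREQ  20 malicious
2.12 accept RREQ  20 malicious
2.13 fwd    RREQ  20 malicious
2.14 drop   RREQ  20 malicious
2.20 send   RREQ  21 malicious
2.21 drop   RREQ  21 malicious
2.30 send   RERR  13 normal
2.40 send   RREQ  30 normal
2.41 accept RREQ  30 normal
3.00 send   DATA  4  normal
3.75 recv   DATA  4  normal
"""


def parse_trace(text):
    """Return (time, event, kind, packet_id, origin) tuples ordered by time."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(fields) != 5:
            raise ValueError(f"malformed trace line: {line!r}")
        time, event, kind, packet_id, origin = fields
        records.append((float(time), event, kind, int(packet_id), origin))
    records.sort(key=lambda r: r[0])  # stable: ties keep file order
    return records


def _ratio(numerator, denominator, scale=1.0):
    """Scaled ratio, or None when the denominator is zero (metric undefined)."""
    return scale * numerator / denominator if denominator else None


def compute_metrics(records):
    """Compute ADR, PDR, ETE and RL as defined in equations (4)-(7)."""
    verdicts = Counter()  # (event, origin) -> number of RREQ verdicts
    sent_at = {}          # data packet id -> send time
    delays = {}           # data packet id -> delay of its first delivery
    control = 0           # g in (7): control packets sent or forwarded
    for time, event, kind, packet_id, origin in records:
        if kind == "DATA":
            if event == "send":
                sent_at.setdefault(packet_id, time)
            elif event == "recv" and packet_id in sent_at and packet_id not in delays:
                delays[packet_id] = time - sent_at[packet_id]
        elif kind in CONTROL_KINDS:
            if event in ("send", "fwd"):
                control += 1
            elif kind == "RREQ" and event in ("accept", "drop"):
                verdicts[(event, origin)] += 1
    at = verdicts[("accept", "normal")]     # accepted true
    af = verdicts[("accept", "malicious")]  # accepted false
    dt = verdicts[("drop", "malicious")]    # dropped true
    df = verdicts[("drop", "normal")]       # dropped false
    n, m = len(delays), len(sent_at)        # data packets received / sent
    return {
        "AT": at, "AF": af, "DT": dt, "DF": df,
        "ADR": _ratio(at + dt, at + af + dt + df, 100.0),  # (4)
        "PDR": _ratio(n, m, 100.0),                        # (5)
        "ETE": _ratio(sum(delays.values()), n),            # (6)
        "RL": _ratio(control, n),                          # (7)
    }


if __name__ == "__main__":
    for name, value in compute_metrics(parse_trace(SAMPLE_TRACE)).items():
        print(f"{name}: {value}")
```

The AT, AF, DT and DF counts are returned next to ADR because the single ratio does not show whether the errors are flood packets that were accepted (AF) or legitimate requests that were dropped (DF).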
4.2. Simulation Results
4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.

Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that without flooding attack the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.

The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious nodes detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
Figure 11: AODV performance under RREQ flooding attacks. Panels: (a) packet delivery ratio (%), (b) end-to-end delay (sec), and (c) routing load (pkt), each plotted against mobility speed (m/s) for the Normal, 1MN-10pkts, 1MN-20pkts, 2MN-10pkts, and 2MN-20pkts scenarios.

4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value (k) is 25 and vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation), and 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios, the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47% standard deviation). Under flooding scenarios, FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes (2.73% maximum standard deviation). In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks, with higher correct detection rates.
Table 5: AODV, B-AODV, and FAPRP performances.

| Speed | MN | PDR (%) AODV | PDR (%) BAODV | PDR (%) FAPRP | RL (pkt) AODV | RL (pkt) BAODV | RL (pkt) FAPRP | ETE (sec) AODV | ETE (sec) BAODV | ETE (sec) FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10 m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10 m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20 m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20 m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20 m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30 m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30 m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30 m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation values | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation values | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation values | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |

Figure 12: Malicious nodes successful detection ratio. Panels: (a) 1-10 m/s mobility speed, (b) 1-20 m/s mobility speed, (c) 1-30 m/s mobility speed, and (d) average of mobility speed; each plots malicious node detection ratio (%) against size of vector (m) for k = 10, 15, 20, 25, 30, 35, 40, 45, and 50.

Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks. Panels: (a) packet delivery ratio (%), (b) end-to-end delay (sec), and (c) routing load (pkt), each plotted against the number of malicious nodes (0, 1, 2) for AODV, BAODV, and FAPRP at 1-10 m/s, 1-20 m/s, and 1-30 m/s.

(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkts and 670.06 pkts for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios, the routing load is about 3.37 pkt. B-AODV average routing load in attacks state is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for normal scenario and high mobility speed is about 5.61 pkt. Under flooding attacks, FAPRP average routing load is about 6.99 pkts and 8.28 pkts when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistake detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion
In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to AODV and B-AODV protocols.

In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials
We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:
1. aodv ccrar: source code of AODV routing protocol for simulation in NS2.35
2. fdaodv ccrar: source code of FDAODV routing protocol for malicious node simulation in NS2.35
3. baodv ccrar: source code of BAODV routing protocol for simulation in NS2.35
4. fdbaodv ccrar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35
5. faprp ccrar: source code of FAPRP routing protocol for simulation in NS2.35
6. fdfaprp ccrar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35
7. scenrar: 15 network topologies for simulation
8. TCLrar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation
9. DATArar: all simulation data
10. Figuresrar: all scripts (gnuplot) to create the figures in the paper
(Supplementary Materials)
References
[1] J. Hoebeke, I. Moerman, B. Dhoedt, and P. Demeester, "An overview of mobile ad hoc networks: Applications and challenges," Journal of the Communications Network, vol. 3, no. 3, pp. 60–66, 2004.
[2] C. E. Perkins and E. M. Royer, "Ad-hoc on-demand distance vector routing," in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), pp. 90–100, New Orleans, La, USA, February 1999.
[3] C. Perkins and P. Bhagwat, "Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers," in Proceedings of the Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), pp. 234–244, London, UK, 1994.
[4] Z. J. Haas, M. R. Pearlman, and P. Samar, "The Zone Routing Protocol (ZRP) for Ad Hoc Networks," INTERNET-DRAFT, pp. 1–11, 2002.
[5] E. Alotaibi and B. Mukherjee, "A survey on routing algorithms for wireless Ad-Hoc and mesh networks," Computer Networks, vol. 56, no. 2, pp. 940–965, 2012.
[6] R. Di Pietro, S. Guarino, N. V. Verde, and J. Domingo-Ferrer, "Security in wireless ad-hoc networks - A survey," Computer Communications, vol. 51, pp. 1–20, 2014.
[7] R. Mitchell and I.-R. Chen, "A survey of intrusion detection in wireless network applications," Computer Communications, vol. 42, pp. 1–23, 2014.
[8] M. Wazid and A. K. Das, "A Secure Group-Based Blackhole Node Detection Scheme for Hierarchical Wireless Sensor Networks," Wireless Personal Communications, vol. 94, no. 3, pp. 1165–1191, 2017.
[9] E. C. H. Ngai, J. Liu, and M. R. Lyu, "An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks," Computer Communications, vol. 30, no. 11-12, pp. 2353–2364, 2007.
[10] S. Gurung and S. Chauhan, "A novel approach for mitigating gray hole attack in MANET," Wireless Networks, vol. 24, no. 2, pp. 565–579, 2018.
[11] T. L. Ngoc and T. T. Vo, "Whirlwind: A new method to attack Routing Protocol in Mobile Ad hoc Network," International Journal of Network Security, vol. 19, no. 5, pp. 832–838, 2017.
[12] T. T. Vo, N. T. Luong, and D. Hoang, "MLAMAN: a novel multi-level authentication model and protocol for preventing wormhole attack in mobile ad hoc network," Wireless Networks, 2018.
[13] Y. Ping, D. Zhoulin, Y. Zhong, and Z. Shiyong, "Resisting flooding attacks in ad hoc networks," in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), vol. 2, pp. 657–662, Las Vegas, NV, USA, April 2005.
[14] H. Ehsan and F. A. Khan, "Malicious AODV: Implementation and analysis of routing attacks in MANETs," in Proceedings of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom-2012, pp. 1181–1187, UK, June 2012.
[15] D. Gada, R. Gogri, P. Rathod et al., "A distributed security scheme for ad hoc networks," The Crossroads Journal, vol. 11, no. 1, pp. 1–14, 2004.
[16] J.-H. Song, F. Hong, and Y. Zhang, "Effective filtering scheme against RREQ flooding attack in mobile ad hoc networks," in Proceedings of the 7th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 497–502, Taiwan, December 2006.
[17] P. Yi, Y. Hou, Y. P. Zhong, and Z. L. Dai, "Flooding attack and defence in ad hoc networks," Journal of Systems Engineering and Electronics, vol. 17, no. 2, pp. 410–416, 2006.
[18] M. J. Faghihniya, S. M. Hosseini, and M. Tahmasebi, "Security upgrade against RREQ flooding attack by using balance index on vehicular ad hoc network," Wireless Networks, vol. 23, no. 6, pp. 1863–1874, 2017.
[19] S. Gurung and S. Chauhan, "A novel approach for mitigating route request flooding attack in MANET," Wireless Networks, vol. 24, no. 8, pp. 2899–2914, 2018.
[20] V. Thanh Tu and L. Thai Ngoc, "SMA2AODV: Routing protocol reduces the harm of flooding attacks in mobile ad hoc network," Journal of Communications, vol. 12, no. 7, pp. 371–378, 2017.
[21] M. Patel, S. Sharma, and D. Sharan, "Detection and prevention of flooding attack using SVM," in Proceedings of the 3rd International Conference on Communication Systems and Network Technologies, CSNT 2013, pp. 533–537, India, April 2013.
[22] W. Li, P. Yi, Y. Wu, L. Pan, and J. Li, "A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network," Journal of Electrical and Computer Engineering, vol. 2014, Article ID 240217, 8 pages, 2014.
[23] DARPA, The network simulator NS2, 1995, https://www.isi.edu/nsnam/ns.
[24] S. K. Sahu, P. Kumar, and A. P. Singh, "Modified K-NN algorithm for classification problems with improved accuracy," International Journal of Information Technology, vol. 10, no. 1, pp. 65–70, 2018.
[25] J. Yoon, M. Liu, and B. Noble, "Random waypoint considered harmful," in Proceedings of the 22nd Annual Joint Conference on the IEEE Computer and Communications Societies (INFOCOM '03), vol. 2, pp. 1312–1321, San Francisco, Calif, USA, March-April 2003.
[26] S. Gurung and S. Chauhan, "A dynamic threshold based algorithm for improving security and performance of AODV under black-hole attack in MANET," Wireless Networks, pp. 1–11, 2017.
Table 3: Simulation parameters.

| Parameters | Setting |
|---|---|
| Simulation area | 1000 x 1000 (m²) |
| Simulation time | 500 (second) |
| Number of normal nodes | 50 (nodes) |
| Node transmission range (R) | 250 (m) |
| Number of malicious nodes | 1, 2 (nodes) |
| Attacks frequency | 10, 20 (packet/second) |
| Maximum speeds | 1-10, 1-20, and 1-30 (m/s) |
| Transport protocol | UDP |
| Traffic type | CBR (constant bit rate) |
| Number of traffic | 20 |
| Data rate | 2 (packet/second) |
| Packet size | 512 (bytes) |
| Queue type | FIFO (DropTail) |
| Routing protocols | AODV, B-AODV [18], FAPRP |
| Size of vector (m) | 10, 15, 20, 25, 30, 35, 40, and 60 |
| Cutoff value (k) | 10, 15, 20, 25, 30, 35, 40, 45, and 50 |
| Distance type | Euclid |
Figure 10: Malicious nodes location in the 1000 m x 1000 m simulation area. (a) 1 node at (500, 500). (b) 2 nodes at (500, 700) and (500, 300).
the following sources transmit data at 10 seconds apart Allparameters are described in Table 3
We evaluate the original AODV the B-AODV and theFAPRP and compare their performance with and withoutRREQ flooding attacks in terms of attacks detection ratiopacket delivery ratio end-to-end delay and routing loadmetrics [18 26]
(i) Attacks detection ratio (ADR) is calculated using(4) AT is the number of RREQ packets that areaccepted true the packets come from normal nodesAF is the number of RREQ packets that are acceptedfalse the packets come from malicious nodes DT isthe number of RREQ packets that are dropped truethe packets come from malicious nodes DF is thenumber of RREQ packets that are dropped false thepackets come from normal nodes
119860119863119877 = 119860119879 + 119863119879119860119879 + 119860119865 + 119863119879 + 119863119865 lowast 100 (4)
(ii) Packet delivery ratio (PDR) is the ratio of the receivedpackets by the destination nodes to the packets sent
by the source nodes (5) where n is number of datapackets that are received by destination nodes andm is number of data packets that are sent by sourcenodes
119875119863119877 = sum119899119894=1119863119860119879119860119903119890119888119894119890V119890119889119894sum119898119895=1119863119860119879119860119904119890119899119905119895 lowast 100 (5)
(iii) End-to-end delay (ETE) is the average delay betweenthe sending time of a data packet by the CBR sourceand its reception at the corresponding CBR receiver(6) where 119863119890119897119886119910119894119863119860119879119860 is the delay time for sendingith data packet to its destination successfully andn is number of data packets that are received bydestination nodes
119864119879119864 = sum119899119894=1119863119890119897119886119910119894119863119860119879119860119899 (6)
(iv) Routing load (RL) is the ratio of the overheadcontrol packets sent (or forwarded) to successfullydeliver data packets (7) where n is number of data
12 Wireless Communications and Mobile Computing
Table 4 AODV performances under flooding attacks
Level Number PDR () RL (pkt) ETE (Sec)of MN 10ms 20ms 30ms 10ms 20ms 30ms 10ms 20ms 30ms
0pkts 0 8626 8468 8210 492 572 702 0506 0574 0627
10pkts 1 7263 6868 6413 2545 2861 3061 1032 1232 13042 2640 2342 1795 15896 19642 26339 3188 3049 3333
20pkts 1 2875 2557 1963 14055 17148 22857 3292 3013 30592 1206 1123 878 52418 58718 89882 3668 2952 4973
Standard deviation values0pkts 0 309 222 177 091 088 085 014 010 011
10pkts 1 392 743 210 186 610 146 019 035 0062 231 545 338 2326 5929 5684 065 062 068
20pkts 1 269 625 380 2113 4505 4426 032 037 0652 125 191 377 5713 9070 47489 133 082 150
packets that are received by destination nodes and119892 is number of overhead control packets that aresent or forwarded Routing discovery packets includelegitimate RREQ fake RREQ RREP HELLO andRERR packets
119877119871 = sum119892119895=1 119862119874119873119879119877119874119871 119875119860119862119870119864119879119900V119890119903ℎ119890119886119889119895sum119899119894=1119863119860119879119860119903119890119888119894119890V119890119889119894
(7)
42 Simulation Results
421 Effects of Flooding Attacks on the Original AODVProtocol In this section we evaluate the performance of theAODV protocol with and without RREQ flooding attacksWe simulate 75 scenarios to evaluate the impact on theperformance of AODV in terms of the above 4 definedmetrics under various conditions including node mobilityspeeds flooding frequencies and malicious nodes The mainpurpose of an RREQ flooding attack is to inject a largenumber of fake RREQ packets into the network making itless efficient in delivering legitimate packets This effect isequivalent to handling excessive overhead packets causing adecrease in the networkrsquos packet delivery ratio an increasein the average end-to-end packet delay and an increase inthe networkrsquos routing loadThe simulation average results areshown in Table 4
Figure 11 shows that the packet delivery ratio decreasesthe routing load increases and the end-to-end delay increaseswhen the intruder floods attacking packets Figure 11(a)shows that without flooding attack the AODV packet deliv-ery ratio is above 8210 (177 standard deviation) andmostpackets reach their destination nodes However the packetdelivery ratio reduced drastically to 1206 (125 standarddeviation) when the intruder uses 2 malicious nodes andfloods 20 packets every second Figure 11(b) shows that theaverage end-to-end delay increases as the flooding attackfrequency increasesWhen the attacker uses 1 malicious nodeand broadcasts 10 RREQ packets every second the averageend-to-end delay changes from 0506s before the attack to1032s after the attack for the 10ms scenario When the 2malicious nodes broadcast 20 RREQ packets every second
the average end-to-end delay changes from 0627s beforethe attack to 4973s after the attack for the 30ms scenarioFigure 11(c) shows that the routing load increases as theflooding attack frequency increases When the attacker uses1 malicious node and broadcasts 10 RREQ packets everysecond the routing load changes from 492pkt before theattack to 2545pkt after the attack for the 10ms scenarioWhen the 2 malicious nodes broadcast 20 RREQ packetsevery second the routing load changes from 702pkt beforethe attack to 89882pkt after the attack for the 30ms scenario
422 Flooding Attacks Detection Performance of FAPRP Inthis section we evaluate the malicious node detection per-formance of the proposed solution Malicious node detectionratio is defined in (4) 216 scenarios are simulated RDFV ofsize 10 15 20 25 30 35 40 and 60 the cutoff values of kfor the kNN are set at 10 15 20 25 30 35 40 45 and 50Nodes move in a RandomWay Point pattern with a specifiedmaximum speed of 10ms 20ms and 30ms 20 source-destination UDP connections are set up among nodes Theintruder uses 2 malicious nodes and floods 20 packets everysecond
The results in Figure 12 show that by making use ofthe route discovery history feature vector and the kNNmachine data mining algorithm our method achieves muchhighermalicious nodes detection ratios than those of existingalgorithms and lower mistaken rates The complexity of theoverall detection algorithm is proportional to the size of theroute discovery frequency vector We see that the detectionrate of FAPRP is above 990 and the mistaken rate is below10 for all scenarios using RDFV vector sizes larger than35 Figure 12(d) shows that the average of the maximumsuccessful detection rate of FAPRP is above 9977 when thecutoff value is 25 and RDFV vector size is 60 In brief theproposed solution is effective in detecting the RREQ floodingattacks
423 Performance Evaluation of AODV B-AODV andFAPRP In this section we simulate 135 scenarios to eval-uate the performance of the AODV B-AODV and FAPRPprotocols under RREQ flooding attacks The cutoff value
Wireless Communications and Mobile Computing 13
0 10 20 30 40 50 60 70 80 90
v1-10 v1-30
Pack
et D
elive
ry R
atio
()
v1-20Mobility Speed (ms)
Normal 1MN-10pkts 1MN-20pkts
2MN-10pkts 2MN-20pkts
(a) Packet delivery ratio
0
1
2
3
4
5
v1-10 v1-30
End-
to-E
nd d
elay
(sec
)
v1-20Mobility Speed (ms)
Normal 1MN-10pkts 1MN-20pkts
2MN-10pkts 2MN-20pkts
(b) End-to-end delay
0
200
400
600
800
1000
1200
1400
Rout
ing
Load
(pkt
)
Mobility Speed (ms)
Normal 1MN-10pkts 1MN-20pkts
2MN-10pkts 2MN-20pkts
v1-10 v1-30v1-20
(c) Routing load
Figure 11 AODV performance under RREQ flooding attacks
(k) is 25 and vector size (m) is 60 All nodes move in aRandom Way Point pattern with specified maximum speedsof 10ms 20ms and 30ms Each of 2 malicious nodes floods20 packets every second 20 pairs of communicating nodesare set up among source nodesThe simulation average resultsare shown in Table 5
(a) Packet Delivery RatioThe results in Figure 13(a) show thatthe average packet delivery ratio formobility speed by AODVis about 8435 (186 standard deviation) in the absence of amalicious nodeWhen there is onemalicious node the packetdelivery ratio is about 2465 (218 standard deviation) and1069 for two malicious nodes (09 standard deviation)This is due to RREQflooding of the fake route request packetsby the malicious node resulting in a high consumptionof bandwidth and buffer overloads at intermediate nodeswith fake RREQs For B-AODV in normal scenarios theaverage packet delivery ratio is about 5868 (316 standarddeviation) In flooding scenarios B-AODV average packetdelivery ratio is above 5932 when the intruder uses oneor two malicious nodes When our proposed solution is
deployed the packet delivery ratio for normal scenariosand high mobility speed is about 8308 (247 standarddeviation) Under flooding scenarios FAPRP packet deliveryratio is above 8206 when the intruder uses one or twomalicious nodes 273 maximum standard deviation Inbrief our solution is more efficient compared to AODV andB-AODV under normal network operation scenarios andmore effective in handlingRREQflooding attackswith highercorrect detection rates
(b) End-to-End Delay The results in Figure 13(b) show thatwith AODV the average end-to-end delay is about 0569sunder normal scenarios The end-to-end delays are about3121s and 3864s for one and two malicious nodes respec-tively This high end-to-end delay is caused by the broadcast-ing of selective fake route request packets by the maliciousnodes For B-AODV under normal scenarios the averageend-to-end delay is about 1091s Under flooding scenariosB-AODV end-to-end delay is about 1056s with onemaliciousnode and 1145s with two malicious nodes This is caused bythe failure of B-AODV in detecting and preventing flooding
14 Wireless Communications and Mobile Computing
Table 5 AODV B-AODV and FAPRP performances
10msPDR () RL (pkt) ETE (sec)
MN AODV BAODV FAPRP AODV BAODV FAPRP AODV BAODV FAPRP0 8626 5989 8473 492 311 469 0506 0790 05261 2875 5501 8394 14055 413 605 3292 0865 05662 1206 5930 8380 52418 598 734 3668 0921 0598
20ms0 8468 5820 8377 572 342 554 0574 1142 06391 2557 5661 8341 17148 460 687 3013 1120 06262 1123 6296 8296 58718 625 823 2952 1187 0680
30ms0 8210 5796 8075 702 357 660 0627 1342 07031 1963 5750 7992 22857 488 805 3059 1185 08132 878 5569 7941 89882 709 928 4973 1327 0798
Average0 8435 5868 8308 589 337 561 0569 1091 06231 2465 5637 8242 18020 454 699 3121 1056 06682 1069 5932 8206 67006 644 828 3864 1145 0692
Standard deviation values0 186 316 247 079 033 069 006 006 0071 218 541 220 1787 047 080 025 013 0102 090 235 273 14654 048 089 043 019 007
Figure 12: Malicious nodes successful detection ratio. Panels: (a) 1-10 m/s mobility speed; (b) 1-20 m/s mobility speed; (c) 1-30 m/s mobility speed; (d) average of mobility speed. x-axis: size of vector (m); y-axis: malicious node detection ratio (%); one curve per k = 10, 15, 20, 25, 30, 35, 40, 45, 50.
Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks. Panels: (a) packet delivery ratio (%); (b) end-to-end delay (sec); (c) routing load (pkt). x-axis: number of malicious nodes (0, 1, 2); curves for AODV, BAODV, and FAPRP at 1-10 m/s, 1-20 m/s, and 1-30 m/s.
attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkts and 670.06 pkts for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV, in normal scenarios, the routing load is about 3.37 pkt. B-AODV average routing load in attacks state is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for normal scenario and high mobility speed is about 5.61 pkt. Under flooding attacks, FAPRP average routing load is about 6.99 pkts and 8.28 pkts when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion
In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to AODV and B-AODV protocols.
In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials
We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:
1. aodv cc.rar: source code of AODV routing protocol for simulation in NS2.35
2. fdaodv cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35
3. baodv cc.rar: source code of BAODV routing protocol for simulation in NS2.35
4. fdbaodv cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35
5. faprp cc.rar: source code of FAPRP routing protocol for simulation in NS2.35
6. fdfaprp cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35
7. scen.rar: 15 network topologies for simulation
8. TCL.rar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation
9. DATA.rar: all simulation data
10. Figures.rar: all scripts (gnuplot) to create the figures in the paper
(Supplementary Materials)
Table 4: AODV performances under flooding attacks.

                        PDR (%)                    RL (pkt)                   ETE (sec)
Level    Number of MN   10 m/s  20 m/s  30 m/s     10 m/s  20 m/s  30 m/s     10 m/s  20 m/s  30 m/s
0 pkts   0              86.26   84.68   82.10      4.92    5.72    7.02       0.506   0.574   0.627
10 pkts  1              72.63   68.68   64.13      25.45   28.61   30.61      1.032   1.232   1.304
10 pkts  2              26.40   23.42   17.95      158.96  196.42  263.39     3.188   3.049   3.333
20 pkts  1              28.75   25.57   19.63      140.55  171.48  228.57     3.292   3.013   3.059
20 pkts  2              12.06   11.23   8.78       524.18  587.18  898.82     3.668   2.952   4.973

Standard deviation values
0 pkts   0              3.09    2.22    1.77       0.91    0.88    0.85       0.14    0.10    0.11
10 pkts  1              3.92    7.43    2.10       1.86    6.10    1.46       0.19    0.35    0.06
10 pkts  2              2.31    5.45    3.38       23.26   59.29   56.84      0.65    0.62    0.68
20 pkts  1              2.69    6.25    3.80       21.13   45.05   44.26      0.32    0.37    0.65
20 pkts  2              1.25    1.91    3.77       57.13   90.70   474.89     1.33    0.82    1.50
packets that are received by destination nodes, and g is the number of overhead control packets that are sent or forwarded. Routing discovery packets include legitimate RREQ, fake RREQ, RREP, HELLO, and RERR packets.

$$RL = \frac{\sum_{j=1}^{g} CONTROL\_PACKET^{overhead}_{j}}{\sum_{i=1}^{n} DATA^{received}_{i}} \tag{7}$$
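Equation (7) computed over a packet trace together with packet delivery ratio and end-to-end delay, as an added example; it is not the authors' awk analysis code. The trace lines are constructed and only mimic the leading fields of an NS-2 wireless trace, and the PDR and ETE calculations use the usual definitions, which is an assumption here because their equations are not shown in this part of the article.

```python
# Constructed trace lines: event, time, node, layer, flags, packet id,
# packet type, size, optional AODV subtype.
# Events: s = sent, f = forwarded, r = received, D = dropped.
ROUTE_SETUP = """\
s 1.000 _0_ AGT --- 1 cbr 512
s 1.001 _0_ RTR --- 100 AODV 48 (REQUEST)
r 1.003 _1_ RTR --- 100 AODV 48 (REQUEST)
f 1.004 _1_ RTR --- 100 AODV 48 (REQUEST)
s 1.010 _2_ RTR --- 101 AODV 44 (REPLY)
f 1.013 _1_ RTR --- 101 AODV 44 (REPLY)
r 1.020 _2_ AGT --- 1 cbr 512
s 1.100 _0_ AGT --- 2 cbr 512
"""

# Normal case: the second data packet is delivered.
NORMAL_TRACE = ROUTE_SETUP + "r 1.110 _2_ AGT --- 2 cbr 512\n"

# Flooding case (constructed): node 9 originates six fake RREQs, node 1
# forwards each of them, and the second data packet is dropped in node 1's queue.
FAKE_RREQS = "".join(
    f"s {1.05 + 0.05 * i:.3f} _9_ RTR --- {200 + i} AODV 48 (REQUEST)\n"
    f"f {1.052 + 0.05 * i:.3f} _1_ RTR --- {200 + i} AODV 48 (REQUEST)\n"
    for i in range(6)
)
FLOOD_TRACE = ROUTE_SETUP + FAKE_RREQS + "D 1.105 _1_ IFQ --- 2 cbr 512\n"


def metrics(trace):
    """Return PDR (%), routing load per equation (7), and mean ETE (s)."""
    sent, recv, control = {}, {}, 0
    for line in trace.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # skip blank or malformed lines
        event, when, layer = fields[0], float(fields[1]), fields[3]
        pkt_id, pkt_type = fields[5], fields[6]
        if layer == "AGT" and pkt_type == "cbr":
            if event == "s":
                sent[pkt_id] = when
            elif event == "r":
                recv.setdefault(pkt_id, when)  # count a packet once
        elif layer == "RTR" and pkt_type == "AODV" and event in ("s", "f"):
            # Equation (7) counts control packets that are sent or forwarded,
            # so routing-layer receptions ("r") are deliberately ignored.
            control += 1
    delays = [recv[p] - sent[p] for p in recv if p in sent]
    return {
        "pdr": 100.0 * len(delays) / len(sent) if sent else None,
        "rl": control / len(delays) if delays else None,  # undefined if nothing arrives
        "ete": sum(delays) / len(delays) if delays else None,
        "control": control,
    }


if __name__ == "__main__":
    print("normal:", metrics(NORMAL_TRACE))
    print("flood: ", metrics(FLOOD_TRACE))
```

In the constructed flooding trace the twelve extra RREQ transmissions raise the numerator of (7) while the dropped data packet shrinks the denominator, which is why routing load grows much faster than the number of fake packets alone would suggest.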
4.2. Simulation Results
4.2.1. Effects of Flooding Attacks on the Original AODV Protocol. In this section, we evaluate the performance of the AODV protocol with and without RREQ flooding attacks. We simulate 75 scenarios to evaluate the impact on the performance of AODV in terms of the above 4 defined metrics under various conditions, including node mobility speeds, flooding frequencies, and malicious nodes. The main purpose of an RREQ flooding attack is to inject a large number of fake RREQ packets into the network, making it less efficient in delivering legitimate packets. This effect is equivalent to handling excessive overhead packets, causing a decrease in the network's packet delivery ratio, an increase in the average end-to-end packet delay, and an increase in the network's routing load. The simulation average results are shown in Table 4.
Figure 11 shows that the packet delivery ratio decreases, the routing load increases, and the end-to-end delay increases when the intruder floods attacking packets. Figure 11(a) shows that, without flooding attack, the AODV packet delivery ratio is above 82.10% (1.77% standard deviation) and most packets reach their destination nodes. However, the packet delivery ratio reduced drastically to 12.06% (1.25% standard deviation) when the intruder uses 2 malicious nodes and floods 20 packets every second. Figure 11(b) shows that the average end-to-end delay increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the average end-to-end delay changes from 0.506 s before the attack to 1.032 s after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the average end-to-end delay changes from 0.627 s before the attack to 4.973 s after the attack for the 30 m/s scenario. Figure 11(c) shows that the routing load increases as the flooding attack frequency increases. When the attacker uses 1 malicious node and broadcasts 10 RREQ packets every second, the routing load changes from 4.92 pkt before the attack to 25.45 pkt after the attack for the 10 m/s scenario. When the 2 malicious nodes broadcast 20 RREQ packets every second, the routing load changes from 7.02 pkt before the attack to 898.82 pkt after the attack for the 30 m/s scenario.
4.2.2. Flooding Attacks Detection Performance of FAPRP. In this section, we evaluate the malicious node detection performance of the proposed solution. Malicious node detection ratio is defined in (4). 216 scenarios are simulated: RDFV of size 10, 15, 20, 25, 30, 35, 40, and 60; the cutoff values of k for the kNN are set at 10, 15, 20, 25, 30, 35, 40, 45, and 50. Nodes move in a Random Way Point pattern with a specified maximum speed of 10 m/s, 20 m/s, and 30 m/s. 20 source-destination UDP connections are set up among nodes. The intruder uses 2 malicious nodes and floods 20 packets every second.
The results in Figure 12 show that, by making use of the route discovery history feature vector and the kNN machine data mining algorithm, our method achieves much higher malicious nodes detection ratios than those of existing algorithms and lower mistaken rates. The complexity of the overall detection algorithm is proportional to the size of the route discovery frequency vector. We see that the detection rate of FAPRP is above 99.0% and the mistaken rate is below 1.0% for all scenarios using RDFV vector sizes larger than 35. Figure 12(d) shows that the average of the maximum successful detection rate of FAPRP is above 99.77% when the cutoff value is 25 and RDFV vector size is 60. In brief, the proposed solution is effective in detecting the RREQ flooding attacks.
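How the two parameters varied above, the RDFV size m and the kNN cutoff k, enter a classifier of this kind, as an added example that is not the authors' FADA implementation. It assumes the RDFV holds the last m gaps (in seconds) between a node's route discoveries, Euclidean distance, and a majority vote among the k nearest training vectors; every traffic profile below is constructed.

```python
import math


def times_from_gaps(gaps, start=0.0):
    """Turn inter-discovery gaps (seconds) into route discovery timestamps."""
    times = [start]
    for gap in gaps:
        times.append(times[-1] + gap)
    return times


def rdfv(discovery_times, m):
    """Assumed feature vector: the last m gaps between one node's route
    discoveries. Returns None while the node has fewer than m gaps of history."""
    if m < 1:
        raise ValueError("m must be at least 1")
    gaps = [b - a for a, b in zip(discovery_times, discovery_times[1:])]
    return gaps[-m:] if len(gaps) >= m else None


def knn_classify(vector, training, k):
    """Majority vote among the k training vectors nearest to `vector`."""
    nearest = sorted(training, key=lambda item: math.dist(vector, item[0]))[:k]
    malicious = sum(1 for _, label in nearest if label == "malicious")
    return "malicious" if 2 * malicious > len(nearest) else "normal"


# Constructed training profiles, 12 gaps each.
TRAINING_GAPS = {
    "normal": [[2, 3] * 6, [4, 5] * 6, [6, 8] * 6],
    # 20 RREQ/s, 10 RREQ/s, and a mix of both rates
    "malicious": [[0.05] * 12, [0.1] * 12, [0.05, 0.1] * 6],
}

# Constructed nodes to classify.
PROBES = {
    "flooder": [0.07] * 12,  # about 14 RREQ/s
    "steady": [3, 4] * 6,    # ordinary source
    # legitimate source that retries three times in quick succession
    "bursty": [4, 5, 4, 5, 4, 5, 4, 5, 4, 0.1, 0.1, 0.1],
}


def build_training(m):
    """One labelled vector of size m per training profile."""
    training = []
    for label, profiles in TRAINING_GAPS.items():
        for gaps in profiles:
            vector = rdfv(times_from_gaps(gaps), m)
            if vector is not None:
                training.append((vector, label))
    return training


def evaluate(m, k):
    """Classify every probe node with vector size m and cutoff k."""
    training = build_training(m)
    result = {}
    for name, gaps in PROBES.items():
        vector = rdfv(times_from_gaps(gaps), m)
        # Not enough route discovery history yet: no decision is made.
        result[name] = knn_classify(vector, training, k) if vector else "unknown"
    return result


if __name__ == "__main__":
    for m in (3, 10):
        print(f"m={m}:", evaluate(m, k=3))
```

On this constructed data the legitimate node with three quick retries is labelled malicious at m = 3 and normal at m = 10, while the flooder is labelled malicious at both sizes.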
4.2.3. Performance Evaluation of AODV, B-AODV, and FAPRP. In this section, we simulate 135 scenarios to evaluate the performance of the AODV, B-AODV, and FAPRP protocols under RREQ flooding attacks. The cutoff value
Figure 11: AODV performance under RREQ flooding attacks. Panels: (a) packet delivery ratio (%); (b) end-to-end delay (sec); (c) routing load (pkt). x-axis: mobility speed (m/s): v1-10, v1-20, v1-30; series: Normal, 1MN-10pkts, 1MN-20pkts, 2MN-10pkts, 2MN-20pkts.
(k) is 25 and vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86% standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18% standard deviation) and 10.69% for two malicious nodes (0.9% standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV, in normal scenarios, the average packet delivery ratio is about 58.68% (3.16% standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is
Wireless Communications and Mobile Computing 13
[Figure 11: AODV performance under RREQ flooding attacks. Panels: (a) Packet delivery ratio (%), (b) End-to-end delay (sec), (c) Routing load (pkt). X-axis in each panel: Mobility Speed (m/s), v1-10, v1-20, v1-30. Series: Normal, 1MN-10pkts, 1MN-20pkts, 2MN-10pkts, 2MN-20pkts.]
(k) is 25 and vector size (m) is 60. All nodes move in a Random Way Point pattern with specified maximum speeds of 10 m/s, 20 m/s, and 30 m/s. Each of 2 malicious nodes floods 20 packets every second. 20 pairs of communicating nodes are set up among source nodes. The simulation average results are shown in Table 5.
(a) Packet Delivery Ratio. The results in Figure 13(a) show that the average packet delivery ratio for mobility speed by AODV is about 84.35% (1.86 standard deviation) in the absence of a malicious node. When there is one malicious node, the packet delivery ratio is about 24.65% (2.18 standard deviation), and 10.69% for two malicious nodes (0.9 standard deviation). This is due to RREQ flooding of the fake route request packets by the malicious node, resulting in a high consumption of bandwidth and buffer overloads at intermediate nodes with fake RREQs. For B-AODV in normal scenarios, the average packet delivery ratio is about 58.68% (3.16 standard deviation). In flooding scenarios, B-AODV average packet delivery ratio is above 59.32% when the intruder uses one or two malicious nodes. When our proposed solution is deployed, the packet delivery ratio for normal scenarios and high mobility speed is about 83.08% (2.47 standard deviation). Under flooding scenarios, FAPRP packet delivery ratio is above 82.06% when the intruder uses one or two malicious nodes (2.73 maximum standard deviation). In brief, our solution is more efficient compared to AODV and B-AODV under normal network operation scenarios and more effective in handling RREQ flooding attacks with higher correct detection rates.
(b) End-to-End Delay. The results in Figure 13(b) show that, with AODV, the average end-to-end delay is about 0.569 s under normal scenarios. The end-to-end delays are about 3.121 s and 3.864 s for one and two malicious nodes, respectively. This high end-to-end delay is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV under normal scenarios, the average end-to-end delay is about 1.091 s. Under flooding scenarios, B-AODV end-to-end delay is about 1.056 s with one malicious node and 1.145 s with two malicious nodes. This is caused by the failure of B-AODV in detecting and preventing flooding
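Table 5: AODV, B-AODV, and FAPRP performances (MN: number of malicious nodes; PDR: packet delivery ratio; RL: routing load; ETE: end-to-end delay).

| Speed | MN | PDR (%) AODV | PDR (%) BAODV | PDR (%) FAPRP | RL (pkt) AODV | RL (pkt) BAODV | RL (pkt) FAPRP | ETE (sec) AODV | ETE (sec) BAODV | ETE (sec) FAPRP |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 m/s | 0 | 86.26 | 59.89 | 84.73 | 4.92 | 3.11 | 4.69 | 0.506 | 0.790 | 0.526 |
| 10 m/s | 1 | 28.75 | 55.01 | 83.94 | 140.55 | 4.13 | 6.05 | 3.292 | 0.865 | 0.566 |
| 10 m/s | 2 | 12.06 | 59.30 | 83.80 | 524.18 | 5.98 | 7.34 | 3.668 | 0.921 | 0.598 |
| 20 m/s | 0 | 84.68 | 58.20 | 83.77 | 5.72 | 3.42 | 5.54 | 0.574 | 1.142 | 0.639 |
| 20 m/s | 1 | 25.57 | 56.61 | 83.41 | 171.48 | 4.60 | 6.87 | 3.013 | 1.120 | 0.626 |
| 20 m/s | 2 | 11.23 | 62.96 | 82.96 | 587.18 | 6.25 | 8.23 | 2.952 | 1.187 | 0.680 |
| 30 m/s | 0 | 82.10 | 57.96 | 80.75 | 7.02 | 3.57 | 6.60 | 0.627 | 1.342 | 0.703 |
| 30 m/s | 1 | 19.63 | 57.50 | 79.92 | 228.57 | 4.88 | 8.05 | 3.059 | 1.185 | 0.813 |
| 30 m/s | 2 | 8.78 | 55.69 | 79.41 | 898.82 | 7.09 | 9.28 | 4.973 | 1.327 | 0.798 |
| Average | 0 | 84.35 | 58.68 | 83.08 | 5.89 | 3.37 | 5.61 | 0.569 | 1.091 | 0.623 |
| Average | 1 | 24.65 | 56.37 | 82.42 | 180.20 | 4.54 | 6.99 | 3.121 | 1.056 | 0.668 |
| Average | 2 | 10.69 | 59.32 | 82.06 | 670.06 | 6.44 | 8.28 | 3.864 | 1.145 | 0.692 |
| Standard deviation | 0 | 1.86 | 3.16 | 2.47 | 0.79 | 0.33 | 0.69 | 0.06 | 0.06 | 0.07 |
| Standard deviation | 1 | 2.18 | 5.41 | 2.20 | 17.87 | 0.47 | 0.80 | 0.25 | 0.13 | 0.10 |
| Standard deviation | 2 | 0.90 | 2.35 | 2.73 | 146.54 | 0.48 | 0.89 | 0.43 | 0.19 | 0.07 |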
[Figure 12: Malicious nodes successful detection ratio. Panels: (a) 1-10 m/s mobility speed, (b) 1-20 m/s mobility speed, (c) 1-30 m/s mobility speed, (d) Average of mobility speed. X-axis: Size of Vector (m), 10 to 60. Y-axis: Malicious Node Detection Ratio (%), 97 to 100. Series: k = 10, 15, 20, 25, 30, 35, 40, 45, 50.]
[Figure 13: AODV, B-AODV, and FAPRP performances under RREQ flooding attacks. Panels: (a) Packet delivery ratio (%), (b) End-to-end delay (sec), (c) Routing load (pkt). X-axis in each panel: Number of malicious nodes (0, 1, 2). Series: AODV, BAODV, and FAPRP, each at 1-10 m/s, 1-20 m/s, and 1-30 m/s.]
attacks, resulting in lower packet delivery ratios and longer route discovery delays. For our proposed solution, the average end-to-end delay for normal scenarios and mobility speed is about 0.623 s. Under flooding attacks, FAPRP average end-to-end delays are about 0.668 s and 0.692 s when the intruder uses one and two malicious nodes, respectively. Clearly, FAPRP achieves shorter end-to-end delay compared to AODV under flooding attack scenarios and B-AODV under both normal and flooding attack scenarios.
(c) Routing Load. The results in Figure 13(c) show that the average routing load for high mobility speed by AODV is about 5.89 pkt in the absence of a malicious node. The routing loads are about 180.2 pkts and 670.06 pkts for one and two malicious nodes, respectively. The high routing load is caused by the broadcasting of selective fake route request packets by the malicious nodes. For B-AODV in normal scenarios, the routing load is about 3.37 pkt. B-AODV average routing load under attack is about 4.54 pkt when the intruder uses one malicious node and 6.44 pkt for two malicious nodes. For our proposed solution, the routing load for normal scenarios and high mobility speed is about 5.61 pkt. Under flooding attacks, FAPRP average routing load is about 6.99 pkts and 8.28 pkts when the intruder uses one and two malicious nodes, respectively. B-AODV routing load is, however, better as compared to AODV, as it drops many route request packets due to mistaken detection. Overall, FAPRP performs as well as AODV in the routing load measure under both normal and flooding attack scenarios due to its high correct detection rate and low mistake rate.
5. Conclusion

In this paper, we introduced the flooding attack detection algorithm based on our proposed route discovery frequency history feature vector and the kNN data mining algorithm to detect and isolate the malicious nodes in the network. We introduced a new FAPRP protocol by integrating FADA into the route request phase of AODV. Using route discovery frequency vector sizes larger than 35, the simulation results show that FADA achieves higher misbehaving detection ratio (above 99.0%) as compared with existing algorithms and lower mistaken rate (below 1.0%). Furthermore, the proposed solution is efficient in that it improves the network performance in terms of higher packet delivery ratio, smaller end-to-end delay, and reduced routing load compared to AODV and B-AODV protocols.
In the future, we will extend the proposed solution for mitigating the effects of other flooding attacks.
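The detect-and-isolate idea summarised in this conclusion, as an added Python example that is not the authors' NS2 implementation of FADA or FAPRP: kNN classification of each source's route discovery history, applied before an RREQ is forwarded. The feature (log10 of the gap between consecutive RREQs from a source), the values m = 8 and k = 5, the training data, and the names `RreqFilter` and `replay` are assumptions made for this illustration.

```python
import math
import random
from collections import Counter, defaultdict, deque

M = 8   # history vector size m (assumed; the page's simulation uses m = 60)
K = 5   # neighbours consulted by kNN (assumed; the page's simulation uses k = 25)
NORMAL, MALICIOUS = "normal", "malicious"


def to_feature(gaps):
    """Assumed feature: log10 of each gap (seconds) between consecutive RREQs
    from one source, so sub-second floods and multi-second discoveries share a scale."""
    return [math.log10(max(g, 1e-3)) for g in gaps]


def make_training_set(seed=7, per_class=30, m=M):
    """Constructed labelled vectors: normal sources start a route discovery
    every 1-10 s, flooding sources emit an RREQ every 0.03-0.12 s."""
    rng = random.Random(seed)
    data = []
    for _ in range(per_class):
        data.append((to_feature([rng.uniform(1.0, 10.0) for _ in range(m)]), NORMAL))
        data.append((to_feature([rng.uniform(0.03, 0.12) for _ in range(m)]), MALICIOUS))
    return data


def knn_classify(vector, training, k=K):
    """Majority vote among the k training vectors nearest in Euclidean distance."""
    nearest = sorted(training, key=lambda item: math.dist(vector, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


class RreqFilter:
    """Hypothetical per-node check run before an RREQ is processed or rebroadcast."""

    def __init__(self, training, m=M, k=K):
        self.training, self.m, self.k = training, m, k
        self.last_seen = {}                                   # source -> time of its last RREQ
        self.history = defaultdict(lambda: deque(maxlen=m))   # source -> last m gaps
        self.blacklist = set()                                # isolated sources (never aged out here)

    def accept(self, source, now):
        """Return True to forward the RREQ, False to drop it."""
        if source in self.blacklist:
            return False
        prev = self.last_seen.get(source)
        self.last_seen[source] = now
        if prev is not None:
            self.history[source].append(now - prev)
        gaps = self.history[source]
        if len(gaps) < self.m:
            return True   # cold start: too little history to classify
        if knn_classify(to_feature(gaps), self.training, self.k) == MALICIOUS:
            self.blacklist.add(source)
            return False
        return True


def replay(rreq_filter, source, gaps, start=0.0):
    """Send one RREQ at `start`, then one after each gap; return (forwarded, dropped)."""
    now = start
    results = [rreq_filter.accept(source, now)]
    for gap in gaps:
        now += gap
        results.append(rreq_filter.accept(source, now))
    return results.count(True), results.count(False)


def demo():
    flt = RreqFilter(make_training_set())
    # Constructed traffic: node 7 sends 20 RREQs per second, the rate used in the simulation.
    flood = replay(flt, source=7, gaps=[0.05] * 40)
    # Constructed traffic: node 3 is legitimate but rediscovers twice in quick succession.
    bursty = replay(flt, source=3, gaps=[5, 6, 0.1, 0.1, 4, 7, 3, 5, 6, 4])
    return flood, bursty, sorted(flt.blacklist)


if __name__ == "__main__":
    print(demo())
```

Nothing is classified until m gaps are recorded, so the first m RREQs from a flooding source are still forwarded.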
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This research was supported by the DThU (Dong Thap University), Vietnam, under the PhD Thesis (62480101) supervised by the Hue University of Sciences, Hue University.
Supplementary Materials
We submit the source code for the AODV, B-AODV, and FAPRP protocols and analysis files (tcl, awk) for the simulation with this revision. ID, file name, and description are as follows:
1. aodv cc.rar: source code of AODV routing protocol for simulation in NS2.35.
2. fdaodv cc.rar: source code of FDAODV routing protocol for malicious node simulation in NS2.35.
3. baodv cc.rar: source code of BAODV routing protocol for simulation in NS2.35.
4. fdbaodv cc.rar: source code of FDBAODV routing protocol for malicious node simulation in NS2.35.
5. faprp cc.rar: source code of FAPRP routing protocol for simulation in NS2.35.
6. fdfaprp cc.rar: source code of FDFAPRP routing protocol for malicious node simulation in NS2.35.
7. scen.rar: 15 network topologies for simulation.
8. TCL.rar: (TCL source code is used to write simulation script in ns2) analysis files (awk) for the simulation.
9. DATA.rar: all simulation data.
10. Figures.rar: all scripts (gnuplot) to create the figures in the paper.
(Supplementary Materials)
References
[1] J Hoebeke I Moerman B Dhoedt and P Demeester ldquoAnoverview of mobile ad hoc networks Applications and chal-lengesrdquo Journal of the Communications Network vol 3 no 3pp 60ndash66 2004
[2] C E Perkins and E M Royer ldquoAd-hoc on-demand distancevector routingrdquo in Proceedings of the 2nd IEEE Workshop onMobile Computing Systems and Applications (WMCSA rsquo99) pp90ndash100 New Orleans La USA February 1999
[3] C Perkins and P Bhagwat ldquoHighly dynamic destination-sequenced distance-vector routing (DSDV) for mobile com-putersrdquo in Proceedings of the Conference on CommunicationsArchitectures Protocols and Applications (SIGCOMM rsquo94) pp234ndash244 London UK 1994
[4] Z J Haas M R Pearlman and P Samar ldquoThe Zone RoutingProtocol (ZRP) for AdHocNetworksrdquo INTERNET-DRAFT pp1ndash11 2002
[5] E Alotaibi and B Mukherjee ldquoA survey on routing algorithmsfor wireless Ad-Hoc and mesh networksrdquo Computer Networksvol 56 no 2 pp 940ndash965 2012
[6] R Di Pietro S Guarino N V Verde and J Domingo-FerrerldquoSecurity in wireless ad-hoc networks - A surveyrdquo ComputerCommunications vol 51 pp 1ndash20 2014
[7] R Mitchell and I-R Chen ldquoA survey of intrusion detection inwireless network applicationsrdquo Computer Communications vol42 pp 1ndash23 2014
[8] M Wazid and A K Das ldquoA Secure Group-Based BlackholeNode Detection Scheme for Hierarchical Wireless Sensor Net-worksrdquo Wireless Personal Communications vol 94 no 3 pp1165ndash1191 2017
[9] E C H Ngai J Liu and M R Lyu ldquoAn efficient intruderdetection algorithm against sinkhole attacks in wireless sensornetworksrdquo Computer Communications vol 30 no 11-12 pp2353ndash2364 2007
[10] S Gurung and S Chauhan ldquoA novel approach for mitigatinggray hole attack in MANETrdquo Wireless Networks vol 24 no 2pp 565ndash579 2018
[11] T L Ngoc and T T Vo ldquoWhirlwind A new method to attackRouting Protocol in Mobile Ad hoc Networkrdquo InternationalJournal of Network Security vol 19 no 5 pp 832ndash838 2017
[12] T T Vo N T Luong and D Hoang ldquoMLAMAN a novelmulti-level authentication model and protocol for preventingwormhole attack in mobile ad hoc networkrdquoWireless Networks2018
[13] Y Ping D Zhoulin Y Zhong and Z Shiyong ldquoResistingflooding attacks in ad hoc networksrdquo in Proceedings of theInternational Conference on Information Technology Codingand Computing (ITCCrsquo05) vol 2 pp 657ndash662 Las Vegas NVUSA April 2005
[14] H Ehsan and F A Khan ldquoMalicious AODV Implementationand analysis of routing attacks in MANETsrdquo in Proceedings ofthe 11th IEEE International Conference on Trust Security andPrivacy inComputing andCommunications TrustCom-2012 pp1181ndash1187 UK June 2012
[15] D Gada R Gogri P Rathod et al ldquoA distributed securityscheme for ad hoc networksrdquoTheCrossroads Journal vol 11 no1 pp 1ndash14 2004
[16] J-H Song F Hong and Y Zhang ldquoEffective filtering schemeagainst RREQ flooding attack in mobile ad hoc networksrdquo inProceedings of the 7th International Conference on Parallel andDistributed Computing Applications and Technologies PDCAT2006 pp 497ndash502 Taiwan December 2006
[17] P Yi Y Hou Y P Zhong and Z L Dai ldquoFlooding attack anddefence in ad hoc networksrdquo Journal of Systems Engineering andElectronics vol 17 no 2 pp 410ndash416 2006
[18] M J Faghihniya S M Hosseini and M Tahmasebi ldquoSecurityupgrade against RREQ flooding attack by using balance indexon vehicular ad hoc networkrdquoWireless Networks vol 23 no 6pp 1863ndash1874 2017
[19] S Gurung and S Chauhan ldquoA novel approach for mitigatingroute request flooding attack in MANETrdquo Wireless Networksvol 24 no 8 pp 2899ndash2914 2018
[20] VThanh Tu and LThai Ngoc ldquoSMA2AODV Routing protocolreduces the harm of flooding attacks inmobile ad hoc networkrdquoJournal of Communications vol 12 no 7 pp 371ndash378 2017
Wireless Communications and Mobile Computing 17
[21] M Patel S Sharma and D Sharan ldquoDetection and preventionof flooding attack using SVMrdquo in Proceedings of the 3rd Inter-national Conference on Communication Systems and NetworkTechnologies CSNT 2013 pp 533ndash537 India April 2013
[22] W Li P Yi Y Wu L Pan and J Li ldquoA New IntrusionDetection System Based on KNN Classification Algorithm inWireless Sensor Networkrdquo Journal of Electrical and ComputerEngineering vol 2014 Article ID 240217 8 pages 2014
[23] DARPA The network simulator NS2 1995 httpswwwisiedunsnamns
[24] S K Sahu P Kumar and A P Singh ldquoModified K-NNalgorithm for classification problems with improved accuracyrdquoInternational Journal of Information Technology vol 10 no 1pp 65ndash70 2018
[25] J Yoon M Liu and B Noble ldquoRandom waypoint consideredharmfulrdquo in Proceedings of the 22nd Annual Joint Conference onthe IEEE Computer and Communications Societies (INFOCOMrsquo03) vol 2 pp 1312ndash1321 San Francisco Calif USA March-April 2003
[26] S Gurung and S Chauhan ldquoA dynamic threshold basedalgorithm for improving security and performance of AODVunder black-hole attack in MANETrdquo Wireless Networks pp 1ndash11 2017
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
14 Wireless Communications and Mobile Computing
Table 5 AODV B-AODV and FAPRP performances
10msPDR () RL (pkt) ETE (sec)
MN AODV BAODV FAPRP AODV BAODV FAPRP AODV BAODV FAPRP0 8626 5989 8473 492 311 469 0506 0790 05261 2875 5501 8394 14055 413 605 3292 0865 05662 1206 5930 8380 52418 598 734 3668 0921 0598
20ms0 8468 5820 8377 572 342 554 0574 1142 06391 2557 5661 8341 17148 460 687 3013 1120 06262 1123 6296 8296 58718 625 823 2952 1187 0680
30ms0 8210 5796 8075 702 357 660 0627 1342 07031 1963 5750 7992 22857 488 805 3059 1185 08132 878 5569 7941 89882 709 928 4973 1327 0798
Average0 8435 5868 8308 589 337 561 0569 1091 06231 2465 5637 8242 18020 454 699 3121 1056 06682 1069 5932 8206 67006 644 828 3864 1145 0692
Standard deviation values0 186 316 247 079 033 069 006 006 0071 218 541 220 1787 047 080 025 013 0102 090 235 273 14654 048 089 043 019 007
10 15 20 25 30 35 40 60Size of Vector (m)
k=10k=15k=20k=25k=30
k=35k=40k=45k=50
97 975
98 985
99 995 100
Mal
icio
us N
ode D
etec
tion
Ratio
()
(a) 1-10ms mobility speed
10 15 20 25 30 35 40 60Size of Vector (m)
97 975
98 985
99 995 100
Mal
icio
us N
ode D
etec
tion
Ratio
()
k=10k=15k=20k=25k=30
k=35k=40k=45k=50
(b) 1-20ms mobility speed
10 15 20 25 30 35 40 60Size of Vector (m)
97 975
98 985
99 995 100
Mal
icio
us N
ode D
etec
tion
Ratio
()
k=10k=15k=20k=25k=30
k=35k=40k=45k=50
(c) 1-30ms mobility speed
10 15 20 25 30 35 40 60Size of Vector (m)
k=10k=15k=20k=25k=30
k=35k=40k=45k=50
97 975
98 985
99 995 100
Mal
icio
us N
ode D
etec
tion
Ratio
()
(d) Average of mobility speed
Figure 12 Malicious nodes successful detection ratio
Wireless Communications and Mobile Computing 15
0 21Number of malicious nodes
0 10 20 30 40 50 60 70 80 90
Pack
et D
elive
ry R
atio
()
AODV (1-10ms)AODV (1-20ms)AODV (1-30ms)
BAODV (1-10ms)BAODV (1-20ms)BAODV (1-30ms)
FAPRP (1-10ms)FAPRP (1-20ms)FAPRP (1-30ms)
(a) Packet delivery ratio
0 21Number of malicious nodes
0 05
1 15
2 25
3 35
4 45
5 55
End-
to-E
nd D
elay
(sec
)
AODV (1-10ms)AODV (1-20ms)AODV (1-30ms)
BAODV (1-10ms)BAODV (1-20ms)BAODV (1-30ms)
FAPRP (1-10ms)FAPRP (1-20ms)FAPRP (1-30ms)
(b) End-to-end delay
0 21Number of malicious nodes
AODV (1-10ms)AODV (1-20ms)AODV (1-30ms)
BAODV (1-10ms)BAODV (1-20ms)BAODV (1-30ms)
FAPRP (1-10ms)FAPRP (1-20ms)FAPRP (1-30ms)
0
200
400
600
800
1000
1200
Rout
ing
Load
(pkt
)
(c) Routing load
Figure 13 AODV B-AODV and FAPRP performances under RREQ flooding attacks
attacks resulting in lower packet delivery ratios and longerroute discovery delays For our proposed solution the averageend-to-end delay for normal scenarios and mobility speed isabout 0623s Under flooding attacks FAPRP average end-to-end delays are about 0668s and 0692s when intruder usesone and two malicious nodes respectively Clearly FAPRPachieves shorter end-to-end delay compared to AODVunderflooding attack scenarios and B-AODV under both normaland flooding attack scenarios
(c) Routing Load The results in Figure 13(c) show that theaverage routing load for high mobility speed by AODV isabout 589pkt in the absence of a malicious nodeThe routingloads are about 1802pkts and 67006pkts for one and two onemalicious nodes respectivelyThe high routing load is causedby the broadcasting of selective fake route request packetsby the malicious nodes For B-AODV in normal scenariosthe routing load is about 337pkt B-AODV average routingload in attacks state is about 454pkt when the intruder usesonemalicious node and 644pkt for twomalicious nodes Forour proposed solution the routing load for normal scenarioand high mobility speed is about 561pkt Under flooding
attacks FAPRP average routing load is about 699pkts and828pkts when the intruder uses one and two maliciousnodes respectively B-AODV routing load is however betteras compared to AODV as it dropsmany route request packetsdue to mistake detection Overall FAPRP performs as well asAODV in the routing load measure under both normal andflooding attack scenarios due to its high correct detection rateand low mistake rate
5 Conclusion
In this paper we introduced the flooding attack detectionalgorithm based on our proposed route discovery frequencyhistory feature vector and the kNN data mining algorithmto detect and isolate the malicious nodes in the networkWe introduced a new FAPRP protocol by integrating FADAinto the route request phase of AODV Using route discoveryfrequency vector sizes larger than 35 the simulation resultsshow that FADA achieves higher misbehaving detectionratio (above 990) as compared with existing algorithmsand lower mistaken rate (below 10) Furthermore theproposed solution is efficient in that it improves the network
16 Wireless Communications and Mobile Computing
performance in terms of higher packet delivery ratio smallerend-to-end delay and reduced routing load compared toAODV and B-AODV protocols
In the future we will extend the proposed solution formitigating the effects of other flooding attacks
Data Availability
The data used to support the findings of this study areincluded within the article
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by the DThU (Dong ThapUniversity) Vietnam under the PhD Thesis (62480101)supervised by theHueUniversity of Sciences HueUniversity
Supplementary Materials
We submit the source code for the AODV B-AODV andFAPRP protocols and analysis files (tcl awk) for the sim-ulation with this revision ID file name description are asfollows 1 aodv ccrar source code ofAODV routing protocolfor simulation in NS235 2 fdaodv ccrar source code ofFDAODV routing protocol for malicious node simulationin NS235 3 baodv ccrar source code of BAODV routingprotocol for simulation in NS235 4 fdbaodv ccrar sourcecode of FDBAODV routing protocol for malicious nodesimulation in NS235 5 faprp ccrar source code of FAPRProuting protocol for simulation in NS235 6 fdfaprp ccrarsource code of FDFAPRP routing protocol for maliciousnode simulation in NS235 7 scenrar 15 network topologiesfor simulation 8 TCLrar (TCL source code is used towrite simulation script in ns2) analysis files (awk) for thesimulation 9 DATArar all simulation data 10 Figuresrarall scripts (gnuplot) to create the figures in the paper(Supplementary Materials)
References
[1] J Hoebeke I Moerman B Dhoedt and P Demeester ldquoAnoverview of mobile ad hoc networks Applications and chal-lengesrdquo Journal of the Communications Network vol 3 no 3pp 60ndash66 2004
[2] C E Perkins and E M Royer ldquoAd-hoc on-demand distancevector routingrdquo in Proceedings of the 2nd IEEE Workshop onMobile Computing Systems and Applications (WMCSA rsquo99) pp90ndash100 New Orleans La USA February 1999
[3] C Perkins and P Bhagwat ldquoHighly dynamic destination-sequenced distance-vector routing (DSDV) for mobile com-putersrdquo in Proceedings of the Conference on CommunicationsArchitectures Protocols and Applications (SIGCOMM rsquo94) pp234ndash244 London UK 1994
[4] Z J Haas M R Pearlman and P Samar ldquoThe Zone RoutingProtocol (ZRP) for AdHocNetworksrdquo INTERNET-DRAFT pp1ndash11 2002
[5] E Alotaibi and B Mukherjee ldquoA survey on routing algorithmsfor wireless Ad-Hoc and mesh networksrdquo Computer Networksvol 56 no 2 pp 940ndash965 2012
[6] R Di Pietro S Guarino N V Verde and J Domingo-FerrerldquoSecurity in wireless ad-hoc networks - A surveyrdquo ComputerCommunications vol 51 pp 1ndash20 2014
[7] R Mitchell and I-R Chen ldquoA survey of intrusion detection inwireless network applicationsrdquo Computer Communications vol42 pp 1ndash23 2014
[8] M Wazid and A K Das ldquoA Secure Group-Based BlackholeNode Detection Scheme for Hierarchical Wireless Sensor Net-worksrdquo Wireless Personal Communications vol 94 no 3 pp1165ndash1191 2017
[9] E C H Ngai J Liu and M R Lyu ldquoAn efficient intruderdetection algorithm against sinkhole attacks in wireless sensornetworksrdquo Computer Communications vol 30 no 11-12 pp2353ndash2364 2007
[10] S Gurung and S Chauhan ldquoA novel approach for mitigatinggray hole attack in MANETrdquo Wireless Networks vol 24 no 2pp 565ndash579 2018
[11] T L Ngoc and T T Vo ldquoWhirlwind A new method to attackRouting Protocol in Mobile Ad hoc Networkrdquo InternationalJournal of Network Security vol 19 no 5 pp 832ndash838 2017
[12] T T Vo N T Luong and D Hoang ldquoMLAMAN a novelmulti-level authentication model and protocol for preventingwormhole attack in mobile ad hoc networkrdquoWireless Networks2018
[13] Y Ping D Zhoulin Y Zhong and Z Shiyong ldquoResistingflooding attacks in ad hoc networksrdquo in Proceedings of theInternational Conference on Information Technology Codingand Computing (ITCCrsquo05) vol 2 pp 657ndash662 Las Vegas NVUSA April 2005
[14] H Ehsan and F A Khan ldquoMalicious AODV Implementationand analysis of routing attacks in MANETsrdquo in Proceedings ofthe 11th IEEE International Conference on Trust Security andPrivacy inComputing andCommunications TrustCom-2012 pp1181ndash1187 UK June 2012
[15] D Gada R Gogri P Rathod et al ldquoA distributed securityscheme for ad hoc networksrdquoTheCrossroads Journal vol 11 no1 pp 1ndash14 2004
[16] J-H Song F Hong and Y Zhang ldquoEffective filtering schemeagainst RREQ flooding attack in mobile ad hoc networksrdquo inProceedings of the 7th International Conference on Parallel andDistributed Computing Applications and Technologies PDCAT2006 pp 497ndash502 Taiwan December 2006
[17] P Yi Y Hou Y P Zhong and Z L Dai ldquoFlooding attack anddefence in ad hoc networksrdquo Journal of Systems Engineering andElectronics vol 17 no 2 pp 410ndash416 2006
[18] M J Faghihniya S M Hosseini and M Tahmasebi ldquoSecurityupgrade against RREQ flooding attack by using balance indexon vehicular ad hoc networkrdquoWireless Networks vol 23 no 6pp 1863ndash1874 2017
[19] S Gurung and S Chauhan ldquoA novel approach for mitigatingroute request flooding attack in MANETrdquo Wireless Networksvol 24 no 8 pp 2899ndash2914 2018
[20] VThanh Tu and LThai Ngoc ldquoSMA2AODV Routing protocolreduces the harm of flooding attacks inmobile ad hoc networkrdquoJournal of Communications vol 12 no 7 pp 371ndash378 2017
Wireless Communications and Mobile Computing 17
[21] M Patel S Sharma and D Sharan ldquoDetection and preventionof flooding attack using SVMrdquo in Proceedings of the 3rd Inter-national Conference on Communication Systems and NetworkTechnologies CSNT 2013 pp 533ndash537 India April 2013
[22] W Li P Yi Y Wu L Pan and J Li ldquoA New IntrusionDetection System Based on KNN Classification Algorithm inWireless Sensor Networkrdquo Journal of Electrical and ComputerEngineering vol 2014 Article ID 240217 8 pages 2014
[23] DARPA The network simulator NS2 1995 httpswwwisiedunsnamns
[24] S K Sahu P Kumar and A P Singh ldquoModified K-NNalgorithm for classification problems with improved accuracyrdquoInternational Journal of Information Technology vol 10 no 1pp 65ndash70 2018
[25] J Yoon M Liu and B Noble ldquoRandom waypoint consideredharmfulrdquo in Proceedings of the 22nd Annual Joint Conference onthe IEEE Computer and Communications Societies (INFOCOMrsquo03) vol 2 pp 1312ndash1321 San Francisco Calif USA March-April 2003
[26] S Gurung and S Chauhan ldquoA dynamic threshold basedalgorithm for improving security and performance of AODVunder black-hole attack in MANETrdquo Wireless Networks pp 1ndash11 2017
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Wireless Communications and Mobile Computing 15
0 21Number of malicious nodes
0 10 20 30 40 50 60 70 80 90
Pack
et D
elive
ry R
atio
()
AODV (1-10ms)AODV (1-20ms)AODV (1-30ms)
BAODV (1-10ms)BAODV (1-20ms)BAODV (1-30ms)
FAPRP (1-10ms)FAPRP (1-20ms)FAPRP (1-30ms)
(a) Packet delivery ratio
0 21Number of malicious nodes
0 05
1 15
2 25
3 35
4 45
5 55
End-
to-E
nd D
elay
(sec
)
AODV (1-10ms)AODV (1-20ms)AODV (1-30ms)
BAODV (1-10ms)BAODV (1-20ms)BAODV (1-30ms)
FAPRP (1-10ms)FAPRP (1-20ms)FAPRP (1-30ms)
(b) End-to-end delay
0 21Number of malicious nodes
AODV (1-10ms)AODV (1-20ms)AODV (1-30ms)
BAODV (1-10ms)BAODV (1-20ms)BAODV (1-30ms)
FAPRP (1-10ms)FAPRP (1-20ms)FAPRP (1-30ms)
0
200
400
600
800
1000
1200
Rout
ing
Load
(pkt
)
(c) Routing load
Figure 13 AODV B-AODV and FAPRP performances under RREQ flooding attacks
attacks resulting in lower packet delivery ratios and longerroute discovery delays For our proposed solution the averageend-to-end delay for normal scenarios and mobility speed isabout 0623s Under flooding attacks FAPRP average end-to-end delays are about 0668s and 0692s when intruder usesone and two malicious nodes respectively Clearly FAPRPachieves shorter end-to-end delay compared to AODVunderflooding attack scenarios and B-AODV under both normaland flooding attack scenarios
(c) Routing Load The results in Figure 13(c) show that theaverage routing load for high mobility speed by AODV isabout 589pkt in the absence of a malicious nodeThe routingloads are about 1802pkts and 67006pkts for one and two onemalicious nodes respectivelyThe high routing load is causedby the broadcasting of selective fake route request packetsby the malicious nodes For B-AODV in normal scenariosthe routing load is about 337pkt B-AODV average routingload in attacks state is about 454pkt when the intruder usesonemalicious node and 644pkt for twomalicious nodes Forour proposed solution the routing load for normal scenarioand high mobility speed is about 561pkt Under flooding
attacks FAPRP average routing load is about 699pkts and828pkts when the intruder uses one and two maliciousnodes respectively B-AODV routing load is however betteras compared to AODV as it dropsmany route request packetsdue to mistake detection Overall FAPRP performs as well asAODV in the routing load measure under both normal andflooding attack scenarios due to its high correct detection rateand low mistake rate
5 Conclusion
In this paper we introduced the flooding attack detectionalgorithm based on our proposed route discovery frequencyhistory feature vector and the kNN data mining algorithmto detect and isolate the malicious nodes in the networkWe introduced a new FAPRP protocol by integrating FADAinto the route request phase of AODV Using route discoveryfrequency vector sizes larger than 35 the simulation resultsshow that FADA achieves higher misbehaving detectionratio (above 990) as compared with existing algorithmsand lower mistaken rate (below 10) Furthermore theproposed solution is efficient in that it improves the network
16 Wireless Communications and Mobile Computing
performance in terms of higher packet delivery ratio smallerend-to-end delay and reduced routing load compared toAODV and B-AODV protocols
In the future we will extend the proposed solution formitigating the effects of other flooding attacks
Data Availability
The data used to support the findings of this study areincluded within the article
Conflicts of Interest
The authors declare that there are no conflicts of interestregarding the publication of this paper
Acknowledgments
This research was supported by the DThU (Dong ThapUniversity) Vietnam under the PhD Thesis (62480101)supervised by theHueUniversity of Sciences HueUniversity
Supplementary Materials
We submit the source code for the AODV B-AODV andFAPRP protocols and analysis files (tcl awk) for the sim-ulation with this revision ID file name description are asfollows 1 aodv ccrar source code ofAODV routing protocolfor simulation in NS235 2 fdaodv ccrar source code ofFDAODV routing protocol for malicious node simulationin NS235 3 baodv ccrar source code of BAODV routingprotocol for simulation in NS235 4 fdbaodv ccrar sourcecode of FDBAODV routing protocol for malicious nodesimulation in NS235 5 faprp ccrar source code of FAPRProuting protocol for simulation in NS235 6 fdfaprp ccrarsource code of FDFAPRP routing protocol for maliciousnode simulation in NS235 7 scenrar 15 network topologiesfor simulation 8 TCLrar (TCL source code is used towrite simulation script in ns2) analysis files (awk) for thesimulation 9 DATArar all simulation data 10 Figuresrarall scripts (gnuplot) to create the figures in the paper(Supplementary Materials)