© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 252
MITIGATING WORMHOLE ATTACK IN
WIRELESS MOBILE ADHOC NETWORK
1*Suyash Bhardwaj, 2Dr. Vivek Kumar 1Ph.D. Scholar, 2Professor,
1,2Department of Computer Science, Faculty of Technology,
Gurukula Kangri Vishwavidyalaya, Haridwar, Uttarakhand, India
Abstract: Mobile Ad hoc Networks or MANETs are infrastructure less, rapidly deployable temporary networks used for a
communication in emergency situations or when the wired communication systems fail. It could be unfriendly environments,
rough terrain or disaster situation; MANET performs exceptionally well; however, it falls short when exposed to routing attacks.
To ensure the security and strength of the MANET in such unpredictable situations the requirement of a secure, effective,
scalable, swift, and efficient mechanism is obligatory. The generally used protocol under MANET is AODV, however AODV
performs well in any type of scenario except it is not secure from the attacks, from outside attackers as well from the inside
compromised nodes. These attacks are tough to detect, furthermore complicated to avoid. Such an attack is Wormhole attack.
In this paper, we propose a Novel Secure Cooperative Neighbour Based Approach in AODV (CNBWH-AODV) to identify and
prevent wormhole attack. The wormhole attack is very difficult to detect, since a wormhole captures a routing message from one
point of the network, tunnels it and then replay it at another point in the network. Wormhole node does not necessarily drop
routing or data messages, and does not require the full message to be delivered at the same time. The message can be delivered in
smaller parts or in bits using a high power wireless transmission antenna or direct wired connection. If a wormhole does not drop
or modify data, it is almost impossible to detect the attacker. The most important part of our approach is detecting a wormhole
attack without requiring any special hardware. Proposed approach uses the 1 hop neighbour information for identifying the
colluding attacker, using cooperative neighbours. This approach works for both hidden and exposed type of wormhole attacks,
and does not create any routing overhead. This approach is able to completely avoid the wormhole nodes and improves the
performance of the network as shown in the simulations under NS2.
Index Terms - MANET, AODV, Worm Hole Attack, Cooperative Neighbour Based Detection Mechanism.
I. INTRODUCTION
Communication devices and high speed network have become a part of our day to day life. Networks mediums have grown
from wired slow Ethernet base dial up connections to wireless 5G high speed internet communication. All these progressions have
given freedom to people to interact with each other, even when they are located at geographically distant locations. This freedom
of communication has brought both benefits as well as shortcomings. They are less secure and are prone to attacks, the privacy
and security is an issue with these infrastructure less networks [1]. Wireless mobile Adhoc network or MANET’s are highly
dynamic, easily deployable wireless systems that are not dependent on any central fixed structure. However, they consist of
mobile nodes or devices that are free to roam in the area and can be connected at the time of requirement in a random manner.
These devices are capable of behaving as routers, that are responsible for route discovery and route maintenance. They behave
like source and destination in such a manner, where the communication takes place between sender and receiver, through wireless
multi-hop communication network [2]
MANET’s are short lived in comparison to wired network, as such mobile devices are equipped with very limited resources
and battery power [3]. There are some distinct characteristics as shown by MANET such as lack of fixed infrastructure, weak
security, limited battery life, dynamic topology, and limited bandwidth. These characteristics make them more prone to attacks
yet provide the high adaptability, so they are very useful in different applications like video conferencing, departmental meeting,
resource sharing, search and rescue operations, military deployment, disaster management situations, electoral system, and many
more. Applications of MANET technology are limitless and they could include industrial, commercial as well as future military
networking applications. They can be properly combined with satellite-based information delivery systems such as GPS, to
provide a really flexible solution for setting up communication systems for fire, disaster and other safety or rescue operations.
There are also many other applications possible for MANET technology which are not yet comprehended or planned by the
technocrats. [4]
There are numerous different protocols which are already planned for routing in MANETs. Furthermore, these protocols may
be categorized into three categories: Reactive or On-Demand Routing Protocols, Proactive or Table-Driven Routing Protocols and
Hybrid Routing Protocols. The Reactive Protocols, like the Ad hoc On-Demand Distance Vector (AODV) routing protocol [5],
starts route discovery only when obligatory. In Proactive Routing Protocols, such as the Optimized Link State Routing (OLSR)
protocol [6] mobile nodes discover and update routes by exchanging network information in the fixed duration of time. Hybrid
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 253
Routing protocols are those protocols which combine the best features of both reactive and proactive type routing protocols.
Reactive and Proactive types of routing protocols depend on the route information provided by the neighbouring nodes, however,
does not provide any centralized or distributed mechanism for detection and prevention of attacks from these neighbouring nodes
[7]. Most of the routing protocols generally believe that the devices of the network are reliable and can be trusted, on the other
hand, a malicious node can initiate an attack to disrupt route discovery since the beginning of the network setup and can attack
data transmissions without being detected for a long time.
II. AODV OVERVIEW
The Adhoc On-Demand Distance Vector routing protocol (AODV) [5] is a reactive or on demand type routing protocols that
finds a route towards destination only when it is required. In AODV, active nodes contribute in the route selection process while
the nodes existing on inactive routes do not share routing table updates and information exchanges. The algorithm’s primary
objective is to broadcast discovery messages whenever essential, however, hello messages are regularly sent to immediate
neighbours to maintain local connectivity and general topology.
Network Communication in AODV depends on regular updating route table entries at nodes participating in an active session;
whereas all nodes maintain a sequence number counter which helps to replace stale stored routes. This scheme utilizes bandwidth
capably by diminishing the network burden for control and data messages, consequently confirms loop-free routing. In AODV the
Route Discovery procedure is started only when the source device or node wants to transfer messages to another node in the
network and there is no existing path between the source and the destination. The sequence number and the broadcast id are the
two counters maintained by each mobile node in the whole network. Subsequently, the route acquisition process starts with
spreading a Route Request (RREQ) message flooded by the source node to all the neighbours, whereas in reply neighbour can
send a Route Reply (RREP) message, when the neighbour has a path towards the destination, otherwise it can either drop or
forward the RREQ message to other neighbours after incrementing hop count by one, thus creating a backward route towards the
source. As shown in Figure 1 the source A broadcasts the RREQ and all the neighbours forwards the RREQ until it reaches the
destination H. Multiple RREQ received with the same sequence number are ignored by the intermediate nodes as well as
destination. Moreover, every node forwards the RREQ message when it does not have a route towards destination. If any node
possibly has a path or route reaching destination, it can generate a route reply message on behalf of the destination.
Figure 1: Route acquisition in AODV
When the first route request (RREQ) message is received at destination, a corresponding route reply (RREP) is unicasted
towards source using backward path, as shown in Figure 1. Further received RREQ messages with the same sequence number are
ignored. Additionally, this RREP updates the destination sequence number and sets up a final path from source to the destination.
Figure 1 denotes the final path formed when the RREP is sent by the destination H towards the source node A. When the route is
established, the data communication can be started by source in form of sending messages to destination using this path.
A. AODV vulnerabilities
There are many threats against routing protocol, some of these include Flooding Attack [7], Black Hole Attack [1][4][7], Gray
Hole Attack [4][7], Link Spoofing [4], Wormhole Attack [7], Replay Attack [7], Passive Eavesdropping [4] [7], Active
interfering, Impersonation [4], Selfish Node Attack [4] and Selective Forwarding attack [4].
III. WORM HOLE ATTACK
In AODV, route request is broadcasted by the nodes that receive it, while the route reply is unicasted to set the reverse path
towards the source. Every intermediate node plays a critical role in the route discovery process. During this process, if any
intermediate node is sending route request or route reply messages to its partner situated at some distant location in the same or
different network cluster, is actually using a dedicated link or hidden transmission tunnel to create a wormhole attack in the
network. For the duration of a wormhole attack, the attacker node obtains or intercepts messages from one place or point in the
system and tunnels the messages to another place in the system, and then forwards them from that location [8]. Attacker node
compromises the route discovery process and disables the node to build routes between nodes correctly. At the same time, the
network traffic concentrates in an attackers’ tunnel, making him able to read and modify passing data packets. Over time, more
and more routes in network will use this tunnel. However, the wormhole attacker reduces the hop count, so it is easy for it to send
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 254
messages earlier than normal routing process. As stated by [9] it is possible for an attacker to selectively unicast bits of messages
through the wormhole link in a nonstop routine, exclusive of the waiting for whole message to be acknowledged.
A wormhole attacks may give fabricated wrong route, if the source node selects this wrong route, attacker node has the
opportunity of sending the messages to another point in the network or just sinking them. These attacks are tough to perceive as
attacker nodes is able to imitate real nodes, and the attacker is not dropping the routing or data messages, else it has tunnelled
them to another point in the network [9]. quantified the severity of such attack by mentioning that these attacks are operative and
can pose a threat in secured networks, where authentication, integrity, confidentiality and non-repudiation are preserved.
A. Types of wormhole attack
The wormhole attacks are classified in two types, based on participation of malicious node in the route discovery process, that
is either exposed or hidden [10].
1. Hidden Type of Wormhole attack
In the hidden type of attack, an attacker node receives packets from one node and transmits them to another distant node
without updating the hop count. In this situation, when the destination node receives this packet, it believes that the sender is its
neighbour, as it does not know about the presence of intermediate attacker. Sometimes only one attacker is able to perform this
attack, however more number of attacking nodes will fool the compromised node to create the entries of neighbours that are
located at several hop distance as 1 hop neighbours. This will result in expanded routing table and overall routing will be
compromised.
For example, as presented in Figure 2 (a), the wormhole tunnel exists in between wormhole node X and node Y. Node X and
node Y does not increment the hop count, hence the destination node will assume that the message is received directly from
source, in this case node B, assumes that node A is its 1 hop neighbour, due to illusion created by wormhole nodes. In this
situation wormhole node remains hidden during route discovery, and it is almost impossible to detect the attack as the
participating nodes won’t even know the presence of wormhole.
2. Exposed Type of Wormhole attack
The exposed attack is more sophisticated attack, as in this type, the wormhole attacker increments the hop count, is visible to
the other nodes, and it behaves like a normal node while receiving and forwarding routing messages during route discovery.
Though the attacker receives the message from victim node like a normal node but maliciously transmit the message to other
location in the network, then reflows the message from that location, keeping the destination node in doubt of the location of the
message origination. Henceforth the destination node will not get information about the distance between participating nodes. The
key aspect of this attack lies in the mode of transmission, which we will discuss in next section.
To understand the exposed type of wormhole attack, take a look at the hop count field in the Figure 2(b), where the attacker
nodes X and Y, participate in the route discovery process visibly and increments the hop count by one. Both source and
destination know about the intermediate nodes X and Y but are unable to recognize the distance between them, for them it seems
to be, that both X and Y are immediate neighbours.
Message format [source id, destination id, hop count]
Figure 2. Hidden and exposed wormhole attack
B. Modes of wormhole attack
A common mode of wormhole attack discussed by Khalil, I., Bagchi, S. and Shroff, N.B., (2005) [11] include a long-range
directional wireless link or a direct wired link, which is used to transmit the message with great power to another point in the
network without informing other nodes about the transmission. This mode of attack is more difficult to launch, since it needs
dedicated hardware ability. Where as in other mode of attack, there is no need of any special hardware. During this mode the
malicious node encapsulates the original RREQ message in another RREQ message created by itself destined to its colluding
partner node to hide the original RREQ from the nodes that lies in between them [12].
1. Direct mode of wormhole attack
To get familiarize with first mode of attack, we take a closer look at Figure 3 (a), where wormhole node X is using a special
directional antenna for transmitting the messages directly to the colluding partner. Node S is broadcasting a route request for route
acquisition towards node D, nodes X and Y are wormhole attackers having a high range directional wireless or dedicated wired
link between them. Node X tunnels the route request to Y, which is a genuine neighbour of D. Node Y forwards the message to its
neighbours, including D. Node D receives two route requests S-X-Y-D and S-1-2-3-D. Out of these two routes, the first one
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 255
seems to be faster and short in comparison with second, which eventually will be chosen by the node D. Henceforth, resulting in
direct tunnel based wormhole being created between X and Y on the route between S and D.
2. Encapsulated mode of wormhole attack
Consider Figure 3 (b) for second mode of attack, during which source node S and destination node D try to find the optimal path
between them, in the existence of the two wormhole nodes X and node Y. Node S start route discovery by sending a route request
(RREQ) to its neighbours, node 1 and node X, both receives the RREQ message, node 1 forwards the message, but node X
encapsulates it in another RREQ message created by node X destined to its partner attacker node Y over the route that exists
between X and Y (including 4-5-6). Node 4, 5, and 6 thinks that node X is communicating with Y, as the RREQ received is
originated from node X and destined to node Y. The intermediate nodes are unfamiliar about the encapsulated original RREQ.
When node Y receives the RREQ packet it expands the packet, and rebroadcasts the original message again, which reaches D.
The point to ponder is that because of packet encapsulation, the hop count is not incremented during the transmission between X
and Y over nodes 4-5-6. Alongside, the RREQ travels from S to D through 1-2-3. Node D receives two route requests, the first is
seemingly three hops long (S-X-Y-D), and the second is four hops long (S-1-2-3-D). Node D will choose the first route since it
seems to be the shortest though actuality it is six hops long. In this way the attacker nodes X and Y have involved themselves in
the route set up from S to D. Since the wormhole route appears to be shorter and faster, we can say that all the shortest route
finding protocols are vulnerable to wormhole attack.
Figure 3 direct and encapsulated mode of transmission under wormhole attack
C. Properties of Wormhole nodes
Wormholes are very difficult to detect, as they do not participate in the route acquisition process, are hidden from other nodes,
can modify the mutable contents of message without alarming participating nodes, can create an illusion of close neighbourhood,
and still can remain undetected. Moreover, it can lure a sender to send more traffic though the wormhole tunnel, and can modify,
record, copy, change, manipulate, or even drop these messages later. There are several symptoms of wormhole existence as stated
by Lee, G., Seo, J. and Kim, D.K., (2008) [13] such as, Low hop count replies, longer propagation time, larger delay per hop,
RREQ/ RREP is captured and not delivered over normal route, bigger transmission range , wormhole node that is not a neighbour,
more load on certain nodes, modified routing or data messages etc.
IV. LITERATURE REVIEW
Worm hole attack not only affect the End to End delay of the network adversely, but also compromise the authenticity of the
whole communication system. There are various studies that propose the methods for detection and avoidance mechanisms of
worm hole attack. Kannhavong, B., Nakayama, H., Nemoto, Y., Kato, N., & Jamalipour, A., (2007) [7] presented survey of various
approaches to detect and avoid the BH attack, and have summarized the methods to show comparison between them. Hu, Y.C.,
Perrig, A. and Johnson, D.B., (2006) [9] have discussed various approaches for avoiding and detecting worm hole in AODV based
mobile ad hoc networks. However, there is a need of elaborative study and comparison of various approaches and to find the gap in
the approach. So this paper presents various approaches and categorizes them in the major detection and prevention methods.
A. Routing Message or Routing Table Modification based Approach
There are various approaches to detect and prevent wormhole attack in MANET, one popular approach is to modify the routing
messages or table to detect malicious nodes, like Gupta, S., Kar, S. and Dharmaraja, S. (2011) [14] suggested a modification in
hello packet to introduce a new packet called Hound packet, to keep record of neighbours within vicinity of the current node.
similarly, Khan, Z.A. and Islam, M.H., (2012) [15] modified the routing table to include a column of complete path from source to
all other nodes.
B. Alternative Route Based Approach
Finding an alternative route is quite easy when we detect a malicious node in the path, such detection method is suggested by
Geetha, S.B. and Patil, V.C., (2015) [16] by introducing a new type of node called Auxiliary Node (AN) which timely broadcast the
route discovery beacons (RDB) and maximize the routes by providing Additional Supportive Routes (ASR). Whereas Gupta, C.
and Pathak, P., (2016) [17] suggested a method to find an alternative route to the destination, when source node detect a malicious
attacker as it is providing a shorter path towards destination. In this case the new alternative route which might not be shortest one
is chosen for data transmission.
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 256
C. Cluster Based Approach
Cluster based approach is based upon division of the network in clusters to differentiate the neighbours of different cluster
heads, similar approaches are given by Chatterjee, P., Sengupta, I. and Ghosh, S.K., (2012) [18], in which they proposed a Secure
Trusted Auction Oriented Clustering based Routing Protocol (STACRP), to provide trusted framework divided into 1- hop disjoint
clusters. Jamaesha, S.S. and Bhavani, (2018) [19] suggested a modified and improved secure location aware routing protocol using
clustering technique, to predict the possible movement of the attacker node using particle swarm optimization.
D. Node Authentication System Based Approach
Node Authentication system based approaches suggest node authentication by the source node by calculating the difference of
source sequence number, like proposed by Gandhewar, N. and Patel, R., (2012) [20] or by authenticating the location of the nodes
in the network, as suggested by Biswas, J., et. al.,(2014) [21] or by embedding digital certificate in HELLO packet, as proposed by
P. Yadav and M. Hussain, (2017) [22]
E. Cryptography and Hashing Based Approach
Cryptographic Approaches including digital signature and public key sryptography are mostly applied in securing the network,
Woungang, I.et. al., (2012) [23] proposed substituting the AES part of the scheme by the Triple Data Encryption Standard (TDES),
yielding the AODV-WADR-TDES routing algorithm, Patel, A., et. al., (2015) [24] proposed a Hash based Compression Function
(HCF) which is a secure hash function used to compute a value of hash field for RREQ packet. Ghayvat, H. et. al., (2016) [25]
proposed a security approach using digital signature and hash chain algorithm to mitigate the wormhole attack.
F. Distance and Location Based Approach
Distance and location based approaches try to find the location of attacker node and by calculating the distance from source
node. one of the popular approach is given by Hu, Y.C. et. al. (2003) [9], suggesting the use of Packet leashes to show the
maximum allowed distance of a packet from a sender. The packet leashes can restrict the transmission distance of a packet, and
prevent the packet from traversing a longer path introduced by a wormhole. While sending a packet sender adds a leash to a packet,
which when received at the receiver end is extracted to compare the sending time with the leash to detect a wormhole attack. In
geographical leash based system, leash is having a sending time and location attached to it. A real time attacker detection is
achieved using this system, since an end-to-end delay is extracted as the sending time and the receiving time is directly used to
detect the wormhole attack. Similar approaches are given by Li, Z., et. al. (2011) [26] to estimate the distance of fake neighbour by
detecting collision of signal sequences at the two receivers. Y. Wei and Y. Guan, (2013) [27] proposed a lightweight location
verification system in sensor networks. Pagnin, E. et. al. (2015) [28] suggested an approach that allows a node to verify that another
node is a physical next-hop neighbour, and also detects legitimate neighbours who make dishonest claims as to who their
neighbours are. Teotia, V., et. al. (2015) [29] proposed a scheme, called Cell-based Open Tunnel Avoidance (COTA) and
implemented on the location aided routing protocol (LAR1), leading to the so-called COTA-LAR1 scheme. Moskvin, D.A. and
Ivanov, D.V. (2015) [30] proposed a geographical location based solution for detecting malicious nodes, by finding the distance
between nodes using GPS locations. Ahsan, M.S., et. al. (2017) [31] proposed Area Border Router and Sensing Aware Nodes based
scheme that monitors the signal strength of nodes, if distance found greater than default distance, attack is detected.
G. Round Trip Time and Delay Per Hop Based Approach
Round trip time and delay per hop based approach is based on the time taken by a message to complete a trip to destination.
Chiu, H.S. and Lui, K.S. [32] described the Delay Per Hop Indication (DelPHI) solution for detecting wormhole attacks. The idea is
to allow the source node to receive the route reply packets on many routes and calculates the round trip time (RTT) per route. It is
assumed that a route with a small number of hops has a small RTT, so the route that has a higher RTT per hop count than a
precalculated threshold is considered a wormhole route. However, in dynamic environments where the network loads are
unpredictable and nodes move rapidly, the RTTs are highly variable, the proposed solution becomes less reliable. Choi, S. (2008) et
al. [33] suggested to use the fact that for a RREQ or Route Reply (RREP) in Dynamic Source Routing (DSR) protocol, traveling a
wormhole link is slower than traveling a normal link. Therefore, after collecting the sending and receiving time, the source node
computes a time delay per hop, i.e. Delayperhop = (sending time – receiving time)/ hop count, and the presence of a wormhole is
confirmed if delay per hop is greater than the threshold. Shin, S. Y. and Halim, E. H., (2012) [34] proposes a method to create
multiple routes and calculating round-trip time (RTT) of all listed routes to destination. The RTT and number of hops of all listed
routes are compared in order to detect suspicious route. Agrawal, N. and Mishra, N., (2014) [35] presents a RTT estimator based
wormhole detection mechanism. Khobragade, S. and Padiya, P., (2016) [36] proposed a technique Using Authentication Based
Delay Per Hop Technique for detection of wormhole attack is done using number of hops and delay of each node in different paths
available in network. Bundela, A. S et. al.(2016) [37] considered delay, packet delivery ratio, routing overhead, throughput and
energy of nodes factors to detect wormhole attack. Verma, R. et. al. (2017) [38] proposed a round trip time and packet delivery
ratio based methodology for wormhole detection. When an intermediate node responds to RREQ, source node determines its PDR
and round trip time from other paths, if the RTT is less than threshold and PDR is less than 1, then the intermediate node is
considered as wormhole node.
H. Trust Based Approach
Trust based approaches to detect wormhole attacks include calculating a trust factor like Ojha, M. and Kushwah, R.S., (2015)
[39] observes the trust based threshold value of path, to detect wormhole link and the nodes on that link are identified as wormhole
nodes. Dubey, M., et. al. (2015) [40] designed a reputation base trust allocation system which will identify the faulty node using
node packet delivery ratio base analysis, if it is less than certain limit that means node is faulty and will search for new route using
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 257
Location Aided Routing (LAR). Parbin, S. and Mahor, L. (2016) [41] proposed a trust and reputation management scheme to find
out the trusted location in MANET environment. Sharma, P.K. and Sharma, V., (2016) [42] proposed a trust based routing
protocol that computes truthfulness of the path before it is selected for data delivery. Agrwal, S.L. et. al. (2016) [43] presents an
Individual Trust Managing Technique to prevent against sink-hole attack. Kaneria, P. and Rajavat, A. (2016) [44] introduce trusted
AODV routing protocol in which trust value is calculated using tangent hyperbolic function. Singh, U., et. al. (2016) [45] proposed
TSAODV and focuses on trust based computing to mitigate the effects of black hole, wormhole and collaborative black hole
attacks. Trust value is computed on the basis of route request, route reply and data packets. After calculation get trust values
between 0 to 1. If trust value is greater than 0.5 then the nodes are considered as reliable otherwise malicious. Sharma, S. and
Sharma, R. M. (2017) [46] proposed a new routing protocol naming extended prime product number (EPPN) based on the hop
count model, where hop count between source & destination is obtained depending upon the current active route. If the calculated
hop count is greater than the received hop count, then the trust mechanism will be used to identify the suspected nodes
I. Intrusion Detection System Based Approach
Intrusion detection techniques are also applied in the wormhole detecting systems, like Patidar, K. and Dubey, V., (2014) [47]
presented an intrusion detection system based on the concept of specification-based detection system to detect wormhole attacks
along routes in ad hoc networks. Rmayti, M., et. al., (2014) [48] proposes an intrusion detection mechanism using watchdog
mechanism based on two Bayesian filters: Bernoulli and Multinomial. Author used these two models in a complementary manner
to successfully detect the packet dropping attacks in mobile ad hoc networks. Khan, A. et. al., (2014) [49] presents a technique
NWLID: Normalized Wormhole Local Intrusion Detection Algorithm including intermediate neighbour node discovery
mechanism, packet drop calculator, individual node receiving packet estimator followed by isolation technique for the confirmed
Wormhole nodes. Emami, A.B et. al., (2015) [50] presents the modification of Negative Acknowledgement (NACK) based
Intrusion Detection System (IDS) in the form of Selective Negative Acknowledgement (SNACK). SNACK creates less routing
overhead due to selective acknowledgement system.
J. Genetic and Artificial Neural Network Based Approach
Genetic and Artificial Neural Networks based approaches are much more adaptive to this type of attack, similar approaches are
presented in Barani, F. and Gerami, S. (2013) [51] as a one-class Support Vector Machine for dynamic anomaly detection, called
ManetSVM. In another improvement Barani, F., (2014) [52] proposed an approach based on genetic algorithm (GA) and artificial
immune system (AIS), called GAAIS, for dynamic intrusion detection in AODV-based MANETs. GAAIS is able to adapting itself
to network topology changes using two updating methods: partial and total. Jamali, S. and Fotohi, R, (2017) [53] proposed a two
phase fuzzy logic system based artificial immune system called Defending Against Wormhole Attack (DAWA). In phase one, the
system selects the efficient routes using fuzzy logic; in phase two, it identifies the immune route among the selected routes using
artificial immune system.
K. Neighbour Information Based Approach
Neighbour information based methods involve the use of neighbour information for detecting a wormhole attack. Shi Z. et al.
(2013) [54] proposed a wormhole attack resistant secure neighbour discovery (SND) scheme based on local time information and
antenna direction with signature-based authenticated exchange of information between the network nodes. A novel random delay
multiple access (RDMA) protocol is used to secure neighbour discovery and attack resistant operation of the network. D. Sasirekha
and N. Radha, (2017) [55] proposed Attack Aware Alert (A3AODV) system that utilizes the effectiveness of round trip time based
detection method and anomaly based detection of wormhole and sinkhole in a mobile Adhoc network. The proposed system
collects the RTT from neighbours and calculate the difference in it, if it exceeds the threshold then a wormhole is detected.
V. SECURING AGAINST WORMHOLE ATTACK
In this section we will present two secure methods in detail that are used to defend against wormhole attack. Both of the methods
are used for comparison with the proposed work. One of the method is proposed by Zapata, M.G. and Asokan, N., (2002) [56]
proposed an improved and Secure AODV extension (SAODV) by including a new digital signature based message verification
system. Digital Signature are used to verify the constant fields of routing messages, while hashing is used to verify the variable
field (Hop Count). Every node has a key pair of public key and private key based on an asymmetric cryptographic system. When
a node generates a RREQ message, it includes signature that can be used by any intermediate node generating a RREP for the
corresponding RREQ. Any node generating a RREP should include the signature received from source and lifetime of the route
towards destination, to verify having a route to destination. Hash chains are used to validate the hop count in the received RREP
or RREQ messages in such a way that every node calculates a hash value on the current hop count and compares it with hash
provided in the received message. During a wormhole attack, the attacker node will collaborate with its partner attacker to tunnel
the data packets, but in SAODV the neighbour nodes are verified using hash chains and if any node is not verified then it is
considered as attacker. Hence, in SAODV, wormhole attack will be detected in early phase. This approach improves the security
mechanism of AODV however, degrades the performance by incorporating the extensive hash chain based cryptographic
methods. Repetition of signature verification slows down message exchanges and overload the system, compromising with
limited power and resources.
Another method is proposed by Obaidat, M.S. et. al. (2014) [57] presented a wormhole attack detection and exclusion system,
based on AODV and named it as E- HSAM, which uses AES as encryption standard. This approach works on finding the attacker
and then choosing an alternate path. E-HSAM approach is refined form of HSAM presented by Mamatha, G.S. and Sharma, S.C.,
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 258
(2010), which stated the use of packet counter to detect a packet dropping or modification attack. The author suggested to use a
hash code to calculate hash of the packet before it is sent, and then splitting the packets in sub-packets. These sub-packets are sent
through normal routes following intermediate nodes. When the destination receives the sub-packets, it assembles them to form
original packet and then calculates hash code on it. If the original hash code received matches with the calculated hash code, the
destination generates and sends to source, an acknowledgement (ACK) message to confirm that the packets have been received
successfully. If the ACK contains a confidentiality lost field set, that means hash code and packets are being compromised. The
total allotted time is also taken into consideration to detect a probable attack. If the ACK is not received by the sender within
approved time, then it is presumed that the packet is vanished. To improve the functionality of E-HSAM author have used the
fake packets, which are sent to destination to detect an attack, before sending the actual data. This way if the attack occurs, the
original information will not be compromised. The end to end communication is secured by AES encryption to avoid message
tampering and RRER message modification. The use of AES has introduced routing overhead, but the detection of broken link
and packet delivery ratio is improved.
VI. PROPOSED APPROACH
In this section we present the proposed CNBWH- AODV, which is a Cooperative neighbour based wormhole detection
approach based on AODV. CNBWH–AODV has two modules for detecting and preventing hidden and exposed type of tunnel or
encapsulation mode wormhole attack. The first module verifies the neighbour nodes and second module authenticate secure
message transmission. The first module is Neighbour Data Collection and Verification Module, that will discover and verify the
one hop neighbours of nodes participating in route discovery. The second module is Testing and Authentication Module, which
will check the presence of wormhole node and authenticate message integrity during communication.
Wormhole attack is a very influential attack; it enables attacker nodes to send messages to a distant location in the network
using intermediate nodes as slaves that are not aware of being part of a wormhole tunnel. There are two types of wormhole attack,
namely exposed wormhole attack and hidden wormhole attack, which are already explained in previous section. Our approach
enables the secure communication in both of these types of attack. In this section we will present two cases to demonstrate the
situation of attack and method of defending against these two types of wormhole attack.
A. CASE I: Exposed Wormhole Attack
It is considered when route reply is generated by wormhole attacker in exposed type attack. In this case the attacker is visible to
all the other neighbour nodes, and it also increments the hop count during route discovery. Consider the Figure 2 (b) and Figure 4
to understand this type of attack.
Message format [source id, destination id, hop count]
Figure 4: Reply by Wormhole Node (Exposed Attack)
I. Neighbour Data Collection and Verification Module
In exposed attack, the wormhole replies to normal HELLO messages and shows its presence by timely exchanging neighbour
information; while tunnels the routing and data messages to its colluding partner. In this case there is a need for nodes to identify
the attacker node before they fall prey for the wormhole node. In our approach we have introduced a new 1 hop neighbour table
to collect the information of neighbours. During route discovery or route maintenance, nodes receive RREQ and RREP messages
and also exchange information using Hello messages to know about the other nodes in the network. The hello messages are
generally used to discover immediate neighbours, we have collected that information and kept it in a new table named as 1 hop
neighbour table for only one hop neighbours in this Neighbour Data Collection and Verification Module. This table will be
updated when route discovery starts and after every RREQ received, and will be used when Initiator Node (IN) will launch
Testing and Authentication Module for the Suspected Node (SN). To understand the structure of 1 hop neighbour table, consider
Table 1 that shows the 1 hop neighbour table for source node S from Figure 4.
Table 1: One hop table of Node S
Node (S)
1 hop
Neighbour
(10)
(X)
(7)
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 259
(1)
(17)
2. Testing and Authentication Module
In our proposed CNBWH-AODV, we capture that route reply at the first node that receive it and initiate the Testing and
Authentication Module at this node, which will be further referred as Initiator Node (IN), and the node which has generated a
RREP will be a Suspected Node (SN) until it is verified by IN. As shown in the Figure 5, the Node X, that generated a RREP
message is considered as Suspected Node (SN), the node S that received the RREP at 1 hop is selected as Initiator Node (IN).
Equation 1 and 2 show the selection of IN and SN,
SIN = {S} ----- (1)
SSN = {X} ----- (2)
Where SIN denotes the set of Initiator Node (IN), and SSN denotes the set of Suspected Node (SN). When we have marked the
IN and SN, only two steps remains in the Testing and Authentication Module.
Step 1 Select the Cooperative Neighbour Node (CN) and Next Hop Neighbour Node (NHN)
Step 2 Verification of SN and CN by IN in Testing and Authentication Module
Step 1 Selecting Cooperative Neighbour Node (CN) and Next Hop Node (NHN)
To identify the CN’s and NHN we take a look at the neighbour table of Node S to find the neighbours of S. Cooperative Node
(CN) is that node which will be used to check the suspected node (SN) and it should be a common neighbour of both SN and IN.
A Next Hop Node (NHN) is that node which is exactly 2 hop away from IN, and it a common neighbour of any one CN and SN.
So that the message forwarded by SN can be verified by NHN. The 1 hop neighbours of Node S are shown in Table 1. Node S
will request all its one hop neighbours to share their table having 1 hop neighbours, in exchange it will get neighbour table of
Node 10, X, 7, 1 & 17, considering Figure 4. As we now know that the Node X is a Suspected Node (SN), so we try to find the
common neighbours of IN Node S, and SN Node X from the received tables of neighbouring node. One hop tables of Node 10, X,
7, 1 & 17 are given below in Table 2.
Table 2: One hop tables of Node 10, X, 7, 1 & 17
Node (10)
1 hop
Neighbour
Node (X)
1 hop
Neighbour
Node (7)
1 hop
Neighbour
Node (1)
1 hop
Neighbour
Node (17)
1 hop
Neighbour
(S) (10) (S) (S) (S)
(X) (S) (X) (7) (1)
(7) (11) (8)
(11) (8) (2)
(Y) (1 ) (18)
(17)
We can easily find the common cooperative nodes (CN) of SN Node X and IN Node S from their 1 hop neighbour tables, by
intersection operation of neighbour Set of SN node X = {10, S, 7, 11} and neighbour Set of IN node S = {10, X, 7, 1, 17}.
Equation 3 and 4 represent the neighbour set of SN node and IN node respectively, where NSN denote the neighbour set of (SN)
and NIN denote the neighbour set of (IN). Equation 5 represent the set of Common Cooperative Nodes (CN’s) of IN and SN,
NSN = Neighbour Set of (SN) node X={10,S,7,11,Y}--(3)
NIN= Neighbour Set of (IN) node S = {10,X,7,1,17} --(4)
SCN = NSN ∩ NIN = {10, 7} ----- (5)
where SCN denote the set of cooperative nodes, and it can be found out by intersection of Neighbour set of SN and Neighbour set
of IN. From (5) we find that node 10 and node 7 are CN’s. Moreover, from 1 hop neighbour tables of Node 10 and Node 7 (Now
CN’s) and Node X we can find the common next hop neighbour (NHN), by intersection operation of neighbour Set of Node 10 =
{S, X}, neighbour Set of Node 7 = {S, X, 11, 8, 1} and neighbour set of Node X = {10, S, 7, 11, Y}, and subtracting the IN and
SN from this result, as these two nodes will be common nodes in sets of CN and SN. Equation 6 and 7 represent the neighbour set
of node 10 and node 7, denoted by NCNn. Equation 8 represent the intersection operation of CN and SN to find the set of NHN,
represented by SNHN,
NCN1 = Neighbour Set of (CN1) node 10 = {S, X} -(6)
NCN2 = Neighbour Set of (CN2) node 7={S,X,11,8,1}-(7)
SNHN = {{NCN1∩NSN}+{NCN2∩NSN}}-{SIN}-{SSN}-(8)
SNHN={{S,X}∩{10,S,7,11,Y}+{S,X,11,8,1}∩{10,S,7,11, Y}} -{S}- {X}
SNHN={{S}+{S,11}} -{S}- {X}
SNHN = {11}-- (9)
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 260
From (9) we found that the node 11, exists in 1hop table of Node 7 (CN) and Node X (SN), hence it can be called as Next Hop
Neighbour of NHN of SN. As shown in Figure 5, Node S is IN, Node X is SN, Node 10 and Node 7 are Cooperative Nodes (CN1,
CN2), node 11 is the Next Hop Neighbour (NHN) of SN.
Figure 5: selecting IN, SN, CN and NHN in Exposed Wormhole Attack
Step 2 Verification of SN and CN by IN in Testing and Authentication Module
Now when we know the SN, IN, CN and NHN in the path, the next step is to verify the wormhole attacker by generating
Verification Test Data Messages (FDATA). IN prepares data messages with different random numbers and send them to the
Destination Node or Next Hop Node (NHN) through different paths through Suspected Node (SN) or Cooperative Neighbour
(CN) as intermediate nodes. There can be different possible paths, CNBWH-AODV approach finds a safe path towards
destination while at the same time avoiding any wormhole in the path. For a generalized approach, we choose one path from IN to
NHN through SN, second path from IN to NHN through CN, third path from IN to destination through CN. The objective of
choosing different paths is to find a suitable and safe path within minimum time. The reply from destination may take longer time
to reach the IN in comparison to the reply from NHN. However, we still choose one path to be verified by destination only, in
case if the verification from NHN fails, then also CNBWH-AODV approach will be able to find an alternative safe path towards
destination. Verification here means that the FDATA messages have successfully reached the destination or NHN and are not
modified or replaced. When it happens, destination or NHN will generate acknowledgement message having the same random
number to complete the verification process. The verification of available paths starts when Initiator Node (IN) prepares
Verification Test Data Messages (FDATA) that will include one random number in first message and random number +1 in
second message and random number +2 in the third message and so on along with the same dummy data.
For evaluation of proposed CNBWH-AODV we choose a general scenario having three different paths. Figure 6 shows the
situation when Initiator Node (IN) prepares three Verification Test Data Messages (FDATA) with three numbers (20,21,22),
created randomly and send them to Cooperative Nodes (CN1, CN2), and Suspected Node (SN). These FDATA data messages
contain fake data that is not originally related to the actual data packet. So, in case of attack, the original data will not be
compromised. If IN receives the reply messages of these FDATA messages from any of the possible path, that path will be chosen
for final data sending process, however there can be three cases in this situation.
Figure 6: IN prepares and sends FDATA messages
Case 1: If the IN receives the verification message from destination via CN2 only and other two messages are not received
due to loss during congestion or route error, then it can be assumed that the other paths may contain a wormhole attacker or the
paths are not properly connected. In this case we will not choose those paths from which reply is not received. We assume that
both SN and CN1 are suspected to be malicious node as the reply from them is not received. Figure 7 shows the sending of
FDATA message by IN via CN1, SN and CN2 towards NHN and Destination. The sent FDATA message is received at
destination while at the same time; messages from CN1 and SN are not forwarded to NHN.
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 261
Figure 7: Sent data from IN reached DN via CN2
Figure 8 shows the verification reply sent by Destination via CN2. It shows that the data message is received at destination
and the path from IN to Destination via CN2 is now verified and can be used for data transmission, while the nodes CN1 and SN
will be treated as suspected Worm hole attacker nodes.
Figure 8: Verification by the destination via CN2
Case 2: if the IN receives the verification message from the NHN from the path via CN2 only, that means the SN and
CN1 have not forwarded the FDATA messages or they have forwarded the message to some point in the network from where the
reply is not received yet. In this case we assume that SN and CN1 both are suspected for message tunnelling or dropping and they
will not be selected for data transmission. As only the path via CN2 is verified by NHN, so it will be chosen as the alternate path.
Figure 9 shows the sending of FDATA messages via CN1, SN, and CN2, it also shows FDATA message is forwarded by CN2 to
NHN, while at the same time CN1 has forwarded data to SN is tunnelling the data message to its partner node.
Figure 9: Sent data from IN reached NHN via CN2
Figure 10 shows the generation of verification message by NHN and sending it through CN2. As NHN has replied by
verification message, it can be assumed that it is a reliable node. Figure 10 also shows that IN has not received any reply from
NHN via SN and CN1, so we assume that the data messages are lost due to congestion, or may be forwarded to some place in the
network far from NHN. However, we avoid such paths which are not verified by the NHN or destination. So only path through
CN2 to NHN will be selected as the path from IN which is now verified, and it can be used for further communication, while the
node SN and CN1 will be treated as suspected wormhole node.
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 262
Figure 10: Verification by the NHN via CN1
Case 3: if the IN receives the verification message from the NHN through SN node only, that means the SN has forwarded the
FDATA message to NHN, hence we can be sure that it is not a suspected wormhole attacker. Figure 11 shows the sending of
FDATA message via CN1, SN, CN2 and it also shows receiving of FDATA message at NHN, while at the same time the message
from CN1 has reached SN and CN2 has forwarded the FDATA message to another node but not NHN.
Figure 11: Sent data from IN reached NHN via SN
Figure 12 shows the generation of verification message at NHN and sending it back to source via SN only, on the other hand
FDATA message forwarded by CN2 has not reached the destination. Hence the only verification message is received from NHN
via SN, so it is referred as safe path for further data transmission. The important point to ponder at this case is that, if the SN is a
wormhole, it would have forwarded the FDATA message to its colluding attacker, which must not be the next hop neighbour of
SN. If the NHN has received data message from SN, it proves that it is not a wormhole node.
Figure 12: Verification by the NHN via SN
After the verification is received from any one or two paths, the shortest path will be chosen for final data transmission. Our
proposed approach is capable of finding a shortest path avoiding any wormhole attacker in the network.
B. CASE II: Hidden Wormhole Attack
During a hidden wormhole attack, the attacker node does not show its presence to its neighbours, does not responds to
HELLO message, does not reply to any route request, it remains hidden but receives routing and data messages from neighbour
nodes and forwards them to its colluding partner, which might be located close to destination. In this type of attack, the attacker
does not increment the hop count during route discovery, so destination node will not know about its presence. The location of the
attacker plays a key point role in attack effectiveness.
For a general scenario consider the Figure 13 and Figure 2 (a) to understand this type of attack, in which one attacker node is
close to destination while the other is at 2 hop distant from source. In this situation when the first attacker node X captures the
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 263
route request message from the neighbour node 11, hop count in route request is already incremented by 1. Now it tunnels this
route request to its partner, from there it is delivered to destination. When destination receives this request it assumes that node 11
is 1 hop distant away from itself and replies to this route request choosing the shortest path available. Here comes the role of our
proposed approach. In CNBWH-AODV, whenever a route reply is received by any node it checks the node that generated it and
follows a test and authentication module that verifies the originator of the RREP. In the next section we will test this situation of
hidden wormhole attack.
Message format [source id, destination id, hop count]
Figure 13: Reply by Destination Node (Hidden Attack)
Our proposed approach has two modules, first is Neighbour Data Collection and Verification Module and second Is Testing and
Authentication Module.
1. Neighbour Data Collection and Verification Module
Our proposed CNBWH-AODV uses the 1 hop neighbour information to verify the location of the node that generates the
route reply. So we will use the new 1 hop neighbour table to collect the information of neighbours and to keep the entries of only
those neighbours which are at single hop distance from any node. Like in the previous case we have made a table for source, in
this case attack will be first checked at node 11. Hence, Table 3 presents the 1 hop neighbour table of node 11 from Figure 13.
Table 3: One Hop Table of Node 11
Node (11)
1 hop
Neighbour
(10)
(S)
(7)
(D)
Check the table of node 11, it shows node D as its 1 hop neighbour. Due to wormhole tunnel, node 11 is tricked to assume that
destination node D is its immediate neighbour.
2. Testing and Authentication Module
After the Neighbour Data Collection module, Testing and Authentication Module will be launched by the Initiator Node (IN)
against the Suspected Node (SN). The initiator node is the first node which receives the route reply from the node that generated
it. Here in this case as we can see in the Figure 13, the reply is generated by destination node and received by node 11, so
Destination node is marked as Suspected Node (SN) and node 11 is marked as Initiator Node (IN). Equation 10 and 11 show the
selection of IN and SN,
SIN = {11} ----- (10)
SSN = {D} ----- (11)
where SIN denotes the set of Initiator Node (IN), and SSN denotes the set of Suspected Node (SN). After IN and SN is
identified, only two steps remains in Testing and Authentication Module. These are given below:
Step 1 Select the Cooperative Neighbour Node (CN) and Next Hop Neighbour Node (NHN)
Step 2 Verification of SN and CN by IN in Testing and Authentication Module
Step 1 Selecting Cooperative Node (CN) and Next Hop Node (NHN)
To identify the CN’s and NHN we take a look at the neighbour table of Node 11 to find its 1 hop neighbours, which are shown in
Table 3. Node 11 will request all its 1 hop neighbours to share their 1 hop neighbours table, in exchange it will get neighbour
table of Node 10, S, 7, & D. Note that node D is also assumed as 1 hop neighbour, due to wormhole tunnel. As we know that the
Node 11 is an Initiator Node (IN), so we try to find the common neighbours of IN Node 11, and SN Node D from the received
tables of node 11 and node D. One hop tables of Node 10, S, 7, & D are given below in Table 4.
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 264
Table 4: One hop tables of Node 10, S, 7 & D
Node
(10)
1 hop
Neighbo
ur
Node
(S)
1 hop
Neighb
our
Node
(7)
1 hop
Neighb
our
Node
(D)
1 hop
Neighb
our
(S) (10) (S) (16)
(11) (11) (11) (11)
(7) (1) (15)
(1) (8) (4)
(17) (D) (6)
Now we try to find the common cooperative neighbours (CN) of IN node 11 and SN node D, by intersection operation of
Neighbour Set of node 11 = {10, S, 7, D}, denoted by NIN in Equation 12 and Neighbour Set of node D = {16, 11, 15, 4, 6},
denoted by NSN in Equation 13. SCN denote the set of cooperative nodes, given in equation 14, is found by intersection of NIN and
NSN.
NIN = Neighbour Set of (IN) node 11={10, S, 7, D }--(12)
NSN= Neighbour Set of (SN) node D={16, 11, 15, 4, 6}-(13)
SCN = NSN ∩ NIN = {NULL} ----- (14)
Figure 14 selecting IN, SN, CN and NHN in Hidden Wormhole Attack
Equation 14 shows the result of intersection operation as NULL, that means there are no common neighbours between, IN
node 11 and SN node D. This concludes that the node 11 and node D are not immediate neighbours, and are tricked to assume
each other as 1 hop neighbours by a wormhole attacker. Hence we can say that the route reply is not received from a genuine
neighbour and it’s a wormhole attack. It also shows that the nodes are located on separate dedicated wired link or wireless out of
band or in band tunnel, that is why they do not share a common neighbour, when having a 1 hop distance.
Wormhole attacker can be anywhere in the network, for example if one of the attacker is situated close to source and another
attacker is away from destination, then the route request will be captured before any increment in hop count, and then will be
tunnelled to this partner attacker. This partner attacker located away from destination will forward or reply the route request from
that point, which will be forwarded again by any other node to destination, in this case the destination will generate the route
reply and this will be checked by that neighbour node. Consider the Figure 15, in which the reply is generated by destination and
received by node 13, in this case node 13 will launch test and authentication module and will find that the destination is surely its
1 hop neighbour, then will send back this route reply towards source, following backward path. When source node will receive
this route reply, it will check again for the authenticity of the node that sent the route reply, and will know that node 13 is not its 1
hop neighbour, hence the wormhole will be detected in every situation, whether the wormhole is close to source or destination, or
it is away from both source and destination.
Figure 15 wormhole attack when attacker is away from source or destination
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 265
So in short we can say that if the wormhole attacker is exposed, it will be identified by using FDATA messages and if
wormhole attacker is hidden, there will be no common neighbour between the nodes before and after the attacker, hence this route
will automatically be opted out during route discovery process. In every case our proposed CNBWH-AODV will work and find
the attacker.
Algorithm
Step 1 Source node starts route discovery
Step 2 Route request is forwarded by all intermediate nodes; all nodes prepare 1 hop table under neighbour data collection
module.
Step 3 Route Reply is generated
If route reply is generated by intermediate node
(Exposed mode attack)
If route reply is generated by destination node
(Hidden mode attack)
Step 4 Selecting IN, SN, CN and NHN under testing and authentication module
The node generating route reply is marked as Suspected Node (SN) and its immediate neighbour is marked as Initiator
node (IN). One or more common neighbour of IN and SN are selected to behave as Cooperative Nodes (CN) from 1 hop
table. One or more common neighbour of CN is selected as Next Hop Neighbour (NHN)
Step 5 if the CN and NHN are NULL, then drop the route reply as it is hidden wormhole attack, else IN catches RREP generated
by SN and initiate verification process
Step 6 Testing and Authentication Module
IN sends Verification Test Data Messages (FDATA) to destination and NHN having different random numbers via
different paths to verify the nodes.
Step 6.1 If reply from destination only is received via any CN, then the SN will be regarded as suspected node, continue to step 8
Step 6.2 If reply from NHN only is received via SN, then other path from CN will be regarded as suspected path, continue to step
7
Step 6.3 If reply from NHN only is received via any CN, then SN will be regarded as suspected node, continue to step 7
Step 7 Selecting IN, SN, CN and NHN
The destination node is marked as Suspected Node (SN) and its immediate neighbour is marked as Initiator node (IN). one
or more common neighbour of IN and SN are selected to behave as Cooperative Nodes (CN) from 1 hop table. One or
more common neighbour of CN is selected as Next Hop Neighbour (NHN)
Step 7.1 Send verification message to destination, setting reply by destination only field in the verification message
If reply is received continue to step 8
If reply is not received go to step 1
Step 8 Send data from source to destination
VII. RESULTS AND DISCUSSION
The simulations have been performed in NS2 in 1400x1000 area for 21 nodes and over 2 wormhole nodes. The performance
is compared on throughput, end to end delay and packet delivery fraction.
Figure 16 shows the throughput of the proposed CNBWH-AODV in comparison to E-HSAM, SAODV and AODV with
wormhole. The throughput of network is the total data transmits in a period of time. The CNBWH-AODV outperforms in the
presence of wormhole node.
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 266
Figure 16 Throughput
Figure 17 shows the Packet Delivery Fraction of the proposed CNBWH-AODV in comparison to E-HSAM, SAODV and
AODV with wormhole. The PDF is calculated as the ratio between the number of packets generated by the source and the number
of packets successfully acknowledged by the destination. CNBWH-AODV shows least effect of wormhole on PDF in presence of
wormhole while the PDF drops drastically in case of E-HSAM, as E-HSAM is not able to detect the wormhole unless the packet
is received by destination, which in this case are modified by the attacker. The graph shows the activity of wormhole node, as
soon as the wormhole node is introduced in the system PDF is dropped, but in CNBWH-AODV we have detected and avoided
wormhole completely so PDF is not affected.
Figure 17 Packet Delivery Fraction
Figure 18 shows the End to End Delay of the CNBWH-AODV in comparison to E-HSAM, SAODV and AODV with
wormhole. The End to End Delay denotes to the time occupied for a message while travelling in the network from source to
destination. In the presence of wormhole attack, overall E2E delay is reduced, as the packets travel through tunnel are supposed to
reach the destination first. In E-HSAM approach, alternate route is chosen after the destination informs the source that original
messages are not being received. So the E2E delay is increased, but in CNBWH-AODV messages are send only through the
shortest path as well as the authenticity of the path is tested before the actual data transmission. Hence it reduces E2E delay in
comparison to E-HSAM, SAODV and AODV under wormhole.
0
100
200
300
400
500
600
700
1 2 3 4 5 6 7 8 9 10
Bytes
Time
THROUGHPUTWORMHOLE AODV CNBWH-AODV
E-HSAM SAODV
0
20
40
60
80
100
120
1 2 3 4 5 6 7 8 9 10
Time
PACKET DELIVERY FRACTIONWORMHOLE AODV CNBWH-AODV
E-HSAM SAODV
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 267
Figure 18 End to End Delay
VIII. CONCLUSION
We have presented an adaptive, responsive and cooperative neighbour based approach to completely identify and eradicate both
hidden and exposed type wormhole attacks. Our approach uses the information of 1 hop neighbours to verify the location of
attacker, and once it is identified it is discarded to participate in further communication, and all the replies generated by wormhole
attacker will be dropped. Results shown by simulation graphs represents the enriched performance of the proposed approach in
the presence of wormhole attack. The throughput is improved; the packet delivery fraction is also good. In the proposed
CNBWH-AODV approach the packets were delivered to the destination by avoiding the attacking node, thus the end to end delay
is reduced in comparisons to E-HSAM and SAODV. Overall performance of the system is improved and the worm hole nodes are
detected and avoided completely.
REFERENCES
[1]. Abdelaziz, A. K., Nafaa, M., & Salim, G. (2013, April). Survey of routing attacks and countermeasures in mobile ad hoc
networks. In Computer Modelling and Simulation (UKSim), 2013 UKSim 15th International Conference on (pp. 693-698).
IEEE
[2]. D'Innocenzo, A., Di Benedetto, M.D. and Smarra, F., 2013, December. Fault detection and isolation of malicious nodes in
MIMO Multi-hop Control Networks. In Decision and Control (CDC), 2013 IEEE 52nd Annual Conference on (pp. 5276-
5281). IEEE.
[3]. Macker, J. "Mobile ad hoc networking (MANET): Routing protocol performance issues and evaluation considerations."
IETF (1999).
[4]. Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: challenges and solutions. IEEE
wireless communications, 11(1), 38-47.
[5]. Perkins, C., Belding-Royer, E. and Das, S., 2003. Ad hoc on-demand distance vector (AODV) routing (No. RFC 3561).
[6]. Clausen, T. and Jacquet, P., 2003. Optimized link state routing protocol (OLSR) (No. RFC 3626).
[7]. Kannhavong, B., Nakayama, H., Nemoto, Y., Kato, N., &Jamalipour, A. (2007). A survey of routing attacks in mobile ad
hoc networks. IEEE Wireless communications, 14(5).
[8]. Choi, S., Kim, D.Y., Lee, D.H. and Jung, J.I., 2008, June. WAP: Wormhole attack prevention algorithm in mobile ad hoc
networks. In Sensor Networks, Ubiquitous and Trustworthy Computing, 2008. SUTC'08. IEEE International Conference on
(pp. 343-348). IEEE
[9]. Hu, Y.C., Perrig, A. and Johnson, D.B., 2006. Wormhole attacks in wireless networks. IEEE journal on selected areas in
communications, 24(2), pp.370-380.
[10]. Chiu, H.S. and Lui, K.S., 2006, January. DelPHI: wormhole detection mechanism for ad hoc wireless networks. In Wireless
pervasive computing, 2006 1st international symposium on (pp. 6-pp). IEEE.
[11]. Khalil, I., Bagchi, S. and Shroff, N.B., 2005, June. LITEWORP: a lightweight countermeasure for the wormhole attack in
multihop wireless networks. In Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference
on (pp. 612-621). IEEE.
[12]. Nouri, M., Aghdam, S.A. and Aghdam, S.A., 2011, November. Collaborative techniques for detecting wormhole attack in
MANETs. In Research and Innovation in Information Systems (ICRIIS), 2011 International Conference on (pp. 1-6). IEEE
[13]. Lee, G., Seo, J. and Kim, D.K., 2008, April. An approach to mitigate wormhole attack in wireless ad hoc networks. In
Information Security and Assurance, 2008. ISA 2008. International Conference on (pp. 220-225). IEEE.
0
5
10
15
20
25
30
35
1 2 3 4 5 6 7 8 9 10
Packets
Time
END TO END DELAYWORMHOLE AODV CNBWH-AODV
E-HSAM SAODV
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 268
[14]. Gupta, S., Kar, S. and Dharmaraja, S., 2011, April. WHOP: Wormhole attack detection protocol using hound packet. In
Innovations in information technology (IIT), 2011 international conference on (pp. 226-231). IEEE.
[15]. Khan, Z.A. and Islam, M.H., 2012, October. Wormhole attack: A new detection technique. In Emerging Technologies
(ICET), 2012 International Conference on (pp. 1-6). IEEE.
[16]. Geetha, S.B. and Patil, V.C., 2015, December. Elimination of energy and communication tradeoff to resist wormhole attack
in MANET. In Emerging Research in Electronics, Computer Science and Technology (ICERECT), 2015 International
Conference on (pp. 143-148). IEEE.
[17]. Gupta, C. and Pathak, P., 2016, March. Movement based or neighbor based technique for preventing wormhole attack in
MANET. In Colossal Data Analysis and Networking (CDAN), Symposium on (pp. 1-5). IEEE.
[18]. Chatterjee, P., Sengupta, I. and Ghosh, S.K., 2012. STACRP: a secure trusted auction oriented clustering based routing
protocol for MANET. Cluster Computing, 15(3), pp.303-320.
[19]. Jamaesha, S.S. and Bhavani, S., 2018. A secure and efficient cluster based location aware routing protocol in MANET.
Cluster Computing, pp.1-8.
[20]. Gandhewar, N. and Patel, R., 2012, November. Detection and Prevention of sinkhole attack on AODV Protocol in Mobile
Adhoc Network. In Computational Intelligence and Communication Networks (CICN), 2012 Fourth International
Conference on (pp. 714-718). IEEE.
[21]. Biswas, J., Gupta, A. and Singh, D., 2014, December. WADP: A wormhole attack detection and prevention technique in
MANET using modified AODV routing protocol. In Industrial and Information Systems (ICIIS), 2014 9th International
Conference on (pp. 1-6). IEEE.
[22]. P. Yadav and M. Hussain, "A secure AODV routing protocol with node authentication," 2017 International conference of
Electronics, Communication and Aerospace Technology (ICECA), Coimbatore, 2017, pp. 489-493.
[23]. Woungang, I., Dhurandher, S.K., Koo, V. and Traore, I., 2012, December. Comparison of two security protocols for
preventing packet dropping and message tampering attacks on AODV-based mobile ad Hoc networks. In Globecom
Workshops (GC Wkshps), 2012 IEEE (pp. 1037-1041). IEEE.
[24]. Patel, A., Patel, N. and Patel, R., 2015, April. Defending against wormhole attack in MANET. In Communication Systems
and Network Technologies (CSNT), 2015 Fifth International Conference on (pp. 674-678). IEEE.
[25]. Ghayvat, H., Pandya, S., Shah, S., Mukhopadhyay, S.C., Yap, M.H. and Wandra, K.H., 2016, November. Advanced AODV
approach for efficient detection and mitigation of wormhole attack in MANET. In Sensing Technology (ICST), 2016 10th
International Conference on (pp. 1-6). IEEE.
[26]. Li, Z., Pu, D., Wang, W. and Wyglinski, A. 2011, "Forced collision: Detecting wormhole attacks with physical layer
network coding," in Tsinghua Science and Technology, vol. 16, no. 5, pp. 505-519, Oct. 2011, IEEE.
[27]. Y. Wei and Y. Guan, "Lightweight Location Verification Algorithms for Wireless Sensor Networks," in IEEE Transactions
on Parallel and Distributed Systems, vol. 24, no. 5, pp. 938-950, May 2013.
[28]. Pagnin, E., Hancke, G. and Mitrokotsa, A., 2015. Using distance-bounding protocols to securely verify the proximity of two-
hop neighbours. IEEE Communications Letters, 19(7), pp.1173-1176.
[29]. Teotia, V., Dhurandher, S.K., Woungang, I. and Obaidat, M.S., 2015, June. Wormhole prevention using COTA mechanism
in position based environment over MANETs. In Communications (ICC), 2015 IEEE International Conference on (pp.
7036-7040). IEEE.
[30]. Moskvin, D.A. and Ivanov, D.V., 2015. Methods of protecting self-organizing networks against attacks on traffic routing.
Automatic Control and Computer Sciences, 49(8), pp.745-750.
[31]. Ahsan, M.S., Bhutta, M.N.M. and Maqsood, M., 2017, December. Wormhole attack detection in routing protocol for low
power lossy networks. In Information and Communication Technologies (ICICT), 2017 International Conference on (pp. 58-
67). IEEE.
[32]. Chiu, H.S. and Lui, K.S., 2006, January. DelPHI: wormhole detection mechanism for ad hoc wireless networks. In Wireless
pervasive computing, 2006 1st international symposium on (pp. 6-pp). IEEE.
[33]. Choi, S., Kim, D.Y., Lee, D.H. and Jung, J.I., 2008, June. WAP: Wormhole attack prevention algorithm in mobile ad hoc
networks. In Sensor Networks, Ubiquitous and Trustworthy Computing, 2008. SUTC'08. IEEE International Conference on
(pp. 343-348). IEEE.
[34]. Shin, S. Y. and Halim, E. H., 2012 "Wormhole attacks detection in MANETs using routes redundancy and time-based hop
calculation," 2012 International Conference on ICT Convergence (ICTC), Jeju Island, 2012, pp. 781-786., IEEE.
[35]. Agrawal, N. and Mishra, N., 2014, November. RTT based Wormhole Detection using NS-3. In Computational Intelligence
and Communication Networks (CICN), 2014 International Conference on (pp. 861-866). IEEE.
[36]. Khobragade, S. and Padiya, P., 2016, October. Detection and Prevention of Wormhole Attack Based on Delay Per Hop
Technique for Wireless Mobile Ad-hoc Network. In Signal Processing, Communication, Power and Embedded System
(SCOPES), 2016 International Conference on (pp. 1332-1339). IEEE.
[37]. Bundela, A.S., Sharma, G., Panse, P. and Solanki, S., 2016, March. A secure routing in ad-hoc network. In Colossal Data
Analysis and Networking (CDAN), Symposium on (pp. 1-5). IEEE.
[38]. Verma, R., Sharma, R. and Singh, U., 2017, April. New approach through detection and prevention of wormhole attack in
MANET. In Electronics, Communication and Aerospace Technology (ICECA), 2017 International conference of (Vol. 2,
pp. 526-531). IEEE.
© 2018 JETIR August 2018, Volume 5, Issue 8 www.jetir.org (ISSN-2349-5162)
JETIR1808187 Journal of Emerging Technologies and Innovative Research (JETIR) www.jetir.org 269
[39]. Ojha, M. and Kushwah, R.S., 2015, October. Improving Quality of Service of trust based system against wormhole attack by
multi-path routing method. In Soft Computing Techniques and Implementations (ICSCTI), 2015 International Conference
on (pp. 33-38). IEEE.
[40]. Dubey, M., Patheja, P.S. and Lokhande, V., 2015, September. Reputation based trust allocation and fault node identification
with data recovery in manet. In Computer, Communication and Control (IC4), 2015 International Conference on (pp. 1-6).
IEEE.
[41]. Parbin, S. and Mahor, L., 2016, July. Analysis and prevention of wormhole attack using trust and reputation management
scheme in MANET. In Applied and Theoretical Computing and Communication Technology (iCATccT), 2016 2nd
International Conference on (pp. 225-228). IEEE.
[42]. Sharma, P.K. and Sharma, V., 2016, April. Survey on security issues in MANET: Wormhole detection and prevention. In
Computing, Communication and Automation (ICCCA), 2016 International Conference on (pp. 637-640). IEEE.
[43]. Agrwal, S.L., Khandelwal, R., Sharma, P. and Gupta, S.K., 2016, October. Analysis of detection algorithm of Sinkhole
attack & QoS on AODV for MANET. In Next Generation Computing Technologies (NGCT), 2016 2nd International
Conference on (pp. 839-842). IEEE.
[44]. Kaneria, P. and Rajavat, A. 2016, "Detecting and avoiding of worm hole attack on MANET using trusted AODV routing
algorithm," 2016 Symposium on Colossal Data Analysis and Networking (CDAN), Indore, 2016, pp. 1-5.
[45]. Singh, U., Samvatsar, M., Sharma, A. and Jain, A.K., 2016, March. Detection and avoidance of unified attacks on MANET
using trusted secure AODV routing protocol. In Colossal Data Analysis and Networking (CDAN), Symposium on (pp. 1-6).
IEEE.
[46]. Sharma, S. and Sharma, R. M., 2017 "EPPN: Extended Prime Product Number based wormhole DETECTION scheme for
MANETs," 2017 11th International Conference on Intelligent Systems and Control (ISCO), Coimbatore, 2017, pp. 251-254
[47]. Patidar, K. and Dubey, V., 2014, March. Modification in routing mechanism of AODV for defending blackhole and
wormhole attacks. In IT in Business, Industry and Government (CSIBIG), 2014 Conference on (pp. 1-6). IEEE.
[48]. Rmayti, M., Begriche, Y., Khatoun, R., Khoukhi, L. and Gaiti, D., 2014, November. Denial of service (DoS) attacks
detection in MANETs using Bayesian classifiers. In Communications and Vehicular Technology in the Benelux (SCVT),
2014 IEEE 21st Symposium on (pp. 7-12). IEEE.
[49]. Khan, A., Shrivastava, S. and Richariya, V., 2014, January. Normalized Worm-hole Local Intrusion Detection Algorithm
(NWLIDA). In Computer Communication and Informatics (ICCCI), 2014 International Conference on (pp. 1-6). IEEE.
[50]. Emami, A.B., Samet, S., Azarpira, A. and Farrokhtala, A., 2015, May. SNACK: An efficient intrusion detection system in
Mobile Ad-Hoc Network based on the Selective-Negative Acknowledgement algorithm. In Electrical and Computer
Engineering (CCECE), 2015 IEEE 28th Canadian Conference on (pp. 903-907). IEEE.
[51]. Barani, F. and Gerami, S., 2013, August. ManetSVM: Dynamic anomaly detection using one-class support vector machine
in MANETs. In Information Security and Cryptology (ISCISC), 2013 10th International ISC Conference on (pp. 1-6). IEEE.
[52]. Barani, F., 2014, February. A hybrid approach for dynamic intrusion detection in ad hoc networks using genetic algorithm
and artificial immune system. In Intelligent Systems (ICIS), 2014 Iranian Conference on (pp. 1-6). IEEE.
[53]. Jamali, S. and Fotohi, R., 2017. DAWA: Defending against wormhole attack in MANETs by using fuzzy logic and artificial
immune system. The Journal of Supercomputing, 73(12), pp.5173-5196.
[54]. Shi, Z., Sun, R., Lu, R., Qiao, J., Chen, J. and Shen, X., 2013. A wormhole attack resistant neighbor discovery scheme with
rdma protocol for 60 ghz directional network. IEEE Transactions on Emerging Topics in Computing, 1(2), pp.341-352.
[55]. Sasirekha, D. and Radha, N., 2017, October. Secure and attack aware routing in mobile ad hoc networks against wormhole
and sinkhole attacks. In Communication and Electronics Systems (ICCES), 2017 2nd International Conference on (pp. 505-
510). IEEE.
[56]. Zapata, M.G. and Asokan, N., (2002), September. Securing ad hoc routing protocols. In Proceedings of the 1st ACM
workshop on Wireless security (pp. 1-10). ACM.
[57]. Obaidat, M.S., Woungang, I., Dhurandher, S.K. and Koo, V., 2014. A cryptography‐based protocol against packet dropping
and message tampering attacks on mobile ad hoc networks. Security and Communication Networks, 7(2), pp.376-384.