
Cooperative Security Agents for MANET

Vaishali Mohite
Information Technology
K. J. Somaiya Institute of Engineering & Information Technology, Mumbai University
Mumbai, India
mvaishali123@gmail.com

Lata Ragha
Computer Department
Terna Engineering College, Mumbai University
Mumbai, India
lata.ragha@gmail.com

Abstract - A mobile ad hoc network (MANET) is a collection of autonomous nodes that communicate with each other by forming a multi-hop radio network and maintaining connections in a decentralized manner. Security remains a major challenge for these networks due to their features of open medium, dynamically changing topologies, reliance on cooperative algorithms, absence of centralized monitoring points, and lack of clear lines of defence. Ad hoc on-demand distance vector routing (AODV) is a very popular routing algorithm that enables dynamic, self-starting, multi-hop routing between participating mobile nodes wishing to establish and maintain an ad hoc network. An intermediate node that takes part in packet forwarding may behave maliciously and drop the packets that go through it instead of forwarding them to the following node; where a malicious node falsely advertises good paths to a destination node during the route discovery process, such behavior is called a blackhole attack. This attack becomes more severe when a group of malicious nodes cooperate with each other. AODV, however, is vulnerable to the well-known cooperative blackhole attack. In this paper a detecting mechanism is presented against a coordinated attack by cooperative blackhole nodes in a MANET, plus a method to secure the history records of packet delivery information at each contact so that other nodes can detect insider attacks (grayhole attack) by analyzing these packet delivery records and avoid the blackhole and the cooperative blackhole attacks by using Cooperative Security Agents.

Keywords - Cooperative Blackhole Attack, MANET, AODV, Cooperative Security Agents, Data Routing Information

I. INTRODUCTION

A MANET is a collection of wireless hosts that can be rapidly deployed as a multi-hop packet radio network without the aid of any established infrastructure or centralized administrator. Such networks can be used to enable next generation battlefield applications, including situation awareness systems for maneuvering war fighters, and remotely deployed unmanned micro-sensor networks. MANETs have some special characteristic features such as unreliable wireless media (links) used for communication between hosts, constantly changing network topologies and memberships, limited bandwidth, battery, lifetime, and computation power of nodes etc. While these characteristics are essential for the flexibility of MANETs, they introduce specific security concerns that are absent or less severe in wired networks. MANETs are vulnerable to various types of attacks. These include passive eavesdropping, active interfering, impersonation, and denial-of-service. Intrusion prevention measures such as strong authentication and redundant transmission can be used to improve the security of an ad hoc network. However, these techniques can address only a subset of the threats. Moreover, they are costly to implement. The dynamic nature of ad hoc networks requires that prevention techniques should be complemented by detecting techniques, which monitor the security status of the network and identify malicious behavior.

One of the most critical problems in MANETs is the security vulnerabilities of the routing protocols. A set of nodes in a MANET may be compromised in such a way that it may not be possible to detect their malicious behavior easily. Such nodes can generate new routing messages to advertise non-existent links, provide incorrect link state information, and flood other nodes with routing traffic, thus inflicting Byzantine failure in the network. One of the most widely used routing protocols in MANETs is the ad hoc on-demand distance vector (AODV) routing protocol [1]. It is a source initiated on-demand routing protocol. However, AODV is vulnerable to the well-known blackhole attack. In [2], the authors have assumed that the blackhole nodes in a MANET do not work as a group and have proposed a solution to identify a single blackhole. However, their proposed method cannot be applied to identify a cooperative blackhole attack involving multiple malicious nodes.

In this paper, a mechanism is proposed to identify cooperative blackhole nodes cooperating as a group in an ad hoc network. The proposed technique works with a slightly modified AODV protocol and makes use of the data routing information table in addition to the cached and current routing table.

Recent work proposed in [3], [4] relies on the introduction of a trusted examiner called ferry node, which moves around in the network and validates the packet delivery probability to determine the presence of the blackhole attack. In this paper, without relying on a third-party ferry node, we introduce a scheme that generates the

978-1-4673-4805-8/12/$31.00 ©2012 IEEE 549
un-forgeable packet delivery records in each contact and exploits the history of the packet delivery records to perform blackhole attack detection. In particular, when two nodes encounter each other, they will record the number of packets exchanged between them, and generate the secure records for each other with their private keys. In our scheme, when a node reveals its history packet records to its neighboring nodes, these nodes check and analyse the records to decide the sanity of this node.

Various attacks against wireless ad hoc networks can be conducted. They are qualified as passive if they are limited to listening to the network traffic to take note, or active if the traffic is modified by the intruder. Security attacks can be internal when the malicious node belongs to the network, or external if not. Denial-of-service attacks are easy to carry out and difficult to detect. Their principle is the violation and non-respect of the network protocol specification, and their aim is the disturbance of the correct network operation. The non-relaying of traffic (control or data) by an intermediate node constitutes a behavioral deviation, whose consequence is the violation of the objective for which the network is deployed. Such malicious behavior is called the blackhole attack [5]. In this work we explain a solution that checks the correct forwarding of the traffic by an intermediate node, and the Cooperative Security Agents are used to detect and isolate the Cooperative Blackhole Attack.

Vulnerability of MANET is explained in section II. In section III the impacts of cooperative blackhole attacks are explained. The architecture and workflow of Cooperative Security Agents are described in section IV. Implementation details are shown in section V.

II. VULNERABILITY OF MANET

A. Blackhole Attack

A malicious node that falsely sends an RREP (route reply) claiming that it has the latest route with minimum hop count to the destination, and then drops all the packets it receives, performs what is called a blackhole attack.

Such nodes drop the packets by sending false route reply messages to the route request. To perform a blackhole attack, the malicious node waits for RREQ messages from neighboring nodes. When the malicious node receives an RREQ message, it immediately sends a false RREP message with a high sequence number and minimum hop count, without checking its routing table, to make an entry in the routing table of the source node before other nodes reply, so as to absorb the data transmitted from the source to that destination and drop it instead of forwarding it. A blackhole attack in the AODV protocol [6] can be performed in 2 ways:
1) Blackhole attack caused by RREP.
2) Blackhole attack caused by RREQ.

B. Cooperative Blackhole Attack

In the case of multiple malicious nodes that work together cooperatively, the effect will be greater. This type of attack is known as the cooperative blackhole attack [7].
Two phases:
1) First phase: The malicious node exploits the ad hoc routing protocol such as AODV [8] to advertise itself as having a valid route to a destination node, with the intention of intercepting packets, even though the route is spurious.
2) Second phase: The attacker node drops the intercepted packets without forwarding them. There is a more subtle form of this attack when an attacker node suppresses or modifies packets originating from some nodes, while leaving the data packets from other nodes unaffected.

This makes it difficult for other nodes to detect the malicious node. In this work, a defense mechanism has been proposed against a cooperative blackhole attack that relies on the AODV routing protocol.

In the standard AODV protocol, when the source node S wants to communicate with the destination node D, the source node S broadcasts the Route Request (RREQ) packet. Each neighboring active node updates its routing table with an entry for the source node S, and checks if it is the destination node or whether it has the current route to the destination node [9].

If an intermediate node does not have the current route to the destination node, it updates the RREQ packet by increasing the hop count, and floods the network with the RREQ to the destination node D until it reaches node D or any other intermediate node that has the current route to D.

The destination node D, or any intermediate node that has the current route to D, initiates a Route Reply (RREP) in the reverse direction. Node S starts sending data packets to the neighboring node that responded first, and discards the other responses. This works fine when the network has no malicious nodes. However, the security threat arising out of the situation where multiple blackhole nodes act in coordination has not been addressed.

III. IMPACT OF COOPERATIVE BLACKHOLE ATTACK

A. Resource Consumption Attack

In this attack, an attacker tries to consume or waste away resources of other nodes present in the network. The resources that are targeted are battery power, bandwidth, and computational power, which are only limitedly available in ad hoc wireless networks [10].
Different forms:
1) Unnecessary requests for routes,
2) Very frequent generation of beacon packets,
3) Forwarding of stale packets to nodes.

550 2012 World Congress on Information and Communication Technologies


Using up the battery power of another node by keeping that node always busy by continuously pumping packets to that node is known as a sleep deprivation attack.

B. Packet Dropping Attack

A packet drop attack is a type of denial-of-service attack in which a router that is supposed to relay packets instead discards them. This usually occurs when a router becomes compromised, which can have a number of different causes. Because packets are routinely dropped from a lossy network, the packet drop attack is very hard to detect and prevent.

C. Grayhole Attack

An attack where some nodes switch their states from blackhole to honest intermittently and vice versa. The grayhole attack is a variant of the blackhole attack in which a malicious node selectively destroys packets of the traffic that passes through it. This method can easily be adapted to thwart such attacks.

IV. COOPERATIVE SECURITY AGENT

Cooperative Security Agents are used to detect and avoid the Cooperative Blackhole Attack. They work with nodes for detecting cooperative blackhole attacks. They also generate and send alert notifications to other nodes for avoiding cooperative blackhole attacks.

Data Routing Information

The mechanism modifies the AODV protocol by introducing a data routing information (DRI) table. In the proposed scheme, two bits of additional information are sent by the nodes that respond to the RREQ message of a source node during the route discovery process.
Each node maintains an additional data routing information (DRI) table.

Entries in DRI table are:
- Bit 1: ‘true’
- Bit 0: ‘false’
‘From’: The information on routing data packet from the node.
‘Through’: The information on routing data packet through the node.

Record of Packet Delivery

This is a method to secure the history records of packet delivery information at each contact so that other nodes can detect insider attacks by analyzing these packet delivery records.
We use node A and node B as an example to illustrate how this recording process is carried out in our scheme.
Node B generates the packet record for node A as follows. It includes:
1) The IDs of node B and node A,
2) The number of receiving packets from node A,
3) The number of forwarding packets to node A and the current time-stamp t in the record.
Then node B signs the record using its private key. The format of the record generated by node B is as follows:

$\text{record} = A, B, t, N_{rec}, N_{send}, E_{RK_B}(H(A \mid B \mid t \mid N_{rec} \mid N_{send}))$

$H$: the hash function
$A$: node A’s ID
$B$: node B’s ID
$t$: timestamp
$N_{rec}$: the number of receiving packets from node B
$N_{send}$: the number of forwarding packets to node B
$E_{RK_B}$: the encryption using node B’s private key
Record: It includes the signature of node B and thus it can prevent fabrication or modification. Without B’s private key, other nodes cannot forge the record.

After the record is generated, node B will send the record to node A, and node A stores this information in its memory. Similarly, node A will generate the record for node B to store in its memory. In particular, there are two tables generated at each node for storing such records, the Receiving Record Table (RRT) and the Self Record Table (SRT).

ARCHITECTURE:
In this architecture of cooperative security agents we pass the DRI and SRT-RRT tables as input to the Cooperative Security Agents. Based on these inputs the CSAs use cross checking and detection flow mechanisms for detecting a cooperative blackhole attack; once it is detected, it can be avoided by passing an alert notification in the MANET.

Figure 1. Architecture of Cooperative Security Agents
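Added example (not part of the original paper): a sketch of the signed packet-delivery record described above, showing how a neighbour verifies revealed records and rejects altered, misattributed or repeated ones. The key material is constructed, the signature is textbook RSA without padding standing in for E_RKB, and the names `make_record`, `verify_record` and `audit` and the duplicate and misattribution checks are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by the toy keys


def toy_keypair(p, q):
    """Textbook RSA from two known primes: (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed key material (assumption): Mersenne primes, no padding, toy size.
KEYS = {"B": toy_keypair(2**127 - 1, 2**89 - 1),
        "C": toy_keypair(2**107 - 1, 2**61 - 1)}
PUBLIC = {node: mod for node, (mod, _) in KEYS.items()}  # known to neighbours


@dataclass(frozen=True)
class Record:
    a: str       # A: node the record is issued to
    b: str       # B: node that generated and signed the record
    t: int       # t: timestamp of the contact
    n_rec: int   # Nrec: packets the signer received from A
    n_send: int  # Nsend: packets the signer forwarded to A
    sig: int     # E_RKB(H(A|B|t|Nrec|Nsend))


def digest(a, b, t, n_rec, n_send, mod):
    """H(A|B|t|Nrec|Nsend) as an integer below the signer's modulus."""
    if "|" in a or "|" in b:
        raise ValueError("node IDs must not contain the field separator")
    msg = f"{a}|{b}|{t}|{n_rec}|{n_send}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % mod


def make_record(a, b, t, n_rec, n_send):
    """Node b signs the contact counters for node a with its private key."""
    mod, priv = KEYS[b]
    sig = pow(digest(a, b, t, n_rec, n_send, mod), priv, mod)
    return Record(a, b, t, n_rec, n_send, sig)


def verify_record(rec):
    """Check the signature with the signer's public key; unknown signers fail."""
    mod = PUBLIC.get(rec.b)
    if mod is None:
        return False
    expected = digest(rec.a, rec.b, rec.t, rec.n_rec, rec.n_send, mod)
    return pow(rec.sig, E, mod) == expected


def audit(claimed_id, revealed):
    """Reasons a neighbour would reject the history revealed by claimed_id."""
    problems, seen = [], set()
    for rec in revealed:
        if rec.a != claimed_id:
            problems.append((rec.b, rec.t, "issued to another node"))
        elif not verify_record(rec):
            problems.append((rec.b, rec.t, "bad signature"))
        elif (rec.b, rec.t) in seen:
            problems.append((rec.b, rec.t, "duplicate contact"))
        seen.add((rec.b, rec.t))
    return problems


# Constructed history for node A; the second list alters a counter signed by C.
honest = [make_record("A", "B", 1000, 40, 38), make_record("A", "C", 1060, 25, 25)]
doctored = [honest[0], replace(honest[1], n_rec=60)]
```

A deployment would replace the toy RSA with a standard signature scheme and an unambiguous field encoding; the verification flow stays the same.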



B. Blackhole Detecting

The Blackhole Detecting component is used to collect network node IDs and analyse these IDs. If a node ID corresponds to one listed in the block table, then the system drops this node ID immediately. Thus, it would reduce the time required for blackhole detection on this node ID and improve the system performance.

1) Cross Checking: The scheme relies on reliable nodes (nodes through which the source has routed data previously and knows them to be trustworthy) to transfer data packets.
2) Detecting Flow: We illustrate our detection flow by showing how node A performs sanity checking of node B during the encounter of node A and B.

C. Alert clustering and threshold computation and comparison

This component is used to identify the level of the suspicious node ID delivered from the intrusion detecting component. There are three levels of alerts illustrated in table 3. They are serious, moderate, and slight alerts.
Levels:
1) Serious: Drop node ID & send an alert notification to other CSAs.
2) Moderate: Threshold check is used to make a decision on whether to drop the node ID & send an alert notification to other CSAs or not.
3) Slight: Do not care

D. Threshold Checking

$\text{Threshold} = \mu + \lambda \times \sigma$
$\mu$ - Mean with respect to detected moderate alerts from different sources during a period of time
$\sigma$ - The standard deviation
$\lambda$ - Dynamically determined by the network manager.

D. Intrusion response and blocking - Two modules in this component:
1) Communication Modules - It is used to send an alert notification to other IDSs, if the level of alert about the node ID is either serious or moderate level but over threshold.
2) Block Model - Then the block module is triggered to block or drop this bad node ID (Blackhole).

E. Cooperative operation: This component is used to receive alert messages delivered from other Security Agents. After receiving these alerts, the cooperative agent makes a judgment by executing majority vote and the formula is described as

Then Security Agent accepts this alert message and regards this type of packet as a bad node ID. If the value of the majority vote is larger than 0.5, then the cooperative agent adds a new rule to the block table, i.e., the alert level is changed from moderate level to serious level; otherwise, the Security Agent discards these alert messages and regards these messages as false alert messages.

Each Security Agent has three modules:
1) Block - It is used to drop a bad node ID (Blackhole) sent out from the source node.
2) Communication - This module is used to send warning messages about some specific attack detected by itself to other Security Agents.
3) Cooperation modules - It is used to gather alert messages and has to decide whether these alert messages are true alerts or false alerts.

Figure 2. The workflow of the Cooperative Security Agent

When one of the MANET’s regions suffers from a DoS attack, the Cooperative Security Agent sends an alert message to the other Cooperative Security Agents. A Cooperative Security Agent could gather the same type of attack sent from other Cooperative Security Agents. Then it makes a judgment to determine the trustworthiness of this alert message by the majority vote method. Thus, the proposed system keeps the MANET from a single point of failure.

V. IMPLEMENTATION

The proposed scheme will be implemented by using ns (Network Simulator). We have considered the simulation parameters as shown in table I.
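Added example (not part of the original paper): the alert handling of Section IV, covering the three alert levels, the threshold check Threshold = μ + λσ and the majority vote with the 0.5 cut-off. The paper's vote formula is not reproduced on the page, so this sketch assumes the vote value is the fraction of known peer agents that reported the node; it also assumes the value compared with the threshold is the current count of moderate alerts and that σ is the population standard deviation. The class, function and status names are hypothetical.

```python
from statistics import mean, pstdev

SERIOUS, MODERATE, SLIGHT = "serious", "moderate", "slight"


def threshold(history, lam):
    """Threshold = mu + lambda * sigma over past moderate-alert counts."""
    return mean(history) + lam * pstdev(history)


class SecurityAgent:
    def __init__(self, name, peers, lam):
        self.name, self.peers, self.lam = name, set(peers), lam
        self.block_table = set()   # node IDs the Block module drops
        self.outbox = []           # (peer, node_id) notices from Communication

    def _block_and_notify(self, node_id):
        self.block_table.add(node_id)
        self.outbox += [(peer, node_id) for peer in sorted(self.peers)]
        return "blocked"

    def local_alert(self, node_id, level, count=0, history=()):
        """Handle an alert raised by this agent's own detecting component."""
        if node_id in self.block_table:
            return "already blocked"
        if level == SERIOUS:
            return self._block_and_notify(node_id)
        if level == MODERATE:
            if not history:                       # no baseline to compare with
                return "no baseline"
            if count > threshold(history, self.lam):
                return self._block_and_notify(node_id)
            return "below threshold"
        return "ignored"                          # slight: do not care

    def remote_alerts(self, node_id, reporters):
        """Majority vote (assumed: fraction of known peers that reported)."""
        voters = set(reporters) & self.peers      # one vote per known peer
        vote = len(voters) / len(self.peers) if self.peers else 0.0
        if vote > 0.5:
            self.block_table.add(node_id)         # moderate becomes serious
            return vote, "blocked"
        return vote, "false alert"


# Constructed input: moderate-alert counts seen in five earlier periods.
HISTORY = [2, 3, 2, 4, 3]


def demo():
    agent = SecurityAgent("CSA1", ["CSA2", "CSA3", "CSA4", "CSA5"], lam=2)
    return [
        agent.local_alert("n7", MODERATE, count=4, history=HISTORY),
        agent.local_alert("n7", MODERATE, count=5, history=HISTORY),
        agent.remote_alerts("n9", ["CSA2", "CSA2", "CSA3"]),
        agent.remote_alerts("n9", ["CSA2", "CSA3", "CSA4"]),
    ]


if __name__ == "__main__":
    print(demo())
```

Counting each known peer once means a single agent repeating its alert cannot push the vote past 0.5 on its own.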



TABLE I Simulation parameters setup

SNAPSHOTS:

A. MANET without Blackhole Attack

In figure 3 we have considered node 0 as source and node 6 as destination. Hence the path between source and destination is 0-1-2-6.

Figure 3. MANET without Blackhole Attack

B. MANET with Cooperative Blackhole Attack

Figure 4 shows that node 1 and node 2 have formed a Cooperative Blackhole attack.

Figure 4. MANET with Cooperative Blackhole Attack

C. Detection of Cooperative Blackhole Attack

Cooperative Security Agents detect this cooperative blackhole attack and send a notification to all other nodes for avoiding this attack. Then the path can be changed to 0-4-5-6 as shown in figure 5.

Figure 5. Detection of Cooperative Blackhole Attack

Table II shows the comparison of existing techniques in terms of time delay, network overhead, detection of blackhole attack and cooperative blackhole attack.



TABLE II COMPARISON TABLE

Techniques | Time Delay | Network Overhead | Blackhole Attack | Cooperative Blackhole Attack
Checks the shared hops from RREP’s and maintains last packet sequence numbers that are sent and received [12]. | Yes | No | Yes | No
Secured ETX metric (Expected Transmission Count) [13]. | Yes | Yes | Yes | No
Compares the RREP sequence numbers with threshold value using dynamic learning method [14]. | Yes | No | Yes | No
Using SRREQ and SRREP based on the random numbers generation [15]. | Yes | Yes | Yes | No
Collect Route Reply Table (CRRT) [16]. | Yes | No | Yes | No
Cooperative Security Agent | No | No | Yes | Yes

VI. CONCLUSION

A security method has been proposed to detect blackhole and cooperative blackhole nodes in a MANET and thereby identify a secure routing path from a source node to a destination node by avoiding the blackhole nodes. The implementation of this method includes three steps:

The analysis of the un-forgeable packet delivery records:

1. SRT and RRT: Secure the history records of packet delivery information at each contact so that other nodes can detect insider attacks by analyzing these packet delivery records.

2. Data Routing Information: Two bits of additional information are sent by the nodes that respond to the RREQ message of a source node during the route discovery process.

3. Cooperative Security Agents: They detect and generate alert notifications for other nodes for avoiding the cooperative blackhole attack.

This mechanism can effectively detect malicious nodes and mitigate the negative impact caused by the blackhole and cooperative blackhole attack.

REFERENCES

[1] Jaydip Sen, Sripad Koilakonda, Arijit Ukil, "A Mechanism for Detection of Cooperative Black Hole Attack in Mobile Ad Hoc Networks", Second International Conference on Intelligent Systems, Modelling and Simulation, IEEE, 2011.
[2] Yanzhi Ren, Mooi Choo Chuah, Jie Yang, Yingying Chen, "Detecting Blackhole Attacks in Disruption-Tolerant Networks through Packet Exchange Recording", IEEE Wireless Communications, Vol. 11, 2010.
[3] Abderrahmane Baadache, Ali Belmehdi, "Avoiding Black hole and Cooperative Black hole Attacks in Wireless Ad hoc Networks", (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 1, 2010.
[4] H.A. Esmaili, M.R. Khalili Shoja, Hossein Gharaee, "Performance Analysis of AODV under Blackhole Attack through Use of OPNET Simulator", World of Computer Science and Information Technology Journal (WCSIT), Vol. 1, No. 2, pp. 49-52, 2011.
[5] Al-Shurman, M., Yoo, S. and Park, S., "Blackhole Attack in Mobile Ad Hoc Networks", ACM Southeast Regional Conference, pp. 96-97, 2004.
[6] Osathanunkul, K.; Ning Zhang, "A countermeasure to blackhole attacks in mobile ad hoc networks", IEEE International Conference on Networking, Sensing and Control (ICNSC), pp. 508-513, April 2011.
[7] Sen, J.; Koilakonda, S.; Ukil, A., "A Mechanism for Detecting of Cooperative Blackhole Attack in Mobile Ad Hoc Networks", Second International Conference on Intelligent Systems, Modelling and Simulation (ISMS), pp. 338-343, Jan. 2011.
[8] Payal N. Raj and Prashant B. Swadas, "DPRAODV: A Dynamic Learning System against Blackhole Attack in AODV based MANET", IJCSI International Journal of Computer Science Issues, Vol. 2, 2009.
[9] Latha Tamilselvan, V. Sankaranarayanan, "Prevention of Co-operative Blackhole Attack in MANET", Journal of Networks, Vol. 3, No. 5, pp. 13-20, May 2008.
[10] Songbai Lu; Longxuan Li; Kwok-Yan Lam; Lingyan Jia, "SAODV: A MANET Routing Protocol that can Withstand Blackhole Attack", International Conference on Computational Intelligence and Security, vol. 2, pp. 421-425, Dec. 2009.
[11] Deng H., Li W. and Agrawal, D.P., "Routing security in wireless ad hoc networks", IEEE Communications Magazine, vol. 40, no. 10, pp. 70-75, October 2002.
[12] Al-Shurman M., Yoo S. and Park S., "Blackhole Attack in Mobile Ad Hoc Networks", ACM Southeast Regional Conference, pp. 96-97, 2004.
[13] Osathanunkul, K., Ning Zhang, "A countermeasure to blackhole attacks in mobile ad hoc networks", IEEE International Conference on Networking, Sensing and Control (ICNSC), pp. 508-513, April 2011.
[14] Payal N. Raj, Prashant B. Swadas, "DPRAODV: A Dynamic Learning System against Blackhole Attack in AODV based MANET", IJCSI International Journal of Computer Science Issues, Vol. 2, pp. 26-32, 2009.
[15] Songbai Lu, Longxuan Li, Kwok-Yan Lam, Lingyan Jia, "SAODV: A MANET Routing Protocol that can Withstand Blackhole Attack", International Conference on Computational Intelligence and Security, vol. 2, pp. 421-425, Dec. 2009.
[16] Tamilselvan L., Sankaranarayanan V., "Prevention of Blackhole Attack in MANET", The 2nd International Conference on Wireless Broadband and Ultra Wideband Communications, pp. 24-30, Aug. 2007.
