
Anomaly detection system based on SVM (ADS-SVM)

for detecting blackhole attacks

A Thesis

Presented in Partial Fulfillment of the Requirements for


the Degree of Master of Science in the
Graduate School of Nile University
By
Ashraf Mohamed Abdelhamid, Degree. M.Sc.
*****
Nile University
Thesis Advisors:
Dr. Heba Kamal Aslan, Ph.D.
Dr. Marianne A. Azer, Ph.D.
2023

CERTIFICATION OF APPROVAL

Anomaly detection system based on SVM (ADS-SVM)


for detecting blackhole attacks

Doctor-Name (Committee Chair, Internal Committee Member)


Professor, Nile University

Doctor-Name (Supervisor)
Associate Professor, Nile University

TBD (External Committee Member)


Associate Professor, X University

Doctor-Name (Supervisor)
Assistant Professor, Nile University

June, 2023
Nile University

© Copyright by
Ashraf Mohamed Abdelhamid
2023

Abstract

In today's fast-paced world, Mobile Ad hoc Networks (MANETs) have become an essential part of modern communication systems. These networks are typically used in situations where the need to form a network arises suddenly, and there is a shortage of time or resources to configure devices, build infrastructure, or have human interventions. MANETs have a wide range of applications ranging from military operations and rescue missions to educational settings and disaster management. One of the defining features of ad hoc networks is their high mobility, low resource availability, and lack of infrastructure equipment for communication. Unlike traditional networks that rely on dedicated equipment for specific functions, such as routers, servers, and firewalls, every node in an ad hoc network performs multiple functions, including routing. The absence of infrastructure equipment means that ad hoc networks are infrastructure-less, and they rely on each other for routing and communication. MANETs use a hopping mechanism in which each node in a network finds another node within its communication range and uses it as a hop for delivering the message through another node and so on. This mechanism enables MANETs to operate efficiently and effectively, even in situations where traditional networks would be impractical or impossible to implement. However, the lack of dedicated equipment and infrastructure in MANETs makes them more vulnerable to attacks than traditional networks. Every node in an ad hoc network performs multiple functions, including routing, which makes them more susceptible to attacks. One type of attack that can occur in MANETs is the blackhole attack. In a blackhole attack, a malicious node drops all the packets it receives without forwarding them to their intended destination, which can disrupt the network's functioning and cause significant damage in critical situations. To address this issue, the primary objective of this thesis is to propose a reliable and effective solution for detecting blackhole attacks in MANETs using anomaly detection based on Support Vector Machine (SVM). The proposed detection system analyzes the traffic on the network and identifies anomalies by checking node behaviors. In the case of blackhole attacks, the attacking nodes exhibit behavioral characteristics that differ from those of normal nodes. These behavioral characteristics can be effectively detected using the proposed detection system. The proposed solution's effectiveness was tested using the OMNET++ simulator, which generated traffic under a blackhole attack. The generated traffic was then classified into malicious and non-malicious categories, based on which the malicious node was identified. The results of the proposed solution showed a very high level of accuracy in detecting blackhole attacks, which validates its effectiveness in ensuring the integrity and security of MANETs. By detecting and isolating malicious nodes, the proposed solution can help maintain the network's integrity and ensure that critical information is transmitted securely and efficiently. This solution can be particularly valuable in situations such as military operations and disaster management, where the need for a reliable communication system is paramount. In conclusion, Mobile Ad hoc Networks (MANETs) are a critical component of modern communication systems, with a wide range of applications in various critical situations, and the proposed solution provides a reliable and efficient way of detecting blackhole attacks in MANETs, which can be particularly valuable in critical situations where time and resources are limited. The proposed detection method for blackhole attacks in Mobile Ad hoc Networks (MANETs), ADS-SVM, has been compared to three other methods (Inception-CNN, BLSTM, and DBN) proposed by other researchers. Results show that ADS-SVM outperforms the other methods with a detection accuracy of 99%, which is significantly higher than the 96% achieved by Inception-CNN and the lower accuracies achieved by BLSTM and DBN (84% and 75.36% respectively). These findings suggest that ADS-SVM is a highly effective method for detecting blackhole attacks in MANETs and may outperform other existing methods in terms of accuracy.

Contents
Abstract
Chapter 1: Introduction
1.1 Problem Definition
1.2 Thesis Motivation
1.3 Thesis Structure
Chapter 2: Background
2.1 MANETs Characteristics
2.2 MANETs Security Challenges
2.3 MANETs Routing Protocols
2.4 Blackhole Attack
Chapter 3: Literature Survey
3.1 Enhanced Routing Protocol Based
3.2 Reputation and Trust Based
3.3 Acknowledgment Based
3.4 Intrusion Detection System Based
4.1 Proposed Solution
4.2 Data Generation
4.3 Data Collection
4.4 Feature Selection
4.5 Data Processing
4.6 Machine learning using SVM
Chapter 6: Conclusion and Future Work
6.1 Conclusion
6.2 Future work
Bibliography

List of Figures
Fig. 2.1. Classification of MANETs Routing Protocols
Fig. 2.2. Malicious node (M) drops packets in a blackhole attack
Fig. 3.1. Classification of the mitigation techniques proposed by other researchers
Fig. 4.1. Methodology used in the thesis to mitigate blackhole attack
Fig. 4.2. A snapshot from OMNET++ while a node sending
Fig. 4.3. Feature Selection based on malicious nodes' behaviors
Fig. 4.4. Support Vector Machine (SVM)
Fig. 5.1. Results of the simulator in absence of a blackhole attack
Fig. 5.2. Results of the simulator in presence of a blackhole attack
Fig. 5.3. Comparing the results to other researchers using machine learning detection system
Fig. 5.4. Results of the simulator in presence of a blackhole attack
Fig. 5.5. Comparing the results to other researchers using machine learning detection system

List of Tables

Table 4.1 The parameters configuration used to generate the data set in OMNET++ simulator
Table 5.1 Data generated from OMNET++ simulator
Table 5.2 Comparing the results to other researchers using machine learning detection system

Acronyms
Abbreviation Expression
MANET Mobile Ad hoc Network
SVM Support Vector Machine
IDS Intrusion Detection System
IPS Intrusion Prevention System
AODV Ad hoc On-Demand Distance Vector
DoS Denial of Service
QoS Quality of Service
DSDV Destination-Sequenced Distance Vector
OLSR Optimized Link State Routing
CGSR Cluster head Gateway Switch Routing
WRP Wireless Routing Protocol
TBRPF Topology Broadcast based on Reverse-Path Forwarding
QDRP Quality-Driven Routing Protocol
LMR Lightweight Mobile Routing
TORA Temporally-Ordered Routing Algorithm
DSR Dynamic Source Routing
LQSR Link Quality Source Routing
ZRP Zone Routing Protocol
BGP Border Gateway Protocol
EIGRP Enhanced Interior Gateway Routing Protocol
RReq Route Request
RRep Route Reply
MBDP-AODV Multicast-Enabled Backup Destination Protocol
SNRRM Selfish Node Removal using Reputation Model
NA-TRE Node Activity-based Trust and Reputation Estimation
AOMSR Ad hoc On-demand Multipath Secure Routing
SAODV Secure Ad hoc On-Demand Distance Vector

Chapter 1: Introduction

1.1 Problem Definition

Mobile Ad hoc Networks (MANETs) are unique because they can be formed without fixed infrastructure or support from administrators [1]. Instead, these networks are pre-configured to work immediately. Wireless networks are divided into two categories: infrastructure and infrastructure-less. In infrastructure networks, wireless devices are connected to fixed base equipment that provides multiple services, such as routing, storage, and security. However, in infrastructure-less networks like MANETs, nodes are self-configured and do not rely on fixed base infrastructure [2].

Since MANETs lack sophisticated perimeter security functions like firewalls, border routers, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), they face unique security challenges [3]. Additionally, routing is a critical aspect of MANETs, as it ensures that messages are delivered efficiently to their intended destination. However, traditional infrastructure routing protocols are not effective for MANETs, as almost every node in the network performs the routing function. This characteristic makes MANETs vulnerable to attacks, such as the blackhole attack.

1.2 Thesis Motivation

The blackhole attack is a significant attack that dramatically affects the network's performance. In this attack, the attacker's node acts as the shortest path to the destination and drops the packets it receives, severely affecting the network delivery ratio. To address this issue, this thesis reviews and categorizes different approaches to mitigate blackhole attacks in MANETs. The thesis also develops a dataset using OMNET++ to analyze node behavior in the presence of an attack and identifies malicious nodes using an Anomaly Detection System based on SVM (ADS-SVM).

MANETs routing protocols can be divided into two main categories: proactive (table-driven) and reactive (on-demand) [4] [5]. In table-driven routing protocols, routing information is maintained regularly whenever there is any change, while in on-demand routing protocols, routing information is collected only when needed [6]. One of the most well-known on-demand routing protocols is Ad hoc On-Demand Distance Vector (AODV), which shows better performance among other on-demand routing protocols [7]. However, it is vulnerable to the blackhole attack.

The thesis's main contributions are as follows:

• Reviewing and categorizing the different approaches and comparing the different techniques used to mitigate blackhole attacks in MANETs.

• Developing a data set for studying blackhole attacks using OMNET++, in order to thoroughly analyze the traffic and effectively study node behavior in the presence of an attack.

• Developing an Anomaly Detection System based on SVM (ADS-SVM) for identifying malicious nodes.
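
The detection idea stated in this section (nodes under a blackhole attack behave differently from normal nodes, and an SVM separates the two) is sketched below as an added example; it is not the thesis's code or feature set. It trains a linear SVM on two assumed per-node features, drop ratio and route share, and every counter name and sample value is constructed for illustration.

```python
# Added example, not the thesis's code. The two features, the counter field
# names and every number below are assumptions constructed for illustration.

# Constructed training set: (drop_ratio, route_share) -> +1 blackhole, -1 normal.
TRAIN = [
    ((0.02, 0.10), -1), ((0.05, 0.20), -1), ((0.10, 0.15), -1),
    ((0.00, 0.25), -1), ((0.08, 0.05), -1),
    ((1.00, 0.70), +1), ((0.95, 0.60), +1), ((1.00, 0.80), +1),
]

# Constructed per-node counters for one observation window.
OBSERVED = {
    "n1": {"rx_to_forward": 120, "forwarded": 117, "routes_via": 4},
    "n2": {"rx_to_forward": 80, "forwarded": 76, "routes_via": 3},
    "n3": {"rx_to_forward": 0, "forwarded": 0, "routes_via": 0},  # leaf node
    "n4": {"rx_to_forward": 60, "forwarded": 58, "routes_via": 2},
    "n5": {"rx_to_forward": 3, "forwarded": 0, "routes_via": 0},  # 3 packets only
    "M": {"rx_to_forward": 300, "forwarded": 0, "routes_via": 12},
}
TOTAL_ROUTES = 20  # routes discovered in the window


def node_features(counters, total_routes):
    """Map each node to (drop_ratio, route_share); idle nodes get 0.0."""
    feats = {}
    for node, c in counters.items():
        rx = c["rx_to_forward"]
        drop_ratio = (rx - c["forwarded"]) / rx if rx else 0.0
        route_share = c["routes_via"] / total_routes if total_routes else 0.0
        feats[node] = (drop_ratio, route_share)
    return feats


def train_linear_svm(train, lam=0.01, lr=0.1, epochs=3000):
    """Full-batch sub-gradient descent on the L2-regularised hinge loss."""
    w, b, n = [0.0, 0.0], 0.0, len(train)
    for _ in range(epochs):
        gw, gb = [lam * w[0], lam * w[1]], 0.0
        for x, y in train:
            if y * (w[0] * x[0] + w[1] * x[1] + b) < 1.0:  # inside the margin
                gw[0] -= y * x[0] / n
                gw[1] -= y * x[1] / n
                gb -= y / n
        w = [w[0] - lr * gw[0], w[1] - lr * gw[1]]
        b -= lr * gb
    return w, b


def decision(model, x):
    """Signed score: positive means the blackhole side of the hyperplane."""
    w, b = model
    return w[0] * x[0] + w[1] * x[1] + b


def flag_blackholes(model, counters, total_routes, min_rx=20):
    """Return sorted node ids classified as blackholes.

    Nodes that relayed fewer than min_rx packets are skipped: a drop ratio
    computed from a handful of packets is not evidence of an attack.
    """
    flagged = []
    for node, x in sorted(node_features(counters, total_routes).items()):
        if counters[node]["rx_to_forward"] < min_rx:
            continue
        if decision(model, x) > 0:
            flagged.append(node)
    return flagged


if __name__ == "__main__":
    model = train_linear_svm(TRAIN)
    print("flagged:", flag_blackholes(model, OBSERVED, TOTAL_ROUTES))
```

The `min_rx` guard keeps node `n5`, which lost three packets and nothing else, from being reported on the strength of a 100% drop ratio alone.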

1.3 Thesis Structure

The structure of this thesis is as follows: In Chapter 2, we explore the concept of mobile ad hoc networks (MANETs) and their various applications, such as military operations, disaster response, and vehicular communication. We also highlight the unique characteristics of MANETs, including their decentralized nature and dynamic topology, which make them particularly challenging to manage and secure.

Chapter 3 presents an overview of the existing literature on MANETs, including previous research on routing protocols, security mechanisms, and performance evaluation. By reviewing the work of other researchers, we can identify gaps in the current knowledge and build on existing research to develop new solutions.

In Chapter 4, we describe our proposed solution for improving the security and reliability of MANETs. We explain the methodology we used to design and test our solution, including the tools and techniques we employed.

In Chapter 5, we summarize the key findings of our research and suggest areas for future work. By providing a comprehensive overview of the current state of research on MANETs and proposing a novel solution, we hope to contribute to the ongoing efforts to improve the performance, security, and reliability of mobile ad hoc networks.

Finally, thesis conclusions and future work are depicted in Chapter 6.

Chapter 2: Background

Mobile ad hoc networks, or MANETs, possess distinct characteristics that set them apart from traditional networks, particularly in terms of security considerations. To delve deeper into this topic, this section will cover the various applications of MANETs, the security challenges they present, and the most common types of attacks that can compromise their integrity.

2.1 MANETs Characteristics

Mobile Ad hoc Networks (MANETs) possess several distinctive characteristics that make them suitable for specific applications [8]. These characteristics are crucial to the functionality and effectiveness of MANETs and include the following:

• Lack of infrastructure: MANETs are defined as networks without a fixed infrastructure, which means they can be formed quickly and inexpensively. This characteristic allows for flexibility and adaptability in the network [9]. However, the lack of infrastructure also makes MANETs more vulnerable to attacks than standard networks, which poses a challenge in ensuring the overall security and reliability of the network.

• Cooperativeness: MANETs differ from standard networks in that they use a peer-to-peer architecture instead of a client-server architecture. For MANETs to function effectively, all nodes must cooperate by providing functions that would typically be performed by infrastructure in standard networks. This cooperation is crucial to build trust and confidence among the nodes, as it compensates for the lack of infrastructure security and centralized management.

• Distributed management: The absence of centralized management and control in MANETs means that functions such as node security, network topology, authenticating new nodes, and data security are distributed among the nodes [10]. This decentralization of functions has significant implications for the overall security and reliability of the network. The lack of centralized management and control in MANETs means that nodes must perform security functions, such as detecting and mitigating attacks, on their own. This decentralization of security functions makes MANETs more vulnerable to attacks than traditional networks. Additionally, the distributed nature of network topology management means that nodes must work together to maintain an optimal network topology. This can be a challenge, particularly in large and complex networks. Furthermore, authenticating new nodes in MANETs is also a distributed function. Nodes must authenticate new nodes that wish to join the network, and without centralized management, this can be a challenging and time-consuming process. Finally, data security is another crucial function that is distributed among the nodes in MANETs. Nodes must ensure the confidentiality, integrity, and availability of data in a decentralized manner, which poses a significant challenge.

• Multi-hop routing: In MANETs, routing is one of the functions that nodes must perform without centralized management. For a node to send a message to another node in the network, it uses adjacent nodes as "hops" to reach the destination [11]. This process is known as multi-hop routing. Multi-hop routing is a crucial function in MANETs, as it enables communication between nodes that are not within direct communication range. However, this routing process can be challenging in MANETs because of the lack of infrastructure, which means that there are no fixed paths for routing messages. Instead, nodes must dynamically establish routes based on the network topology and the availability of adjacent nodes. Multi-hop routing in MANETs is also affected by other factors, such as the mobility of nodes, link quality, and energy consumption. Nodes must adapt to changes in the network topology, establish new routes, and maintain existing routes to ensure reliable communication. Additionally, the use of multi-hop routing in MANETs can also pose security challenges, such as the possibility of attacks on the routing protocol or the use of malicious nodes to disrupt the routing process.

• Dynamic topology: In MANETs, nodes move in and out of the network unpredictably at any time due to the absence of perimeter boundaries. Additionally, the lack of centralized management means that networks can form autonomously at any time. The absence of perimeter boundaries in MANETs means that nodes can join and leave the network at any time, without prior notice or authorization. This characteristic makes MANETs highly dynamic and adaptable to changing situations, but it also poses significant challenges in ensuring the overall security and reliability of the network. Nodes that join the network can be malicious and pose a threat to the security of the network, and nodes that leave the network can disrupt the network topology and routing process [12]. Moreover, the lack of centralized management in MANETs means that networks can form autonomously at any time. This characteristic allows for flexibility and adaptability in the network, as nodes can establish new networks quickly and inexpensively. However, it also poses a significant challenge in ensuring the overall security and reliability of the network. Autonomous network formation can lead to the creation of isolated sub-networks that are vulnerable to attacks and can disrupt the overall network topology.

• Decentralized architecture: Each node in a MANET is independent and self-configured, which means that nodes can join or leave the network without requiring any support. Additionally, nodes are autonomous in making decisions regarding joining or leaving the network, as well as forwarding or dropping data packets, even if these actions are not recommended. The independence and self-configuration of nodes in MANETs allow for flexibility and adaptability in the network. Nodes can join or leave the network at any time, without requiring any support or authorization. This characteristic enables the network to respond quickly to changing situations, which is a significant advantage in dynamic environments. However, the independence of nodes also poses challenges in ensuring the overall security and reliability of the network [13].

• Limited resources: Nodes in MANETs are typically equipped with low-power batteries and less powerful processing units than those found in traditional networks. This characteristic is a significant challenge for MANETs since nodes must operate with limited resources of power and processing. The limited power supply of nodes in MANETs makes them vulnerable to various types of attacks, including denial-of-service (DoS) attacks [14]. In a DoS attack, an attacker sends additional packets to nodes in the network to consume their batteries and drain their power supply. This attack can disrupt the operation of the network and render it unusable. Moreover, the limited processing power of nodes in MANETs can also pose challenges in ensuring the overall security and reliability of the network. Nodes may not be able to perform complex encryption or decryption processes, which can lead to security vulnerabilities in the network. Additionally, the limited processing power of nodes can affect the performance of the network and the quality of service provided to users.

2.2 MANETs Security Challenges

Mobile Ad-hoc Networks (MANETs) are more vulnerable to security threats compared to standard wired networks due to their limited resources, limited physical security, dynamic topology, and lack of perimeter security. These characteristics make MANETs more prone to attacks from both inside and outside the network. Attacks in MANETs can be categorized into two main types: active attacks and passive attacks [15].

Active attacks are those in which the attackers attempt to modify or distort the data being transmitted in the network. There are various examples of active attacks, including blackhole attack, routing table overflow, impersonation, rushing attack, denial-of-service, Byzantine attack, packet replication, and distributed denial-of-service. A blackhole attack is a type of active attack where an attacker creates a false route to a destination node in the network, and then drops all packets that are forwarded to that node. This type of attack can disrupt the routing process and prevent communication between nodes.

On the other hand, passive attacks are those in which attackers attempt to gain unauthorized access to eavesdrop on the data being transmitted in the network. Some examples of passive attacks include eavesdropping, traffic analysis, and location disclosure [16]. Eavesdropping involves the interception of network traffic and the capture of sensitive information, while traffic analysis involves analyzing the patterns of network traffic to infer sensitive information. Location disclosure involves tracking the location of nodes in the network, which can pose significant privacy concerns.

Moreover, the dynamic topology of MANETs poses a significant challenge to ensuring the overall security and reliability of the network. The topology of MANETs changes frequently, making it difficult to establish reliable routes between nodes. Additionally, the lack of perimeter security in MANETs means that nodes can join or leave the network at any time, which can disrupt the network topology and routing process. Furthermore, the limited resources of nodes in MANETs make them vulnerable to attacks such as denial-of-service attacks, which can consume their power supply.

Furthermore, the limited resources of nodes in MANETs require innovative solutions for managing the power supply of nodes. Researchers have proposed the use of energy-efficient mechanisms to optimize the use of resources and reduce energy consumption. Additionally, researchers have proposed the use of energy harvesting techniques to recharge the batteries of nodes in MANETs, which can improve the overall reliability and effectiveness of the network.

The dynamic topology of MANETs poses a significant challenge to ensuring the overall security and reliability of the network. The lack of perimeter security means that nodes can join or leave the network at any time, which can disrupt the network topology and routing process. Furthermore, the limited resources of nodes in MANETs make them vulnerable to attacks such as denial-of-service attacks, which can consume their power supply.

• Lack of perimeter security: One of the unique characteristics of Mobile Ad-hoc Networks (MANETs) is that they are infrastructure-less, meaning that there are no pre-defined boundaries for their nodes. As a result, any node can join or leave the network freely, which can make the topology dynamic and challenging to manage. This lack of a centralized infrastructure also makes MANETs vulnerable to security threats, particularly when a malicious node reaches the range of the network. The malicious node can impersonate a legitimate node and start an attack, which can disrupt the operation of the network. This type of attack is known as a spoofing attack, and it can be challenging to detect and prevent in MANETs due to the dynamic nature of the topology.

• Limited physical security: Mobile Ad-hoc Networks (MANETs) are unique in that they can be formed on the fly anywhere and at any time. Unlike traditional networks, there is no centralized infrastructure or physical security to protect the core services of the network, such as keeping the network backbone in a secure data center. This lack of physical security in MANETs poses significant challenges to ensuring the overall security and reliability of the network. Nodes in MANETs can join and leave the network at any time, and the lack of a centralized infrastructure means that there is no defined perimeter for the network. This can make it difficult to establish reliable communication between nodes and to ensure that only authorized nodes are allowed to join the network. Moreover, the lack of physical security in MANETs means that the network is vulnerable to various types of attacks, including eavesdropping, impersonation, and denial-of-service attacks. These attacks can disrupt the operation of the network and compromise the confidentiality, integrity, and availability of the data being transmitted.

• Lack of centralized control: Mobile Ad-hoc Networks (MANETs) are unique in that they lack a centralized system to provide essential security requirements such as identification, authentication, and authorization, as well as other security services like firewalls and network access control. This makes MANETs more challenging to secure compared to standard networks. Without a centralized system, nodes in MANETs must rely on distributed mechanisms to provide security services, which can be challenging to manage and maintain. The lack of centralized control means that there are no predefined security policies or access control mechanisms, which can make the network vulnerable to attacks. Moreover, the lack of centralized security services in MANETs poses significant challenges to ensuring the overall security and reliability of the network. Nodes in MANETs can join and leave the network at any time, and the lack of a centralized infrastructure means that there is no defined perimeter for the network. This can make it difficult to establish reliable communication between nodes and to ensure that only authorized nodes are allowed to join the network.

• Dynamic topology: Mobile Ad-hoc Networks (MANETs) are unique in that the nodes can move freely in and out of the network, causing the connectivity between nodes to change dynamically. This means that the routing information in MANETs can change rapidly and frequently, making it challenging to maintain reliable communication between nodes. In addition to nodes moving freely in and out of the network, networks in MANETs can also merge or split, further complicating the topology of the network. This dynamic nature of MANETs makes it difficult to establish reliable communication paths between nodes, as the connectivity between nodes can change at any time.

• Scalability: Mobile Ad-hoc Networks (MANETs) are composed of a significant number of nodes that can increase or decrease based on various situations, such as nodes joining or leaving the network. This dynamic nature of MANETs makes them highly efficient, yet it poses significant challenges in terms of security, specifically in identifying and authenticating new nodes. The ability of nodes to join or leave the network at any time makes it challenging to maintain the overall security and reliability of the network. Without a centralized infrastructure, nodes in MANETs must rely on distributed mechanisms to provide security services, which can be challenging to manage and maintain. The lack of centralized control means that there are no predefined security policies or access control mechanisms, which can make the network vulnerable to attacks.

• Quality of Service: Various types of data have different requirements when it comes to transmission. For example, media streaming and live transmissions demand higher bandwidth and stability as they require a continuous flow of data without interruptions or delays. To ensure that there is no latency or data loss, it is essential to guarantee Quality of Service (QoS) through policies and algorithms. QoS policies and algorithms are used to prioritize certain types of traffic over others, ensuring that critical data, such as media streaming and live transmissions, are given higher priority and are transmitted without delay or interruption. These policies and algorithms can be implemented at various levels of the network, including the application, transport, and network layers.

• Resource limitations: Mobile Ad-hoc Networks (MANETs) have nodes that possess limited resources in terms of battery, processing, and storage. This creates two potential issues. Firstly, due to the limited processing capability, nodes may not be equipped with sophisticated end protection. Secondly, attackers may target nodes in order to drain their batteries. The limited resources of nodes in MANETs make them vulnerable to attacks that can exploit their weaknesses. For instance, nodes may have limited processing power, which can make it difficult to implement complex security mechanisms, such as encryption and authentication. This can leave them susceptible to attacks, such as eavesdropping and data tampering. Moreover, the limited battery life of nodes can be exploited by attackers to drain their batteries, rendering them useless. This attack, known as a Denial of Energy (DoE) attack, can be used to disrupt the network by targeting critical nodes and draining their batteries. This attack can have significant consequences, particularly in applications where the network is used for emergency response or disaster relief efforts.

• Security: Mobile Ad-hoc Networks (MANETs) face more security challenges than

traditional networks due to a range of vulnerabilities. These vulnerabilities include the lack

of physical recourse, limited resources, absence of infrastructure, and dynamic topologies.

The lack of physical recourse in MANETs means nodes can move around freely, making it

difficult to establish a secure and stable network. In addition, the limited resources of

nodes, such as battery life and processing power, can make it challenging to implement

complex security mechanisms, leaving them vulnerable to attacks.

2.3 MANETs Routing Protocols

Routing protocols are a set of rules that determine how nodes in a network communicate with each

other. The primary objective of routing protocols is to find the most efficient way for a message to

travel from the sender to the intended recipient [16]. As shown in Fig. 2.1, there are three main

categories of routing protocols: proactive, reactive, and hybrid [17].

Proactive routing protocols work by having each node maintain a table of all possible routes.

Whenever there is a change in the network, such as a node joining or leaving, the table is updated

at regular intervals. This approach is known as a table-driven protocol and it aims to be efficient by

allowing nodes to react quickly to changes. However, the downside is that there is a significant

overhead on the network to update the routing tables at fixed intervals.

[Figure: MANETs routing protocols grouped as Proactive, Reactive, and Hybrid. Protocols shown: DSDV, AODV, OLSR, LMR, ZRP, CGSR, TORA, BGP, WRP, DSR, EIGRP, TBRPF, LQSR, QDRP.]

Fig. 2.1. Classification of MANETs Routing Protocols

On the other hand, reactive routing protocols do not update the routing table until a data exchange

is initiated and a change is discovered. This approach is called an on-demand routing protocol and

it puts less overhead on the network than proactive protocols because it does not update the routing

tables regularly. However, there is a latency every time a change is discovered and data is

exchanged.

To address the limitations of both proactive and reactive routing protocols, hybrid protocols were

developed. These protocols combine the best of both algorithms. For example, a proactive routing

protocol could be used for nodes in close proximity to each other to update routing tables without

imposing a heavy overhead on the network. At the same time, a reactive routing protocol algorithm

could be used for remote nodes to reduce the time taken to discover the routes with those nodes.

Overall, the choice of routing protocol depends on the specific network's requirements and

characteristics. Proactive protocols work well in networks with stable topologies, while reactive

protocols are better suited for networks with dynamic topologies. Hybrid protocols offer a balance

between the two and are suitable for networks with a mix of stable and dynamic topologies.

It is worth noting that there are several routing protocols within each category, and each has its

own advantages and disadvantages. Examples of popular routing protocols include OSPF and

EIGRP for proactive protocols, and AODV and DSR for reactive protocols. Ultimately, the choice

of routing protocol will depend on factors such as the size and complexity of the network, the level

of traffic, and the desired level of efficiency and reliability.

2.4 Blackhole Attack

The blackhole attack is a type of active attack that takes advantage of the Ad-hoc On-demand

Distance Vector (AODV) routing protocol's operation. In the AODV routing protocol, every

network node maintains a routing table that stores information about the most efficient routes to

specific destinations. When a node wants to send a packet to another node, it first checks its own

routing table to see if it contains the required information. If it does not find the information or if

the required route is not active, the node broadcasts a Route Request (RReq) to all its neighbors,

initiating a discovery process.

If the receiving node is the destination node, it sends back a Route Reply (RRep) containing the

most updated sequence number, broadcast ID, and hop count [18]. If not, it checks its own routing

table to see if it has any routing entries to the destination and compares the routing destination

sequence. If the sequence number is less than or equal to the one it has, it sends out an RReq to its

neighbors [19]. If the sequence number is higher, it updates its routing table with the fresh route

and sends back an RRep to the node that sent the RReq.

In a blackhole attack, a malicious node injects itself into the network and falsely claims to have the

shortest path to the destination. For example, if node "S" wants to reach node "D," it sends out an

RReq to its adjacent nodes. The malicious node, "M," injects itself and rapidly responds with false

information, claiming that it has the best route [20]. Once communication starts, the malicious

node "M" drops all the information sent through it, disrupting the network's performance,

especially the packet delivery ratio and throughput. This is shown in Fig. 2.2.

The blackhole attack is a serious threat to wireless ad-hoc networks, and there are two types of

blackhole attacks: single and cooperative. In a single attack, only one node is malicious and drops

all the packets passing through it. In contrast, in a cooperative attack, multiple malicious nodes in

the same network work together to drop packets, making it more complex and dangerous than a

single blackhole attack.

A blackhole attack is an active attack where the malicious node drops all the data passing through

it [21]. Such an attack affects the network's performance, and the malicious node broadcasts false

information to its adjacent nodes, claiming that it has the shortest paths to the destination requested

by other nodes. This attack disrupts the network's performance, and the malicious node can cause a

significant loss of data, leading to a degraded network.

Fig. 2.2. Malicious node (M) drops packets in a blackhole attack.

To prevent blackhole attacks, researchers have proposed various solutions, including secure

routing protocols, trust-based routing protocols, and intrusion detection systems. These solutions

aim to detect and prevent malicious nodes from disrupting the network's performance, ensuring

secure and reliable communication among network nodes. Overall, blackhole attacks are a significant

threat to wireless ad-hoc networks, and it is important to implement effective security measures to

mitigate their impact.

Chapter 3: Literature Survey

The blackhole attack has gained significant attention from researchers due to the increasing

popularity and applications of ad hoc networks in various fields. Ad hoc networks are becoming

more prevalent, and their use is expanding rapidly, making them an attractive target for attackers.

The blackhole attack can disrupt the network's performance significantly, causing data loss and

degradation. As a result, researchers are working on developing effective techniques to prevent

blackhole attacks and ensure the security and reliability of ad hoc networks. The need for secure ad

hoc networks is critical as they are used in many critical applications, including military

operations, emergency response systems, and sensor networks. Therefore, it is essential to continue

researching and developing effective security measures to mitigate the impact of blackhole attacks

and other types of threats to ad hoc networks. The common proposed solutions can be classified

into four main approaches as shown in Fig. 3.1.

3.1 Enhanced Routing Protocol Based

Researchers have proposed a mitigation approach to address the threat of blackhole attacks in ad

hoc networks. This approach involves enhancing existing protocols to make them more capable of

detecting and preventing such attacks. These enhancements could include modifications to routing

protocols, such as adding authentication and verification mechanisms to ensure that packets are not

being dropped by malicious nodes. Other proposed solutions include the use of intrusion detection

systems and trust-based routing protocols to identify and isolate malicious nodes. The goal of these

enhancements is to make ad hoc networks more resilient to attacks and ensure that they can

continue to operate effectively even in the presence of malicious nodes. Overall, this mitigation

approach is crucial in providing a secure and reliable communication environment in ad hoc

networks.

An enhanced routing protocol called MBDP-AODV was proposed by [20] to address the threat of

blackhole attacks in ad hoc networks. This protocol incorporates statistical features, such as

standard deviation and mean, to detect suspicious activity. Under normal conditions, these figures

should increase gradually. However, during an attack, they rise rapidly in a suspicious manner.

The proposed solution involves three phases. In the first phase, the source node calculates a

threshold value for the sequence number of the destination and determines whether the packet is

suspicious. In the second phase, the suspect packet is detected, and the malicious node ID is sent to

all nodes in the network. In the third phase, the malicious node is prevented from participating in

the network. This enhanced routing protocol is designed to detect and prevent blackhole attacks

effectively. By using statistical features to detect suspicious activity, the protocol can identify

malicious nodes and prevent them from disrupting the network's performance. It is crucial to

continue researching and developing effective security measures like MBDP-AODV to ensure the

secure and reliable operation of ad hoc networks across various fields. One potential drawback of

MBDP-AODV is that it can be vulnerable to certain types of attacks, such as the blackhole and

grayhole attacks. In a blackhole attack, a malicious node drops all incoming packets, while in a

grayhole attack, it selectively drops packets. As MBDP-AODV relies on the assumption that all

nodes in the network are cooperative, these attacks can disrupt the network performance and cause

communication failures. Another drawback of MBDP-AODV is that it requires a relatively high

level of coordination and synchronization among nodes in the network. This can make it

challenging to implement in large and dynamic networks where nodes are constantly joining and

leaving the network.
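
The route-reply preference described in Section 2.4 and the three-phase threshold idea attributed to MBDP-AODV can be seen together in the following added example, which is not code from the thesis or from [20]. The `mean + k * std` rule, the parameters `k`, `min_samples` and `min_std`, and all node names and sequence numbers are assumptions constructed for illustration.

```python
# Added example (not from the thesis or from [20]): a source-side check on the
# destination sequence number carried in AODV Route Replies.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class RRep:
    sender: str      # node that generated the Route Reply
    dest: str        # destination the advertised route leads to
    dest_seq: int    # destination sequence number (higher = fresher)
    hop_count: int   # advertised distance to the destination


def plain_aodv_choice(replies):
    """Unprotected preference: freshest sequence number, then fewest hops."""
    return max(replies, key=lambda r: (r.dest_seq, -r.hop_count))


class SourceNode:
    """Assumed rule: flag a reply whose sequence-number jump exceeds
    mean + k * std of the jumps seen in previously accepted replies."""

    def __init__(self, k=3.0, min_samples=5, min_std=1.0):
        self.k = k
        self.min_samples = min_samples   # do not judge before enough history
        self.min_std = min_std           # floor so a constant history is not brittle
        self.jumps = {}                  # dest -> accepted sequence-number jumps
        self.last_seq = {}               # dest -> last accepted sequence number
        self.blacklist = set()           # node IDs excluded from routing
        self.alarms = []                 # IDs that would be announced network-wide

    def threshold(self, dest):
        jumps = self.jumps.get(dest, [])
        if len(jumps) < self.min_samples:
            return None
        return mean(jumps) + self.k * max(pstdev(jumps), self.min_std)

    def is_suspicious(self, rrep):
        limit = self.threshold(rrep.dest)
        if limit is None:
            return False
        return rrep.dest_seq - self.last_seq[rrep.dest] > limit

    def select_route(self, replies):
        accepted = []
        for r in replies:
            if r.sender in self.blacklist:       # phase 3: already isolated
                continue
            if self.is_suspicious(r):            # phase 1: threshold test
                self.blacklist.add(r.sender)
                self.alarms.append(r.sender)     # phase 2: ID to announce
                continue
            accepted.append(r)
        if not accepted:
            return None
        best = plain_aodv_choice(accepted)
        if best.dest in self.last_seq:
            jump = best.dest_seq - self.last_seq[best.dest]
            self.jumps.setdefault(best.dest, []).append(jump)
        self.last_seq[best.dest] = best.dest_seq
        return best


def demo():
    src = SourceNode()
    # Constructed history: honest replies for "D" with slowly rising numbers.
    for seq in (10, 12, 13, 15, 16, 18, 20):
        src.select_route([RRep("B", "D", seq, 3)])
    # Constructed round in which node "M" advertises an inflated number.
    replies = [RRep("B", "D", 21, 3), RRep("M", "D", 4000, 1)]
    naive = plain_aodv_choice(replies).sender
    checked = src.select_route(replies).sender
    # Later round: "M" now sends a plausible number but is already isolated.
    later = src.select_route([RRep("M", "D", 23, 1), RRep("C", "D", 22, 4)]).sender
    return naive, checked, later, src.alarms


if __name__ == "__main__":
    print(demo())
```

Without the check, the reply from "M" wins purely on its sequence number and hop count; with it, the source keeps the route through "B" and ignores "M" in later rounds.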

In their research, the authors of [7] have presented a novel technique for identifying blackhole

nodes in a network. These nodes are known for their disruptive behavior as they intentionally drop

or modify packets in order to interrupt the communication flow within the network. To overcome

this issue, the authors have proposed a technique that involves setting bait timers in all nodes

within the network. These timers are set to a random time interval and when they expire, they

trigger the nodes to launch broadcasts with fake IDs. As blackhole nodes are known to reply to all

requests, regardless of their nature, they also respond to these fake requests. This allows the

sending node to identify the blackhole nodes by monitoring their responses to these fake requests.

Once a blackhole node has been identified, the sending node maintains its information in a table of

malicious nodes. This table can be used to disregard responses from blackhole nodes when true

requests are launched in the network. Thus, the technique proposed by the authors helps to

improve the reliability and security of communication in the network by identifying and mitigating

the impact of blackhole nodes. Overall, the proposed technique is effective in detecting blackhole

nodes in a network by setting bait timers and launching fake requests. By identifying and

maintaining information about these malicious nodes, the network can avoid their interference and

ensure smooth communication flow.

While the technique proposed by the authors in [7] is effective in detecting blackhole nodes in a

network, there are several drawbacks that should be considered. Firstly, the technique relies on the

assumption that all nodes within the network will respond to all requests, including fake ones. Yet,

some nodes may be programmed to ignore or filter out certain types of requests, which can lead to

false negatives and failure to detect some blackhole nodes. Secondly, the technique may consume

a significant amount of network resources. The random bait timers used to trigger the fake requests

may cause a high volume of unnecessary traffic in the network, which can lead to congestion and

decreased network performance. Thirdly, the technique may not be suitable for networks with high

levels of traffic or with a large number of nodes. In such networks, the overhead of setting bait

timers and launching fake requests may become unmanageable and impractical.
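
The bait-timer scheme of [7] and its overhead can be traced in the following added example, which is not code from the thesis or from [7]. The timer bounds, the node model, the `bait-` identifier format and the three-node topology are assumptions constructed for illustration.

```python
# Added example (not from the thesis or from [7]): bait requests for
# non-existent destinations expose nodes that answer every Route Request.
import random
from dataclasses import dataclass, field


@dataclass
class Node:
    node_id: str
    routes: set = field(default_factory=set)  # destinations it can really reach
    answers_everything: bool = False          # blackhole behaviour being modelled

    def replies_to(self, dest):
        return self.answers_everything or dest == self.node_id or dest in self.routes


class BaitingSource:
    def __init__(self, neighbours, rng, min_gap=5.0, max_gap=15.0):
        self.neighbours = neighbours
        self.rng = rng
        self.gap = (min_gap, max_gap)     # assumed bounds of the random bait timer
        self.next_bait_at = rng.uniform(*self.gap)
        self.malicious = set()            # table of nodes caught by a bait
        self.bait_broadcasts = 0          # overhead added by the scheme

    def _fake_id(self):
        """Pick an identifier that no known node or route uses."""
        known = {n.node_id for n in self.neighbours}
        for n in self.neighbours:
            known |= n.routes
        while True:
            candidate = "bait-%08x" % self.rng.getrandbits(32)
            if candidate not in known:
                return candidate

    def tick(self, now):
        """Fire a bait request when the timer has expired; return who replied."""
        if now < self.next_bait_at:
            return []
        bait = self._fake_id()
        self.bait_broadcasts += 1
        caught = [n.node_id for n in self.neighbours if n.replies_to(bait)]
        self.malicious.update(caught)
        self.next_bait_at = now + self.rng.uniform(*self.gap)
        return caught

    def discover(self, dest):
        """Genuine discovery: replies from listed nodes are disregarded."""
        return [n.node_id for n in self.neighbours
                if n.replies_to(dest) and n.node_id not in self.malicious]


def demo(seed=7):
    # Constructed topology: A and B hold real routes, M answers everything.
    nodes = [Node("A", {"D"}), Node("B", {"D", "E"}),
             Node("M", answers_everything=True)]
    src = BaitingSource(nodes, random.Random(seed))
    before = src.discover("D")
    for now in range(0, 61):          # 60 simulated seconds
        src.tick(now)
    after = src.discover("D")
    return before, after, sorted(src.malicious), src.bait_broadcasts


if __name__ == "__main__":
    print(demo())
```

The `bait_broadcasts` counter keeps growing after "M" has been listed, which is the extra traffic the drawbacks above refer to.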

[Figure: Proposed solution techniques: Enhanced Routing Protocol Based; Reputation and Trust Based; Acknowledgement Based; Intrusion Detection System Based.]

Fig. 3.1. Classification of the mitigation techniques proposed by other researchers

The authors of [22] have proposed a modification to the Ad hoc On-Demand Distance Vector

(AODV) protocol by adding a Neighbor Credit Table to each node in the network. This table

records the credit value of each neighboring node, such that whenever a neighbor sends or

forwards a data packet, its credit value is increased. Nevertheless, even genuine nodes that do not

participate actively in the network will receive poor credit values. When a node wants to use a

neighbor node for message transmission, it first checks the value of the credit table. If the neighbor

node does not have enough credit, it is deemed untrustworthy, and another hop is used instead.

This modification enables the detection of black-hole nodes during the route discovery phase

rather than during data transmission, making the network more secure. Additionally, it can detect

and isolate smart black hole attacks, further enhancing the security of the network.

However, this technique has some drawbacks that should be considered. One of the main

disadvantages is that it increases overhead due to the additional packets sent to identify malicious

nodes. This leads to increased network traffic, which can reduce the overall network performance.

Moreover, the credit table requires frequent updates to maintain an accurate record of the credit

values of neighboring nodes, which can further increase the network overhead and complexity.

3.2 Reputation and Trust Based

A reputation system is a mechanism that gathers, evaluates, and shares information about the

behavior of nodes in a network based on their past interactions. It helps to establish the

trustworthiness of nodes by maintaining a record of their previous actions and interactions. The

system collects information about the node's behavior, such as its reliability, responsiveness, and

willingness to cooperate, and uses this information to evaluate the node's reputation. The

reputation of a node is then distributed to other nodes in the network, allowing them to make

informed decisions about whether to trust or distrust the node. Reputation systems are used in

various applications, including peer-to-peer networks, e-commerce platforms, and social media

platforms, to promote trust and prevent malicious behavior. By using a reputation system, nodes

can make more informed decisions when interacting with other nodes in the network, which can

help improve the overall performance and security of the network.

In [23], a technique called Selfish Node Removal using Reputation Model (SNRRM) was

proposed as a means to remove selfish nodes from a network. According to the authors, selfish

nodes can be identified based on their current energy level and communication ratio. When both

the sender (S) and destination (D) nodes are within communication range, only the reputation

value of the sender is checked. Yet, when the sender and destination nodes are not within the same

communication range, the sender broadcasts a control packet to its neighbors and waits for replies.

The communication ratio is then calculated based on the number of sent requests and received

replies. SNRRM works by maintaining a reputation model that evaluates the behavior of nodes in

the network based on their communication patterns and energy consumption. Nodes with low

communication ratios or high energy consumption are identified as selfish nodes and removed

from the network.

The advantage of SNRRM is that it can remove selfish nodes from the network without relying on

central authorities or external monitoring systems. Instead, the reputation model is distributed

across the network, and nodes use it to make decisions about which nodes to trust and which to

avoid.

However, there are also some potential drawbacks to consider. For example, the technique relies

on the assumption that all nodes in the network are willing to cooperate and participate in the

reputation system. Additionally, the accuracy of the reputation model depends on the quality and

quantity of data collected, which can be affected by various factors such as network topology, node

mobility, and environmental conditions.

In [24], the authors proposed a Node Activity-based Trust and Reputation Estimation (NA-TRE)

solution that monitors node activities to assess their status as either normal (N) or malicious (M),

and then computes trust and reputation estimates accordingly. The technique is designed to detect

and mitigate malicious nodes in wireless ad hoc networks, and it is based on the assessment of

three different states of nodes: Normal State (NS), Resource Limitation State (RS), and Malicious

State (MS). In the NS, nodes cooperate and follow routing requirements to the best of their

abilities. In the RS, nodes do not cooperate as much due to various factors such as low power

consumption, being out of communication range, or high congestion. In the MS, nodes

intentionally disrupt the network by initiating denial of service attacks, creating false paths,

delaying packets, or engaging in other malicious activities that impact the network. To proactively

distinguish between these states, the authors used a "Semi-Markov probability decision process" to

predict the state of a node based on its activities. This allows the NA-TRE solution to detect

malicious nodes before they can cause significant damage to the network.

The advantage of the NA-TRE solution is that it provides a comprehensive assessment of node

activities and performance, which can help improve the reliability and security of wireless ad hoc

networks. By detecting malicious nodes and computing trust and reputation estimates, the

technique enables nodes to make informed decisions about which nodes to trust and which to

avoid.

Yet, there are also some potential limitations and challenges associated with the NA-TRE solution.

For example, the accuracy of the technique depends on the quality and quantity of data collected,

which can be affected by various factors such as the topology of the network, node mobility, and

environmental conditions. Additionally, the technique relies on the assumption that all nodes in the

network are willing to cooperate and participate in the trust and reputation estimation process,

which may not be the case in all scenarios.

In their research presented in [25], the authors proposed a reputation and trust system to counter

blackhole attacks in wireless ad hoc networks. The system is based on trust relationships between

nodes. Specifically, if node A trusts node B, then node B can also trust node A. Similarly, if node

A trusts node C and node C trusts node B, then node A can trust node B. To implement this

solution, each node in the network is equipped with a reputation table that maintains data about the

behavior of its neighboring nodes. This data is quantified and stored in the table. When a message

is sent from a source to a destination, an acknowledgment is sent back from the destination to

confirm receipt of the message. This acknowledgment is then sent to all other nodes in the

network. In case the acknowledgment is not received, the trusted table is updated negatively. The

trust-based system is similar to the reputation system, as every node maintains a register of other

nodes based on their interactions. However, in the trust-based system, when a node forwards a

packet, it checks the trust values of its adjacent nodes and chooses the node with the higher trust

value.

The advantage of this reputation and trust system is that it can detect and mitigate blackhole

attacks by enabling nodes to make informed decisions about which nodes to trust and which to

avoid. By using a reputation table and a trust-based system, nodes can build trust relationships with

their neighbors and use this information to make decisions about routing. This can help improve

the security and reliability of the network.

Despite that, there are also potential limitations and challenges associated with this solution. For

example, the accuracy of the system depends on the quality and quantity of data collected and

stored in the reputation table. Moreover, the system assumes that all nodes in the network are

honest and willing to cooperate in building trust relationships, which may not always be the case.

The Node Activity-based Trust and Reputation estimation (NA-TRE) technique proposed in [26] is

designed to ensure both security and quality of service in wireless ad hoc networks by evaluating

the trustworthiness of nodes based on their activities, such as packet forwarding or dropping.

This approach has a key advantage in that it can detect black-hole nodes during the route discovery

phase, rather than waiting until the data transmission phase. This makes it possible to isolate smart

black hole attacks effectively.

However, one of the main drawbacks of NA-TRE is that it increases network overhead by sending

additional packets to identify malicious nodes. This can lead to high network traffic, which can

affect network performance. Despite this drawback, NA-TRE has several key advantages,

including the fact that the reputation system is not limited to classifying nodes as good or bad, but

also provides more detailed information about how cooperative nodes are. Moreover, NA-TRE

provides node trust values while packets are forwarded, which supports Quality of Service (QoS)

requirements. This means that nodes can make informed decisions about which nodes to trust

when forwarding packets, which can help improve network performance. However, it is important

to note that the reputation system used by NA-TRE is reactive and takes decisions based on

historical data. This means that it may not be effective in detecting newly emerging threats or

attacks.

Another potential limitation of NA-TRE is that the reputation tables used to store trust and

reputation information can be falsified, compromising the security and reliability of the network.

Additionally, the technique is vulnerable to denial of service attacks, which can undermine its

effectiveness.

3.3 Acknowledgment Based

The acknowledgment-based approach is a technique designed to mitigate blackhole attacks in wireless

ad hoc networks. This approach involves creating acknowledgment packets through either the

source or intermediate nodes before the route determination process. The nodes that do not reply to

these packets are classified as either selfish nodes, nodes with insufficient energy, or malicious

nodes. The primary aim of this approach is to address the problem of blackhole attacks, which can

significantly affect network performance by dropping or blocking packets. By using

acknowledgment packets, nodes can determine which nodes are trustworthy and which are not.

Nodes that do not reply to the acknowledgment packets are considered untrustworthy and can be

avoided when routing packets.

One of the key advantages of the acknowledgment-based approach is that it helps detect malicious

nodes prior to the route determination process. This can help prevent blackhole attacks from

occurring, which can be particularly important in situations where network security is critical.

Furthermore, this approach can help identify other types of problematic nodes, such as selfish

nodes or nodes with insufficient energy, which can also affect network performance.

Yet, there are also potential limitations associated with the acknowledgment-based approach. For

example, the creation of acknowledgment packets can increase network overhead, which can affect

network performance. Additionally, the approach relies on the assumption that nodes will always

reply to the acknowledgment packets, which may not always be the case. Finally, the approach

may not be effective in detecting newly emerging threats or attacks.

The authors of [27] have proposed an improved routing protocol called Ad hoc On-demand

Multipath Secure Routing (AOMSR) that uses acknowledgments to enhance network performance

and security. This protocol requires the source node to maintain multiple paths from the source to

the destination based on the maximum delay in receiving data. The primary objective of AOMSR

is to improve the performance and security of wireless ad hoc networks by creating multiple paths

for data transmission. By creating multiple paths, AOMSR can address the problem of single path

routing where a single path may not always be reliable or available. In addition, AOMSR uses

acknowledgments to ensure that data is properly transmitted, which can help prevent packet loss

and improve network performance.

One of the key advantages of AOMSR is that it provides a more secure and reliable routing

protocol for wireless ad hoc networks. By using multiple paths and acknowledgments, AOMSR

can help prevent attacks such as blackhole attacks and improve network performance. Moreover,

AOMSR is designed to be robust in the face of node failures or changes in network topology,

which can further enhance its reliability.

On the other hand, there are also potential limitations associated with AOMSR. For example, the

creation of multiple paths can increase network overhead and complexity, which can affect

network performance. Additionally, the use of acknowledgments can also increase network traffic

and latency, which can further impact network performance.

In [28], the authors have proposed an extension of the acknowledgment-based approach that takes into

account the selection of energy-efficient intermediate nodes that are non-congested for

communication, session key agreements, a counter-based end-to-end cycle of acknowledgement,

and the authentication of Ack packets using message digest. The aim of this technique is to

improve the security and efficiency of wireless ad hoc networks by differentiating between

malicious nodes, selfish nodes, and nodes with insufficient energy.

The primary advantage of this technique is that it can identify the different types of problematic

nodes in the network, including malicious nodes, which can help prevent attacks such as blackhole

attacks. By selecting energy-efficient intermediate nodes and using session key agreements, this

approach can also improve network performance and efficiency. Moreover, the use of message

digest for authentication can enhance the security of the network by ensuring that the

acknowledgment packets are not tampered with.

However, one of the potential drawbacks of this technique is the increased network load due to the

additional acknowledgment packets. This can lead to network congestion and affect network

performance, particularly in situations where the network is already congested.
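
The counter-based, digest-authenticated acknowledgment described for [28] is shown in the following added example, which is not code from the thesis or from [28]. It assumes HMAC-SHA256 as the keyed message digest and a hypothetical packet layout of an 8-byte session id, an 8-byte counter and a 32-byte tag; the key and session id are constructed values.

```python
# Added example (not from the thesis or from [28]): end-to-end ACKs bound to a
# session key and a counter, so altered, forged or replayed ACKs are rejected.
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def make_ack(session_key, session_id, counter):
    """Destination side: ACK = session_id (8 bytes) || counter (8 bytes) || tag."""
    body = session_id + struct.pack(">Q", counter)
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


class AckTracker:
    """Source side: remembers which data packets still await a valid ACK."""

    def __init__(self, session_key, session_id):
        self.key = session_key
        self.session_id = session_id
        self.outstanding = set()   # counters sent but not yet acknowledged
        self.acked = set()         # counters already acknowledged once

    def sent(self, counter):
        self.outstanding.add(counter)

    def receive(self, packet):
        if len(packet) != 16 + TAG_LEN:
            return "malformed"
        body, tag = packet[:16], packet[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad-digest"
        if body[:8] != self.session_id:
            return "wrong-session"
        counter = struct.unpack(">Q", body[8:])[0]
        if counter in self.acked:
            return "replayed"
        if counter not in self.outstanding:
            return "unexpected"
        self.outstanding.discard(counter)
        self.acked.add(counter)
        return "ok"


def demo():
    key = bytes(range(32))     # constructed session key
    sid = b"SESS0001"          # constructed 8-byte session id
    src = AckTracker(key, sid)
    for counter in (1, 2, 3, 4):
        src.sent(counter)
    ack1, ack2 = make_ack(key, sid, 1), make_ack(key, sid, 2)
    results = [src.receive(ack1), src.receive(ack2)]
    # ACK for packet 2 with its counter field rewritten to 3, tag unchanged.
    altered = ack2[:8] + struct.pack(">Q", 3) + ack2[16:]
    results.append(src.receive(altered))
    results.append(src.receive(ack2))                            # same ACK again
    results.append(src.receive(make_ack(b"\x00" * 32, sid, 4)))  # wrong key
    return results, sorted(src.outstanding)


if __name__ == "__main__":
    print(demo())
```

Counters 3 and 4 stay outstanding at the end, which is the evidence the source would use to suspect the path that carried those packets.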

3.4 Intrusion Detection System Based

An Intrusion Detection System (IDS) is a valuable tool for detecting and preventing attacks in

wireless ad hoc networks, particularly in Mobile Ad hoc Networks (MANETs). An IDS deployed in

MANETs can help detect and respond to malicious activities, such as blackhole attacks or

wormhole attacks. The IDS can operate in a centralized or distributed manner, depending on

network topology and requirements. An intrusion detection system works as an alarm system: when

it discovers an attack, it issues a warning to the system [29]. The IDS contains an audit

register that keeps all the data for analysis and provides an output on which decisions are

based.

One of the key advantages of IDS in MANETs is that it can help improve network security by

detecting and mitigating attacks. By using various techniques, such as pattern matching or machine

learning algorithms, IDS can detect and classify malicious nodes based on their behavior patterns.

Moreover, IDS can be designed to be resilient to node failures and changes in network topology,

which can enhance the reliability of the network.

Yet, there are also potential limitations associated with IDS in MANETs. For example, IDS can

increase network overhead and latency, which can affect network performance. Additionally, IDS

may not be effective in detecting newly emerging threats or attacks, as it relies on historical data or

known attack patterns. Moreover, IDS may be vulnerable to attacks, such as spoofing or denial of

service attacks, which can undermine its effectiveness.

Despite its potential limitations, an IDS deployed in MANETs remains a valuable technique for

improving network security. By using a combination of techniques, such as signature-based and

anomaly-based detection, IDS can detect and respond to attacks while minimizing false positives

and false negatives. Moreover, IDS can be designed to be scalable and adaptable to different types

of MANETs, which can enhance its effectiveness.

The authors of [30] have proposed an Intrusion Detection System (IDS) called DPAA-AODV to

address the problem of blackhole attacks in wireless ad hoc networks. This IDS protocol works in

two phases: an online phase and an offline phase. During the offline phase, the ReliefF Model is

used to identify reliable features in the Blackhole Detection Dataset (BDD). This is done to

ensure that the selection of features is accurate. In the online mode, the previously learned features

are selected. If the results exceed the threshold, it is likely that a malicious node is present. The

primary objective of DPAA-AODV is to detect and mitigate blackhole attacks in wireless ad hoc

networks. By using the ReliefF Model to identify reliable features in the BDD dataset, DPAA-AODV

can effectively detect blackhole attacks. Moreover, by using a threshold-based approach to

classify malicious nodes, DPAA-AODV can improve network security and reliability.

One of the key advantages of DPAA-AODV is that it provides a more accurate and reliable

approach to blackhole attack detection. By using the ReliefF Model to identify reliable features in

the BDD dataset, DPAA-AODV can ensure that the selection of features is accurate. Additionally,

the threshold-based approach used in the online mode can help prevent false positives and false

negatives, which can further enhance the reliability of the IDS.

Conversely, there are also potential limitations associated with DPAA-AODV. For example, the

IDS protocol can increase network overhead and latency, which can affect network performance.

Additionally, the approach may not be effective in detecting new or emerging threats, as it relies

on historical data or known attack patterns. Moreover, the IDS may be vulnerable to attacks, such

as spoofing or denial of service attacks, which can undermine its effectiveness.

The authors of [31] have proposed a host-based Intrusion Detection System (IDS) that collects

information about the normal behavior of nodes in a wireless ad hoc network. They simulated

normal and malicious behavior of nodes using the GloMoSim simulator. Then, they used the

machine learning tool Weka 3.7.11 to apply feature selection techniques to identify malicious

nodes. The IDS protocol used six features to detect malicious nodes. These features include the

number of RREQ (Route REQuest) sent, the number of RREP (Route REPly) forwarded, the

number of high destination sequence number, the number of low count of hops to destination, the

number of nodes acting as source, and the number of nodes acting as destination. The primary

objective of this host-based IDS system is to detect and mitigate malicious nodes in wireless ad

hoc networks. By using machine learning and feature selection techniques, the IDS can detect

anomalies and classify them as malicious nodes. Moreover, by using a host-based approach, the

IDS can be more effective in detecting attacks that originate from within the network.

One of the key advantages of this host-based IDS is that it provides a more accurate and reliable

approach to detecting malicious nodes. By using feature selection techniques and machine learning

algorithms, the IDS can identify new or emerging threats and classify them as malicious nodes.

Moreover, the host-based approach used in this IDS can help detect attacks that originate from

within the network, which can enhance network security and reliability.

However, there are also potential limitations associated with this host-based IDS. For instance, the

IDS may not be effective in detecting attacks that occur outside the network or attacks that use

sophisticated techniques to evade detection. Additionally, the IDS may increase network overhead

and latency, which can affect network performance. Moreover, the IDS may require significant

computational resources to process and analyze network data, which can be a challenge for

resource-constrained devices.

The authors of [18] have proposed a two-phase solution to address the problem of blackhole

attacks in wireless ad hoc networks. The first phase involves feature selection to identify the

features of blackhole nodes based on their behavior, such as how they handle RREQ (Route

REQuest) and RREP (Route REPly). In the second phase, the AODV (Ad hoc On-Demand

Distance Vector) protocol is enhanced by incorporating the learned data into each node to detect

and avoid blackhole nodes during data transmission. The primary objective of this proposed

solution is to improve network security by detecting and mitigating blackhole nodes in wireless ad

hoc networks. By using feature selection techniques and enhancing the AODV protocol, the

solution can effectively identify blackhole nodes and prevent them from disrupting network

communication.

One of the key advantages of this solution is that it provides a more accurate and reliable approach

to detecting blackhole nodes. By using feature selection techniques to identify the behavior

patterns of blackhole nodes and enhancing the AODV protocol with the learned data, the solution

can effectively detect and avoid blackhole nodes during data transmission. Moreover, the solution

can be adapted to different types of wireless ad hoc networks, which enhances its versatility.

However, there are also potential limitations associated with this solution. For instance, the

solution may not be effective in detecting attacks that occur outside the network or attacks that use

sophisticated techniques to evade detection. Additionally, the solution may increase network

overhead and latency, which can affect network performance. To address these limitations,

researchers and developers may need to consider alternative techniques that can complement or

enhance the capabilities of this solution for improving the security and reliability of wireless ad

hoc networks. For instance, combining multiple IDS techniques, such as host-based and network-

based IDS, can provide a more comprehensive approach to detecting and mitigating attacks.

Moreover, implementing security mechanisms and protocols that can detect and mitigate attacks

can help improve the security and reliability of the network.

In [23], the authors proposed an enhanced routing protocol called Secure Ad hoc On-Demand

Distance Vector (SAODV) to provide better security for Mobile Ad hoc Networks (MANETs)

against blackhole attacks. SAODV is designed to be a more secure version of the Ad hoc On-

Demand Distance Vector (AODV) routing protocol. While SAODV and AODV share similar

functionalities, such as the route discovery process, SAODV includes an additional verification

process to ensure the trustworthiness of adjacent nodes. The primary objective of this enhanced

routing protocol is to improve the security of MANETs by providing a more reliable and secure

routing protocol against blackhole attacks. By incorporating a verification process, SAODV can

effectively detect and prevent blackhole nodes from disrupting network communication.

One of the key advantages of this enhanced routing protocol is that it provides a more secure

approach to routing in MANETs. By adding a verification process, SAODV can ensure that

adjacent nodes are trusted and prevent blackhole nodes from disrupting network communication.

Additionally, the protocol can be customized and adapted to different types of wireless ad hoc

networks, which enhances its versatility.

However, there are also potential limitations associated with this enhanced routing protocol. For

instance, the protocol may not be effective in detecting attacks that occur outside the network or

attacks that use sophisticated techniques to evade detection. Additionally, the protocol may

increase network overhead and latency, which can affect network performance.

In [32], the authors proposed an Intrusion Detection System (IDS) that relies on various classifiers,

including decision tree, K-Nearest Neighbors (KNN), Support Vector Machine (SVM), and Neural

Network. The decision tree classifier involves nodes, edges, and leaves to generate rules for

classifying records into malicious and non-malicious classes. The KNN classifier saves the training

data and considers the distance metric of other nodes while relating the data set to its respective

classes. The SVM classifier is mainly used for pattern detection problems and can also be used for

classification, while the Neural Network is used for processing and training the records. The

primary objective of this proposed IDS is to improve network security by detecting and mitigating

blackhole and greyhole attacks in wireless ad hoc networks. By using various classifiers, the IDS

can effectively identify and classify anomalies in network traffic.

One of the key advantages of this technique is that the classification algorithm is not only used for

blackhole attacks but is also effective in detecting greyhole attacks. Moreover, the anomaly-based

approach has a high accuracy level in discovering blackhole attacks, while the random forest

classifier has a high accuracy and detection rate.

However, there are also potential limitations associated with this technique. For instance, the nodes

have to be in a promiscuous mode, which may not be acceptable by all nodes, and the system itself

can be attacked. Additionally, the technique may not be effective in detecting attacks that occur

outside the network or attacks that use sophisticated techniques to evade detection. Furthermore,

the technique may increase network overhead and latency, which can affect network performance.

As previously mentioned, there exist four primary techniques for detecting blackhole attacks:

Enhanced Routing Protocol Based, Reputation and Trust Based, Acknowledgement Based, and

Intrusion Detection System Based. In our research, we opted for the Intrusion Detection System

(IDS) approach due to several advantages it offers. IDS provides higher accuracy in detecting

blackhole attacks, is less complex, and does not require significant changes to the network

topology and routing protocols as required by the Enhanced Routing Protocol approach.

Additionally, IDS is more reliable and less vulnerable to manipulation than the Reputation and

Trust Based technique. Furthermore, IDS is a lightweight mechanism that imposes a lower load on

the network compared to the Acknowledgement Based system.

Chapter 4: Experimental Methodology

This thesis employs a methodology that comprises four distinct steps (as shown in Fig. 4.1). The

initial step involves generating data that will be used for machine learning analysis. In order to

simulate traffic data that closely resembles real-life traffic with a blackhole attack, the OMNET++

simulator is used. The generated data is then collected in a specific format that can be analyzed

later. During the collection process, the traffic records exhibit certain common features or

behaviors. These features are then analyzed using Support Vector Machine (SVM) in order to

classify the traffic into two categories: normal and malicious traffic.

Subsequently, based on this analysis, the malicious nodes can be accurately identified and blocked

to prevent further damage. SVM is a machine learning algorithm that is commonly used in

classification tasks where the goal is to separate data into different classes. By analyzing the

common features and behaviors of the traffic data, SVM can accurately classify the traffic into

normal and malicious traffic. Through this classification, it is possible to identify and block the

malicious nodes that are causing the blackhole attack.

Overall, this methodology provides a systematic approach for generating and analyzing traffic data

under the presence of a blackhole attack. By employing machine learning techniques such as SVM

for classification, it is possible to accurately identify and block the malicious nodes. This approach

can help in improving the security of network systems and preventing potential attacks.

[Figure: four steps: Data Generation Using OMNET++, Data Collection, Features Selection, Data Processing]

Fig. 4.1. Methodology used in the thesis to mitigate blackhole attack

4.1 Proposed Solution

In Mobile Ad-hoc Networks (MANETs), the nodes are expected to work together and rely on each

other to fulfill functions that are typically provided by infrastructure. This collaboration is essential

for the proper functioning of the network. However, attacks such as the Blackhole attack can

disrupt the network's operation by corrupting the nodes. To identify these malicious nodes, their

behavior needs to be studied.

Malicious nodes in a MANET display certain behavioral characteristics that are common. These

can be summarized as follows:

• They increase their transmission power to respond to most of the RREQ (Route REQuests).

• They rarely send any RREQ themselves.

• They usually send unicast messages and hardly ever broadcast messages.

To address this issue, an Anomaly Detection System based on SVM (ADS-SVM) has been

developed. The purpose of ADS-SVM is to detect any malicious nodes based on the behavioral

characteristics mentioned above. Once detected, these nodes will be labeled and isolated from the

network to prevent further harm.

The Anomaly Detection System based on SVM (ADS-SVM) does not add a significant overhead

to the network's resources. By analyzing the behavior of nodes in the network, the system can

identify any nodes that exhibit the aforementioned malicious behavior. Once identified, these

nodes are flagged as malicious and isolated from the network to prevent further damage.

Overall, the Anomaly Detection System based on SVM (ADS-SVM) provides an effective solution

to detect and isolate malicious nodes in a MANET. By identifying and isolating these nodes, the

system can prevent them from disrupting the network's operation and ensure the network's overall

security.

4.2 Data Generation

To simulate the behavior of both normal and malicious nodes as shown in Fig. 4.2, we utilized

OMNET++ 5.7. The simulation was conducted on a network consisting of seven nodes, one of

which is stationary and functions as a sender (node1). As this static node is irrelevant to the

simulation's core objective, it was omitted from the graphs that were generated.

As stated in Table 4.1, the simulation was performed in two different scenarios. In the first

scenario, all nodes were assumed to be cooperative, and no malicious node was present.

Consequently, all nodes exhibited normal behavior. In contrast, the second scenario involved the

introduction of a malicious node (node 6), while the rest of the nodes continued to function

normally. The radio transmission power for all nodes was set to 1 mW.

The simulation allowed us to investigate and analyze the behavior of both normal and malicious

nodes in a controlled environment. By comparing the results of the two scenarios, we could

identify any anomalous behaviors that were present in the presence of a malicious node.

Fig. 4.2. A snapshot from OMNET++ while a node is sending packets (RReq) to adjacent nodes

A specific scenario was set up in which the radio transmission power of node 6 was increased to 5 mW.

By increasing its transmission power, node 6 was able to deceive all its neighboring nodes into

believing that it was the closest node to them. As a result, it received a substantial number of

requests from the other nodes in the network.

In more detail, when nodes search for the best routes between them, they send RReq messages to

their neighboring nodes. In this scenario, node 6 would appear to be an adjacent node to the other

nodes due to its increased transmission power. As a result, it would be the first node to receive the

RReq messages and would respond with RRep messages as quickly as possible.

This behavior is a common trait of a blackhole attack, in which a malicious node deceives other

nodes into believing that it has the best path to the destination. By doing so, the malicious node can

intercept and manipulate traffic, causing disruption to the network's operation.

Table 4.1. The parameters configuration used to generate the data set in OMNET++ simulator

Simulation Environment Parameters

Parameter                          Value
Simulation used                    OMNeT++ 5.7
Number of nodes                    7 nodes
Routing Protocol                   AODV
Total Space                        400 m
Transmission Power [All nodes]     1 mW
Transmission Power [Node 6]        5 mW
Transmission Speed                 24 Mbps
Mobility Speed                     25 mps
Transport protocol                 UDP

4.3 Data Collection

After conducting the simulations in two different scenarios, the results were collected and fed into

a detection system for analysis. The first scenario assumed that all nodes were cooperative and

behaved normally, while the second scenario involved the presence of a malicious node. The

dataset that was collected during the simulation contained critical data that was used for analysis.

The dataset included the AODV request, which is the message that nodes send to request a route to

a destination node. It also contained information on the transmission power of nodes while sending

their packets and the type of data transfer, which could either be broadcast or unicast.

By analyzing this data, the detection system could identify any anomalous behaviors that were

present in the second scenario when the malicious node was introduced. The system could

compare the results from the two scenarios and identify any deviations from normal behavior.

This approach allows for the effective detection of malicious nodes in a MANET. By analyzing the

behavior of nodes and comparing it to normal behavior, it is possible to identify any nodes that are

exhibiting anomalous behavior. This can help in preventing potential attacks and maintaining the

security of the network.

4.4 Feature Selection

Chapter 5 of the research thesis outlines three key characteristics of the blackhole attack that were

identified in the study. The first feature is that the malicious node increases its transmission power

to appear as the closest node to other nodes in the network. This deception allows the malicious

node to receive as many requests as possible from other nodes.

The second feature of the blackhole attack is that malicious nodes rarely send any Route REQuests

(RReq) themselves. Instead, they focus on replying to as many requests as possible. This behavior

allows the malicious node to control the flow of traffic in the network, intercepting and

manipulating messages as needed.

The third and final feature of the blackhole attack is that malicious nodes typically send unicast

messages and hardly ever broadcast messages. This behavior is consistent with the goal of the

attack, which is to deceive other nodes and manipulate traffic for the malicious node's benefit.

By identifying these three characteristics of the blackhole attack (shown in Fig. 4.3), we were able

to develop an Anomaly Detection System based on SVM (ADS-SVM) that can detect malicious

nodes based on their behavior. The system analyzes data collected during simulations and

compares it to normal behavior to identify any deviations. Once a malicious node is detected, it is

isolated from the network to prevent further harm.

[Figure: Malicious nodes' behaviours: increase transmission power to respond to most of the RREQ; almost never send any RReq; always unicast and almost never broadcast]

Fig. 4.3. Feature Selection based on malicious nodes' behaviors

During the simulation, the radio transmission power of node 6 was increased to 5 mW, while all

other nodes were set to the default 1 mW. This manipulation of transmission power allowed node 6

to deceive other nodes by appearing as the closest node to them.

The second key feature of the blackhole attack is that the attacker replies to as many requests as

possible while keeping a low profile in terms of sending route requests (RReq). This behavior

allows the malicious node to receive traffic and control the flow of data without drawing attention

to itself.

The third feature of the blackhole attack is that the attacker almost never broadcasts messages, and

all of its communication is in the form of unicast messages. This behavior is consistent with the

goal of the attack, which is to deceive other nodes and manipulate traffic for the attacker's benefit.

4.5 Data Processing

The data collected from the OMNET++ simulator contains eight columns of information.

However, only five of these columns will be used for analysis, while the remaining three are

irrelevant for the purpose of the analysis. The five columns of data that will be utilized for analysis

are as follows:

• The first column, Hops, serves two crucial purposes for the research. Firstly, it indicates the

direction of transmission, revealing the node that is used as a hop or the node that performs

the routing function. Secondly, it helps to identify the path that the data transmission takes

through the network.

• The second column, Transmission Type, provides information about the transmission

power and whether it is a Route Request (RReq) or Route Reply (RRep) message. This

column is particularly critical for identifying nodes that are not sending any RReq

messages, which is an essential feature used to identify nodes exhibiting misbehavior and

potentially engaging in blackhole attacks.

• The third column, Node Name, contains the name of the node that is transmitting the data.

This information is vital for identifying each node in the network and recognizing any node

that is misbehaving.

• The fourth column, Transfer Type, provides the value of the transfer type, which is either

broadcast or unicast. This column is used to identify nodes that are not broadcasting any

messages, which is a suspicious behavior and an indication of potential misbehavior.

• Finally, the fifth column, Transmission Power, indicates the power used to transmit the

data. Manipulating transmission power is a common tactic used in blackhole attacks to

increase the power of the node and intercept and respond to Route Request messages.

Therefore, this column is particularly important for detecting any malicious activity in the

network.
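As an added illustration (not code from the thesis), the sketch below reduces records with these five columns to per-node features: RReq and RRep counts, the RReq-to-RRep percentage, the broadcast fraction and the highest transmission power. The CSV layout, the column spellings, the sample rows and the strict all-three-behaviours rule are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records, not thesis data. The thesis names the five
# columns but not the file layout, so this CSV header is an assumption.
SAMPLE_CSV = """\
hops,transmission_type,node_name,transfer_type,tx_power_mw
node2>all,RReq,node2,broadcast,1
node2>node3,RRep,node2,unicast,1
node2>node4,RRep,node2,unicast,1
node2>node5,RRep,node2,unicast,1
node2>node7,RRep,node2,unicast,1
node6>node2,RRep,node6,unicast,5
node6>node3,RRep,node6,unicast,5
node6>node4,RRep,node6,unicast,5
node6>node5,RRep,node6,unicast,5
node6>node7,RRep,node6,unicast,5
node7>all,RReq,node7,broadcast,1
"""


def node_features(csv_text):
    """Aggregate per-node counts from records with the five analysed columns."""
    counts = defaultdict(lambda: {"rreq": 0, "rrep": 0, "broadcast": 0,
                                  "max_power_mw": 0.0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["transmission_type"].strip().lower()
        if kind not in ("rreq", "rrep"):
            continue  # only AODV requests and replies feed the features
        c = counts[row["node_name"].strip()]
        c[kind] += 1
        if row["transfer_type"].strip().lower() == "broadcast":
            c["broadcast"] += 1
        c["max_power_mw"] = max(c["max_power_mw"], float(row["tx_power_mw"]))

    features = {}
    for node, c in counts.items():
        total = c["rreq"] + c["rrep"]  # at least 1 for every node seen
        features[node] = {
            "rreq": c["rreq"],
            "rrep": c["rrep"],
            # Undefined when the node sent no replies; avoid dividing by zero.
            "rreq_to_rrep_pct": (100.0 * c["rreq"] / c["rrep"]
                                 if c["rrep"] else None),
            "broadcast_fraction": c["broadcast"] / total,
            "max_power_mw": c["max_power_mw"],
        }
    return features


def matches_blackhole_profile(f, baseline_power_mw=1.0):
    """True when all three behaviours hold at once (strict thresholds assumed)."""
    return (f["max_power_mw"] > baseline_power_mw
            and f["rrep"] > 0 and f["rreq"] == 0
            and f["broadcast_fraction"] == 0.0)


if __name__ == "__main__":
    for node, f in sorted(node_features(SAMPLE_CSV).items()):
        print(node, f, "suspect" if matches_blackhole_profile(f) else "ok")
```

A node that has sent requests but no replies yet gets an undefined percentage rather than a misleading value, and is not flagged by the rule.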

4.6 Machine learning using SVM

The Support Vector Machine (SVM) is a popular machine learning algorithm, widely known for

its effectiveness in solving pattern classification problems. As shown in Fig. 4.4, the SVM model

consists of three lines, with the middle line referred to as the optimal classification line and the

other two lines referred to as the margin lines. These lines are used to classify patterns into two

distinct classes [40]. In our scenario, the SVM model is employed to differentiate between

normally behaving nodes and malicious nodes based on the analyzed traffic.

$w \cdot x + b = 0$ (1)

Where “w” is the weight vector, and “x” is the input vector. In SVM, we want to find the

hyperplane that maximizes the margin between the two classes. The margin is defined as the

distance between the hyperplane and the closest data points from each class. Those closest data

points are called support vectors and they determine the position of the hyperplane.

The optimal classification line in the SVM model represents the boundary that optimally separates

the two classes of data. The margin lines, on the other hand, are positioned parallel to the optimal

classification line and are used to maximize the distance between the optimal classification line

and the closest data points from each class. This process, called margin maximization, improves

the robustness and generalization ability of the model, making it less susceptible to overfitting and

noise in the data.

In our specific use case, the SVM model is trained on a dataset of network traffic to identify

patterns in the data that correspond to malicious behavior. The model uses the analyzed traffic data

to learn the characteristics of normal behavior and then identifies deviations from this behavior as

potentially malicious. By separating the normal behaving nodes from the malicious ones, the SVM

model can detect and classify suspicious activity accurately and efficiently.

The dataset used for the SVM model consists of two classes, with the first class represented by a

positive label (+1), and the second class represented by a negative label (-1). The dataset contains a

sample size of n, where each sample is represented by a vector characteristic x_i, and a

corresponding label y_i, which can be either -1 or +1. Although the characteristics of the samples

may not be identical, they can still be accurately classified, provided a margin is defined that

allows for some acceptable deviation.

The SVM algorithm works by finding the optimal classification line, which separates the two

classes of data and maximizes the margin between them. This optimal line is represented by the

sum of the weighted input ($w \cdot x$) and the bias (b), which equals zero, as shown in Equation 1.

The margin is a critical parameter in the SVM algorithm, as it determines the maximum

permissible deviation that a sample can have from the optimal classification line while still being

correctly classified. The SVM algorithm aims to maximize the margin while correctly classifying

all the samples in the dataset. This process is achieved by iteratively adjusting the values of w and

b until the optimal classification line is found.

The SVM algorithm's ability to accurately classify data even with some deviation in the

characteristics is due to the use of the kernel function. The kernel function maps the input data into

a higher-dimensional space, where it is more easily separable, allowing for more accurate

classification. This transformation allows the SVM model to capture nonlinear relationships

between the input data and the corresponding labels.

Due to the fact that the vector characteristics of the dataset are not identical, there are two

additional lines that are parallel to the optimal classification line and have some margin. These two

lines, along with the optimal classification line, form what is referred to as the hyperplane. The

hyperplane is a crucial component of the SVM algorithm, as it serves as the decision boundary that

separates the two classes of data.

Fig. 4.4 Support Vector Machine (SVM)

The SVM algorithm aims to maximize the margin between the hyperplane and the closest data

points from each class. The points that lie on or above the hyperplane are classified as belonging to

the positive class, while the points that lie below the hyperplane are classified as belonging to the

negative class. To achieve this, we impose a constraint on the distance between the hyperplane and

the closest data points from each class. Specifically, we require that the distance between the

hyperplane and the closest data points, known as the margin, is at least 1. Mathematically, this

constraint can be expressed as $w \cdot x + b \ge 1$ (Eq. 2) for all positive examples and $w \cdot x + b \le -1$ (Eq. 3)

for all negative examples, where positive examples belong to one class and negative examples

belong to the other class. The margin is then given by the distance between the hyperplane and the

closest data points.

The margin between the hyperplane and the closest data points is determined by the marginal bias

in the SVM model. The marginal bias is the distance between the optimal classification line and

the closest data points from each class. By maximizing this margin, the SVM algorithm can

minimize the risk of misclassification and improve the model's accuracy.

$w \cdot x + b \ge 1$ (2)
In a similar fashion to the positive class, the points that lie below the hyperplane are classified as

belonging to the negative class. Equation 3 describes how the SVM algorithm classifies the data

points that lie below the hyperplane as belonging to the negative class.

$w \cdot x + b \le -1$ (3)
In the SVM algorithm, the two classes of data points are typically referred to as the malicious and

normal vectors. The SVM algorithm's ability to accurately classify data points into these two

classes has made it a popular tool in various fields, including cybersecurity and financial analysis.

Although the SVM algorithm is a powerful tool for classifying data, it has certain limitations. One

of the main disadvantages of the SVM algorithm is that it does not perform well with large

datasets, where there is a significant amount of noise, or when the number of features exceeds the

number of trained data samples. These limitations can impact the SVM model's accuracy and make

it less effective in certain use cases.

However, in our specific use case, the limitations of the SVM algorithm did not impact the quality

of our work. This is because the dataset used in our analysis was not very large, and the features

were clear and well-defined. This allowed the SVM algorithm to accurately classify the data points

into their respective classes and identify any potential security threats in the network traffic data.
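The margin constraints of Equations 2 and 3 can be seen at work in a small linear SVM, added here as an example and not taken from the thesis implementation. It is trained by sub-gradient descent on constructed per-node feature vectors; the feature layout, the sample values, the hyperparameters and the choice of +1 for the malicious class are assumptions.

```python
# Added example: linear soft-margin SVM trained by batch sub-gradient descent.
# All feature values are constructed; label +1 = malicious is an assumption.

# Per-node feature vectors: [tx_power_mW, rreq_to_rrep_ratio, broadcast_fraction]
TRAIN = [
    ([1.0, 0.28, 0.55], -1),
    ([1.0, 0.25, 0.48], -1),
    ([1.0, 0.23, 0.52], -1),
    ([1.0, 0.22, 0.60], -1),
    ([1.0, 0.18, 0.45], -1),
    ([1.0, 0.17, 0.50], -1),
    ([5.0, 0.00, 0.00], +1),
    ([5.0, 0.01, 0.02], +1),
    ([5.0, 0.00, 0.01], +1),
    ([5.0, 0.02, 0.00], +1),
]


def fit_scaler(rows):
    """Min-max statistics per feature so that no single unit dominates w."""
    cols = list(zip(*rows))
    mins = [min(c) for c in cols]
    spans = [(max(c) - min(c)) or 1.0 for c in cols]  # guard constant columns
    return mins, spans


def scale(x, scaler):
    mins, spans = scaler
    return [(v - lo) / s for v, lo, s in zip(x, mins, spans)]


def decision(w, b, x):
    """Signed score w . x + b; zero is the optimal classification line (Eq. 1)."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def train_svm(samples, lam=0.01, lr=0.01, epochs=3000):
    """Minimise lam/2 * |w|^2 + mean(max(0, 1 - y * (w . x + b)))."""
    n, dim = len(samples), len(samples[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        grad_w = [lam * wi for wi in w]
        grad_b = 0.0
        for x, y in samples:
            if y * decision(w, b, x) < 1:  # sample violates Eq. 2 or Eq. 3
                for j in range(dim):
                    grad_w[j] -= y * x[j] / n
                grad_b -= y / n
        w = [wi - lr * g for wi, g in zip(w, grad_w)]
        b -= lr * grad_b
    return w, b


def build_model(train=TRAIN):
    scaler = fit_scaler([x for x, _ in train])
    w, b = train_svm([(scale(x, scaler), y) for x, y in train])
    return scaler, w, b


def classify(model, x):
    """+1 on or above the hyperplane, -1 below it."""
    scaler, w, b = model
    return 1 if decision(w, b, scale(x, scaler)) >= 0 else -1


def functional_margins(model, train=TRAIN):
    """y * (w . x + b) per training sample; values near 1 are support vectors."""
    scaler, w, b = model
    return [y * decision(w, b, scale(x, scaler)) for x, y in train]


if __name__ == "__main__":
    model = build_model()
    print("w =", model[1], "b =", model[2])
    print("smallest functional margin:", min(functional_margins(model)))
    print("5 mW, no RReq, unicast only ->", classify(model, [5.0, 0.0, 0.0]))
```

The learned weights are positive for transmission power and negative for the RReq-to-RRep ratio and broadcast fraction, which matches the three behaviours used as features.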

Chapter 5: Results

In the simulation, seven nodes were set up to communicate with each other, with one of the nodes

being designated as a malicious node that mimicked a blackhole attack. As shown in Table 5.1, the

simulation ran for a duration of seven minutes, generating a total of 18,478 records that were

analyzed by the system. The system was able to accurately classify the records into two classes:

normal records and malicious records. Out of the 18,478 records, 13,353 records were labeled as

normal, while 5,125 records were labeled as malicious.

Table 5.1. Data generated from OMNET++ simulator

Dataset generated from OMNET++

Total number of records     18,478 Records
Malicious traffic           5,125
Normal traffic              13,353

Fig. 5.1 demonstrates the normal behavior of six nodes in the simulation. All nodes were sending

both RReqs and RReps in a normal way, with the number of RReqs to the number of RReps being

in a relative proportion across all nodes. This normal behavior was compared with the behavior of

the malicious node (node 6) in the second scenario, where it exhibited the three key features of the

blackhole attack.

By understanding the behavior of the blackhole attack, we were able to develop an Anomaly

Detection System based on SVM (ADS-SVM) that can detect and isolate malicious nodes in a

MANET. The detection system analyzes data collected during simulations and compares it to

normal behavior to identify any deviations. Once a malicious node is detected, it is isolated from

the network to prevent further harm.

Overall, the study highlights the importance of understanding the behavior of malicious nodes in a

MANET. By identifying the key characteristics of attacks such as the blackhole attack, an effective

solution was developed to detect and respond to these threats and maintain the security of the

network.

[Figure: "Normal Behaviour" chart of AODV Rrep and AODV Rreq counts for Node 2 to Node 7]

Fig. 5.1. Results of the simulator in absence of a blackhole attack

The graph in Fig. 5.2 illustrates a significant disparity in the number of Route Reply (RRep)

messages sent by node 6 compared to the other nodes in the network. This

discrepancy is due to the increased transmission power of node 6, which is set at 5 mW, compared

to the rest of the nodes, which are set at 1 mW. This higher transmission power allows node 6 to

respond to most RReq messages in the network, resulting in a significantly increased number of

RReps sent.

Furthermore, it is observed that node 6 sends almost no RReq messages, while the other nodes

have a high number of RReq messages, which are relatively similar to each other. This behavior is

indicative of a blackhole attack, as the attacker increases its transmission power to intercept and

respond to RReq messages, but does not send any RReq messages itself. This results in a

significant increase in RRep messages sent by the attacker, while other nodes in the network have

a lower number of RRep messages due to the blackhole node intercepting the RReq messages.

The system used three key features to classify the records accurately:

• The first feature was whether the transmission power of the node was changed. As

previously explained, the malicious node changes its transmission power to appear adjacent

to the Rreq sender, and this feature was used to identify potential malicious behavior.

• The second feature was a remarkable increase in responding to as many Rreq as possible.

This behavior is typical of a blackhole attack, where the malicious node attempts to

intercept as much traffic as possible.

• The third feature was the tendency of the malicious node to always send unicast messages

and almost never send broadcast messages.

By analyzing these three features, the system was able to accurately classify the records

into their respective classes, with a high degree of accuracy. This demonstrates the

effectiveness of the SVM algorithm in detecting and classifying potential security threats in

network traffic data.

The machine learning algorithm used in the simulation was able to clearly identify the

malicious records by analyzing the key features of the data. The system demonstrated a high

degree of accuracy in detecting the malicious nodes by analyzing their behaviors based on the

features mentioned above.
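
The three features above, derived from per-node counters and fed to a linear SVM, as an added example that is not the thesis's own code. The counters, the hinge-loss subgradient training and the names `features`, `train_linear_svm` and `predict` are assumptions, since the thesis does not give its kernel, training code or dataset here.

```python
# Added example (not the thesis's code). All counters below are constructed.

def features(power_changed, rrep_sent, rrep_total, unicast, broadcast):
    """Turn one node's counters for an observation window into the 3 features."""
    sent = unicast + broadcast
    return [
        1.0 if power_changed else 0.0,                  # 1: TX power was changed
        rrep_sent / rrep_total if rrep_total else 0.0,  # 2: share of all RReps sent
        unicast / sent if sent else 0.0,                # 3: unicast fraction
    ]

def score(w, b, x):
    """Signed distance-like value of x from the separating hyperplane."""
    return sum(wj * xj for wj, xj in zip(w, x)) + b

def train_linear_svm(X, y, lam=0.01, lr=0.1, epochs=1000):
    """Batch subgradient descent on the L2-regularised hinge loss."""
    w, b, n = [0.0] * len(X[0]), 0.0, len(X)
    for _ in range(epochs):
        gw, gb = [lam * wj for wj in w], 0.0
        for xi, yi in zip(X, y):
            if yi * score(w, b, xi) < 1:   # record is inside or beyond the margin
                gw = [g - yi * xj / n for g, xj in zip(gw, xi)]
                gb -= yi / n
        w = [wj - lr * g for wj, g in zip(w, gw)]
        b -= lr * gb
    return w, b

def predict(model, x):
    """+1 = blackhole suspect, -1 = benign."""
    return 1 if score(*model, x) > 0 else -1

# (power_changed, rrep_sent, rrep_total, unicast, broadcast, label) -- constructed
WINDOWS = [
    (False, 180, 1000, 200, 700, -1), (False, 160, 1000, 170, 650, -1),
    (False, 40, 1000, 60, 500, -1),   (False, 30, 1000, 45, 520, -1),
    (False, 150, 1000, 190, 600, -1), (False, 20, 1000, 30, 480, -1),
    (True, 850, 1000, 860, 4, 1),     (True, 800, 1000, 820, 10, 1),
    (True, 900, 1000, 905, 0, 1),
]
X = [features(*row[:5]) for row in WINDOWS]
y = [row[5] for row in WINDOWS]
MODEL = train_linear_svm(X, y)

if __name__ == "__main__":
    for row in WINDOWS:
        print(row[:5], "->", predict(MODEL, features(*row[:5])))
```
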

Fig. 5.2. Results of the simulator in presence of a blackhole attack [bar chart "Malicious Behaviour": AODV Rrep and AODV Rreq counts for Node 2 to Node 7]

As previously stated, a blackhole attack can be identified by analyzing the number of route replies

(Rrep) in response to route requests (Rreq). In such an attack, the malicious node will reply to as

many requests as possible but will not send any route requests. By analyzing the percentage of

Rreqs to Rreps, we can identify if a node is involved in a blackhole attack.

Fig. 5.3. Results of the simulator in the absence of a blackhole attack [bar chart "Rrq to Rrep %" for Node 2 to Node 7]

In Fig. 5.3, we can observe that the percentage of Rreqs to Rreps is quite similar across all nodes.

However, when we compare this with Figure 5.4, we can discern that node 6 has a markedly lower

percentage of Rreqs to Rreps. This strongly suggests that node 6 is involved in a blackhole attack.

Specifically, the number of requests sent by node 6 is almost zero percent of the number of replies

it sent, indicating that it is not actively seeking routes but is instead trying to disrupt the network

by dropping or selectively forwarding packets.

Fig. 5.4. Results of the simulator in presence of a blackhole attack [bar chart "Rrq to Rrep %" for Node 2 to Node 7]

By accurately identifying and classifying potential security threats in network traffic data, the

system can help network administrators take proactive measures to mitigate any potential attacks.

This can help improve the overall security of network systems and reduce the risk of data breaches

or other security incidents.

Table 5.2. Comparing the results to other researchers using machine learning detection system

Method           Detection accuracy
ADS-SVM          99%
Inception-CNN    96%
BLSTM            84%
DBN              75.36%

As shown in Table 5.2 and depicted in Fig. 5.5, the method proposed in this thesis for detecting black hole attacks in Mobile Ad hoc Networks (MANETs), ADS-SVM, performs better than the methods proposed by other researchers, namely Inception-CNN, BLSTM, and DBN. Specifically, ADS-SVM achieves a detection accuracy of 99%, which is significantly higher than the accuracy achieved by the other methods. Inception-CNN achieves a detection accuracy of 96%, which is still quite high but falls short of the accuracy achieved by ADS-SVM. BLSTM and DBN achieve lower detection accuracies of 84% and 75.36%, respectively. This suggests that ADS-SVM is a highly effective method for detecting black hole attacks in MANETs, and may outperform other existing methods in terms of accuracy.

Fig. 5.5. Comparing the results to other researchers using machine learning detection system [bar chart "Detection accuracy": ADS-SVM 99.00%, Inception-CNN 95.87%, BLSTM 84.03%, DBN 75.36%]

Chapter 6: Conclusion and Future Work

6.1 Conclusion

Mobile ad-hoc networks (MANETs) are unique in that they lack a fixed infrastructure and instead

rely on the cooperation between nodes to function as both clients and routers. However, due to

their lack of resources and security features, MANETs are more fragile than standard infrastructure

networks. In this thesis, we explored the concept of mobile ad hoc networks (MANETs) and their

various applications in Chapter 2. We highlighted the unique characteristics of MANETs, including

their decentralized nature and dynamic topology, which make them challenging to manage and

secure. Chapter 3 presented an overview of the existing literature on MANETs, identifying gaps in

current knowledge and building on existing research to develop new solutions. In Chapter 4, we

proposed a solution for discovering and avoiding blackhole attacks using machine learning. We

used OMNeT++ to simulate a malicious node in a MANET and generated a dataset that

we used to analyze the behavior of a malicious node carrying out a blackhole attack. We focused on

three key features to identify blackhole attacks: transmission power, the number of responses in

relation to the rest of the nodes, and the communication method used (whether it was unicast or

broadcast). These three features were thoroughly examined using machine learning techniques.

Finally, in Chapter 5, we summarized our key findings and suggested areas for future research. By

contributing to efforts to improve the performance, security, and reliability of MANETs, we hope

to further the development and application of this important technology.

6.2 Future work

While the simulation was conducted on only seven nodes with a single attacker, this research

provides a foundation for future studies on blackhole attacks in larger MANET networks with

multiple attackers. This would allow for a deeper analysis of blackhole attacks in larger networks

as well as network traffic analysis with the presence of multiple attacking nodes.

The proposed solution using machine learning provides a promising approach for detecting and

mitigating blackhole attacks in MANETs. By analyzing the key features of network traffic data,

machine learning algorithms can accurately identify potential security threats and help network

administrators take proactive measures to mitigate any potential attacks.

Overall, this research highlighted the importance of addressing security challenges in MANETs

and developing effective solutions to mitigate potential security threats. By continuing to explore

and refine these solutions, researchers can improve the overall security of MANETs and help

prevent costly data breaches or other security incidents.

Bibliography
1. M. H. a. M. S. A. a. M. H. a. M. A. a. R. A. A. a. J. M. A. Hassan, "Mobile ad-hoc network routing
protocols of time-critical events for search and rescue missions," Bulletin of Electrical Engineering and
Informatics, vol. 10, no. 1, pp. 192--199, 2021.
2. P. a. V. S. a. R. D. B. a. D. S. a. o. Rani, "Mitigation of black hole attacks using firefly and artificial
neural network," Neural Computing and Applications, pp. 1--11, 2022.
3. S. K. a. S. T. Prasad, "Performance comparison of multipath routing protocols for mobile ad hoc
network," International Journal of Systems, Control and Communications, vol. 13, no. 1, pp. 82--98,
2022.
4. Shrivastava, Prashant Kumar, and L. K. Vishwamitra. "Comparative analysis of proactive and reactive
routing protocols in VANET environment." Measurement: Sensors 16 (2021): 100051.
5. Mukti, Fransiska Sisilia, et al. "A Comprehensive Performance Evaluation of Proactive, Reactive and
Hybrid Routing in Wireless Sensor Network for Real Time Monitoring System." 2021 International
Conference on Computer Science and Engineering (IC2SE). Vol. 1. IEEE, 2021.
6. A. M. a. K. S. a. M. A. H. Shantaf, "Performance evaluation of three mobile ad-hoc network routing
protocols in different environments," in 2020 International Congress on Human-Computer Interaction,
Optimization and Robotic Applications (HORA), 2020.
7. A. a. A. Z. M. Yasin, "Detecting and isolating black-hole attacks in MANET using timer based baited
technique," Wireless Communications and Mobile Computing, 2018.
8. D. a. M. A. a. A. S. a. P. S. Ramphull, "A review of mobile ad hoc NETwork (MANET) Protocols and
their Applications," in 2021 5th international conference on intelligent computing and control systems
(ICICCS), 2021.
9. D. Kanellopoulos, "Congestion control for MANETs: An overview," ICT Express, vol. 5, no. 2, pp.
77--83, 2019.
10. D. a. S. V. K. Kanellopoulos, "Survey on power-aware optimization solutions for manets," Electronics,
vol. 9, no. 7, p. 1129, 2020.
11. B. S. K. a. A. M. a. K. A. R. a. G. P. Anibrika, "A Survey of Modern Ant Colony Optimization
Algorithms for MANET: Routing Challenges, Perpectives and Paradigms," International Journal of
Engineering Research and Technology (IJERT), 2020.
12. N. a. C. U. Yadav, "Secure Routing in MANET:A Review," in 2019 International Conference on
Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), 2019.
13. S. J. J. a. R. A. a. S. S. Thangaraj, "Comprehensive Learning on Characteristics, Applications, Issues
and Limitations of Manets," International Journal of Innovative Technology and Exploring
Engineering (IJITEE) ISSN, pp. 2278--3075, 2019.
14. K. A. a. A. S. Alshaker, "Availability in IOT for MANET network," Materials Today: Proceedings,
2021.
15. N. a. M. R. Sivapriya, "Analysis on Essential Challenges and Attacks on MANET Security Appraisal,"
JOURNAL OF ALGEBRAIC STATISTICS, vol. 13, no. 3, pp. 2578--2589, 2022.
16. M. a. A. L. a. A. R. S. a. H. M. A. a. A. S. a. S. M. A. Maad Hamdi, "A Review of Applications,
Characteristics and Challenges in Vehicular Ad Hoc Networks (VANETs)," in 2020 International
Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA), 2020.

60
17. S. Yogarayan, "Wireless Ad Hoc Network of MANET, VANET, FANET and SANET: A Review,"
Journal of Telecommunication, Electronic and Computer Engineering (JTEC), vol. 13, no. 4, pp. 13--
18, 2021.
18. H. Al-Refai, "An Enhanced AODV Protocol Against Black Hole Attack Based on Classification
Algorithm," Int. J. Open Problems Compt. Math, vol. 13, no. 2, 2020.
19. F.-H. a. C. H.-P. a. C. H.-C. Tseng, "Black hole along with other attacks in MANETs: a survey,"
Journal of Information Processing Systems, vol. 14, no. 1, pp. 56--78, 2018.
20. S. a. C. S. Gurung, "A dynamic threshold based approach for mitigating black-hole attack in MANET,"
Wireless Networks, vol. 24, no. 8, pp. 2957--2971, 2018.
21. P. Sarao, "Performance Analysis of MANET under Security Attacks," Journal of Communications,
vol. 17, no. 3, 2022.
22. K. a. S. M. Rama Abirami, "Preventing the impact of selfish behavior under MANET using Neighbor
Credit Value based AODV routing algorithm," vol. 43, no. 4, pp. 1--7, 2018.
23. A. M. a. D. H. El-Semary, "BP-AODV: Blackhole protected AODV routing protocol for MANETs
based on chaotic map," IEEE Access, vol. 7, pp. 95197--95211, 2019.
24. M. a. o. ponnusamy, "Detection of selfish nodes through reputation model in mobile adhoc network-
MANET," Turkish Journal of Computer and Mathematics Education (TURCOMAT), vol. 12, no. 9,
pp. 2404--2410, 2021.
25. A. a. O. M. a. D. N. a. T. A. Hammamouche, "Lightweight reputation-based approach against simple
and cooperative black-hole attacks for MANET," Journal of information security and applications, vol.
43, pp. 12--20, 2018.
26. R. L. a. R. C. Raghavendar, "Node activity based trust and reputation estimation approach for secure
and QoS routing in MANET," International Journal of Electrical and Computer Engineering, vol. 6,
no. 9, p. 5340, 2019.
27. D. a. D. P. Dave, "An effective Black hole attack detection mechanism using Permutation Based
Acknowledgement in MANET," 2014.
28. M. A. a. D. B. Hussain, "Preventing Malicious Packet Drops in MANETs by Counter Based
Authenticated Acknowledgement.," Ingénierie des Systèmes d’Information, vol. 25, no. 2, pp. 173--
181, 2020.
29. M. P. a. M. R. a. A. S. Preet, "RESEARCH TECHNOLOGY INTRUSION DETECTION SYSTEM
FOR MANET," INTERNATIONAL JOURNAL OF ENGINEERING SCIENCES, 2020.
30. F. a. Y. M. B. a. N. A. Albalas, "Detecting black hole attacks in MANET using relieff classification
algorithm," in Proceedings of the 5th International Conference on Engineering and MIS, 2019.
31. M. B. a. K. Y. M. a. A. M. Yasin, "Feature Selection for Black Hole Attacks," J. Univers. Comput.
Sci., vol. 22, no. 4, pp. 521--536, 2016.
32. Laqtib, S., El Yassini, K. and Hasnaoui, M.L., 2020. A technical review and comparative analysis of
machine learning techniques for intrusion detection systems in MANET. International Journal of
Electrical and Computer Engineering, 10(3), p.2701.
