Detection of black-hole attacks in MANET using adaboost support vector machine

Abstract

Mobile Ad hock Networks (MANETs) are currently used for developing the privacy and accuracy of modern networks. Furthermore, MANET applications are fit to be data-oriented systems, that introduce a secure and more robust data transmission protocol making it a topmost priority in the design. The lack of infrastructure in the existence of dynamic topology as well as limited resources of MANET is a major challenge facing those interested in the field. Further, the nonexistence of a formerly authorized trust relationship within the connected nodes produces instability of the detection process in MANETs. Basically, by adding adapted LEACH routing protocol to MANET, enhancement of the preserved nodes vitality will be achieved, moreover, the load balancing with data loss reduction provides MANET ability to tracks along with shortest and limited paths. This paper proposes a newly developed detection scheme for both active and passive black-hole attacks in MANETs. Moreover, the scheme deals with assessing a group of selected features for each node-based AdaBoost-SVM algorithm. These features are collected from cluster members nodes based on Ad hoc On-demand Multipath Distance Vector (OMDV) with LEACH routing protocol clustering approaches. Although SVM is considered a more stable classifier, there are great influences of the AdaBoost weight adaption algorithm to enhance the classification process in terms of strengthening the weights of extracted features. This hybrid algorithm is essential for active black-hole attacks as well as for identifying passive black-hole attacks in MANET. The proposed scheme is tested against the effect of mobility variation to determine the accuracy of the detection process including the routing overhead protocol. The experimental results investigated that the accuracy of detecting both active and passive black-holes attacks in MANET reached 97% with a promising time complexity for different mobility conditions. Moreover, the proposed scheme provides an accurate decision about malicious vs benign node dropping behavior using an adjustable threshold value.

Keywords

Ada-boost support vector machine AOMDV black-hole attack and MANET

1 Introduction

Currently, Mobile Ad hoc Networks (MANETs) have drawn great attention as a mobile network for exchanging and extracting essential information. There are different applications related to that area including mobile applications, and healthcare systems, and are much more evident in military communications used on battlefields as there is no need for infrastructure equipment. Typically, MANET is defined as a dynamic topology Ad hoc network that consists of many distributed and decentralized infrastructures-less nodes. These nodes share a broadcast channel with limited resources. Each node works dependently as a host and as a router to connect the non-neighbors’ nodes. These features enforce the nodes to cooperate in routing and forwarding of data. Energy consumption plays an essential role while selecting MANET routing protocol, because the battery node drain can halt its function and cause link disconnection. Modern approaches propagate the Low Energy Adaptive Cluster Hierarchy (LEACH) to consume the energy and that is generally considered as an efficient routing protocol for consumption of the energy in MANET [1 –3]. Researchers have demonstrated that implementing LEACH provides a long lifetime in a MANET with reliable high link mobility. LEACH protocol in MANET ignores the shortest path routing principle and creates a multipath between source and destination to improve transmission reliability and provide economical energy consumption [3]. Nevertheless, unlike wired networks, the behavior of the node is changeable and indefinite during the data routing process, and that leads to various attacks in MANET. Therefore, MANET security remains an open challenge, and many types of research have recently recommended different defenses against many types of attacks such as [4] intrusion attack, poison attack, denial of service (DoS) attack, schedule overrun, and black-hole attack. Generally, these attacks are categorized into four well-known types [5], namely, spoofing, sinking, fabrication, and flushing. The most harmful node behavior is sinking, by which, one or more nodes do not cooperate with the routing process in the network. Further, the packet is dropped during the transmission from source to destination. As a result of packet drop, the behavior of sinking is vulnerable to DoS attack [6]. Different detection and prevention techniques for this attack were introduced and discussed. However, a robust sinking detection system should distinguish between malicious sinking and benign sinking, since benign packet dropping in MANET could happen due to different factors, i.e., nodes mobility, high traffic, fading conditions, and high network density. Applying conventional IDS for MANET security faces many challenges because of the node’s dynamic nature and heterogeneity. Also, it is affected by network congestion and routing delay. Since the randomness in the interval of transmissions and dynamic routing challenges the performance of IDS. Therefore, an intelligent routing algorithm is highly recommended in this case. The behavior of the sinker node could be distinguished based on two features: Packet Dropping Ratio (PDR) and duration of an attack. Since the sporadic sinking node behavior is highly confusing with benign packet dropping. To select the best path from the source to destination, an intelligent routing protocol is proposed to isolate the sinker node out of the extracted features from the transferred packets.

The administrator absence for every node act as a router to increase the vulnerability of MANET. Moreover, continuous varying in energy and spatial distribution enforces constraints in dealing with MA-NET security issues. The major contribution of this paper is the capability for an adventure of the data combined by applying LEACH routing protocol with on-demand reactive multipath named AOMDV to MANET [7]. Further, for detecting both active and passive black-hole attacks in MANET, this protocol integrates the advantages of both reactive and proactive routing procedures. Afterward, to perform a single route process and determine the multiple paths caches; we present a new routing discovery process that is responsible for all these paths that undergo breakage. In the routing discovery process, a proactive way for the selected path is achieved and the response is related to the reactive fashion. In this paper, we present a semi-parametric Machine Learning (ML) architecture for weighting the combined data extracted from each cluster to detect the black-hole attack including the paths through MANET. Moreover, ML-based semi-parametric analysis offers the pros of ML high detection accuracy with a minimum complexity because of using semi-parametric analysis. In the proposed scheme, a conditional proactive routing phase is performed during the lifetime of the MANET to collect the neighbor node’s information. Furthermore, by applying the semi-parametric ML for malicious detection of the node, optimizations of running time with minimum complexity are achieved. Finally, these results can be utilized in a reactive routing manner to monitor other nodes. The novelty of this work is realized in adjusting the weight of the features for an iterative way to assist greatly in reducing the complexity and time of the detection process, by which it helps mainly in preserving the vitality of nodes during mobility. Moreover, the proposed architecture achieves high flexibility for adjusting the threshold values to discriminate the malicious and benign sinker nodes.

The remainder of this paper is organized as follows. The literature survey is presented in Section 2. While the proposed scheme is presented in Section 3, Section 4 investigates the experimental results, simulations, and discussions. Finally, in Section 5 the conclusions and future works are presented.

2 Related works

In this section, some of the prevailing solutions to the black hole attack in MANETs and ad hoc networks will be discussed. Recent trends in this area have led to a proliferation of studies to get many successful models and routing protocols [4]. One of the important challenges is securing links in network design, especially through insecure media. Therefore, because of the limited capacity of the node, the previous studies have reported that the traditional security routine with large accounts and overheads of communications is not appropriate in MANET [8]. Thus, a control mechanism should be established to join only authorized nodes to have accessibility to a network. Some of these common detection methods are based on ad hoc routing protocol security extensions like Secure Ad-Hoc On-Demand Distance Vector (SAODV), Secure Efficient Distance vector routing for mobile wireless Ad hoc networks (SEAD), and Sequential Assignment Routing (SAR) [9]. These strategies need to add a kind of security strategy based on a complex encryption/decryption algorithm. Although they provide sufficient routing security to detect the blackhole threats, this will cost too much in resource consumption to achieve a strong collaborative relationship between nodes in a network. Additionally, Shurman et al. [10] introduced a redundant routing protocol to authenticate that the node is safe or malicious. In this technique, the source node at least needs to get and unicast a ping to three separate routes to the destination. After checking the reply to ping requests, the source node should verify each node and get a safe route to reach the destination. In this method, there is no further corresponding processing on malicious nodes, but it requires a higher delay to each transmission.

Recent studies have been carried out to mitigate the harmful effects of the black hole attack and its variants in MANET and different detection mechanisms have been applied [11]. A great deal of active research into MANETs has focused on optimizing routing protocols based on several mechanisms and making the routing decision established on several distinct constraints. It has been noted that concatenating a clustering approach with a distinct mechanism to detect black hole nodes even in the case of the frequent change in node mobility as in a VANET (Vehicular Ad hoc Network) topology can be more beneficial in isolating malicious nodes [12]. Moreover, performing minor changes with the observed data in the structure of the MANET with suitable routing protocols could enhance and increase the efficiency and security of simultaneous real-time applications [6].

The fuzzy inference system is one of such systems, the authors in [13] built and analyzed the performance of a couple of routing protocols including (AODV and DSR) in the existence of fuzzy inference system and compared the system performance without it. Recently, Ektefa [14] investigated that the classification tree based on SVM is utilized to detect intrusions within a set of characteristics like entropy and Information Gain (IG) for each function. Another IDS model was established based on the concepts of Neutrosophic rules which compute with symbols instead of numeric values to determine each attack by the membership, non-membership, and indeterminacy degrees in a hybrid framework of Self-Organized Features Maps (SOFM) and the genetic algorithms (GA) [15]. Applying this algorithm gives enhancement performance to the detection process by which the computation time required with network assignment by the administrator, and the communications overhead of the system are still vulnerable challenges. In [16], they provided a black-hole detection scheme developed using dynamic threshold values to severe changes in the regular performance of the network connections. Moreover, in [17] another solution for detecting the black-hole attack is investigated using the first route reply by which the response from the malicious nodes determined and therefore deleted this transaction. Since this solution leads to a decrease of data loss with the increase of the throughput, it cannot discriminate the maliciousness of the packet sinking. Therefore, Yazhini and Devipriya [18] presented a modified AODV routing protocol based on SVM to detect black-hole attacks. In each active transmission, their proposed model generated a contingency table to monitor the size of the sent packets. To determine the density curve of each packet transmitted from source to destination for time, a simple network composed of seven nodes are presented to determine the status of MANET with and without a black hole. The low peaks in the density curve indicated that one malicious node detection. Therefore, additional data collection is demanded to determine the black-hole node and to generate the whole behavioral proofs that represented the information extracted from data traffic and accelerating paths with more indication to get satisfied prediction results [19, 20]. Ardjani et al. [21] presented an improved SVM algorithm depending on particle swarm named (PSO-SVM) to improve the accuracy of SVM. Therefore, Kaur and Gupta in [16] implemented the idea of integrating both minimum and maximum variants optimization using Ant-colony-SVM (i.e. ACO-SVM) depending on AODV routing protocol for detecting passive black-hole attacks in MANETs. Moreover, in [18] PSO-SVM is used to identify the dropping packets by passive black holes in an intrusion detection system (IDS). In [22], they propose ML techniques to distinguish the difference between attacked and normal behavior of a specified network. Additionally, in [23], they attempted to avoid the black hole attack in MANET by applying a slight change in AODV protocol based on presenting the consistency factor-based approach to detect fake RREP. To determine the value of this factor a periodical check is performed to detect the attacker node. Wile, many researchers focused on detecting passive black-holes, there are restricted current solutions to detect active black-hole attacks. As a solution, a method of utilizing the chaotic map features to extend the functionality of the AODV protocol had been proposed to effectively fight the cooperative malicious nodes during the routing process [24]. All of these methods depend on certain features to detect the attacks, such as an end-to-end delay, packet dropping, Packet Delivery Ratio (PDR). Hence, the classification performance of machine learners is affected by these parameters. Additionally, the data gathering process is a crucial step since the representative data differ not only from each problem to another but also from one period to the other. Therefore, to address networking problems, a more effective ML model can be implemented by extra illustrative out of bias data. Timer Based Baited algorithm is presented by Yasin and Zant [25] as they used NS-2.35 simulation toolbox applied to AODV. The results of their proposed technique are 29.69% throughput without blackhole attacks and 108.45% with the black-hole attack. Biga and Pramila [26] presented a survey for recognizing black-hole attacks in MANET and studied the difference between both active and passive attacks for IEEE 802.11 media access control. Furthermore, a simulation-based on dynamic source routing (DSR) protocol of MANET and Ad Hoc on Demand Vector (AODV) protocol is presented by Mwangi et al. [27, p. 3] and the performance of packet delivery reached 95% with routing overhead 4.75% within a range of 0.9 to 1.65 sec for an end-to-end delay and 95.6 kpbs throughput. In [28] a wormhole attack in AODV was handled using the packet delivery ratio for each node to detect both active and passive attacks, the resulting speed reached 15 m/sec to deliver the packet with maximum attackers.

3 Proposed scheme

MANETs are characterized by having continuous variations in their node’s spatial distribution. Hence, the reactive routing protocols are highly required to be applied in such networks. However, energy constraints play an important role in route selection. As mentioned in Sec.2, applying the LEACH protocol into MANET introduces a great solution to these problems. LEACH protocol can divide the entire network into clusters, each cluster consists of a group of cluster members (aka CM) assigned to a cluster head (aka CH). Those cluster members are moving all the time within a predefined cluster region, and the candidate CH is responsible for transferring data between them and the base station. Due to CM’s mobility, they may lose their direct route with the corresponding CH, thus a process of route selection within entire clusters may be needed to reach the nearest CH. These arrangements could be exposed to different types of attacks. DOS is the most dangerous one. It may occur due to a black hole or sink hole attack. Black holing occurs when the traffic is redirected through forged routing to a malicious node. Due to this attack, the network performance is degraded and disturbed in terms of increasing end-to-end delay and decreasing throughput. Rather than, sink holing routes the traffic to another working adversary node and preventing the base station from receiving the data from other nodes [29].

The proposed scheme in this paper is mainly concerned with detecting black hole attacks. The black-hole attacks can be classified into two categories: passive and active black-hole. Passive black hole attacks occur when a single malicious node broadcasts a routing message with exceptionally high power, it has a vast capability to mislead many nodes, as it reroutes the data reaching through itself and drops all the packets. Hence, this kind of black hole attack assaults only the topology of a network without injecting the network with extra false routing messages [30]. In the active black hole attacks, the malicious node convinces the whole nearby nodes to send their packets earlier by receiving the immediate Route Reply Packet (RREP) Packet. After receiving a Route Request Packet (RREQ), the active black hole node immediately responds with a fake RREP to the source node by claiming to have a one-hop path to reach the destination. In Fig. 1 the illustration of both passive and active black-hole attacks are demonstrated. Typical to the AOMDV routing protocol, every source node will send data packets after getting the first RREP packet and drop the remainder of RREP packets. Thus, these uncensored nodes seek to use this malicious node as the next hop in their routing path. However, they are at a far-away distance from the destination node, and they need multiple hops to get a transaction. Through doing this scenario, the active black hole node can pull more packets that are sent from other nodes and tamper with the routing information. Consequently, it is remarked that the active black hole node interrupts regular communication and severely affects the network load. Therefore, it is very hard to disclose or prevent and has more devastating impacts on the network than the passive black hole [31].

Fig. 1

Black-Hole attacks including (a) Passive black-hole, and (b) Active black-hole.

In this work, an integration of the LEACH routing protocol for reactive on-demand multipath AOMDV is proposed with ML algorithms for improving the performance of detecting the two well-known types of black-hole attacks. Through the detection process, intelligent groups of Quality of Service (QoS) are applied to produce the most significant features. These features are demonstrated to be effective indicators for preventing active malicious behavior and to be compared with other noisy features which are results from distracts of detection decisions. Furthermore, each feature weight through the learning process is arranged to Ada-Boost weights to provide an effective monitoring action used to detect the active resulting black-hole. A group of cluster head nodes is selected periodically to collect these features that are collaboratively aggregately and exchangeable routing reply tables to produce trustworthy nodes. These cluster heads are selected during the whole MANET lifetime based on the LEACH-AOMDV dynamic cluster head (CH) selection technique. At each round, LEACH-AOMDV applies the random method to distribute the energy load among nodes. Here the CH is chosen to have a higher energy level with a suitable dynamic threshold value i.e., this threshold value is ranged from 0 to one as probability value.

The major contribution here is the AOMDV which is applied to the basic AODV route discovery approach, with minimum required energy perspective. Further, it registers multi-path from the source to the destination, by which one of them represents the primary path and the others represent alternatives ones. Both primary and alternative paths are used to communicate with the enrolled packets to increase the utilization of MANET network. Multi-path selection is performed on pre-advertised hop counts by which the protocol rejects all replies with hop counts greater than or equal to the advertised one. Afterward, the multi-path routes with a lower hop count.

Cluster-based routing has proven to be a very useful routing protocol that can decrease communications, save node’s energy, and achieves load balance. Dealing with MANET poses extra routing challenges due to its dynamic topology. However, the LEACH technique is considered a self-adaptive and self-organized cluster-based routing protocol that provides more flexibility by inserting or eliminating nodes into clusters in each round. The whole MANET is classified into distinct clusters, every cluster consists of a sensor node, that has the higher residual energy compared with other nodes, is selected to be CH, and the other ones are named cluster members (CM). The entire nodes collaborate in work for serving the request. The main idea of AOMDV is to compute multipath during discovering the routes by which one of them represents the primary path and the others represent the alternative ones. During the alternative paths, we ensure that the communications between the nodes provide high reliability, high network utilization, and reduce blocking probability. However, these paths were selected depending on ordinary protocol lacking any security analysis.

Referring to the previously defined passive black-hole node behavior, the LEACH routing protocol algorithm can identify the passive black-hole attack in which the CH demonstrated the higher power of the transmitted data concerning time. Moreover, black hole operates as a probability function that can be chosen with a promising reduced computational time [32]. For each round, through the complete MANET lifetime, clustering is prepared periodically within major two stages; stage (1) is the clustering set upstage and the second is (2) the steady-state stage. Through the setup stage the CH is designated while in the steady-state stage, the data is identified. The steady-state lifetime is far longer than the set-up stage to decrease the consumption of energy. CH is particular for every round using threshold determination of the total number of nodes within the cluster. Typically, the number of rounds for each CH node probability (p) is determined with each node’s energy. Therefore, the CH workload is distributed based on the enrolled nodes of MANET ensuring the entire lifetime is increased by rotating their roles, i.e., CH cannot be repeated in the first round while the next (1/p) rounds periodically [32]. The networks start a new round after a predetermined time by repeating the two stages, respectively.

After cluster formation, the CH is responsible for gathering the information from CMs. The aggregation of data is accomplished by the cluster head to reduce redundancy. Each CH broadcasts an advertising message to the other nodes, then each node specifies its CH based on the signal strength of the advertising message received. Finally, CM relates to the selected CH by sending a joint message.

Once the set-up stage ends, the steady state begins. Each CH collects data from its CM’s. Upon data aggregation process at CH’s, the dropping behavior can be sensed by measuring the delay variance of the received packet into each cluster; (aka, jitter value). This delay could be due to benign causes such as improper queuing; congestion in the network, configuration errors, mobility, or it could be due to malicious node behavior. The task of each CH is to test the collected features against the real cause behind this delay.

The proposed scheme operates through two major phases that are concatenated in each round; i) Data aggregation; to collect neighbors’ nodes features which simulate the process of the reactive protocol ii) Identification of Malicious Nodes; that investigates the collected data based on ML to build dependable routing tables, in addition to proactive routing protocols. In [35], the authors suggested an adaptive boosting algorithm (Ada-Boost) that is commonly used to boost the weak classifier and generate strong classifiers. The Ada-Boost is applied to be adjusted by using the weighted update algorithm mentioned in [33, 34] by which each feature weights of the iterative learning is used to reduce the computation complexity. Moreover, the Ada-Boost algorithm plays a vital role in strengthening the weights of the input features to enhance the performance using SVM learner algorithm. SVM is mainly chosen in the identification phase for nonlinear ML algorithms that can be categorized as a stable, strong classifier that achieves higher detection accuracy [33].

The flow chart of the principal processes is investigated in Fig. 2 which represents the scheme that is repeated periodically during the whole MANET lifetime. It can be explained in detail as follows:

Fig. 2

Flowchart of the Proposed Scheme.

3.1 Phase (1): Set-up phase

Generally, the entire MANET with a spatial area is divided into several clusters named Cluster Heads (CH’s). The CH can be selected by residual energy by which each node has the same probability (p) in CH for the first round. Given that when the numbers of rounds are increased, the resulting probability response of CH for each node is decreased until all nodes are departed. In this paper, we were inspired by the set-up phase based on the standard LEACH protocol algorithm as in [35].

3.2 Phase (2): Data-aggregation phase

Regarding the suspicious cluster, the data-aggregate phase starts infrequently at CH based on the jitter value computed for this cluster. Moreover, the CM’s are distributed in the deployment field and the simulation of data-aggregate phase is performed based on the following effected parameters: Throughput, Packet Delivery Ratio (PDR), Average number of hops (NH), Normalized Routing Load (NRL), Number of Packet Loss (NPL), Average Data Delivery (ADD), Dropped Packets (DP), and Energy Consumption (EC).

The following step illustrates in detail how the Data-aggregation phase is performed.

Step 1: For CH node (n_k), given k = 1, 2,..K; such that K is the total number of suspicious nodes, and the RREQ sends the packets to the neighbors within the cluster.

Step 2: RREQ packets are received when the neighbor node accepts the responses with RREP packet and realizes if it has the destination, if not, the RREQ multi-casts its neighbors to continue the route to find the next operation.

Step 3: RREQ, and RREP packets information are collected regarding modified-neighbors, and hop-count, (the smaller number of hops advertised by the Sinker node and flags itself as the shortest path).

Step 4: For each CH node (n_k), the RREPT that represents the route reply table is created covering essential features associated with the neighbor node CM, n_i such that (i = 1, 2, ... I; I represents the total number of CM into each cluster). The following represent the enrolled features:

Determination of Destination Node Identification Number (DNID) or (D-ID).

Calculation of Initialization Time (IT); the started time by which RREQ was sent its packets.

Determination of the Waiting Time (WT); the time RREP received given end-to-end delay that represents the difference between IT and WT.

Specifying the Next Node Hop (NH) Identification number (ID).

Determination of a total number of Hops Count (HC) to reach from source to destination.

Specifying the Packet Delivery Rate (PDR) for each neighbor node.

Calculating the Residual Energy (RE) of each node within the cluster.

3.3 Phase (3): Malicious-Node-identification (MNI)

When the RREPT is completed, the data analysis phase begins. This stage aims to analyze the specific RREP features mentioned above in order to give a decision about the benign behavior versus the malicious behavior of the nodes. The following steps represent Malicious-Node-identification (MNI) phase: -

Step 1 : In the presence of each Fj, such that j = 1, 2, 3..J; represent the total number of features, N observations are recorded through an interval of I such that [i = 1 T] under typical conditions based on previous RREPT records for each feature. The average value C_j as well as the standard δ_j deviation are determined as in Equations (1) and (2) as follows: $c_{F_{j}} = \frac{1}{N} \sum_{i = 1}^{N} F_{ji}$ (1) $δ_{F_{j}} = \sqrt{\frac{\sum_{i = 1}^{N} {(F_{ji} - c_{F_{j}})}^{2}}{N}}$ (2)

Step 2: The new enrolled features are determined by feature normalization value based on Euclidean distance dj as shown in Equation (3) and (4) respectively: $\bar{F_{ij}} = \frac{F_{ij} - min F_{j}}{max F_{j} - min F_{j}}$ (3) $d_{j} ({\bar{F}}_{j}, c_{F_{j}}) = \sqrt{\sum_{i = 1}^{N} {({\bar{F}}_{ji} - c_{F_{j}})}^{2}}$ (4)

As investigated in the equations, we found that the parametric sampled data based on using ML can be computed as in step 3.

Step 3: By Applying the SVM-classifier for the collected sampled pairs of features (F_ij, $\bar{F_{ij}}$ ), the learners Ada-Boost the weak classifiers to generate strong classifiers based on using SVM by adjusting the weights. Therefore, the resulting feature weights achieve the same value as investigated in Equation (5): $W_{1} (t) = \frac{1}{J}$ (5)

Based on SVM classifier, the updated weights (W_t+1) are determined based on the resulting classifier’s error (ɛ) value of (F_ij, $\bar{F_{ij}}$ ) that represent the pair samples given the previous weights sets W_t as shown in Equations (6) to (8): $W_{t + 1} = \frac{W_{t} \exp (- \propto_{t} \bar{F_{ij}} h_{t} (F_{ij}))}{Z_{t}}$ (6)

Where: $\propto_{t} = \frac{1}{2} log (\frac{1 - ɛ_{t}}{ɛ_{t}})$ (7) $h_{t} = arg \min_{h_{j}} ɛ_{j} = \sum_{i = 1}^{N} W_{t} (i)$ (8) where a total number of weights (N) by which the number of iteration for different weights are updated continuously until addressing the AdaBoost-SVM optimization problem [33]: $\min_{w} φ (W, ξ) = \frac{1}{2} ∥ W ∥^{2} + C$ (9)

Where (φ) is the optimization function of sampled pairs (F_ij, $\bar{F_{ij}}$ ) given that the regularization C, and i represent the number of iterations such that ξ_i > 0 for i slack variable. As presented in Algorithm 1 the detailed illustration of the proposed algorithm steps.

Algorithm 1: Data aggregation and Analysis phases.
1:
	While MANET lifetime = true do
2:
	% Apply LEACH algorithm
3:
	For c = 1, K.
4:
	Compute jitter(c)
5:
	If Jitter(c)< = stability threshold
6:
	Do
7:
	% Phase1: data aggregation
8:
	Repeat n_i≤I do
9:
	send RREQ
10:
	Receive RREP
11:
	Construct RREPT
12:
	Until all nodes reply
13:
	% phase 2: malicious node detection
14:
	For n_i≤I do
15:
	For j≤J do
16:
	Computeμ_j,δ_j, $\bar{F_{ij}}$
17:
	Apply machine learning technique
18:
	If detection threshold = true
19:
20:
	Mark (n_i) as a suspicious node
21:
	End
	End
	End
	End

4 Results and discussion

In this paper, the simulation results is tested and implemented for the proposed scheme depends on the following environment and conditions:

For MANET, the simulation environment is implemented based on (NS-2) simulator version number 2.35 performed on Core I3 Intel-processor with 2.40 GHz, and 2GB RAM with Ubuntu Linux 12.04.

MANET Simulation based on NS-2 simulator version 2.35 is preferred rather than NS-3 by which it offers a more diverse set of MANET modules. Further, to normalize the environment implementation with similar state-of-the-art researches in [1, and 7].

The area size for the simulation are (1500 m×1500 m) by which the rectangular space were randomly distributed based on mobile communication model with specified nodes and constant bit rate (CBR) traffic source. Table 1 demonstrates the basic MANET parameters used in the experimental results. Different simulation scenarios are tested and the resulting performance of the proposed architecture in terms of the efficiency of detecting the black-hole attacker node and the total detection time. These scenarios include different mobility modes to check the robustness of the proposed detection scheme.

Table 1
The proposed MANET parameter simulation

Parameter Value

MAC-Protocol IEEE 802.11

Model of Antenna Omni-Directional

Scale of MANET Net work 1500 m×1500 m

Simulation time 10 sec.

MAC Type 802.11

Traffic CBR

Routing protocol AOMDV/LEACH

Size of Packet 1000 Bytes/packet

Data Rate 0.1 Mbps

Node placement Random

Node movement Random

Node velocity 5–20 m/s

Pause time 1 sec

No. of mobile nodes 33 [3 clusters]

No. of source 1 / cluster

No. of attackers 1 / cluster

Observation parameters Jitter, PDF, end-to-end delay, throughput.

Parameter	Value
MAC-Protocol	IEEE 802.11
Model of Antenna	Omni-Directional
Scale of MANET Net work	1500 m×1500 m
Simulation time	10 sec.
MAC Type	802.11
Traffic	CBR
Routing protocol	AOMDV/LEACH
Size of Packet	1000 Bytes/packet
Data Rate	0.1 Mbps
Node placement	Random
Node movement	Random
Node velocity	5–20 m/s
Pause time	1 sec
No. of mobile nodes	33 [3 clusters]
No. of source	1 / cluster
No. of attackers	1 / cluster
Observation parameters	Jitter, PDF, end-to-end delay, throughput.

Firstly, the whole MANET must be clustered periodically during the whole lifetime to specify the CH’s. The clustering is based on LEACH technique for different mobility conditions in the case of free MANET and black hole attacked MANET, respectively. As the black-hole attack has severe impacts on the performance of the MANET, various parameters that credit the network efficiency have been analyzed.

4.1 Security analysis

The simulation results are accompanied by different scenarios of mobility speeds to assess the performance of such attacks. We used fixed 5 m/s and 20 m/s speeds for each node. Moreover, the applied nodes are randomly moved in the entire direction. In this experiment, we have four scenarios that are used, the two beginning scenarios with fixed node mobility (5 m/s and 20 m/s), while the other two scenarios have the same conditions with an active sink-hole attack. If node-4 and node-5 belong to cluster-1 and cluster-2 respectively are attacker nodes. Figures (3a-3d) exhibit the variation of attacker nodes parameters readings for the different four scenarios mentioned above. These figures are real-time implementation recorded during the whole MANET simulation time (X-axis) to track the variations in essential node parameters transmission readings (Y-axis), such as packet delivery rate, throughput, node delay, and dropped packets.

These figures reveal that increasing the mobility of the nodes has a noticeable effect on degrading its parameter readings. Generally comparing the network’s performance curves under the different mobility scenarios, 5 m/s, and 20 m/s has proven that raising the node speed increases both the end-to-end delay and the packet drop while decreasing the packet delivery ratio and throughput.

Additionally, Figs. (3c) and (3d) represent the simulation results of the active black hole nodes in the two scenarios of MANET. The sinkhole nodes in the network block the packets which they had been received instead of forwarding them towards the destination. As a result of sinking the captured data, the network performance parameters are affected in the presence of the attack i.e. the throughput becomes very low and the end-to-end delay becomes very high.

To compare between both normal and abnormal routing parameters for the network, we investigated that a slight decrease in PDR, throughput, and jitter values are obtained indicating the abnormality’s existence within specified clusters. The reason is due to the influence of suspicious nodes for certain clusters. The comparison between the two scenarios is shown in Table 2. This comparison shows that the changes in the stability performance for abnormal cases are noticed by considering the different jitter values.

Table 2
Performance indicators for abnormality transactions for applied two scenarios

Applied Scenario Current Status End to End in (sec.) Jitter value

Scenario (1) Abnormal 0.0196 1.1732

Normal 0.0187 0.0048

Scenario (2) Abnormal 0.0242 1.3969

Normal 0.0199 0.0065

Applied Scenario	Current Status	End to End in (sec.)	Jitter value
Scenario (1)	Abnormal	0.0196	1.1732
	Normal	0.0187	0.0048
Scenario (2)	Abnormal	0.0242	1.3969
	Normal	0.0199	0.0065

The Clusters which sense the CH abnormality performance must immediately start in constructing a reliable RREPT for its neighbors and declare it. An Example of RREPT entry for the different mobile scenarios is shown in Table 3 for one cluster in the whole network under a single active black hole node.

Table 3

A Cluster traffic parameter

Traffic	Scenario (1)		Scenario (2)
Parameters	without black hole	with black hole	without black hole	with black hole
Sent pkt’s	240	240	240	240
Received Pkt’s	239	112	228	96
Routing Pkt’s	13	28	41	44
Forwarded Pkt’s	114	81	204	115
Dropped Pkt’s	1	128	12	144
Average End to End Delay (ms)	13.76	19.79	18.76	24.56
Average Jitter	0.22	1.49	0.25	3.4
Average Throughput (Kbps)	98.4	45.97	93.67	39.4
PDR	99.58%	46.67%	95.00%	40.00%

4.2 Detection analysis

To assess the efficacy of the proposed framework, a MATLAB program with a certain simulation is utilized to execute the semi-parametric analysis for different nodes as well as classify the parameters using AdaBoost-SVM to determine the resulting performance as investigated in Equation 1 to 9. In this paper, we used different matrices to evaluate the performance of the proposed AdaBoost-SVM classifier as follows:

Precision: measures the positive nodes that are correctly detected from the total number of nodes in positive exposures to the variations in packet arrival time which can occur due to timing drift and any route changes. Additionally, with the presence of black holes, the average jitter increases, and the end-to-end delay increases as indications of degradation to the network performance class. Recall measures the fraction of positive nodes that are correctly classified, Accuracy: measures the ratio of correct detection over the total number of instantaneous evaluated, and F-measure is a popular measure of the harmonic between precision and recall, as greater as better. The mathematical formulas of these metrics are [36, 37]: $Precision = \frac{TP}{TP + FP}$ (10) $Recall = \frac{TP}{TP + FN}$ (11) $Accuracy = \frac{TP + TN}{TP + TN + FP + FN}$ (12) $F - measure = 2 \times \frac{Precision \times Recall}{Precision + Recall}$ (13)

Where TP equals the total number of correctly classified positive nodes, TN equals the total number of correctly classified negative nodes, FP equals the total number of misclassified negative nodes, and FN equals the total number of misclassified positive nodes. Tables 4 and 5 introduce the detection accuracy for different learners for two different increasing mobility conditions. Compared with results on using common machine learning techniques such as Decision-tree [22], Naïve Bayes, and Random Forest [9, 38], the proposed AdaBoost-SVM has provided improvement in terms of detection accuracy and time complexity. Previous techniques and protocols for detecting a single black-hole attack in MANET have achieved up to 96% TP value [18 , 40]. Moreover, the results approved the superiority of SVM in terms of detection time.

Table 4

Learners’ performance comparison for the first scenario

Learner	TP	FP	Precision	Recall	F-measure
Decision-tree (C4.5)	0.929	0.123	0.952	0.929	0.940
Naïve Bayes	0.882	0.097	0.960	0.882	0.920
Random Forest	0.963	0.136	0.945	0.963	0.956
Proposed AdaBoost SVM	0.973	0.149	0.949	0.973	0.959

Table 5

Learner’s performance comparison for the second scenario

Learner	TP	FP	Precision	Recall	F-measure
Decision-tree (C4.5)	0.960	0.010	0.951	0.960	0.956
Naïve Bayes	0.964	0.036	0.849	0.964	0.918
Random Forest	0.984	0.016	0.919	0.910	0.910
Proposed AdaBoost SVM	0.994	0.006	0.969	0.931	0.949

Aitionally, the threshold value demonstrated that there is an effective influence on differentiating between attacker and benign nodes. Generally, the decrease in the threshold value leads to an increase in the False Positive Rate (FPR), on the other hand, the increase in the threshold value leads to detection failure. As shown in Fig. 4, for the last scenario, the performance of altered learners is the worst-case result from the increase of the threshold value. Good classifiers must show more stability while increasing threshold values, while for poor ones, the detection sensitivity increases as the threshold values increase.

Fig. 3

Readings of Node Performance Routing Parameters during 10 Sec. simulation time (Transmission range vs. simulation time); (a) Normal parameters readings for the first scenario. (b) Normal parameters readings for the second scenario. (c) Attacked parameter readings for the first scenario. (d) Attacked parameter readings for the second scenario.

Fig. 4

The accuracy of the detection process against a threshold value.

However, the proposed scheme shows more detection stability due to depending on semi-parametric learning.

To measure the robustness of the proposed scheme in the case of the black-hole attacker increasing the number of nodes, we tested the MANET performance measurements including throughput, PDR, average end-to-end delay, and average packet loss. Figures 5a to 5d, respectively introduces the performance against attacker nodes increment. The robustness of the proposed scheme can be noticed obviously from these illustration curves.

Fig. 5

The performance of MANET against number of black hole attacker nodes increment.

Generally, a good classification algorithm is characterized by providing low absolute error while preserving a short detection time. Therefore obviously, the proposed scheme ensured that it performs more efficiently compared with the other inspected learners.

Figures 6 and 7 compare the absolute error results versus the time detected values using the same attacks. Allowing for the obtained values to be applied in the conventional SVM, in [35] the authors present an absolute error of 0.148 and a time elapsed of 10.62 sec. Moreover, Ant colony optimization can be combined with SVM as investigated in [16] (SVM+ACO), the obtained values were 0.122 and 6.99 sec., respectively however in Particle swarm optimization (PSO) based SVM (SVM+PSO) [18], the values are in between 0.094 and 2.19 sec. The achieved result checks that an enhancement of classification accuracy achieved is even higher in time execution. Even though the values of applying Decision-tree (C4.5) [22] are 0.111 and 2.48 sec., additionally, applying both Naïve Bayes and Random Forest [38] takes 2.72 sec. and 3.35 sec. to detect an attack packet with absolute error values of 0.147 and 0.071 respectively. Regarding the obtained results and the comprehensive discussion, the feasibility and robustness of the proposed algorithm to detect black-hole attacks with less detection time is very clear now. This hybrid method between LEACH and AdaBoost-SVM achieves higher detection rate, and a low false alarm are obtained, despite the clustering technique limits in the network overheads and reduces the consumed energy to resist the attack. Moreover, the proposed procedure provides a shorter detection time to distinguish an attack packet. Thus, the superiority of the proposed AdaBoost-SVM algorithm granted a significant enhancement to detect active and passive black-hole attack accurately.

Fig. 6

The absolute error of the proposed algorithm compared with the common existing algorithms.

Fig. 7

Detection time of the proposed algorithm compared with the common existing algorithms.

5 Conclusion

Cluster-based routing protocol has proven that there is more and more efficiency in extending the lifetime of the network. Moreover, a great enhancement of load balancing and durability is needed to fight different types of attacks. While MANET management processes required additional burden in terms of black-hole attack detection, the proposed scheme has confirmed that there is effective detection accuracy with a promising execution time achieved. The most significant features are selected and further the weights are adapted to minimize time complexity based on the Ada-Boost algorithm SVM classifier.

In this paper, an accurate and fast detection scheme is obtained, due to the validity of the data that mainly depends on that gathered from RREP packets. Therefore, for any modification of packets, there are harmful attacks that are detected easily and removed. The utilization of the LEACH algorithm can detect the passive black-hole attack, while on the other hand, CH does not transmit all the data in time which means that a black-hole can be detected and reduced based on the likelihood of the selected features. Therefore, it is extremely difficult to spot the collaborative streams.

References

Anbarasan

, Prakash

, Anand

and Antonidoss

, Improving performance in mobile ad hoc networks by reliable path selection routing using RPS-LEACH, Concurrency and Computation-Practice & Experience 31(7) (2019).

Chandel

and Kaur

, Energy consumption optimization using clustering in mobile ad-hoc network, Int J Comput Appl 168(12) (2017), 11–16.

Gavhale

and Saraf

P.D.

, Survey on algorithms for efficient cluster formation and cluster head selection in MANET, Procedia Computer Science 78 (2016), 477–482.

Jangir

S.K.

and Hemrajani

, A comprehensive review and performance evaluation of detection techniques of black hole attack in MANET, J Comput Sci 13 (2017), 537–547.

Obi

O.O.

, Security issues in mobile ad-hoc networks: a survey, The 17 th White House Papers Graduate Research In Informatics at Sussex (2004).

Sarika

, Pravin

, Vijayakumar

and Selvamani

, Security issues in mobile ad hoc networks, Procedia Computer Science 92 (2016), 329–335.

Shakya

, Sharma

and Saroliya

, Enhanced multipath LEACH protocol for increasing network life time and minimizing overhead in MANET, in 2015 International Conference on Communication Networks (ICCN) (2015), 148–154.

Meenatchi

and Palanivel

, Intrusion detection system in MANETS: a survey, International Journal of Recent Development in Engineering and Technology 3(4) (2014).

Kumar

, Kulkarni

and Gupta

, Effect of Black hole Attack on MANET routing protocols, International Journal of Computer Network and Information Security 5(5) (2013), 64.

10.

Al-Shurman

, Yoo

S.-M.

and Park

, Black hole attack in mobile ad hoc networks, in Proceedings of the 42nd annual Southeast regional conference, (2004), 96–97.

11.

Khanna

and Sachdeva

, A comprehensive taxonomy of schemes to detect and mitigate blackhole attack and its variants in MANETs, Computer Science Review 32 (2019), 24–44.

12.

Cherkaoui

, Beni-hssane

and Erritali

, A clustering algorithm for detecting and handling black hole attack in vehicular ad hoc networks, in Europe and MENA cooperation advances in information and communication technologies, Springer, (2017), 481–490.

13.

Doja

M.N.

, Alam

and Sharma

, Analysis of reactive routing protocol using fuzzy inference system, AASRI Procedia 5 (2013), 164–169.

14.

Ektefa

, Memar

, Sidi

and Affendey

L.S.

, Intrusion detection using data mining techniques, in 2010 International Conference on Information Retrieval & Knowledge Management (CAMP) (2010), 200–203.

15.

Elwahsh

, Gamal

, Salama

A.A.

and El-Henawy

I.M.

, A novel approach for classifying Manets attacks with a neutrosophic intelligent system based on genetic algorithm, Security and Communication Networks 2018 (2018).

16.

Kaur

and Gupta

, A novel technique to detect and prevent black hole attack in MANET, Int J Innov Res Sci Eng Technol 3 (2015), 4261–4267.

17.

Koujalagi

, Considerable detection of black hole attack and analyzing its performance on AODV routing protocol in MANET (mobile ad hoc network), Am J Comput Sci Inf Technol 6(2) (2018).

18.

Yazhini

S.P.

and Devipriya

, Support vector machine with improved particle swarm optimization model for intrusion detection, Int J Sci Eng Res 7 (2016), 37–42.

19.

Nisha

S.K.

and Arora

S.K.

, Analysis of black hole effect and prevention through ids in manet, American Journal of Engineering Research (AJER) 2(10) (2013), 214–220.

20.

Singh

and Singh

, Black hole attack detection in MANET using mobile trust points with clustering, in International conference on smart trends for information technology and computer communications (2016), 565–572.

21.

Ardjani

, Sadouni

and Benyettou

, Optimization of SVM multiclass by particle swarm (PSO-SVM), in 2010 2nd International Workshop on Database Technology and Applications (2010), 1–4.

22.

Pavani

and Damodaram

, Anomaly detection system for routing attacks in mobile ad hoc networks, International Journal on Network Security 5(2) (2014), 13.

23.

Gupta

, Goel

, Varshney

and Tyagi

, Reliability factor based AODV protocol: Prevention of black hole attack in MANET, in Smart Innovations in Communication and Computational Sciences, Springer, (2019), 271–279.

24.

El-Semary

A.M.

and Diab

, BP-AODV: Blackhole protected AODV routing protocol for MANETs based on chaotic map, IEEE Access 7 (2019), 95197–95211.

25.

Yasin

and Abu Zant

, Detecting and isolating black-hole attacks in MANET using timer based baited technique, Wireless Communications and Mobile Computing 2018 (2018).

26.

Thebiga

and Pramila

, A Survey on Assorted Subsisting Approaches to Recognize and Preclude Black Hole Attacks in Mobile Adhoc Networks, (2020).

27.

Mwangi

E.G.

, Muketha

G.M.

and Kamau

G.N.

, Optimized Trust-Based DSR Protocol to Curb Cooperative Blackhole Attacks in MANETs Using NS-3, (2020).

28.

Sankara

, Narayanan and G. Murugaboopathi, Modified secure AODV protocol to prevent wormhole attack in MANET, Concurrency and Computation: Practice and Experience 32(4) (2020), e5017.

29.

Anwar

R.W.

, Bakhtiari

, Zainal

and Qureshi

K.N.

, Wireless sensor network performance analysis and effect of blackhole and sinkhole attacks, Jurnal Teknologi 78(4–3) (2016).

30.

Osanaiye

O.A.

, Alfa

A.S.

and Hancke

G.P.

, Denial of service defence for resource availability in wireless sensor networks, IEEE Access 6 (2018), 6975–7004.

31.

Gao

, Wu

, Cao

and Zhang

, Detection and defense technology of blackhole attacks in wireless sensor network, in International Conference on Algorithms and Architectures for Parallel Processing (2014), 601–610.

32.

Sharma

, Patil

and Tiwari

, Detection and Suppression of Blackhole Attack in Leach based Sensor Network, (2014).

33.

Wang

, Ada Boost for feature selection, classification and its relation with SVM, a review, Physics Procedia 25 (2012), 800–807.

34.

Chengsheng

, Huacheng

and Bing

, Ada Boost typical Algorithm and its application research, in, MATEC Web of Conferences 139 (2017), 00222.

35.

Tyagi

and Kumar

, A systematic review on clustering and routing techniques based upon LEACH protocol for wireless sensor networks, Journal of Network and Computer Applications 36(2) (2013), 623–645.

36.

Sarhan

, Nasr

A.A.

and Shams

M.Y.

, Multipose Face Recognition-Based Combined Adaptive Deep Learning Vector Quantization, Computational Intelligence and Neuroscience 2020 (2020).

37.

Armah

G.K.

, Luo

and Qin

, A deep analysis of the precision formula for imbalanced class distribution, International Journal of Machine Learning and Computing 4(5) (2014), 417–422.

38.

Vapnik

V.N.

, An overview of statistical learning theory, IEEE transactions on neural networks 10(5) (1999), 988–999.

39.

Singh

M.M.

, Singh

and Mandal

J.K.

, A snapshot of black hole attack detection in MANET, International Journal of Computer Applications 116(14) (2015).

40.

Kaplantzis

, Shilton

, Mani

and Sekercioglu

Y.A.

, Detecting selective forwarding attacks in wireless sensor networks using support vector machines, in 2007 3rd International Conference on Intelligent Sensors, Sensor Networks and Information (2007), 335–340.

Detection of black-hole attacks in MANET using adaboost support vector machine

Abstract

Keywords

1 Introduction

2 Related works

3 Proposed scheme

3.2 Phase (2): Data-aggregation phase

3.3 Phase (3): Malicious-Node-identification (MNI)

Table 2 Performance indicators for abnormality transactions for applied two scenarios Applied Scenario Current Status End to End in (sec.) Jitter value Scenario (1) Abnormal 0.0196 1.1732 Normal 0.0187 0.0048 Scenario (2) Abnormal 0.0242 1.3969 Normal 0.0199 0.0065

References

Table 2
Performance indicators for abnormality transactions for applied two scenarios

Applied Scenario Current Status End to End in (sec.) Jitter value

Scenario (1) Abnormal 0.0196 1.1732

Normal 0.0187 0.0048

Scenario (2) Abnormal 0.0242 1.3969

Normal 0.0199 0.0065