IEEE SYSTEMS JOURNAL 1 Defending Against Collaborative ... · CHANGet al.: DEFENDING AGAINST COLLABORATIVE ATTACKS BY MALICIOUS NODES IN MANETs 3 TABLE I PACKET FORMAT OFRREQ Fig

This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE SYSTEMS JOURNAL 1

Defending Against Collaborative Attacks byMalicious Nodes in MANETs: A Cooperative Bait

Detection ApproachJian-Ming Chang, Po-Chun Tsou, Isaac Woungang, Han-Chieh Chao, and Chin-Feng Lai, Member, IEEE

Abstract—In mobile ad hoc networks (MANETs), a primaryrequirement for the establishment of communication among nodesis that nodes should cooperate with each other. In the presenceof malevolent nodes, this requirement may lead to serious secu-rity concerns; for instance, such nodes may disrupt the routingprocess. In this context, preventing or detecting malicious nodeslaunching grayhole or collaborative blackhole attacks is a chal-lenge. This paper attempts to resolve this issue by designing adynamic source routing (DSR)-based routing mechanism, which isreferred to as the cooperative bait detection scheme (CBDS), thatintegrates the advantages of both proactive and reactive defensearchitectures. Our CBDS method implements a reverse tracingtechnique to help in achieving the stated goal. Simulation resultsare provided, showing that in the presence of malicious-nodeattacks, the CBDS outperforms the DSR, 2ACK, and best-effortfault-tolerant routing (BFTR) protocols (chosen as benchmarks)in terms of packet delivery ratio and routing overhead (chosen asperformance metrics).

Index Terms—Cooperative bait detection scheme (CBDS), col-laborative bait detection, collaborative blackhole attacks, detec-tion mechanism, dynamic source routing (DSR), grayhole attacks,malicious node, mobile ad hoc network (MANET).

I. INTRODUCTION

DUE to the widespread availability of mobile devices,mobile ad hoc networks (MANETs) [1], [2] have been

widely used for various important applications such as militarycrisis operations and emergency preparedness and response

Manuscript received May 28, 2012; revised March 19, 2013 andOctober 16, 2013; accepted December 10, 2013. An abridged version of thiswork has been published in the Proceedings of the 2nd International Conferenceon Wireless Communications, Vehicular Technology, Information Theory andAerospace and Electronic Systems Technology (VITAE 2011), Chenai, India,February 28–March 3, 2011. This work was supported in part by a grant fromthe National Science Council of Taiwan, held by the fourth author, underContract NSC98-2221-E-197-009-MY3 and a grant from the Natural Sciencesand Engineering Research Council of Canada (NSERC), held by the thirdauthor, under Grant RGPIN/293233-2011.

J.-M. Chang is with the Chung Shan Institute of Science and Technology,Ministry of National Defense, Taoyuan 325, Taiwan (e-mail: [email protected]).

P.-C. Tsou is with the Chung Cheng Institute of Technology, NationalDefense University, Taoyuan 335, Taiwan (e-mail: [email protected]).

I. Woungang is with the Department of Computer Science, Ryerson Univer-sity, Toronto, ON M5B 2K3, Canada (e-mail: [email protected]).

H.-C. Chao is with the Institute of Computer Science and Information Engi-neering, National Ilan University, Ilan 260, Taiwan (e-mail: [email protected]).

C.-F. Lai is with the Department of Computer Science and InformationEngineering, National Chung Cheng University, Chiayi 621, Taiwan (e-mail:[email protected]).

Color versions of one or more of the figures in this paper are available onlineat http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/JSYST.2013.2296197

Fig. 1. Blackhole attack–node n4 drops all the data packets.

operations. This is primarily due to their infrastructurelessproperty. In a MANET, each node not only works as a host butcan also act as a router. While receiving data, nodes also needcooperation with each other to forward the data packets, therebyforming a wireless local area network [3]. These great featuresalso come with serious drawbacks from a security point of view.Indeed, the aforementioned applications impose some stringentconstraints on the security of the network topology, routing,and data traffic. For instance, the presence and collaboration ofmalicious nodes in the network may disrupt the routing process,leading to a malfunctioning of the network operations.

Many research works have focused on the security ofMANETs. Most of them deal with prevention and detectionapproaches to combat individual misbehaving nodes. In thisregard, the effectiveness of these approaches becomes weakwhen multiple malicious nodes collude together to initiate acollaborative attack, which may result to more devastatingdamages to the network.

The lack of any infrastructure added with the dynamic topol-ogy feature of MANETs make these networks highly vulnera-ble to routing attacks such as blackhole and grayhole (known asvariants of blackhole attacks). In blackhole attacks (see Fig. 1),a node transmits a malicious broadcast informing that it has theshortest path to the destination, with the goal of intercepting

1932-8184 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

http://www.ieee.org/publications_standards/publications/rights/index.html

mailto: [email protected]







2 IEEE SYSTEMS JOURNAL

messages. In this case, a malicious node (so-called blackholenode) can attract all packets by using forged Route Reply(RREP) packet to falsely claim that “fake” shortest route to thedestination and then discard these packets without forwardingthem to the destination. In grayhole attacks, the malicious nodeis not initially recognized as such since it turns maliciousonly at a later time, preventing a trust-based security solutionfrom detecting its presence in the network. It then selectivelydiscards/forwards the data packets when packets go through it.In this paper, our focus is on detecting grayhole/collaborativeblackhole attacks using a dynamic source routing (DSR)-basedrouting technique.

DSR [4] involves two main processes: route discovery androute maintenance. To execute the route discovery phase,the source node broadcasts a Route Request (RREQ) packetthrough the network. If an intermediate node has routing in-formation to the destination in its route cache, it will reply witha RREP to the source node. When the RREQ is forwarded to anode, the node adds its address information into the route recordin the RREQ packet. When destination receives the RREQ, itcan know each intermediary node’s address among the route.The destination node relies on the collected routing informationamong the packets in order to send a reply RREP message tothe source node along with the whole routing information of theestablished route. DSR does not have any detection mechanism,but the source node can get all route information concerning thenodes on the route. In our approach, we make use of this feature.

In this paper, a mechanism [so-called cooperative bait detec-tion scheme (CBDS)] is presented that effectively detects themalicious nodes that attempt to launch grayhole/collaborativeblackhole attacks. In our scheme, the address of an adjacentnode is used as bait destination address to bait maliciousnodes to send a reply RREP message, and malicious nodesare detected using a reverse tracing technique. Any detectedmalicious node is kept in a blackhole list so that all other nodesthat participate to the routing of the message are alerted tostop communicating with any node in that list. Unlike previousworks, the merit of CBDS lies in the fact that it integratesthe proactive and reactive defense architectures to achieve theaforementioned goal.

II. RELATED WORK

Many research works have investigated the problem of ma-licious node detection in MANETs. Most of these solutionsdeal with the detection of a single malicious node or requireenormous resource in terms of time and cost for detectingcooperative blackhole attacks. In addition, some of these meth-ods require specific environments [5] or assumptions in orderto operate. In general, detection mechanisms that have beenproposed so far can be grouped into two broad categories.1) Proactive detection schemes [6]–[12] are schemes that needto constantly detect or monitor nearby nodes. In these schemes,regardless of the existence of malicious nodes, the overheadof detection is constantly created, and the resource used fordetection is constantly wasted. However, one of the advantagesof these types of schemes is that it can help in preventing oravoiding an attack in its initial stage. 2) Reactive detection

schemes [13]–[15] are those that trigger only when the destina-tion node detects a significant drop in the packet delivery ratio.

Among the above schemes are the ones proposed in [9]and [13], which we considered as benchmark schemes forperformance comparison purposes. In [9], Liu et al. proposeda 2ACK scheme for the detection of routing misbehavior inMANETs. In this scheme, two-hop acknowledgement packetsare sent in the opposite direction of the routing path to in-dicate that the data packets have been successfully received.A parameter acknowledgment ratio, i.e., Rack, is also used tocontrol the ratio of the received data packets for which theacknowledgment is required. This scheme belongs to the classof proactive schemes and, hence, produces additional routingoverhead regardless of the existence of malicious nodes. In [13],Xue and Nahrstedt proposed a prevention mechanism calledbest-effort fault-tolerant routing (BFTR). Their BFTR schemeuses end-to-end acknowledgements to monitor the quality ofthe routing path (measured in terms of packet delivery ratio anddelay) to be chosen by the destination node. If the behavior ofthe path deviates from a predefined behavior set for determining“good” routes, the source node uses a new route. One of thedrawbacks of BFTR is that malicious nodes may still exist inthe new chosen route, and this scheme is prone to repeatedroute discovery processes, which may lead to significant routingoverhead. Our proposed detection scheme takes advantage ofthe characteristics of both the reactive and proactive schemesto design a DSR-based routing scheme able to detect gray-hole/collaborative blackhole attacks in MANETs.

III. PROPOSED APPROACH

This paper proposes a detection scheme called the coopera-tive bait detection scheme (CBDS), which aims at detecting andpreventing malicious nodes launching grayhole/collaborativeblackhole attacks in MANETs. In our approach, the sourcenode stochastically selects an adjacent node with which tocooperate, in the sense that the address of this node is usedas bait destination address to bait malicious nodes to send areply RREP message. Malicious nodes are thereby detectedand prevented from participating in the routing operation, usinga reverse tracing technique. In this setting, it is assumed thatwhen a significant drop occurs in the packet delivery ratio, analarm is sent by the destination node back to the source nodeto trigger the detection mechanism again. Our CBDS schememerges the advantage of proactive detection in the initial stepand the superiority of reactive response at the subsequent stepsin order to reduce the resource wastage.

CBDS is DSR-based. As such, it can identify all the ad-dresses of nodes in the selected routing path from a source todestination after the source has received the RREP message.However, the source node may not necessary be able to identifywhich of the intermediate nodes has the routing information tothe destination or which has the reply RREP message or themalicious nodeâ reply forged RREP. This scenario may resultin having the source node sending its packets through the fakeshortest path chosen by the malicious node, which may thenlead to a blackhole attack. To resolve this issue, the functionof HELLO message is added to the CBDS to help each node


CHANG et al.: DEFENDING AGAINST COLLABORATIVE ATTACKS BY MALICIOUS NODES IN MANETs 3

TABLE IPACKET FORMAT OF RREQ′

Fig. 2. Random selection of a cooperative bait address.

in identifying which nodes are their adjacent nodes within onehop. This function assists in sending the bait address to enticethe malicious nodes and to utilize the reverse tracing programof the CBDS to detect the exact addresses of malicious nodes.The baiting RREQ packets are similar to the original RREQpackets, except that their destination address is the bait address.The modified packet format is shown in Table I.

The CBDS scheme comprises three steps: 1) the initial baitstep; 2) the initial reverse tracing step; and 3) the shiftedto reactive defense step, i.e., the DSR route discovery startprocess. The first two steps are initial proactive defense steps,whereas the third step is a reactive defense step.

A. Initial Bait Step

The goal of the bait phase is to entice a malicious node tosend a reply RREP by sending the bait RREQ′ that it has usedto advertise itself as having the shortest path to the node thatdetains the packets that were coverted. To achieve this goal,the following method is designed to generate the destinationaddress of the bait RREQ′.

The source node stochastically selects an adjacent node, i.e.,nr, within its one-hop neighborhood nodes and cooperates withthis node by taking its address as the destination address of thebait RREQ′. Since each baiting is done stochastically and theadjacent node would be changed if the node moved, the baitwould not remain unchanged. This is illustrated in Fig. 2, Thebait phase is activated whenever the bait RREQ′ is sent priorto seeking the initial routing path. The follow-up bait phaseanalysis procedures are as follows.

First, if the nr node had not launched a blackhole attack, thenafter the source node had sent out the RREQ′, there would be

other nodes’ reply RREP in addition to that of the nr node. Thisindicates that the malicious node existed in the reply routing, asshown in Fig. 2. Therefore, the reverse tracing program in thenext step would be initiated in order to detect this route. If onlythe nr node had sent the reply RREP, it means that there was noother malicious node present in the network and that the CBDShad initiated the DSR route discovery phase.

Second, if nr was the malicious node of the blackhole attack,then after the source node had sent the RREQ′, other nodes (inaddition to the nr node) would have also sent reply RREPs.This would indicate that malicious nodes existed in the replyroute. In this case, the reverse tracing program in the next stepwould be initiated to detect this route. If nr deliberately gaveno reply RREP, it would be directly listed on the blackhole listby the source node. If only the nr node had sent a reply RREP,it would mean that there was no other malicious node in thenetwork, except the route that nr had provided; in this case, theroute discovery phase of DSR will be started. The route that nr

provides will not be listed in the choices provided to the routediscovery phase.

B. Initial Reverse Tracing Step

The reverse tracing program is used to detect the behaviors ofmalicious nodes through the route reply to the RREQ′ message.If a malicious node has received the RREQ′, it will reply with afalse RREP. Accordingly, the reverse tracing operation will beconducted for nodes receiving the RREP, with the goal to de-duce the dubious path information and the temporarily trustedzone in the route. It should be emphasized that the CBDS isable to detect more than one malicious node simultaneouslywhen these nodes send reply RREPs. Indeed, when a maliciousnode, for example, nm, replies with a false RREP, an addresslist P = {n1, . . . nk, . . . nm, . . . nr} is recorded in the RREP.If node nk receives the RREP, it will separate the P list by thedestination address n1 of the RREP in the IP field and get theaddress list Kk = {n1, . . . nk}, where Kk represents the routeinformation from source node n1 to destination node nk. Then,node nk will determine the differences between the addresslist P = {n1, . . . nk, . . . nm, . . . nr} recorded in the RREP andKk = {n1, . . . nk}. Consequently, we get

K ′k = P −Kk = {nk+1, . . . nm, . . . nr} (1)

where K ′k represents the route information to the destination

node (recorded after node nk). The operation result of K ′k

is stored in the RREP’s “Reserved field” and then revertedto the source node, which would receive the RREP and theaddress list K ′

k of the nodes that received the RREP. To avoidinterference by malicious nodes and to ensure that K ′

k does notcome from malicious nodes, if node nk received the RREP, itwill compare:

1) A. the source address in the IP fields of the RREP;2) B. the next hop of nk in the P = {n1, . . . nk, . . . nm,

. . . nr};3) C. one hop of nk.



Fig. 3. Reverse tracing program of the CBDS approach.

If A is not the same with B and C, then the received K ′k

can perform a forward back. Otherwise, nk should just forwardback the K ′

k that was produced by itself.In Fig. 3, although n4 can reply with K ′

4 = {n5, n6}, n3 willcheck and then remove K ′

4 when it receives the RREP. After thesource node obtains the intersection set of K ′

k, the dubious pathinformation S replied by malicious nodes could be detected,i.e.,

S = K ′1 ∩K ′

2 ∩K ′3 . . . ∩K ′

k. (2)

Given that a malicious node would reply the RREP to everyRREQ, nodes that are present in a route before this action hap-pened are assumed to be trusted. The set difference operationof P and S is conducted to acquire a temporarily trusted set T ,i.e.,

T = P − S. (3)

To confirm that the malicious node is in set S, the sourcenode would send the test packets to this route and would sendthe recheck message to the second node toward the last nodein T . This requires that the node had entered a promiscuousmode in order to listen to which node the last node in T sent thepackets to and fed the result back to the source node. The sourcenode would then store the node in a blackhole list and broadcastthe alarm packets through the network to inform all other nodesto terminate their operation with this node. If the last node haddropped the packets instead of diverting them, the source nodewould store it in the blackhole list. The situations faced bymalicious nodes in the route are illustrated in Fig. 3. In this case,a single malicious node n4 exist in the route, the source node n1

pretends to send a packet to the destination node n6. After n1

sends the RREQ′, node n4 replies with a false RREP along withthe address list P = {n1, n2, n3, n4, n5, n6}. Here, node n5 isa random node filled in by n4. If n3 had receive the replied

RREP by n4, it would separate the P list by the destinationaddress n1 of the RREP in the IP field and get the addresslist K3 = {n1, n2, n3}. It would then conduct the set differenceoperation between the address lists P and K3 = {n1, n2, n3} toacquire K ′

3 = P −K3 = {n4, n5, n6}, and would reply withthe K ′

3 and RREP to the source node n1 according to therouting information in P . Likewise, n2 and n1 would performthe same operation after receiving the RREP; will obtain K ′

2 ={n3, n4, n5, n6} and K ′

1 = {n2, n3, n4, n5, n6}, respectively;and then will send them back to the source node for intersection.The dubious path information of the malicious node, i.e., S =K ′

1 ∩K ′2 ∩K ′

3 = {n4, n5, n6}, is obtained. The source nodethen calculates P − S = T = {n1, n2, n3} to acquire a tem-porarily trusted set. Finally, the source node will send the testpackets to this path and the recheck message to n2, requesting itto enter the promiscuous mode and listening to n3. As the resultof the listening phase, it could be found that n3 might divert thepackets to the malicious node n4; hence, n2 would revert thelistening result to the source node n1, which would record n4

in a blackhole list.In Fig. 3, if there was a single malicious node n4 in the

route, which responded with a false RREP and the addresslist P = {n1, n2, n3, n5, n4, n6}, then this node would havedeliberately selected a false node n5 in the RREP addresslist to interfere with the follow-up operation of the sourcenode. However, the source node would have to intersect thereceived K ′

k to obtain S = K ′1 ∩K ′

2 ∩K ′3 = {n5, n4, n6} and

T = P − S = {n1, n2, n3} and request n2 to listen to the nodethat n3 might send the packets to. As the result of this listeningphase, the packets that should have been diverted to n5 by n3

should have been sent to n4. The source node would then storethis node to the blackhole list. It is worth mentioning that evenif the malicious node cooperated with a false interfering RREP,it would still be detected by the CBDS. In Fig. 3, if n5 andn4 were cooperative malicious nodes, we would obtain T =



TABLE IIDYNAMIC THRESHOLD ALGORITHM

P − S = {n1, n2, n3}, and n2 would be requested to listen towhich node n3 might send the packets. Either n5 or n4 would bedetected, and their cooperation stopped. Hence, the remainingnodes would be baited and detected. Fig. 2 illustrates that evenif there were more malicious nodes in MANETs, the CBDSwould still detect them simultaneously when they send the replyRREP.

C. Shifted to Reactive Defense Phase

After the above initial proactive defense (steps A and B), theDSR route discovery process is activated. When the route isestablished and if at the destination it is found that the packetdelivery ratio significantly falls to the threshold, the detectionscheme would be triggered again to detect for continuousmaintenance and real-time reaction efficiency. The threshold isa varying value in the range [85%, 95%] that can be adjusted ac-cording to the current network efficiency. The initial thresholdvalue is set to 90%.

We have designed a dynamic threshold algorithm (seeTable II) that controls the time when the packet delivery ratiofalls under the same threshold. If the descending time is short-ened, it means that the malicious nodes are still present in thenetwork. In that case, the threshold should be adjusted upward.Otherwise, the threshold will be lowered.

The operations of the CBDS are captured in Fig. 4. It shouldbe noticed that the CBDS offers the possibility to obtain thedubious path information of malicious nodes as well as that oftrusted nodes; thereby, it can identify the trusted zone by simplylooking at the malicious nodes reply to every RREP. In addition,the CBDS is capable of observing whether a malicious nodewould drop the packets or not. As a result, the proportion ofdropped packets is disregarded, and malicious nodes launchinga grayhole attack would be detected by the CBDS the same wayas those launching blackhole attacks are detected.

IV. PERFORMANCE EVALUATION

A. Simulation Parameters

The QualNet 4.5 simulation tool [16] is used to study theperformance of our CBDS scheme. We employ the IEEE802.11 [17] MAC with a channel data rate of 11 Mb/s. Inour simulation, the CBDS default threshold is set to 90%. Allremaining simulation parameters are captured in Table III. Thenetwork used for our simulations is depicted in Fig. 5; and werandomly select the malicious nodes to perform attacks in thenetwork.

B. Performance Metrics

We have compared the CBDS against the DSR [4], 2ACK[9], and BFTR [13] schemes, chosen as benchmarks, on thebasis of the following performance metrics.

1) Packet Delivery Ratio: This is defined as the ratioof the number of packets received at the destination andthe number of packets sent by the source. Here, pktdi isthe number of packets received by the destination nodein the ith application, and pktsi is the number of packetssent by the source node in the ith application. The averagepacket delivery ratio of the application traffic n, which isdenoted by PDR, is obtained as

PDR =1

n

n∑

i=1

pktdipktsi

. (4)

2) Routing Overhead: This metric represents the ratio ofthe amount of routing-related control packet transmis-sions to the amount of data transmissions. Here, cpkiis the number of control packets transmitted in the ithapplication traffic, and pkti is the number of data packetstransmitted in the ith application traffic. The averagerouting overhead of the application traffic n, which isdenoted by RO, is obtained as

RO =1

n

n∑

i=1

cpkipkti

. (5)

3) Average End-to-End Delay: This is defined as the av-erage time taken for a packet to be transmitted fromthe source to the destination. The total delay of packetsreceived by the destination node is di, and the numberof packets received by the destination node is pktdi.The average end-to-end delay of the application traffic n,which is denoted by E, is obtained as

E =1

n

n∑

i=1

dipktdi

. (6)

4) Throughput: This is defined as the total amount of data(bi) that the destination receives them from the sourcedivided by the time (ti) it takes for the destination toget the final packet. The throughput is the number of bitstransmitted per second. The throughput of the applicationtraffic n, which is denoted by T , is obtained as

T =1

n

n∑

i=1

biti. (7)



Fig. 4. Operations of the CBDS.

TABLE IIISIMULATION PARAMETERS

Two simulation scenarios are considered:

1) Scenario 1: Varying the percentage of malicious nodeswith a fixed mobility.

2) Scenario 2: Varying the mobility of nodes under fixedpercentage of malicious nodes.

Under these scenarios, we study the effect of differentthresholds of the CBDS on the aforementioned performanceparameters. The results are as follows.

C. Varying the Percentage of Malicious NodesWith a Fixed Mobility

First, we study the packet delivery ratio of the CBDS andDSR for different thresholds when the percentage of maliciousnodes in the network varies from 0% to 40%. The maximumspeed of nodes is set to 20 m/s. Here, the threshold value is set to

85%, 95%, and the dynamic threshold, respectively. The resultsare captured in Fig. 6. In Fig. 6, it can be observed that DSRdrastically suffers from blackhole attacks when the percentageof malicious nodes increases. This is attributed to the fact thatDSR has no secure method for detecting/preventing blackholeattacks. Our CBDS scheme shows a higher packet delivery ratiocompared with that of DSR. Even in the case where 40% ofthe total nodes in the network are malicious, the CBDS schemestill successfully detects those malicious nodes while keepingthe packet delivery ratio above 90%. A threshold of 95% wouldthen result in earlier route detection than when the threshold is85% or is set to the dynamic threshold value. Thus, the packetdelivery ratio when using a threshold of 95% is higher thanthat obtained when using a threshold of 85% or the dynamicthreshold.

Second, we study the routing overhead of the CBDS andDSR for different thresholds. The results are captured in Fig. 7.In Fig. 7, it can be observed that when the number of maliciousnodes increases, DSR produces the lowest routing overheadcompared with the CBDS. This is attributed to the fact that DSRhas no intrinsic security method or defensive mechanism. Infact, the routing overhead produced by the CBDS for differentthresholds is a little bit higher than that produced by DSR; thismight be due to the fact that the CBDS would first send baitpackets in its initial bait phase and then turn into a reactivedefensive phase afterward. Consequently, a tradeoff should bemade between routing overhead and packet delivery ratio. Wehave studied the effect of thresholds on the routing overhead.As expected, it was found that the routing overhead of theCBDS reaches the highest value when the threshold is set to



Fig. 5. Network topology.

Fig. 6. Packet delivery ratio of DSR and the CBDS for different thresholds.

95%. This is attributed to the fact that the detection scheme ofCBDS triggers fast when the threshold value is 95% comparedwith when it is set to 85% or when it is equal to the dynamicthreshold value. Thus, the bait packets will be sent many timesin the network. It should be noticed that the dynamic thresholdvalue can be adjusted according to the network performance.

Third, we study the end-to-end delay of the CBDS and DSRfor different thresholds. The results are captured in Fig. 8. InFig. 8, it can be observed that the CBDS incurs a little bit moreend-to-end delay compared with that of DSR. This is attributedto the fact that the CBDS necessitated more time to bait anddetect malicious nodes. Therefore, a tradeoff must be madebetween end-to-end delay and packet delivery ratio. Even in

Fig. 7. Routing overhead of DSR and the CBDS for different thresholds.

the case that there are more malicious nodes in the network,the CBDS would still detect them simultaneously when theyreply with a RREP. Thus, the end-to-end delay of the CBDSfor different thresholds does not increase when the numberof malicious nodes increases. We further study the effect ofthresholds on the end-to-end delay. Although a threshold of85% produces the shortest delay, the resulting packet deliveryratio appears to be lower than that produced when the thresholdis set to 95% or is set to the dynamic threshold value.

Fourth, we study the throughput of the CBDS and DSR fordifferent thresholds. The results are captured in Fig. 9. In Fig. 9,it can be observed that DSR suffers the most from malicious-node attacks compared with the CBDS. In addition, the CBDS



Fig. 8. End-to-end delay of DSR and the CBDS for different thresholds.

Fig. 9. Throughput of DSR and the CBDS for different thresholds.

with different thresholds results in higher throughput than DSR.We further study the effect of thresholds on the throughput. Theresults are shown in Fig. 10. In Fig. 10, it can be observed thatthe throughput obtained when the threshold is set to 95% is, ingeneral, slightly higher than that obtained when the thresholdis set to 85% or is set to the dynamic threshold value. Evenin the case where the number of malicious nodes present inthe network is relatively high (up to 40%), it is observed thatthe CBDS can still detect malicious nodes successfully whilekeeping the throughput above 15 000 bit/s.

Fifth, we compare DSR, 2ACK, BFTR, and CBDS in termsof packet delivery ratio and routing overhead when the mali-cious nodes increase in the network. Here, the threshold for theCBDS is set to the dynamic threshold value. The results arecaptured in Figs. 10 and 11, respectively.

In Fig. 10, it can also be observed that DSR heavily suffersfrom increasing blackhole attacks since it does not have any de-tection and protection mechanism to prevent blackhole attacks.When the percentage of malicious nodes varies in the networkfrom 0% to 40%, BFTR does not detect malicious nodesdirectly. It chooses a new route that may still include malicious

Fig. 10. Effect of malicious nodes on the packet delivery ratio.

Fig. 11. Effect of malicious nodes on the routing overhead.

nodes when the end-to-end performance of a route deviatesfrom the predefined behavior of good routes. Therefore, thepacket delivery ratio of BFTR is lower than that observedfor both the 2ACK and CBDS schemes. Moreover, the packetdelivery ratio of the CBDS is highest compared with that ofDSR. This is attributed to the fact that the CBDS sends baitpackets to bait malicious nodes when replying and is capable oftracing the location of the blackhole node at the initial stage.

In Fig. 11, it can be observed that when the percentage ofmalicious nodes increases, DSR produces the lowest routingoverhead compared with all other schemes including the CBDS.This is attributed to the fact that DSR has no intrinsic security ordefensive mechanism. Moreover, the CBDS is able to achieveproactive detection in the initial stage and then change intoreactive response in the later stage. Through this feature, theadvantage of proactive detection and the superiority of reactiveresponse can be merged to reduce the waste of resource. Thishas led to a better routing overhead for the CBDS comparedwith that of the 2ACK and BFTR schemes. Furthermore, the2ACK scheme has the highest routing overhead compared withthat of BTFR and CBDS. This is attributed to the fact that



Fig. 12. Packet delivery ratio for different thresholds, under varying nodespeed.

2ACK is a proactive scheme, which incurs routing overheadregardless of the existence of malicious nodes. Although BFTRbelongs to the family of reactive schemes, the new route thatit has selected may still have malicious nodes in it, which, inturn, will trigger repeated route discovery processes, causingthe additional routing overhead observed in BFTR comparedwith the CBDS.

D. Varying the Mobility of Nodes Under a Fixed Percentageof Malicious Nodes

In this scenario, the maximum speed of nodes is varied from0 to 20 m/s, and the percentage of malicious nodes is fixedto 20%.

First, we study the packet delivery ratio of the CBDS andDSR for different thresholds. The threshold value is set to 85%,95%, and the dynamic threshold, respectively. The results arecaptured in Fig. 12. It can also be observed that the packet deliv-ery ratio of DSR and the CBDS for different thresholds slightlydecreases when the node’s speed increases. The CBDS yieldsa higher packet delivery ratio compared with DSR. Finally, theCBDS can detect malicious nodes successfully while keepingthe packet delivery ratio above 90%.

Second, we study the routing overhead of the CBDS andDSR for different thresholds. The threshold value is set to 85%,95%, and the dynamic threshold, respectively. The results arecaptured in Fig. 13. In Fig. 13, it can be observed that therouting overhead of DSR and the CBDS for different thresh-olds increases when the node’s speed increases. Moreover,the CBDS can still detect malicious nodes successfully whilekeeping a routing overhead a little higher than that of DSR.

Third, we study the throughput of the CBDS and DSR for dif-ferent thresholds. The threshold value is set to 85%, 95%, andthe dynamic threshold, respectively. The results are captured inFig. 14. In Fig. 14, it can be observed that the throughput ofDSR and the CBDS for different thresholds slightly decreaseswhen the node’s speed increases. The CBDS yields the highestthroughput compared with DSR in all cases. It is also found that

Fig. 13. Routing overhead for different thresholds, under varying node speed.

Fig. 14. Throughput for different thresholds, under varying node speed.

the CBDS can still keep the highest throughput while avoidinginterference with malicious nodes.

Fourth, we study the end-to-end delay of the CBDS andDSR for different thresholds. The threshold value is set to 85%,95%, and the dynamic threshold, respectively. The results arecaptured in Fig. 15. In Fig. 15, it can be observed that theaverage end-to-end delay incurred by the CBDS is higher thanthat incurred by DSR in all cases. This is attributed to thefact that the CBDS requires more time to detect and trace themalicious nodes, which is not the case for DSR since the latterhas no intrinsic malicious node detection mechanism.

V. CONCLUSION

In this paper, we have proposed a new mechanism (calledthe CBDS) for detecting malicious nodes in MANETs undergray/collaborative blackhole attacks. Our simulation results re-vealed that the CBDS outperforms the DSR, 2ACK, and BFTRschemes, chosen as benchmark schemes, in terms of routingoverhead and packet delivery ratio. As future work, we intendto 1) investigate the feasibility of adjusting our CBDS approach



Fig. 15. End-to-end delay for different thresholds, under varying node speed.

to address other types of collaborative attacks on MANETsand to 2) investigate the integration of the CBDS with otherwell-known message security schemes in order to construct acomprehensive secure routing framework to protect MANETsagainst miscreants.

REFERENCES

[1] P.-C. Tsou, J.-M. Chang, H.-C. Chao, and J.-L. Chen, “CBDS: A coopera-tive bait detection scheme to prevent malicious node for MANET based onhybrid defense architecture,” in Proc. 2nd Intl. Conf. Wireless Commun.,VITAE, Chenai, India, Feb. 28–Mar., 03, 2011, pp. 1–5.

[2] S. Corson and J. Macker, RFC 2501, Mobile Ad hoc Networking(MANET): Routing Protocol Performance Issues and Evaluation Consid-erations, Jan. 1999. (Last retrieved March 18, 2013). [Online]. Available:http://www.elook.org/computing/rfc/rfc2501.html

[3] C. Chang, Y. Wang, and H. Chao, “An efficient Mesh-based core multicastrouting protocol on MANETs,” J. Internet Technol., vol. 8, no. 2, pp. 229–239, Apr. 2007.

[4] D. Johnson and D. Maltz, “Dynamic source routing in ad hoc wirelessnetworks,” Mobile Comput., pp. 153–181, 1996.

[5] I. Rubin, A. Behzad, R. Zhang, H. Luo, and E. Caballero, “TBONE: Amobile-backbone protocol for ad hoc wireless networks,” in Proc. IEEEAerosp. Conf., 2002, vol. 6, pp. 2727–2740.

[6] A. Baadache and A. Belmehdi, “Avoiding blackhole and cooperativeblackhole attacks in wireless ad hoc networks,” Intl. J. Comput. Sci. Inf.Security, vol. 7, no. 1, 2010.

[7] S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehav-ior in mobile ad hoc networks,” in Proc. 6th Annu. Intl. Conf. MobiCom,2000, pp. 255–265.

[8] K. Vishnu and A. J Paul, “Detection and removal of cooperativeblack/gray hole attack in mobile ad hoc networks,” Int. J. Comput. Appl.,vol. 1, no. 22, pp. 28–32, 2010.

[9] K. Liu, D. Pramod, K. Varshney, and K. Balakrishnan, “An Acknowl-edgement based approach for the detection of routing misbehavior inMANETs,” IEEE Trans. Mobile Comput., vol. 6, no. 5, pp. 536–550,May 2007.

[10] H. Deng, W. Li, and D. Agrawal, “Routing security in wireless ad hocnetwork,” IEEE Commun. Mag., vol. 40, no. 10, Oct. 2002.

[11] S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, and K. Nygard,“Prevention of cooperative blackhole attacks in wireless ad hoc net-works,” in Proc. Int. Conf. Wireless Netw., Jun. 2003, pp. 570–575.

[12] H. Weerasinghe and H. Fu, “Preventing cooperative blackhole attacks inmobile ad hoc networks: Simulation implementation and evaluation,” inProc. IEEE ICC, 2007, pp. 362–367.

[13] Y. Xue and K. Nahrstedt, “Providing fault-tolerant ad hoc routing servicein adversarial environments,” Wireless Pers.Commun., vol. 29, pp. 367–388, 2004.

[14] W. Kozma and L. Lazos, “REAct: resource-efficient accountability fornode misbehavior in ad hoc networks based on random audits,” in Proc.WiSec, 2009, pp. 103–110.

[15] W. Wang, B. Bhargava, and M. Linderman, “Defending against collabo-rative packet drop attacks on MANETs,” in Proc. 28th IEEE Int. Symp.Reliable Distrib. Syst., New Delhi, India, Sep. 2009.

[16] QualNet Simulaton Tool, Scalable Network Technologies. (Last retrievedMarch 18, 2013). [Online]. Available: http://www.qualnet.com

[17] IEEE Standard for Information Technology, IEEE Std 802.11-14997,1997, Telecommunications and Information exchange between systems:wireless LAN medium access control (MAC) and physical layer (PHY)Specifications, pp. i-445.

Jian-Ming Chang received the M.S. degree in elec-trical engineering and the Ph.D. degree in computerscience and information engineering from NationalDong Hwa University, Hualien, Taiwan, in 2007 and2012, respectively.

He is currently an Assistant Researcher with theElectronic System Research Division, Chung-ShanInstitute of Science and Technology, Ministry ofNational Defense, Taoyuan, Taiwan. His research in-terests focus on the next-generation Internet, mobilecomputing, cellular mobility management, personal

communication networks, adaptive antenna arrays, beamforming, and phased-array radar systems.

Po-Chun Tsou received the B.S. degree in computerscience and engineering from Chung Cheng Insti-tute of Technology, National Defense University,Taoyuan, Taiwan, in 2006 and the M.S. degrees incomputer science and information engineering fromNational Ilan University, Ilan, Taiwan, in 2011.

He is currently an R&D officer with the ChungCheng Institute of Technology, National DefenseUniversity. His research interests include wire-less networks, mobile computing, and informationsecurity.

Isaac Woungang received the M.Sc. degree in math-ematics from the Université de la Méditerranée-AixMarseille II, Luminy, France, in 1990; the Ph.D.degree in mathematics from the Université du Sud,Toulon-Var, France, in 1994; and the M.A.Sc. de-gree from the INRS-Énergie, Matériaux et Télécom-munications, University of Quebec, Montreal, QC,Canada, in 1999.

From 1999 to 2002, he was a Software Engineerwith Nortel Networks. Since 2002, he has been withthe Department of Computer Science, Ryerson Uni-

versity, Toronto, ON, Canada. In 2004, he founded the Distributed Applicationsand Broadband NEtworks Laboratory (DABNEL) R&D group. His researchinterests include network security, computer communication networks, andmobile communication systems.

Han-Chieh Chao received the M.S. and Ph.D. de-grees in electrical engineering from Purdue Univer-sity, West Lafayette, IN, USA, in 1989 and 1993,respectively.

He is a jointly appointed Professor with the De-partment of Electronic Engineering and the Instituteof Computer Science and Information Engineering,National Ilan University, Ilan, Taiwan. His researchinterests include high-speed networks, wireless net-works, and IPv6-based networks and applications.

Dr. Chao is also serving as an IPv6 Steering Com-mittee Member and the Deputy Director of the R&D Division of the NICITaiwan and a Cochair of the Technical Area for IPv6 Forum Taiwan. He is aFellow of the Institute of Engineering and Technology and the British ComputerSociety.

http://www.elook.org/computing/rfc/rfc2501.html

http://www.qualnet.com



Chin-Feng Lai (M’07) received the Ph.D. de-gree from National Cheng Kung University, Tainan,Taiwan, in 2008.

Since 2013, he has been an Assistant Professorwith the Department of Computer Science and In-formation Engineering, National Chung Cheng Uni-versity, Chiayi, Taiwan. He has more than 100 paperpublications. His research focuses on Internet ofThings, body sensor networks, E-healthcare, mo-bile cloud computing, cloud-assisted multimedia net-works, and embedded systems.

Dr. Lai is an Associate Editor-in-Chief for the Journal of Internet Technologyand serves as the Editor or Associate Editor for IET Networks. He received theBest Paper Award from the IEEE 10th International Conference on Embeddedand Ubiquitous Computing (EUC 2012).

Documents

IEEE SYSTEMS JOURNAL 1 Defending Against Collaborative ... · CHANGet al.: DEFENDING AGAINST COLLABORATIVE ATTACKS BY MALICIOUS NODES IN MANETs 3 TABLE I PACKET FORMAT OFRREQ Fig