Detecting Black-hole Attack in Mobile Ad Hoc Networks

Mobile Ad-hoc NETworks (MANETS) have seen tremendous gmwth in recent years. It is a new paradigm of communication’ in which t h m is no fixed infrasmrcture. Nodes within the radio range of each other can communicate directly over the wireless link, while those that are far apart use other nodes as relays. Routing protocols are the cornerstone of MANET. In the past few years, much research effolts have been focused on this area and many different kinds of routing protocols have been put forward in the literature, such as Wueless Routing Protocol (WRP) [I], Dynamic Source Routing protocol @SR) [2], Ad hoc On Demand Distance Vector protocol (AODV) [3] and Location Aided Routing [4]. However, from the beginning of its design, almost none of the routing protocols specify security measures, hut the tun of wireless ad hoc networks makes them very vulnerable to malicious attacks compared to traditional wired networks. An attack occurs when an inbuder tries to exploit vuherabilities of a system. There are many types of attacks in MANET. Generally spaking, these attacks can be classified into two broad categories: pasfive and &rive attacks [6][9]. In passive attacks, the attackers typically involve eavesdropping of data, thus disclose the information of the location and move patterns of mobile nodes. This kind of attack is very difficult to detect, because the attacker seldom exhibits abnormal activities. Active attacks, on the other hand, involve actions performed by intruden. The target of the attack can be either data traffic or routing traffic [6]. The intruders may insert large volume of extraneous datapackets into networks. They can also intentionally dmp, corrupt and delay data packets passing through it. In this paper, we are focUSig on detecting a special active attack black hole attack. One type of black hole attack can mur when the malicious node on the path directly attacks the data haffic by intentionally dropping, delaying or altering the data traffic passing through it. This type of black hole attack can be easily mitigated by setting the promiscuous mode of each node and listening to see if the next node on the path fonvard the data traffic as expected. Another type of black hole attack is to attack routing control traffic. The malicious node can impersonate some other no& and advertise itself having the shortest path to the data source whose packets it is interested in. In this way, this malicious node becomes a black hole since the data traffic are misrouted to a wrong destination. We develop methods to detect this type ofrouting misbehavior caused black,hole attack. To defend against this type of black hole attack, we propose a neighborhood-based method. Our solution c q be briefly ,elaborated as: Once the normal path discovery procedurein a routing protocol is finished, the source node sends a special control packet to request the destination to send its Rlrient neighbor set. By comparing the received neighbor sets, the source no& can dete!mhe whether there is a black hole attack in the network. To mitigate the impact of the black hole attack, we design a routing recoveryprotocol to establish the path to the correct destiytion. Our design has been motivated by three main factors: 1) Cryptography-based methods are expensive in terms that they require a priori trust and excessive overhead and resource consumption caused by the encryptioddecryption operations for authentication purposes. The solution should have acceptable detection probability and improve the packet throughput to a reasonable level without having too much overhead and expensive resource requirements. This is important to MANET because mobile nodes are typically quite limited in their capacities: processing speed, memory space, link bandwidth and battery power. 2) The solution should be scalable and decentralized to operate in a large-scale n-rk. And.3) The solution can be easily deployed without or with least modification to the existing routing protocol. Our methods proposed in this paper have such remarkable advantage that the number of cryptography operatio? is much reduced compared to those that completely rely on cryptographybased methods. We have done a set of simulations using ns-2 [8] to evaluate the effectiveness and efficiencies of our methods. Our simulation result shows that the detection probability in most cases is above 93% without introducing too much over-. head. The response mechanism can improve the packet throughput by at least 15%. The false positive probability is also very low, usually less than 1.7%.