Source: sci.tamucc.edu/~cams/projects/474.pdf
ABSTRACT
Communication usually takes place over a network, and a network is exposed to a great deal of intrusion. To detect misbehavior, an effective strategy is needed that can recognise the kind of misbehavior occurring in the network. Misbehavior in a network can be a node intentionally dropping packets even though it is capable of forwarding them, or a node attracting packets towards itself by making the source believe that it can forward them to the destination; both degrade the overall performance of the network. It is important for a network to be aware of the malicious activity going on in it so that the activity can be prevented or avoided.
In this paper, solutions for detecting misbehavior are proposed that involve a Base Station. A few rules defined by the Base Station help detect misbehavior in the network. The possible kinds of attack and the ways of detecting the misbehavior are shown in a simulated environment.
TABLE OF CONTENTS
Abstract
Table of Contents
List of Figures
1. Background and Rationale
   1.1 Delay Tolerant Networks
   1.2 Routing in Socially Selfish Delay Tolerant Networks
   1.3 A Practical Incentive Protocol
   1.4 Mitigating Routing Misbehavior in Mobile Ad Hoc Networks
   1.5 Trust Management and Adversary Detection for Delay Tolerant Networks
   1.6 A Secure Multilayer Credit-Based Incentive Scheme for Delay-Tolerant Networks
2. Narrative
   2.1 Problem Statement
   2.2 Motivation
   2.3 Project Objective
   2.4 Functionalities of the Project
3. Proposed System Design
   3.1 System Design and Architecture
   3.2 Use Case Diagram
   3.3 Flow Diagram
   3.4 Environment
      3.4.1 ns2 Simulator
      3.4.2 Tcl/Tk
      3.4.3 NAM
      3.4.4 C++
      3.4.5 Linux
4. Implementation
   4.1 Configuring Network Simulator
      4.1.1 Creating the Nodes in the Network
      4.1.2 Creating the Application
   4.2 Implementation of Proposed System
5. Testing and Evaluation
   5.1 Test Case 1 (DoS Attack)
   5.2 Test Case 2 (Man in the Middle Attack)
   5.3 Test Case 3 (Sinkhole Attack)
6. Results
   6.1 Network Performance
7. Conclusion and Future Work
References and Bibliography
LIST OF FIGURES
Figure 1: System Design and Architecture
Figure 2: Use Case Diagram - Detection System
Figure 3: Flow Chart for Architecture
Figure 4: Network Simulator With Nodes Configured
Figure 5: Communication Between the Nodes
Figure 6: Trace Files
Figure 7: Showing User's Input for DoS Attack
Figure 8: Communication Between Source and Destination
Figure 9: Attacker Node Attacking Targeted Node
Figure 10: BS Detecting Malicious Activity
Figure 11: User's Input for Man in the Middle Attack
Figure 12: Communication Between Source and Destination
Figure 13: Man in the Middle Attack
Figure 14: BS Detecting Malicious Activity
Figure 15: Showing User's Input for Sinkhole Attack
Figure 16: Source Communicating with Malicious Node Thinking it is Destination
Figure 17: Malicious Node Accepting the Packets
Figure 18: BS Giving Alert
Figure 19: Packet Delivery Ratio for Man in the Middle Attack
Figure 20: Throughput for Man in the Middle Attack
Figure 21: Packet Delivery Ratio for DoS Attack
Figure 22: Throughput for DoS Attack
1. BACKGROUND AND RATIONALE
1.1 Delay-Tolerant Networks
Delay-tolerant networks generally rely on intermediate nodes to carry messages or data, because they are designed to operate over long distances and intermittent connectivity. In the process of sending the data, these intermediate nodes may misbehave by dropping packets intentionally or by other means. Some nodes make use of the services provided by the network but forward packets only to those nodes they are comfortable with. Such nodes are called selfish nodes. Generally all nodes are inspected by a Trusted Authority in order to know which nodes are malicious and which are not. The contact history of the nodes involved in a transmission is forwarded to the trusted authority to verify which node has misbehaved.
Various solutions for detecting misbehavior in delay-tolerant networks are discussed in this section.
1.2. Routing in Socially Selfish Delay Tolerant Networks
One can assume that most nodes forward packets for others, but many nodes behave selfishly. They forward packets only for nodes with which they have a social tie, and thus misbehave. Such nodes are willing to forward packets for nodes that have a good reputation with them, and so take advantage of the situation to strengthen their interpersonal ties. When resources are constrained, a user may be willing to forward a packet for a strong tie but not for a weaker one. This is called social selfishness, and it influences a node to behave tactically: the node responsible for forwarding may be unwilling to forward a packet for a node with which it has no social tie, and instead prefers packets received from nodes with stronger ties.
So selfish nodes need to be taken into consideration. An algorithm called Social Selfishness Aware Routing (SSAR) was introduced to ensure genuine delivery of packets to the destination [1]. To ensure that a packet reaches its destination through selfish nodes, buffer space and bandwidth are allocated at the nodes in a way that makes some of them popular; since the nodes are selfish, they forward packets through the popular nodes so as to gain social benefit. The algorithm considers both the users' willingness and the contact information in order to provide a better forwarding strategy. SSAR works by observing a node's willingness and capability to forward a packet and thus reduces the packet drop rate. It formulates forwarding as a multiple knapsack problem with assignment restrictions, so that packets are forwarded in a way that respects social selfishness without creating routing problems.
Disadvantage:
This algorithm addresses only selfish nodes and cannot be applied to other kinds of problem in DTNs; selfishness is the single concept it focuses on. It may not be fully efficient in a large network because it has to provide buffers and broadcasts to the selected nodes.
1.3 A Practical Incentive Protocol
Nodes in DTNs behave selfishly, and this feature of DTNs can be a problem for the network. Also, because there is no contemporaneous end-to-end path and system conditions vary, it is difficult to predict the route of a packet beforehand. To face these problems, a protocol was introduced with which packets achieve a high delivery rate and low average delay [4]. Messages are carried as bundles, and an incentive [4] is attached to each bundle. The incentive attracts nodes into forwarding the bundle and thus satisfies their selfish behavior; it is not only attractive but also fair to all the other nodes in the network. In the reward model, intermediate nodes are rewarded by the source node if the packets reach the destination.
Disadvantage:
The proposed incentive protocol introduces problems of its own, because selfish nodes may launch attacks against it such as the free-ride attack and the layer removing and layer adding attacks.
1.4 Mitigating Routing Misbehavior in Mobile Ad Hoc Networks
Throughput is very important in any ad hoc network and may be the key factor in deciding its efficiency. Two techniques were proposed to increase the throughput of a network in the presence of misbehaving nodes: Watchdog identifies malicious or misbehaving nodes, and Pathrater uses this knowledge to help the routing algorithm avoid them [3]. Through simulation the authors observed that, in a network with moderate mobility, the two techniques increase throughput by 17% in the presence of 40% misbehaving nodes while increasing the percentage of overhead transmissions from 9% to 17%; under extreme mobility they increase throughput by 27% while increasing the overhead from 12% to 24%. The two techniques are used with the Dynamic Source Routing (DSR) protocol to mitigate node misbehavior. DSR assumes bidirectional links, and every node keeps a list of its neighboring nodes. Watchdog uses an interesting mechanism: after a node forwards a packet, it listens to the channel to check whether the next node forwards the packet on to the correct node or drops it instead. Using Watchdog, each node maintains a rating for its neighboring nodes, which Pathrater in turn uses to identify misbehaving nodes. Pathrater reports the nodes that are not functioning as specified to DSR, which eliminates them or suspends them for some time.
Disadvantage:
DSR with Watchdog has some disadvantages: it cannot detect the misbehavior of a node in the presence of ambiguous collisions, receiver collisions, low transmission power or partial dropping. The overhead also increases drastically with the use of Pathrater and Watchdog.
1.5 Trust Management and Adversary Detection for Delay Tolerant Networks
Delay-tolerant networks play a major role in wireless communications. Because of the typical behavior of DTNs, ensuring the security of the network is a challenging task. Byzantine attacks are predominant and cause serious damage to the network in terms of data availability and latency. DTNs differ from MANETs in these characteristics, so the security mechanisms used for MANETs are not applicable to DTNs. Here a mechanism was proposed that detects malicious nodes and keeps the network under control. The proposed model is the Iterative Trust and Reputation Mechanism (ITRM), in which every node evaluates the other nodes on the basis of their past behavior. Its computational complexity depends on the number of nodes, and it computes the ratings and reputations of nodes without any central authority. The two main goals of ITRM are evaluating the service quality of the nodes that provide a service, taking into account the feedback of the nodes that use the service, and calculating the trustworthiness of the nodes by reviewing the feedback they give. The most common attack on such a trust mechanism is bad-mouthing, in which malicious nodes give wrong feedback about other nodes in order to affect their rating; the other attack is ballot stuffing, in which nodes give unfairly high ratings to nodes that deserve a low reputation.
Disadvantage:
Trust management does not always identify the malicious nodes, because it depends on the nodes that provide the ratings and there is no central authority to review the ratings they provide.
1.6 A Secure Multilayer Credit-Based Incentive Scheme for Delay-Tolerant Networks
Delay-tolerant networks are often called opportunistic data forwarding networks, meaning that intermediate nodes store, carry and forward the packets in the network. This requires all nodes to be capable of and willing to transfer data, but often this is not the case, because not all nodes are well behaved and a few may be malicious or selfish. A secure multilayer credit-based incentive scheme was proposed to address data forwarding. SMART [2] uses a credit-based scheme that gives selfish nodes an incentive to forward and tries to bring their data rate up to that of the other nodes. One important and good feature of SMART is that it allows credits to be transferred within the network by the nodes without the involvement of the sender. This suits DTNs because the sender does not know the path along which the data will be transferred. The sender, the destination or any intermediate node carries out the credit-based scheme in different layers, which are prescribed as follows. The first layer, called the base layer, is where the sender sets the rules or policies to be followed. The next layers are created by the intermediate nodes by appending a non-forgeable digital signature; such a layer is called an endorsed layer and specifies that the forwarding node agrees to the service and reward mechanisms used.
Disadvantage:
SMART takes a unique approach to the problem, but there are a few catches in terms of network security. It has no central system that keeps track of the nodes, and a malicious node may inject additional layers for its own benefit or remove some of the important layers from a packet, which affects the data rate tremendously.
All of these are similar kinds of solution that analyze the packet flow and detect the misbehaving node in a network. Each has one or more flaws. So there is a need for an algorithm or protocol that is sufficient to detect misbehavior among the nodes in a network. This project is about one such solution.
A system is proposed in which information about all the nodes is sent to a Base Station (BS), which monitors the nodes in the network [7]. A few rules are defined by the BS in order to detect malicious activity in the network. With this method, misbehavior can be detected irrespective of how the node behaves (including selfish nodes).
2. NARRATIVE
2.1 Problem Statement
The most common problem of every network is to achieve integrity without overhead and at reduced cost. The intermediate nodes that transfer packets to the destination sometimes cannot be trusted: a node may misbehave either by dropping packets intentionally or by sending packets through nodes that are not on the path to the destination. Many solutions have been proposed, but they have disadvantages such as routing overhead, which in turn creates cost overhead. So there is a need to inspect and analyze the misbehaving nodes in DTNs in order to avoid such problems and prevent the network from being attacked.
2.2 Motivation
Because of misbehaving nodes, network performance can degrade badly, and misbehaving selfish nodes expose the network to serious attacks. Network providers come under serious threat, and users no longer find integrity and efficiency in the network. This is the reason for detecting misbehaving nodes in the network.
2.3 Project Objective
The main objective of the proposed system is to inspect all the nodes in a network through a Trusted Authority, which is responsible for collecting all the information about the nodes' behavior. Existing methods add overhead to the network and consume more time and cost, yet do not provide an efficient way of detecting misbehaving nodes. The proposed protocol improves the efficiency of the network at lower cost.
2.4 Functionalities of the Project
The Base Station (BS) is a kind of authority that looks after each and every node in the delay-tolerant network. Information about all the nodes in the network is sent to the BS. Whenever an intermediate node misbehaves by dropping packets, the BS comes to know about it because it monitors the network. When the same node drops packets more often than a configurable threshold value, that node is considered malicious.
Many kinds of attack can target a network for different reasons. In some attacks, the aim of the malicious node is to drop the packets in transit so that they never reach the destination. In others, such as the sinkhole attack, the aim of the malicious node is to attract all the packets towards itself and prevent the destination from receiving any of them.
3. PROPOSED SYSTEM DESIGN
The proposed system consists of a network with a misbehavior detection system for secure transmission of data in DTNs. In this network, the base station has all the information about the nodes participating in the network. The base station periodically judges the behavior of the nodes based on the evidence collected from all the nodes involved in forwarding a packet or message. The advantages of the proposed system are:
• It reduces the detection overhead, as in the Probabilistic Misbehavior Detection Scheme, without compromising detection performance.
• It improves security as well as efficiency.
• It reduces the transmission overhead incurred by misbehavior detection and detects malicious nodes effectively.
3.1 System Design and Architecture
Figure 1 shows the architecture for detecting a malicious node in the network. It consists of three modules:
• Design of the network
• Monitoring module
• Detection of malicious node module
Figure 1: System Design and Architecture
A network is formed with a topology that is capable of monitoring and detecting malicious nodes. A base station is used for this purpose: it monitors all the activities taking place in the network. Source and destination nodes can be defined only after all the nodes in the network have been created and configured.
The monitoring module scans the network for any malicious activity. That is, the network is screened for attacks and the base station keeps a log of all of them. This is done internally at different layers of the network. The nodes are monitored before an attack as well as after it.
The detection module determines which node misbehaves. To determine the malicious node, the network has to find the attacks and drawbacks that match the rules being processed; the node that matches the rules is detected as malicious. The base station keeps a log of node activity in the network. The rules are as follows.
• The base station has to monitor each and every node.
• It must maintain a log of attacks for each node.
• If a node drops packets or misbehaves in any other way, this information is updated at the base station.
• If the same node drops packets more than three times, the node is considered malicious. Three is the threshold value set for the number of packets each node may drop.
3.2 Use Case Diagram
A use case diagram specifies the interaction of the system with the user. It defines the relationship between the user and the different use cases involved in the system.
Figure 2: Use Case Diagram - Detection System
Use case activities:
• The user starts the communication by selecting the source and destination.
• Packets are sent over the network.
• The base station monitors the network.
• The network is scanned for packet dropping at the nodes.
• If packets are dropped more than three times at a particular node and the destination node has not received any packets from the source, that node is termed malicious.
• If there is no malicious activity in the network, the packets reach the destination successfully and the process can be terminated.
3.3 Flow Diagram
A flow diagram represents the flow of the project and the relationships among the modules. The steps are represented by rectangles and squares, each showing a particular function, and arrows represent the relations among them.
Figure 3: Flow Chart for Architecture
Figure 3 shows the flow of the project. First, communication is started among the nodes when the user specifies the source and destination; the packets sent from one node to the other show that communication has begun. While these packets are being transmitted, the base station monitors all the nodes, before any attack takes place. When suspicious activity is found, control passes to the detection module, which checks how many times a particular node has dropped packets and whether the destination has received the packets sent by the source. If a node drops packets and reaches the threshold value (3), that node is detected as malicious in that particular attack.
If there is no packet loss, communication continues as normal and comes to a stop: the receiver receives the packets sent by the sender without any loss in between.
3.4 Environment
To run the project in a simulated environment, a simulator is needed. In this project, the ns2 simulator is used to show how the network works. Tcl/Tk (Tool Command Language) is used to configure the nodes and set up the network. C++ is used to implement the required logic and protocol.
3.4.1 ns2 Simulator
Network Simulator 2 (ns-2) is generally used to test and show how a network works. It supports wired and wireless communication and protocols such as TCP and routing protocols. It is used by many researchers to implement and test their work as it would behave on a real network [9]. Instead of building a network by hand and running tests on it, the work is tested on the simulator, and if it is successful it can be implemented on a real network. Doing so reduces overhead and saves a lot of time, cost and resources. The core of ns2 is written in C++, and the network environment is configured in Tcl/Tk.
3.4.2 Tcl/Tk
Tcl (Tool Command Language, pronounced "tickle") is a simple scripting language created by John Ousterhout. Its syntax is very simple and easy to learn, and it has all the features needed to implement programs on a variety of platforms. Tk is a toolkit for creating graphical interfaces with Tcl; it runs on Windows, Mac OS X and Linux systems. Tcl/Tk can also be used from many other languages such as C, Perl, Ruby and Python.
3.4.3 NAM
NAM (Network Animator) is a Tcl/Tk-based animation tool that plays back the trace files produced by the simulator and shows the topology and the routing of packets. It supports packet-level animation, topology layout and various data inspection tools.
3.4.4 C++
C++ is a general-purpose object-oriented programming language. It can be used for low-level programming, such as embedded systems or an operating system kernel, as well as for server-side web applications and all kinds of entertainment software. In this project, C++ is used to write the program for the protocol being implemented.
3.4.5 Linux
A Linux operating system (Red Hat Linux in this project) is required, because the ns2 build used here runs on Linux; Tcl itself is available on other platforms, as noted above.
4. IMPLEMENTATION
4.1 Configuring the Network Simulator
The entire design for detecting malicious nodes is implemented on the network simulator. The proposed system with its three modules is implemented on the simulator, which behaves in a similar way to a real network. Before these modules can be implemented, the simulator has to be configured with the nodes and the network. The Tcl scripting language is used to configure the nodes in the network.
4.1.1 Creating the Nodes in the Network
The creation of nodes in the network depends on the communication protocol; here the TCP protocol is used for node communication. There must be a sender node and a receiver node: a TCP agent is attached to the sender node, and a TCP sink is attached to the receiver node, which receives the packets and acknowledges them to the sender. Every network has a Base Station (BS) to monitor the activities of the nodes, so before a node enters the network it has to register itself with the BS, so that the BS has the identity of each and every node in the network.
4.1.2 Creating the Application
CBR (Constant Bit Rate) traffic is used to create the application. CBR transfers packets at a constant rate between the sender and the receiver with low latency. This fits the network simulator well and is therefore used in this project. Figure 4 shows the nodes in the network simulator configured as described above.
Figure 4: Network Simulator With Nodes Configured
The number of nodes in the network is the user's choice; that is, a variable number of nodes can be given as input from the console. The source and destination nodes are also the user's choice. Figure 5 shows the communication between the source and destination; the circles around the nodes show the communication among them.
Figure 5: Communication Between The Nodes
Figure 5 shows source node 1 communicating with destination node 28 to send packets in the network simulator.
4.2 Implementation of the Proposed System
DoS attack (Denial of Service): To find the malicious activity, attacks are created in the network. This attack mainly degrades the performance of the network. The malicious or attacker node floods the targeted node with unwanted requests and makes it inactive, so that it is no longer able to handle requests. As a result there is no proper communication to the destination: because the attacked node is flooded with requests, it cannot provide service towards the destination. The mere fact that the attacker node is flooding a targeted node with unwanted hello requests does not by itself prove that the node is malicious. But here, to define a few rules for the base station to detect the malicious activity, a threshold limit on the number of received requests was set.
Man in the middle attack: This attack is introduced to find a malicious node that is one of the intermediate nodes. In this attack, one of the intermediate nodes behaves maliciously by dropping packets that are intended for the destination.
Sinkhole attack (also referred to in this report as a Sybil attack, since the malicious node forges an identity): In this attack the malicious node tries to attract all the traffic intended for the destination towards itself. It duplicates the destination's identity by using the same IP address as the destination node, and can thus attract the traffic and behave maliciously. This is a kind of impersonation attack. The name Sybil comes from the book Sybil, the case study of a woman diagnosed with multiple personality disorder (now called dissociative identity disorder).
Monitoring module: In this project, the BS monitors the network. In this module the BS monitors activity by maintaining a routing table according to the AODV routing protocol. Whenever a new node wants to enter the network, it has to register with the BS first, and the BS keeps all the entries in the routing table. The data flow is implemented over TCP NewReno: it starts the packet flow with a small number of packets and increases the flow as the source receives acknowledgement packets, and it throttles the flow when packets are lost, which limits the damage when there is malicious activity in the network.
Intrusion detection module: This module is used to detect any malicious activity in the network. The BS plays the central role in detecting the malicious activity going on. DoS, man in the middle and sinkhole attacks are implemented to test the detection module.
26
Detection in DOS attack: Generally the attacker node tries to flood the targeted node with
unwanted requests. BS that has all the information of the nodes such as node’s IP address, MAC
address, monitors the network. Whenever the BS finds out that a particular node is continuously
sending the requests to another node, it records this information and suspects that some
malicious activity is taking place in the network.
Detection in Man in the middle attack: Whenever the source and destination are
communicating, the malicious node or the hacker node tries to impersonate both the source and
destination and gains access in the communication. This hacker node takes advantage of the
packet flow and drops them in between making them unreachable to the destination. BS
monitoring the network comes to know that a particular node is dropping packets continuously.
So, whenever a node is dropping packets more that three times, BS comes to know that there is
some malicious activity going on in the network. The number three is defined as the threshold
value, rule defined by the BS.
Detection in Sybil attack: The hacker node tries to attract all the packets that are intended for the destination. To do so, the hacker node behaves as the destination and makes the sender believe that it is the destination node or that it has the capability of forwarding the packets to the destination. Before any communication takes place in the network, each and every node must register itself with the BS, so the BS has the IP address and MAC address of every node present in the network. The hacker node, however, registers into the network (to attract all the traffic) with the same IP address as the destination node. When the BS comes to know that two nodes have the same IP address, it gives an alert saying that it has detected some malicious activity.
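The three BS rules above, as an added Python example that is not the project's NS-2 code, applied to a constructed stream of registration and packet events. The drop threshold of three is the rule stated in the text; the request-flood threshold of 20 is an assumption, since the text gives no number for "continuously sending requests".

```python
from collections import Counter

DROP_THRESHOLD = 3       # from the text: dropping packets more than three times is malicious
REQUEST_THRESHOLD = 20   # assumed: the text gives no number for "continuously sending requests"


class BaseStation:
    """Registration table plus the three BS detection rules described above."""
    def __init__(self):
        self.registry = {}         # node -> (ip, mac), filled when a node registers
        self.drops = Counter()     # node -> packets it has dropped so far
        self.requests = Counter()  # (sender, target) -> request packets seen
        self.alerts = []           # (rule, suspect node, detail), in detection order

    def register(self, node, ip, mac):
        # Sybil rule: a node registering an IP that another node already holds
        for other, (other_ip, _mac) in self.registry.items():
            if other_ip == ip and other != node:
                self.alerts.append(("sybil", node, f"IP {ip} already belongs to {other}"))
        self.registry[node] = (ip, mac)

    def observe(self, kind, node, peer=None):
        """One monitored event: 'req' (node sent a request to peer) or 'drop'."""
        if kind == "drop":
            self.drops[node] += 1
            if self.drops[node] == DROP_THRESHOLD + 1:  # alert once, on the 4th drop
                self.alerts.append(("mitm", node, "dropped packets more than 3 times"))
        elif kind == "req":
            self.requests[(node, peer)] += 1
            if self.requests[(node, peer)] == REQUEST_THRESHOLD:  # alert once
                self.alerts.append(("dos", node, f"flooding {peer} with requests"))


def run_scenario():
    """Constructed scenario: honest nodes n1-n4, a flooder n9 and a Sybil node n8."""
    bs = BaseStation()
    for i in range(1, 5):
        bs.register(f"n{i}", f"10.0.0.{i}", f"00:00:00:00:00:0{i}")
    bs.register("n8", "10.0.0.4", "00:00:00:00:00:08")  # claims the destination's IP
    for _ in range(REQUEST_THRESHOLD):
        bs.observe("req", "n9", "n1")  # flood the source n1 with requests
    for _ in range(2):
        bs.observe("drop", "n2")       # two drops: not more than three, no alert
    for _ in range(4):
        bs.observe("drop", "n3")       # four drops: more than three, alert
    return bs.alerts


if __name__ == "__main__":
    for rule, node, detail in run_scenario():
        print(f"[{rule}] node {node}: {detail}")
```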
Whenever a simulation is started with any attack, data trace files are created which contain all the routing information of the nodes, such as which node is sending a request and which node is receiving it. A trace file is not easy for a person to read and understand, so the simulation is shown on the network animator, which is an exact depiction of the trace file, as shown in Figure 6.
Figure 6: Trace Files
Limitations:
While implementing the attacks, the user gives the number of nodes, source, destination, choice of attack and base station as inputs from the console. Sometimes there will be a segmentation fault while executing the program. This happens when the user gives a large number of nodes as input: these nodes may overlap one another and the user may not see the nodes clearly on the animator. This is a kind of warning, but the program runs fine.
5. TESTING AND EVALUATION
Testing is very important for finding out the flaws, if there are any, in the project. Testing is done by giving different inputs and analyzing the output. Generally, in any given network, all the nodes will be communicating with each other. To test this project, different attacks are created in the network and the BS finds out the malicious activity going on in the network.
5.1 Test Case 1 (DOS Attack):
To test this attack, the number of nodes, source, destination and base station are given as input by the user. Three attacks are implemented in this project, so the user also has to give the choice of attack as one of the inputs. The three attacks are defined as three choices:
1. DOS attack
2. Man in the middle attack
3. Sybil attack
Figure 7: Showing User’s Input for DOS Attack
As shown in Figure 7, the number of nodes is set to 80; the source, destination, choice of attack and base station are given as inputs by the user.
Communication takes place between the source and destination, as shown in Figure 8, with the base station monitoring the traffic.
Figure 8: Communication Between Source and Destination
Before the communication starts, all the nodes register their identities to the destination. The attacker node will attack the targeted node. Here, the attacker node targets the source node, as shown in Figure 9, by continuously sending request packets to it, flooding the source with requests and thus degrading the performance of the network.
Figure 9: Attacker Node Attacking Targeted Node
When the attacker node is continuously sending request packets to the source, the BS monitoring the traffic suspects some malicious activity near the source, since it is receiving more requests than it can handle, and detects that a node is attacking the source. It thus finds out the malicious activity in the network, as shown in Figure 10.
Figure 10: BS Detecting Malicious Activity
The BS detects the malicious activity as described in the detection module for the DOS attack.
5.2 Test Case 2 (Man in the middle attack):
One of the intermediate nodes behaves maliciously, takes advantage of the packets and drops them, making the communication unreachable to the destination. As said above, the user can enter the number of nodes, source node, destination node, choice of attack (for the man in the middle attack it is 2) and base station.
Figure 11: User’s Input for Man In The Middle Attack
As shown in Figure 11, the number of nodes is set to 50. The source, destination, choice of attack and base station are given as input from the console.
The source starts communication by sending packets through some intermediate nodes to the destination, as shown in Figure 12.
Figure 12: Communication Between Source and Destination
When packets are being transferred from source to destination, if a malicious node is present on the path, it drops the packets and thus makes them unreachable to the destination. This malicious node is one of the intermediate nodes participating in the communication.
Figure 13: Man In The Middle Attack
As shown in Figure 13, the malicious node (an intermediate node) is dropping the packets.
When the BS finds that a node has dropped packets more than three times, it knows that there is a malicious node in the network and identifies the node that dropped the packets. Figure 14 shows that the BS has detected the malicious activity in the network.
Figure 14: BS Detecting Malicious Activity
5.3 Test Case 3 (Sybil attack):
The malicious node attracts all the traffic intended for the destination towards itself. The user can enter the number of nodes, source node, destination node, choice of attack (for the Sybil attack it is 3) and base station, as shown in Figure 15.
Figure 15: Showing User’s Input for Sybil Attack
The source starts communication. Since the malicious node tries to attract all the packets towards it, the source sends all the packets to the malicious node, thinking that it is the destination node. This scenario is shown in Figure 16.
Figure 16: Source Communicating With Malicious Node Thinking it is Destination
As shown in Figure 17, the malicious node is taking all the packets intended for the destination.
Figure 17: Malicious Node Accepting the Packets
The base station, which holds all the nodes' identities, recognizes that there are two entries with the same IP address and gives an alert that malicious activity is taking place in the network, as shown in Figure 18.
Figure 18: Base Station Giving Alert
6. RESULTS
The following results are generated, which help in determining the performance of the network.
• Packet delivery ratio: how many of the packets sent were delivered successfully.
• Throughput: how many packets were delivered in a given time interval.
6.1 Network performance
Figure 19: Packet Delivery Ratio for Man In The Middle Attack
As shown in Figure 19, the packet delivery ratio is approximately 1.7%, since 5099 packets were sent but only 88 were received.
Figure 20: Throughput for Man In The Middle Attack
With the time interval set to 10 sec, throughput is calculated as shown in Figure 20. Where the graph dips, very few packets were transferred.
Figure 21: Packet Delivery Ratio for DOS Attack
The packet delivery ratio for the DOS attack is around 16%, as shown in Figure 21: 15325 packets were sent but only 2526 were received.
Figure 22: Throughput for DOS Attack
Throughput for the DOS attack is obtained for every 10 seconds. It is very low, since the DOS attack degrades the performance of the network by preventing communication between the source and destination.
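The two metrics of this section computed from a constructed, simplified trace, as an added example that is not the project's own script. The events are (time, kind, packet id) tuples rather than real NS-2 trace lines; the function also checks the two runs quoted above (88 of 5099 and 2526 of 15325 packets) and the 10-second interval is the one the text uses.

```python
def packet_delivery_ratio(sent, received):
    """PDR in percent: packets received / packets sent (0 when nothing was sent)."""
    return 100.0 * received / sent if sent else 0.0


def metrics_from_trace(events, interval=10.0):
    """Compute (pdr_percent, throughput) from (time_s, kind, packet_id) events,
    where kind 's' means sent by the source and 'r' received at the destination.
    Throughput is a list of (interval_start, packets_received) covering every
    interval up to the last event, so idle intervals show up as zeros."""
    sent_ids = {pid for _t, kind, pid in events if kind == "s"}
    received_ids = {pid for _t, kind, pid in events if kind == "r"}
    n_bins = int(max(t for t, _kind, _pid in events) // interval) + 1
    counts = [0] * n_bins
    for t, kind, _pid in events:
        if kind == "r":
            counts[int(t // interval)] += 1
    throughput = [(i * interval, counts[i]) for i in range(n_bins)]
    return packet_delivery_ratio(len(sent_ids), len(received_ids)), throughput


def constructed_trace():
    """Constructed trace: the source sends one packet per second for 60 s; an
    intermediate node drops everything from t=26 s on, so only packets 0-25 arrive."""
    events = []
    for t in range(60):
        events.append((float(t), "s", t))
        if t < 26:
            events.append((t + 0.4, "r", t))
    return events


if __name__ == "__main__":
    pdr, throughput = metrics_from_trace(constructed_trace())
    print(f"constructed run: packet delivery ratio {pdr:.1f}%")
    for start, count in throughput:  # default interval of 10 s
        print(f"  {start:4.0f}-{start + 10:3.0f} s: {count} packets received")
    # the two runs quoted in the text
    print(f"MITM run: {packet_delivery_ratio(5099, 88):.1f}%")
    print(f"DOS run: {packet_delivery_ratio(15325, 2526):.1f}%")
```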
7. CONCLUSION AND FUTURE WORK
Detection of malicious nodes in a network is very important to avoid network crashes. In this project, malicious activity is determined with the help of the base station. Rules defined by the base station help in determining the malicious activities in the network: when these rules match any of a node's properties, that node is considered malicious. A few attacks are launched in order to test the detection module, which was able to detect the attacks successfully, as shown by the screenshots of the results. The BS plays an important role in determining the behavior of the network. The performance of the network is also obtained using xgraph, which gives the graph representation of throughput and packet delivery ratio.
This project works on static nodes, that is, the nodes do not move. The same project can be implemented on mobile nodes in the future. In this project, in every attack, the base station is able to detect only one malicious node. In the future, the base station could define more efficient rules, or a protocol could be used that is capable of detecting a larger number of malicious nodes in the network.