A Counterattack-Detection Scheme in Transmission Time-Based Wormhole Detection Methods

In recent years, the Mobile Ad hoc Network (MANET) is getting more important and is being utilized in various fields. However, routing-disruption attacks have become a serious problem for MANET. In various routing-disruption attack detection methods, transmission time-based methods can detect wormhole attacks efficiently. Attackers might fabricate a time stamp for a Route Request Packet (RREQ) or Route Reply Packet (RREP) to evade wormhole detection methods. To resolve this weakness, we propose a counterattack-detection scheme in transmission time-based wormhole detection methods. In this paper, we show that it is possible for an attacker to find an effective counterattack against wormhole detection methods, so we provide a counterattack-detection scheme. In the first phase, our proposed method uses the transmission time per hop extracted from a RREQ. If the attackers fabricate the RREQ's starting time to evade our proposed method, we can detect this counterattack using the RREQ's transmission time in the second phase, because the fabricated starting time makes the transmission time shorter than the original transmission time. The simulation shows that our proposed method has high reliability for detecting both wormhole attacks and the attacker's counterattack.


Introduction
A Mobile Ad hoc Network (MANET) is a self-configuring network of mobile nodes connected by wireless links.This network can be organized rapidly at low cost and does not require any fixed infrastructure such as fixed routers and backbone.For these reasons, MANET is being utilized in various fields including disaster relief, military operation, emergency service, oil drilling, and mining.In MANET, each node is free to move independently in any direction and can change its links to other nodes.Therefore, the network topology is changeable, and all nodes may enter and exit freely.The connections among nodes are limited to their transmission range, and cooperation with intermediate nodes is required for nodes to forward the packets to other nodes outside their transmission range.These properties compromise the security of MANET, making it vulnerable to attackers.An attacker can modify the routing protocol and disrupt the network operations through mechanisms like packet drops, selective forwarding, and data fabrication.These are called routing-disruption attacks.
One of the most serious routing-disruption attacks is a wormhole attack.These are typically performed by two or more malicious nodes located far from each other.The malicious nodes appear normal but at the same time appear to be within one-hop transmission range.In addition, a wormhole attack can provide fake authenticity and confidentiality, so that other normal nodes perceive the malicious nodes as normal.Therefore, the malicious nodes can form a fake route called a wormhole tunnel that appears to be the shortest legitimate route and then use it to gather network traffic.
To detect routing-disruption attacks including wormhole attacks, researchers have studied several approaches.In sensor networks, routing-disruption attacks can be detected International Journal of Distributed Sensor Networks using authentication techniques such as RSA [1].If the authentication key is assumed to be secured, these authentication techniques are confidential methods for detecting routing-disruption attacks because an existing attacker cannot use network vulnerability to create a counterattack.However, MANET lacks a centralized administration to manage authentication keys, so that the authentication techniques cannot be applied to detect routing-disruption attacks on a MANET.To resolve this problem, several workers have proposed authentication algorithms for MANET [2][3][4].However, these authentication algorithms are not suitable for MANET because of heavy computational requirements and a lack of certain infrastructural elements to support certificates.
In order to avoid using such impractical authentication techniques, the difference in a packet's transmission times has recently been used to detect wormhole attacks [5][6][7].Because the transmission time between the wormhole nodes is longer than that between two real neighbors, these methods are simple and do not require heavy computation.In TTM [5], Van Phuong et al. introduced the subject of wormhole attacks on Ad hoc On-demand Distance Vector (AODV) routing protocol in MANET and suggested a time-based detection method using the "Round Trip Time (RTT)" value [8].The RTT is the time that elapses as a routing packet travels to a remote node and back again, after the route is established.The remainder of this paper is organized as follows.In Section 2, we describe wormhole attacks on the AODV routing protocol.In Section 3, the proposed method is presented and simulation results are given in Section 4. In Section 5, we suggest the future works and we conclude the paper in Section 6.

Wormhole Attacks on AODV
In this section, we describe wormhole attacks on the AODV routing protocol [9].Since the AODV routing protocol provides a rapid and dynamic network connection, it can be applied to MANET, which has low processing loads and memory consumption.
On AODV, wormhole attacks make use of the RREQ route discovery process, which is based on hop count decrements.Also, wormhole attacks can be launched in two different modes: hidden mode and exposed mode [10].In these modes, a wormhole node captures RREQs from neighboring nodes and sends RREQs to another wormhole node by means of a wormhole tunnel.The wormhole tunnel can be made by using either an in-band channel or an outof-band channel [11].Next, the wormhole node fabricates information about the hop count for the RREQ, and then broadcasts false RREQs to the neighboring nodes.Even though the wormhole tunnel is very long, other normal nodes think that there is only a distance of one hop count.The normal nodes, which receive these false RREQ transmit the reverse route to the sender and update the routing table.Hence, all nodes that receive the false RREQs learn the forged route and subsequently use fabricated information in their data communication.
Briefly, wormhole nodes can gather network traffic using false RREQs and a wormhole tunnel.During the route discovery process, the wormhole nodes can easily reduce the hop count by using either in-band or out-of-band channels, thus depriving a route of accurate data communication.As a result, the other normal nodes believe that the route passing through the wormhole tunnel is the shortest route.

Proposed Method
3.1.First Phase: Detection of Wormhole Attacks.In MANET, there is no base station for inspecting packets, so that each node may inspect packets using its own energy and exchange information with neighbors.However, not all nodes have enough energy for such global exchange.Therefore, we selected a feature suitable for identifying the existence of wormhole attacks without the need for exchanging information among neighbors.
For a wormhole attack, the attacker can make a wormhole node using malicious behaviors after entering MANET.First, the wormhole nodes capture RREQs and fabricate the information of the hop count in RREQs.The fabricated RREQs are then sent to another wormhole node by means of a wormhole tunnel, and the received RREQs are broadcast to neighboring nodes.For this reason, the nominal hop count of the fabricated route is shorter than that of other normal routes.That is, the normal RREQ's transmission time, which is the RREQ's elapsed time from starting node to arrival node, is similar to that of the attack RREQ, but their recorded hop counts differ.Accordingly, we propose to use Transmission Time per Hop (TTH), which is the RREQ's elapsed time per hop from starting node to arrival node, as follows: where To detect an attack RREQ in real time, each node uses a threshold-based detection rule.The threshold is computed by using the TTH value of normal RREQs, as follows: where  is the average TTH of normal RREQs and  represents standard deviation () of the TTH of normal RREQs.In this paper, the threshold is set to  + 2 based on outlier detection.The reason for using outlier detection is that it is difficult to set a predefined threshold because MANET is dynamic and unpredictable.Hence, several studies have presented the suitability of outlier detection in MANET [12][13][14] and researched methods for improving outlier detection in MANET.In the field of outlier detection, the thresholds are usually set to two or three standard deviations from the mean [15].If a RREQ's TTH is longer than the target threshold, the RREQ is regarded as an attack packet and dropped immediately.Otherwise, the RREQ proceeds to the counterattack-detection phase to verify whether the RREQ is a normal RREQ.

Second Phase: Detection of Counterattacks.
If attackers recognize the proposed wormhole detection method in the network, they may try to find a counterattack against the detection method.One possible counterattack is based on fabrication of the TTH elements by the attackers to reduce the value of TTH artificially, because the TTH of the attack RREQ is longer than that of the normal RREQ.However, attackers cannot fabricate all the elements in calculation of TTH, such as the RREQ's arrival time, starting time, and the recorded hop count.The reason for this is that the RREQ's arrival time, which is not recorded in the RREQ, cannot be collected on an intermediate node and can be only used on the node currently executing the detection method.Also, the recorded hop count has already been changed in order to set the wormhole route.For these reasons, the attackers can only fabricate the RREQ's starting time used in the calculation of TTH, when the RREQ is passed through the wormhole nodes.Figure 3 shows the TTHs of collected RREQs after implementing the simulated counterattack.The environmental setting is shown in Table 1.Note that Figure 3 may look like Figure 1, which presents the TTHs of normal RREQs.As a result, it is possible that the attackers fabricate the RREQ's starting time to reduce TTH artificially.To detect this attacker's counterattack, we propose to use the Transmission time (), which is the RREQ's elapsed travel time from starting node to arrival node, as follows: where  is a node to inspect RREQ,  represents the arrival sequence number of the RREQ on node ,  is the origin of RREQ,    represents the RREQ's current arrival time on node , and    represents the RREQ's starting time at the origin.When a node does not detect wormhole attacks because of a counterattack, the transmission time becomes shorter than the original transmission time from the same origin because the fabricated starting time is later than the original starting time.Therefore, the node can detect the counterattack using this feature.
To detect such counterattacks in real time, each node must be set to thresholds according to the RREQ origins.The threshold is computed by using the  value of normal RREQs, as follows: where  is average  of normal RREQs and  represents standard deviation () of  of normal RREQs.In this paper, the threshold is set to  − 2 based on outlier detection, as mentioned in Section 3.1.If a RREQ's  is shorter than the threshold of the same origin, the RREQ is regarded as an attack packet and dropped immediately.Otherwise, the RREQ is regarded as a normal RREQ.

Threshold Updating Procedure.
In MANET, the mobility of the node can change the network topology.This may cause changes to the averages of TTH and .To resolve this, the proposed method is adapted to the changed topology by updating the thresholds.To collect normal RREQs on each node, let us assume that there are no wormhole attacks during the initial time interval just after establishing the network.
After each time interval except the initial time interval, the thresholds are updated using normal RREQs of each time interval.The "weighted moving average" method is used for updating the threshold, as follows: where  is the average TTH and  of normal RREQs,  is the current time interval, and  represents the weight of the current average.The  can be changed according to the network environment.In this paper,  is set to 0.5 because this value gives better results from 0 to 1 in our simulation environment.When the "weighted moving average" is calculated in our simulation, the computation time is less than 1 s.This shows that the "weighted moving average" method requires low computational resources and does not affect the MANET environment.

Simulation
We used the NS-2 Network Simulator to evaluate our proposed method.The MANET is assumed to be timesynchronized and constructed for pedestrian speed, because the node speed can be rapid only on a vehicle, and it is then difficult to construct a stable network.In the case of pedestrian speed, the network topology can be changed, but this does not happen frequently.In addition, the network topology is changed slowly, and the threshold updating procedure is performed periodically while changing the topology.In this situation, we established that the threshold updating procedure is performed every 10 seconds.Also, we do not here consider specific network congestion because consideration of such congestion is another research issue.Instead of considering the specific congestion, we simulated our proposed method using random network congestions.Every mobile node was placed randomly and moved according to a random waypoint algorithm [17].Other details of the simulation configuration are shown in Table 1.The values of these parameters were chosen through reference to other studies [18][19][20] on MANET.
To generate the wormhole attacks, we used the WARP method [16].In this method, the WRREQ and WRREP are presented and they refer to the RREQ and RREP in the wormhole tunnel.As shown in Figure 4, the wormhole tunnel was made by several tunnel nodes that executed a special protocol.After receiving an RREQ or RREP on the wormhole node, the wormhole node changes it into a WRREQ or WRREP, which are recognized only by tunnel nodes.In the To execute the attacker's counterattack, we designed the wormhole nodes to fabricate the starting time when the RREQ passed through the wormhole nodes.To reduce the TTH, the fabricated starting time could be calculated by comparing the elements of normal RREQs and those of attack RREQs.That is, we calculated the increased TTH value by fabricated hop count and reduced the TTH value by fabricating the starting time by as much as the increased TTH.Accordingly, the TTHs of attack RREQs were similar to those of normal RREQs.
The initial time interval should be short enough to guarantee that attackers are not in the system.In our simulation, we used 250 seconds as the initial time interval.Following the tradition of other research in this area, the performance of the proposed method was evaluated based on the average detection rate and average false positive rate.When an attacker executes a counterattack against the detection method, the detection rate is reduced from 95.0% to 33.3% and the false positive rate is increased from 6.7% to 11.3%.Hence, we confirm that a counterattack can be performed as we expected.For the purpose of comparison, we conducted simulations at various time intervals comparing TTM [5].This simulation result is shown in Figure 5 and Table 2.For all time intervals, the proposed method shows higher performance than TTM [5].Through these results, we validate that our wormhole detection method is also effective in detecting counterattacks.

Future Work
In the future, we will focus on measuring the detection ratio according to the change in the number of wormhole nodes and detecting the positions of the wormhole nodes.In this paper, we set the number of wormhole nodes at two and the proposed method detects only attack packets.Although, a wormhole attack using two nodes already presents a serious threat to MANET, it is also possible for attackers to increase the number of wormhole nodes.Thus, it is important not only to detect, but also to chase the wormhole nodes and catch the attackers.For these reasons, we intend to extend our proposed method.Additionally, we plan to consider specific congestion issues such as bottlenecks in MANET.

Conclusion
In this paper, we have described an attacker's counterattack against a transmission time-based wormhole detection method and proposed a counterattack-detection scheme using the RREQ's transmission time.In order to evaluate our proposed method, we simulated wormhole attacks, detection, and counterattacks, over varying time intervals.Through simulation, we have demonstrated a high probability that the proposed method will be reliable for detecting both wormhole attacks and counterattacks in MANET.

Figure 3 :
Figure 3: TTHs of collected RREQs after implementation of the counterattack.
is a node to inspect RREQ,  represents the arrival sequence number of the RREQ on node ,   represents RREQ's current arrival time on node ,   represents the RREQ's starting time at the origin, and   denotes the recorded hop counts of the RREQ on node .Using this feature in simulation, we confirm that the TTH of the attack RREQ is longer than that of the normal RREQ.The environmental setting is shown in Table1.Figure1presents the TTHs of normal RREQs collected during the target time interval.If this time interval includes wormhole attacks, then the TTH values of the RREQs collected during this time interval may look like Figure2.

Table 2 :
Detection rates and false positive rates.