Analytical Termination of Malicious Nodes (ATOM): An Intrusion Detection System for Detecting Black Hole attack in Mobile Ad Hoc Networks

The decentralized administration and the lack of an appropriate infrastructure make the MANET prone to attacks. Attackers exploit the vulnerable characteristics of the MANET and its underlying routing protocols such as AODV, DSR etc. to disrupt the data forwarding operation. Hence, the routing protocols need mechanisms to confront and tackle attacks by intruders. This research introduces a novel host-based intrusion detection system (HIDS) known as analytical termination of malicious nodes (ATOM) that systematically detects the black hole attack, one of the most significant attacks that affect the performance of the AODV routing protocol. ATOM IDS performs detection by computing the RREP (Route Reply) count and the packet drop value for each individual node. This system has been simulated in NS2 over the AODV routing protocol with black hole nodes present, and the resulting simulation scenario has been generated. The trace obtained shows a colossal increase in the packet delivery ratio (PDR) and throughput. The results prove the efficacy of the proposed system.

disaster relief operation, military based operation, emergency situations etc. as they are open to swift adaptations on demand. The entire MANET communication is built upon on-demand routing protocols such as AODV, DSR, DSDV etc. MANETs are devoid of a centralized administration, and the infrastructure-less nature of the network leaves it open to several attacks by intruders. The lack of a security mechanism in the AODV protocol paves the way for intruders to directly exploit the vulnerabilities of the routing protocol. Attacks on the network layer's routing protocol [2][3][4] compromise the nodes and their ability to deliver the packets to the intended destination. In the AODV protocol [5], the route discovery procedure is initiated when the source node broadcasts a route request (RREQ) to the neighboring nodes within its communication range in search of a destination. The source waits for a specific time period for the route reply (RREP) from the intermediate nodes and resends the RREQ once the former RREQ times out. The RREP is sent not only by the nodes that legitimately recognize the destination mentioned in the RREQ packet but also by malicious nodes that intentionally send a false RREP even though they are unaware of the location of the destination. In accordance with the AODV protocol, the RREP packet from the node with the highest sequence number is taken to carry the freshest route to the designated destination.
The intrusive black hole attack [6] is a perilous attack in which malicious nodes degrade the entire network by advertising a fake fresh route to the destination: they send a RREP with a massively high destination sequence number and thereby draw the data packets towards themselves, disrupting service by dropping those data packets instead of forwarding them. The AODV protocol cannot distinguish between authentic and malicious nodes because it cannot verify the legitimacy of the RREP. The intermediate malicious nodes that intentionally fake the RREP are also treated as trusted nodes by the AODV protocol, which directly leads to a decrease in the packet delivery ratio. To tackle this vulnerability of the AODV protocol, numerous intrusion detection systems have been developed to detect, prevent and punish the misbehaving nodes. The immediate reaction of any decent intrusion detection system is to exclude the detected malicious node from the ongoing communication. In the host-based intrusion detection system (HIDS), every node in the network acts as an IDS by monitoring the data traffic flowing through it. Watchdog is the most prominent intrusion detection system that runs over the DSR protocol. It is a monitoring mechanism that watches its neighboring nodes and detects any deviation in the behavior of those nodes by overhearing the packet forwarding process. However, the watchdog IDS is compatible only with the DSR protocol and isn't feasible for the AODV routing protocol.
In this paper, we propose a host-based intrusion detection algorithm, ATOM (Analytical Termination of Malicious nodes), that is designed solely for the AODV routing protocol so as to counter the adverse consequences of intruding malicious nodes that attack the susceptible features of MANET. ATOM runs on every node and monitors the node's route reply count and the subsequent packet drop values. ATOM increments the RREP count for every node in its previous hop node's routing table and monitors the corresponding packet delivery status for that node. If a node exhibits abnormal behavior during detection, then the node is a malicious imposter posing as a legitimate node in the route discovery process.
The malicious node is then isolated and discarded from participating in the routing procedure and no further RREPs from that node will be acknowledged by its previous hop nodes. Thus the security feature of the AODV protocol is strengthened by reducing the packet loss and eliminating the intruders in the network. Hence, our proposed system leads to an increase in the packet delivery ratio and throughput.
The rest of the paper is organized as follows. Section 2 addresses related works, Sect. 3 introduces the system ATOM, an IDS for MANET, Sect. 4 describes the simulation environment and result analysis, and the final section concludes the research paper.

Related Works
Marti et al. [7] proposed an IDS watchdog and path rater scheme for securing MANET from packet dropping attack. This scheme looks over its next hop neighbor node's transmission, and increments the suspicious count when a monitored node fails to forward its received packet intended for other destination. System will alarm if the suspicious value exceeds the threshold limit. Path rater avoids routes that contain malicious nodes to perform secure routing operations.
Buchegger et al. [8] proposed a routing protocol CONFIDANT with four modules: monitoring system, reputation system, trust manager and path manager. Each node monitors its neighbor nodes for updating the reputation value of overhearing nodes and performs the routing operation accordingly.
Hassan et al. [9] proposed specification-based intrusion detection for AODV to regulate the routing operations. Using a clustered network monitoring selection algorithm a network monitoring node (NM) is elected to monitor the exchange of RREQ and RREP messages. The NM node will ensure the integrity of Routing messages to perform the routing operations.
Shakshuki et al. [10] proposed an acknowledgment-based ID for MANET-Enhanced Adaptive Acknowledgment (EAACK). DSA and RSA algorithms have been used for authenticating the exchange of acknowledgement packets to overcome the several network layer attacks.
Su [11] proposed IDS for mitigating black hole in MANET by evolving the suspicious value of a node. The abnormal difference between the RREQ and the RREP of a node will be considered for the evaluation of this suspicious value. If the suspicious value reaches the threshold value, nearby IDS will broadcast the block message to every other node to block and isolate that node from the network.
Raj et al. [12] proposed a protocol DPRAODV which defends against black hole. If the RREP's sequence number of a reply packet is greater than that of the threshold value computed by Detection, Prevention and Reactive AODV (DPRAODV) then that node will be suspected as malicious.
Rajeswar et al. [13] proposed GNB-AODV for detecting black hole nodes with fixed deployed guard nodes. The guard node maintains a packet monitoring table (PM) and a malicious node table (MN) for updating the node's behavior during the route discovery procedure of AODV. All the RREQs of overheard nodes are logged in the PM table and the trust value is evaluated in the MN table. According to their proposed method, a node which didn't broadcast any RREQ but forwards a RREP to the specific route is treated as an anomaly, and the trust value of that node is decremented. If the trust value falls below the predetermined threshold value, the guard node alerts the nodes within its range to isolate that node from the network. This information is updated in the black listed table owned by a normal node.
Sivanesh and Dhulipala [14] proposed an IDS Accurate and cognitive intrusion detection system (ACID) for detecting black hole attack. Parameters like destination sequence number and route reply count are considered for the evaluation of Black hole node. ACID detects the highly fabricated sequence number of AODV messages and compares them with the route reply count. If a node's RREP count and its difference of DSN exceed the threshold limit, ACID confirms that node as a malicious black hole and discards RREP.

Proposed System
The AODV routing protocol initiates the route discovery procedure on demand in search for a destination node with the aid of three control packets namely RREQ, RREP and RERR [6]. In MANET, every node maintains a routing table which constantly updates the information regarding the destination sequence number, hop count, network address etc.
The source node broadcasts a RREQ to its nearby neighbor nodes awaiting a RREP in return to its request. The intermediate nodes that receive the RREQ examine its own routing table regarding the sequence number information related to the destination. If the sequence number in the routing table for the corresponding destination in the incoming RREQ packet is higher than the one specified by the source node, then a RREP is unicast back to the originator of the Route Request. The malicious node poses as an intermediate node and allures the data packet to be forwarded through the path in which it is present by forging the RREP packet providing it with a high sequence number. Several Intrusion Detection Systems were developed in the past to reduce and eliminate the negative impact of malicious nodes on the MANET.
ATOM is a host-based IDS that accurately discovers those malicious nodes with the aid of evaluation metrics such as Route Reply Count (RREP COUNT) and Packet Drop (PD). A malicious node sends a RREP whenever a RREQ is sent to it, irrespective of whether it knows the location of the destination node. Hence, the route reply count of a malicious node will always be high when compared with an authentic intermediate node. Taking advantage of this factor, we add an RREP COUNT field to the routing table of every node to record the total number of RREPs sent by that node. The node increments the RREP count in the routing table whenever it responds to a RREQ from the source node.
A threshold value is preset, and if the RREP count for a node exceeds the threshold limit after an increment, then that node's behavior is flagged as suspicious. The RREP count of authentic nodes that actively take part in the routing operations is also incremented in the routing table, and these nodes are likewise flagged as suspicious upon surpassing the threshold limit.
In order to avoid an increase in the false positive rate and to resolve the uncertainty about actively responding legitimate nodes marked as suspicious through the increment of RREP COUNT, the corresponding packet drop value for all the nodes in the routing process is considered. The ATOM algorithm overhears the receipt status of the packets sent to its neighboring nodes and the packet drop value, and calculates the ratio between the packets forwarded and dropped by that node. If the ratio between the total number of packets forwarded by the node and the total number of packets sent to that node is less than the ratio of the total number of packets dropped to the sum of packets dropped and forwarded, then the node has intentionally dropped packets in addition to the loss of packets due to collision.
The nodes that have intentionally dropped packets and the nodes that were deemed suspicious through the RREP COUNT procedure are cross-correlated by the ATOM IDS to check for malicious behavior. If the RREP COUNT has surpassed the threshold limit for a node and its corresponding packet drop value is significantly high, then the node is marked as a malicious node.
The packet drop value for the legitimate nodes actively involving themselves in the route discovery procedure will be low in comparison with the intentional malicious packet droppers and hence the false positive rate in our proposed system can be overcome with the aid of packet drop parameter. Further, the nodes that are condemned as malicious are excluded from associating themselves with any route discovery related operation. By doing so, the packet delivery ratio and throughput of the AODV is vastly improved with an immense decrease in the packet loss count of each node. Figure 1a shows the block diagram of the proposed system ATOM followed by pseudo code.

$$\frac{\text{Packets forwarded}}{\text{Packets forwarded} + \text{Packets dropped}} < \frac{\text{Packets dropped}}{\text{Packets forwarded} + \text{Packets dropped}}$$

Fig. 1 Block diagram of proposed ATOM
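The detection rule described in this section can be sketched as follows. This is an added example, not the authors' pseudo code: the class and method names, the threshold value of 5 and the packet counts in the trace are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

RREP_THRESHOLD = 5  # assumed value; the paper does not state its threshold

@dataclass
class NeighborEntry:
    rrep_count: int = 0  # the extra RREP COUNT routing-table field
    forwarded: int = 0   # packets overheard being forwarded onward
    dropped: int = 0     # packets sent to the neighbor but never forwarded

@dataclass
class AtomMonitor:
    """Runs on the previous-hop node and tracks each neighbor (hypothetical API)."""
    table: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def _entry(self, node):
        return self.table.setdefault(node, NeighborEntry())

    def on_data(self, node, was_forwarded):
        e = self._entry(node)
        if was_forwarded:
            e.forwarded += 1
        else:
            e.dropped += 1

    def drops_intentionally(self, node):
        e = self._entry(node)
        total = e.forwarded + e.dropped
        if total == 0:  # nothing observed yet, so no evidence of dropping
            return False
        return e.forwarded / total < e.dropped / total

    def is_malicious(self, node):
        # Both conditions must hold: RREP count over threshold AND high drops.
        over = self._entry(node).rrep_count > RREP_THRESHOLD
        return over and self.drops_intentionally(node)

    def on_rrep(self, node):
        """Return True if the RREP is accepted, False if it is discarded."""
        if node in self.blacklist:
            return False
        self._entry(node).rrep_count += 1
        if self.is_malicious(node):
            self.blacklist.add(node)  # isolate: ignore its future RREPs
            return False
        return True

def run_constructed_trace():
    # Constructed trace: node -> (RREPs sent, forwards, drops per accepted route)
    profile = {"B": (8, 5, 1), "M": (8, 0, 4), "C": (2, 1, 3)}
    mon, accepted = AtomMonitor(), {n: 0 for n in profile}
    for node, (rreps, fwd, drop) in profile.items():
        for _ in range(rreps):
            if mon.on_rrep(node):
                accepted[node] += 1
                for _ in range(fwd): mon.on_data(node, True)
                for _ in range(drop): mon.on_data(node, False)
    return mon, accepted
```

In the constructed trace, B is an active legitimate node that exceeds the RREP threshold but forwards most traffic, C sits on a lossy link but replies rarely, and only M meets both conditions and is isolated.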

Performance Evaluation
The analytical detection and the performance of ATOM have been evaluated in the NS2 [15] environment, and the simulation specifications are listed in Table 1. The simulated MANET comprised 50 mobile nodes, and 5 diverse scenarios were simulated in NS2, where each scenario dealt with a varied number of malicious nodes such as 5, 10, 15, 20, 25 and 30. The evaluation metrics of ATOM such as PDR, packet loss, throughput and routing overhead are compared with those of the AODV routing protocol infested with black hole nodes. A total of 12 communications took place and the
Fig. 2a-f Packet delivery ratio (PDR) of ATOM and AODV with black hole of 5, 10, 15, 20, 25 and 30 malicious nodes.
Figure 2a-f clearly indicates that the proposed system ATOM has a greater PDR than the existing AODV protocol. ATOM with 5 and 10 malicious nodes delivers packets 50-60% more efficiently than the existing AODV protocol, and shows a 40-50% increase in the packet delivery ratio when the malicious node density is 15, 20, 25 and 30.
Fig. 3a-f Packet loss of ATOM and AODV with black hole of 5, 10, 15, 20, 25 and 30 malicious nodes.
Figure 3a-f depicts that ATOM has a lower packet loss when compared with the existing AODV protocol. ATOM shows that with 5 and 10 malicious nodes the packet loss value dropped to 60-70% more than the existing AODV protocol, and a 40-50% decrease in the packet loss value when the malicious node density was fixed to 15, 20, 25 and 30.
Since the ATOM IDS discards the Route Reply (RREP) packets of the malicious nodes, the source node re-initiates the route discovery procedure, which consequently leads to an increase in the total number of control packets sent during the communication period. Figure 5a-f shows that the proposed system ATOM has a greater throughput when compared with the existing AODV protocol. The throughput of ATOM with 5 and 10 malicious nodes is 50-60% more efficient than the existing AODV protocol, with a visible 55-65% increase in the throughput of ATOM when the malicious node density is 15, 20, 25 and 30.

Conclusion
In this paper, we have developed an IDS Analytical Termination of Malicious nodes (ATOM) for Detecting Black Hole attack in Mobile Ad hoc Networks. Based on the analysis of various simulation scenarios, it is evident that results validate the efficiency of the proposed system ATOM on detecting black hole nodes with increased PDR and throughput.

Declarations
Informed consent This article does not contain any human participants in the study.