Shapiro-Wilk Test to Detect The Routing Attacks In MANET

. In the last recent years, the number of wireless devices has been growing and the security challenges increases too. Mobile Ad hoc Network (MANET) considers as a part of wireless network that connects mobile devices by using wireless channels without infrastructure. MANET use specific protocols to ensure the connectivity and exchange data between the source and destination. Optimized Link State Routing Protocol (OLSR) is a table-driven protocol that keep the route to all destination at any times, unfortunately it can be affected by many active routing attacks that reduce its performance by dropping the exchange packets or stopping the forward of data. In this paper we present a new approach to detect any active routing attacks by using the concept of Shapiro-Wilk test. Our method of detection is easy to implement and does not require any modification in the standard version of OLSR routing protocol as we will demonstrate by NS-3 simulations the detection of Black hole, Worm hole and Node isolation attacks that consider as most known attacks in MANET. A real experience is done by creating a small ad hoc network that connect six wireless devices by using OLSR protocol and finally we detect the presence of an active routing attack by applying our proposed method.


2
MANET is constructed by wireless devices called by nodes without any fixed infrastructure. The main supposition considered in MANET is that all devices are trusted nodes. However, some of them can be malicious nodes and therefore can drop or stop forwarding the data packets to the destination node [1]. OLSR routing protocol considers as the most popular proactive MANET protocol thanks to its new concept MultiPoint Relay (MPR) which are selected nodes neighbors from 1-hop neighbor to reach 2-hop neighbor used for forwarding the data packets in the network [2]. In the other meaning, the MPRs nodes are selective devices that forward broadcast messages during the flooding process [3]. The basic idea of MPRs is to decrease the overhead of flooding messages by limiting redundant relays in the same area of the network. This mechanism reduces the network overhead compared to the classical flooding and make OLSR as well the most appropriate MANET routing protocol for high density. The assumption of trusted nodes and the transparence in OLSR algorithms for selection the MPR nodes, added to other constraints of MANET as mobility, infrastructure-less and energy consumption, all these factors make OLSR protocol more vulnerable to many attacks that reduce it performance. In literature, the MANET routing attacks are classified into two types, based on the nature of attack: passive and active attacks in follow we cite the difference between them [4]:  Passive attack is of eavesdropping in nature like passive listening of communication without any intervention, the attackers spy on the data exchanged in the network without modification. The detection of passive attacks is difficult because the routing protocol itself is not affected.
 Active attack is an attack which involves modifications or insertion of control or routing messages during communications. The active attack may decrease the efficiency of any MANET routing protocol by dropping or stop forwarding data packets to the destination. 3 In this paper we present new efficient method to detect any active routing attacks can affect the performance of OLSR routing protocol. Our proposed method reckons on Normality Test by using Shapiro-Wilk method [5] that considers as effeteness and powerful for the small number of sample size s (s ≤ 50) [6]. To test the effeteness of this method, we simulated OLSR routing protocol under three different MANET active routing attacks which are: The Black hole attack, the Worm hole attack and the Node Isolation Attack. According to our modest knowledge of the state of the art, this technique has not been used before for the detection of routing attacks in MANET. To test the effeteness of our proposed method in real environment, we create a small ad hoc network by connecting 6 wireless devices (three personnel computers and three smartphones) and we configure them to use OLSR as MANET routing protocol, we integer the Node Isolation attack that does not require more devices, the results obtained by our proposed method confirm the detection of this active routing attack in MANET.
The remainder of the paper is organized as follows: Sect. 2 present OLSR routing protocol followed by MANET active routing attacks in Sect. 3. Sect 4 simply surveys the related works. Sect. 5 introduces the basic idea of our proposed method of detection. Sect. 6 describes simulations and results, and finally Sect. 7 draws the conclusions.

OLSR routing Protocol
OLSR is a proactive routing protocol for mobile ad hoc networks, it uses the link state algorithm that calculates routes based on the cost of the path. In traditional link-state routing algorithms, each node broadcasts its direct links to its neighbors throughout the network, whereas OLSR minimizes the traditional flooding of control traffic by selective flooding using a node called a multipoint relay (MPR) to relay control messages ( Figure 1).
With this technique, only nodes selected as MPRs (nodes with gray color) are allowed to retransmit the periodic control messages necessary to maintain routes to all destinations in the network [7]. MPR nodes reduce the number of duplicate packets distributed on the network and only they are authorized to broadcast control messages, the other nodes use these messages to construct their global network vision. Each node selects its MPR from its symmetric set to achieve its neighbors with two hops [8].
The protocol is especially useful for large and dense networks, as optimization using MPR performs well in this environment. The higher the network, the more optimization can be achieved compared to the classical link state protocol. [9], [10].
Each node in the network selects a subset (MPR set) from the nodes in its 1-hop symmetrical neighborhood to cover all 2-hop symmetrical nodes. In other words, each node in the strict 2-hop symmetrical neighborhood of N (set of neighbors of the node) must have a symmetrical link to the MPR (N). In addition, the MPR set should be as small as possible to reduce the overload of control traffic.
OLSR can also optimize reactivity to topological changes by reducing the interval time of the transmission for the periodic control message. OLSR is intended to operate in a fully decentralized manner without any central 5 entity. The protocol does not demand reliable transmission of control messages: each node regularly sends control messages and can suffer a reasonable failure some of them. These losses occur in wireless networks due to collisions or to other communication problems. [3] In addition, OLSR does not require sequential message delivery. Each control message is associate with a sequence number that is incremented for each message. Thus, the receiver of a control message can simply identify the most recent information -even if the messages have been reorganized during transmission. Other pros for OLSR is supporting some protocol extensions such as sleep mode operation and multicast routing. These extensions can be introduced as additions to the protocol without breaking compatibility with older versions. OLSR does not need any changes to the format of IP packets. Thus, any existing IP stack can be deployed as it is: the protocol only interacts with the management of the routing tables. [3] OLSR follows the logic of link state routing, which can be divided into two main branches. The first step is discovering the neighborhood by exchanging information about the link state of each node. The second step is the dissemination of the topology and the construction of the complete routing table for each node in the network. To provide the two main functions, OLSR broadcasts regularly and mainly two control messages to inform the situation of the topology: the HELLO message that is diffused by all the nodes to define one and two hop neighbors, detect the position of the location (symmetrical or asymmetrical) as well as the choice of MPRs. The Topology Control (TC) message is distributed only by MPR nodes and shows the list of neighbors that have selected this node as MPR. Both control messages are using to generate the routing tables.
The next section presents the most knowns attacks that affect OLSR routing protocol specially in its performance of routing. 6

MANET Routing Attacks
MANET is more vulnerable than the wired network due to mobility of nodes and the way used to exchange of data packets and control packets, generally, they passed from the source to the destination via different intermediate nodes [11] that can be malicious nodes inside the network. OLSR routing protocol can be affected by many active routing attacks which reduce its performances, in following we present three main routing attacks have negative impacts on OLSR protocol:

Black hole attack
The topology of the network in OLSR protocol was built by the information received from both OLSR control messages: HELLO and TC messages. The attacker starts the Black hole attack by sending incorrect information in its HELLO messages that broadcast to its 1-hop neighbors, these messages inform that malicious node has a direct link with several nodes that not really exist. The second step of the attacker is being an MPR node, due to the transparency in the algorithms of MPR selection calculated by each node. When a malicious node has been selected as an MPR node from its neighbors, it can receive all routing data and control packet, unfortunately, this attacker drops or stop forward them to the destination [12]. Figure 2 presents the mechanism used by the black hole attacker in OLSR protocol to affect its performances. The second type of Black hole attack is the cooperative or multiple attack when two or more attackers collaborate between them by dropping or stop forwarding all routing messages received from these malicious nodes, each attacker send false HELLO message to its neighbors in order to be an MPR node, However the second attacker who ack as Black hole node and drop all received messages from the first attacker.
In our study we focus on the single Black hole attack that can implemented by each node in the network. 8

Node Isolation attack
Node Isolation Attack is a kind of service denial attack that concerns precisely OLSR protocol. Node Isolation Attack have main goal is shut off the communication of the target nodes with the other nodes which have a distance further than 2 hops away. The attacker in Node Isolation Attack do two technic for isolating any target node, the first way is deleting the IP address of the target nodes from 1-hop neighbor list that forwarded in HELLO message; in result, the neighbors that have 2-hop away from the target node cannot detect it present in the network [13]. The second technic for launching Node Isolation attack is done when the attacker becomes the only MPR for the target node, in this situation the malicious node stop generating and forwarding any TC messages for the target node and it will be isolated from the network. Figure 3   In the case of a node isolation attack, the attacker generally disconnects the target node from the network and makes it from being allowed to communicate with other neighbors [9]. The attacker can isolate the target node by deleting it IP address from HELLO message or hiding the victim node on the MPR selector set that send in TC messages.

Worm Hole Attack
In the Worm Hole attack, two attackers called by connivance nodes establish a virtual connection between them; the attack begins when the first attacker gets packets at one place in the network, and routes them through a tunnel to another location, and replay them from this point in the network. The virtual tunnel created between these colluding nodes is named as Wormhole Tunnel; however, in reality, these malicious nodes have distance longer than the normal wireless transmission range. The malicious nodes make the packets arrive in the Wormhole Tunnel with better metrics compared to normal multi-hop metrics [14]. With the use of a single long-range direction or a direct connection, the accomplice attacker creates the wormhole tunnel. Due to the broadcast nature of the wireless channel, it is also possible for a colluding attacker to create a wormhole path for packets not delivered to itself because it can hear and forwards them to the colluding attacker at the end of the wormhole. In the Wormhole attack, the position of the attacker must be very powerful relative to other nodes in the network to compromise the security of the network. Figure 4 presents an example of a Wormhole attack in MANET where nodes X and Y are the colluding nodes of the Wormhole Tunnel. In Worm hole attack, an attacker is listening secretly and behaves like a normal node, and at a certain point in time, it collects data and can leave the network. In most cases, all colluding nodes operate cooperatively and openly in a network [15].
The next section presents some previous work that develop MANET routing protocols to be more secure against these active routing attacks.

Related Work
The Black hole, the Worm hole and the Node Isolation attack are generally the most discussed attacks by researchers in wireless environments, and particularly in MANET environment. There are several methods that are designed to detect and mitigate the MANET routing attacks.
In the work [16] the authors presented four intrinsic properties of the OLSR protocol concerning control messages to be more secure against Node Isolation Attack, the first property is TC defined in the message TC must be 11 a subset of the HELLO message of the same source MANET node. The second property says that each node receives a TC message that presents itself as an MPR selector, the originator of the TC message must be near to this MANET node. The third property shows if a MANET node gets a TC message from its neighbors and notes that the TC message is presented as an MPR selector, this MANET node must have presented the sender of the TC message as MPR in its HELLO message first. Finally, the transmitter of the TC message must listen the same information as the TC messages which is transmitted by all its MPRs.
[9] suggest a fictitious node scheme for the detection as well as the prevention of certain network layer attacks such as the wormhole, the black hole as well as the gray hole attack, artificial nodes tend to operate at periodic intervals to verify the presence of any malicious node on the network. In same way, the authors examine the change in the number of fictitious nodes and the actual nodes in the network, this approach increases the surcharge of the network when there is a big number of nodes in the network.
The authors [17] proposed to use control message signatures to authenticate OLSR messages among network nodes. In this encryption system, a signature is provided by the originator of each OLSR control message and sends it together with a control message in the same message packet. The authors use the timestamp and match it to each signature to decide if the messages are recent or too old. This field avoids the duplication of messages previously transmitted and signed. When nodes have received a control message, it is required to check the timestamp and signature. If there are correct, the node addresses the message, otherwise it rejects the message and considers the original node as a malicious node. In this work, the authors define two methods of distributing the public key infrastructure (PKI), the first is proactive and aims to disseminate the public key to the nodes of the network, but the reactive method allows the nodes to request keys only when necessary.
The authors [18] proposed secure OLSR as a solution to prevent the standard OLSR routing protocol against network attacks such as wormhole attacks by protecting the discovery of neighbors, and the use of the wormhole 12 detection mechanism to defend themselves against this attack. This solution goes through three stages, on the one hand, by the detection of neighbors followed by the detection of wormholes and finally by the use of identity authentication, the authors present the theoretical analysis without any implementation, in addition, the proposed method uses additional messages for the exchange of identity authentication.
The authors [19] use the dummy node mechanism as a method where each node in the network checks whether a node isolation attack can be carried out through it. This technique prevents network nodes from sending false information about their neighbors and connectivity to other nodes by adding a fictitious node that does not exist in the network to avoid the attacker as the only MPR by applying the rules of contradiction designed to find an inconsistency between HELLO messages and the known topology.
In [20], the authors proposed a method allowing each node to check the accuracy of the HELLO message received from their neighbors at a hop before starting the MPR selection process. This method uses three extra control messages; to detect the malicious node, the three additional messages are the 2-hop request, the 2-hop response and NEQ (Node Exist Query). Each node uses these three additional messages to verify the presence of all the neighbors of the 2-hop node which are declared by their 1-hop neighbors; if a node is detected by the control messages, one or more nodes are not available by the other MPRs on the network, the authors prevent the node isolation attack.
the authors [21] proposed some modification in OLSR protocol, the first step star by using watchdog mechanism to monitor the neighbors, then they required authentication of the sender node by applying provable identity that calculates and update trust values of the corresponding nodes, finally, they add any mistrust node in a blacklist that regroups all nodes not able to be MPR. fuzzy Petri net (FPNT) is a proposed model suggested by [22], their mechanism evaluates trust values of mobile nodes by selecting a path with the maximum confidence value among all possible paths, an extended version of OLSR was developed using the proposed confidence model and the trustbased routing algorithm. [23] proposing a combined algorithm named by Jaya Cuckoo Search (JCS) algorithm, that 13 uses the Jaya algorithm and Cuckoo Search (CS) algorithm in order to initiate a secure route among the MANET nodes. They explain the of Jaya algorithm thanks to its powerful mechanism for optimization, whereas CS algorithm is a metaheuristic algorithm, whose goal is to speed up the rate of convergence with its single parameter value and is considered as a trouble-free optimization algorithm, this proposed technic is very complexed when there is a large number of nodes in MANET.
Other authors [24] have proposed a solution to detect the Black hole attack during communication in a VANET network, their method is based on a variable control chart in order to monitor the quality of a given process and to monitor in general the activities of network and finally they identify potential black hole attacks, the authors test the effeteness of their method by just one routing attack. [25] propose trusted agent-based lightweight surprise check for malevolent node detection in MANET. This method divided in three phases, the first one is Lightweight surprise that check manager detects the malevolent node based on node forward rate and secure and location of the node. the second step named by cluster phase where the clusters are elected nodes based on the residual energy and utility of neighbors, and finally the phase of mobile agent that is used for data communication among cluster head to destination.
The work [26] introduces a new selection algorithm for all MPRs to avoid malicious neighbors and select the more secure route by adding a new criterion called degree of routing, the authors add new control message called by acknowledgment Hello Message to verify the information of HELLO message. The proposed method can detect and prevent only Black hole attack.
The next section we will present the main idea of our proposed method to detect any active routing attacks, by using the concept of Normality test and by applying the Shapiro Wilk method. 14

Proposed work
In our study, we present a new approach to detect any MANET routing attacks by applying the Normality Test that used in other different domains mainly in statistics, the goal of the normality test consists of deciding whether a dataset is well modeled by a normal distribution or not and calculating the probability that a random variable underlying the dataset is normally distributed. In MANET lot of research suggest adding or modifying the routing protocols either by including other control messages or by employing prevention methods for detecting the attack.
Our approach for detection of the routing attacks suggests using the concept of Shapiro-Wilk [5] test in order to verify that the experimental distributions of the experiments are compatible with a particular theory distribution.
Shapiro-Wilk test, it is very successful and efficient for lower numbers of the sample size s (s ≤ 50) [27] . Some experts suggest the Shapiro-Wilk test as the best way to test the validity of the data. [28]. The benefits of our method are firstly we analyze just the results of the throughput metric in well-determined samples, also this method can detect any active routing attacks which stop or drop the routing packets and minimize the performance of throughput. In addition, our method does not request any modifications in protocol operation algorithms that means we save the same network overhead. The Shapiro-Wilk is based on the value of W which was determined as following: Most active routing attacks in MANET have been affected especially the performance of throughput due to many lost and dropped packets in the network. For this reason, we choose to analyze the normality of the throughput measurement, which is defined as the total number of bites received successfully by the destination in a given time.
All in all, the calculated results W of the throughput for different samplings s have two meanings: in our case :  If calculated W is bigger than , he test of normality is approved and there are no active routing attacks.
 If calculated W is lower than , the normality test is refused and we detect the existence of network attacks.
Our proposed method tests only if there is an active routing attack in the network with no action to eliminate it. The identification of active routing attacks in MANETs by the Shapiro-Wilk technique can be used as a simple way for any MANET routing protocol with no change in their algorithms in the same network overload. 16

Results and Analysis
This section evaluates the efficiency of our proposed method to detect the active routing attacks in MANET by using OLSR as routing protocol. In the first part we simulate 50 nodes under the effect of three routing attacks that vulnerable OLSR protocol these attacks are: Black hole, Worm hole and Node Isolation attacks. The implementation was realized by the Simulator Network (NS-3). ns-3 is a discrete-event network simulator for Internet systems, designed primarily to use in research and education. ns-3 is open-source software, licensed under GNU GPLv2, and is accessible to the public for research, development and deployment [29].

Simulation and results
To implement the normality test in MANET to detect the routing attacks , we simulated 50 nodes under Black Hole   Moreover, when the Worm Hole attack was launched in the network, we remark that W has been decreasing during all first 35 seconds, in this case, we reject the hypothesis of the normality and by the end, the detection of Worm Hole attack have been done in simple and efficient may. 22 The results of Shapiro Wilk for the throughput in MANET that affect by Black hole, Worm hole or Node Isolation attacks confirm their present in the network and by the end the detection of them without any modification on the protocol.
In the sext part of testing, we create a real MANET with wireless devices Which configure to use standard version of OLSR in their communication.

Case study
To test the effeteness of our proposed method for detecting the routing attacks in MANET. We create small ad hoc network by using six wireless devices that composed three personnel computers and three smartphones. All These MANET devices are connected by wireless channel without any access point. Figure 8 shows the topology created in real environment. In addition, we configure all nodes with OLSR routing protocol to ensure the connectivity between them. The routing attack chosen in this analysis is Node Isolation Attack that can launched in small density contrary to Black hole and Worm hole which required more other devices to affect the network. we fixed all devices in their positions without any movement and we select the white PC as attacker because we have the possibility to change OLSR in its algorithm to isolate the target node, in our case is the circler smartphone, this latter has one MPR in it routing table which is the attacker.
Two scenarios are simulated in this real case study, the first one test the performance of ping command without attack where the destination node is the target smartphone. In the next step we calculate the throughput of the network reckons on the results of ping command then we choose the first 35 samples for checking the Shapiro Wilk test.
In the second scenario we save the same topology and configuration but we integer the Node Isolation attack in white PC to isolate the target smartphone; after that we test the connectivity to reach the victim node with ping command. Figure 9 and   For the second scenario the OLSR routing protocol have been modified in the attacker device to isolate the target smartphone, this attack is done by sending false HELLO messages that remove the IP address of the victim, these messages are generated by the attacker and forwarded to its neighbors. When we check the routing table of other devices, we remark the absence of any entry for the target node, by the end it become isolated from the network.
The W calculated for the 10 first samples of throughput has less value compared to the critical W referenced in the Shapiro Wilk table [5]. The same result is shown in 15 samples, in the other hand the W calculated becomes increasing in the 20 and 25 samples but its have values less than 0.3, after that we show a reduce value for 30 and 35 samples, and by applying the hypothesis of normality test in Shapiro Wilk, we detect the presence of active routing attack that affect the throughput of MANET, in this experience is the Node Isolation attack 26

Comparative study between existing solutions
This part of section presents a comparative analysis of previous solutions that detect some active routing attacks. Table 2 compares the different solutions with their strategies used for the detection in OLSR routing protocol.   The technic used by Black Hole attack in OLSR.