An Efficient Algorithm for the Detection of Exposed and Hidden Wormhole Attack

MANETs (Mobile Ad Hoc Networks) are slowly integrating into our everyday lives, their most prominent uses are visible in the disaster and war struck areas where physical infrastructure is almost impossible or very hard to build. MANETs like other networks are facing the threat of malicious users and their activities. A number of attacks have been identified but the most severe of them is the wormhole attack which has the ability to succeed even in case of encrypted traffic and secure networks. Once wormhole is launched successfully, the severity increases by the fact that attackers can launch other attacks too. This paper presents a comprehensive algorithm for the detection of exposed as well as hidden wormhole attack while keeping the detection rate to maximum and at the same reducing false alarms. The algorithm does not require any extra hardware, time synchronization or any special type of nodes. The architecture consists of the combination of Routing Table, RTT (Round Trip Time) and RSSI (Received Signal Strength Indicator) for comprehensive detection of wormhole attack. The proposed technique is robust, light weight, has low resource requirements and provides real-time detection against the wormhole attack. Simulation results show that the algorithm is able to provide a higher detection rate, packet delivery ratio, negligible false alarms and is also better in terms of Ease of Implementation, Detection Accuracy/ Speed and processing overhead.

Similarly the routing protocols that are built for MANETs were also based on the assumption that all nodes are honest and hence the section of security was overlooked. Because of the ease of access and absence of prominent network boundaries everyone can eavesdrop on the wireless communication, and may start some malicious activity.
MANETs are vulnerable to a number of attacks. In some of the attacks more than one attacker combine/synchronize their actions to launch some attack on a network e.g. Black hole, Sybil, Wormhole etc. Some of the attacks cannot be put under one classification category and their effects are scattered across many dimensions. These attacks can be a foundation point for other severe attacks and also can launch a number of different attacks. The range of possible malicious activities is quite large; however we are focusing on one particular of attack in the area of MANETs known as the Wormhole Attack.
In this paper a new architecture is proposed which is an enhanced version of our previous work [1]. We have tried to eliminate the limitations from our previous work and also upgraded it to cover all types of the wormhole attacks. In the new algorithm there is no longer any need to pass encrypted packets for wormhole confirmation. We are now able to detect both kinds of wormhole attack i.e. Hidden as Well as exposed attack. Although our previous work has also been proved to be quite effective and better than most of the published techniques in literature by independent researchers. Gauri, et. al. [2] have taken our algorithm and implemented it in NS3 as compared to our NS2 implementation, they proved that our technique provides ease of deployment,better detection accuracy and more real-time detection.
In a wormhole attack; two far apart nodes separated by many hops; combine their actions in such a way that they appear to be one hop apart to other nodes, as in Fig. 1. Since the path passing through the malicious nodes appear to be shorter; eventually all the network traffic get diverted through this path. Now this becomes an alarming situation in which the colluder nodes are in control of the whole network traffic and have the ability to cryptanalyze (if traffic is encrypted), shape, divert, drop or selectively drop the network traffic. Because of the possible malicious activity a wormhole type structure is forbidden an ad-hoc network otherwise the colluder nodes seems to be providing a very useful service by offering a shortest path. The severity of wormhole attack increases by considering the fact that it can be launched on networks where the traffic is even encrypted. It can also be launched against each and every type of protocol with the same severity level.

Types of Wormhole Attack
The wormhole attack can be launched in two modes, a hidden wormhole and an exposed wormhole. As the name suggests, in a hidden wormhole the attackers are not visible to normal network nodes. Whereas in an exposed wormhole attack the attackers are visible to the normal network nodes and appear in routing information. " Hidden Wormhole" nodes do not leave their trails in routing queries; instead there are other legitimate nodes which appear to be used excessively in links.

Effects of Wormhole Attack
The effects of wormhole attack have been explained in detail in our survey paper [3]. Some which are as follows but not limited to: • Allows the attacker to:  Following are the techniques that use the Round Trip time for the detection of wormhole attacks present along a path.

BACKGROUND AND RELATED WORK
Song, et al. [5] proposed a three step based wormhole detection scheme. It is an RTT based scheme which comprises of responses comparisons from different nodes along the path.
Raju, et. al. [6] proposed an avoidance technique based upon average RTT. It is not aimed towards identification or detection of intruders.
Simsek, et. al. [7] proposed a distributed approach which considers nodes' neighbor densities and standard deviation to identify abnormality in the behavior. The algorithm can detect exposed wormhole but not the hidden wormhole.

PROPOSED METHODOLOGY
As depicted in our previous work [1,3], there are not many solutions of wormhole attack present in literature which try to handle both the hidden as well as the exposed wormhole attack. Hereby our aim is to propose a technique that can effectively detect both kinds of wormhole attacks.
The aim of our technique is to detect the wormhole attack in the easiest possible way. We are also eliminating the need of any extra hardware requirements. The proposed solution is free from fixed timing constraints or time synchronizations. We are avoiding the complex calculations of the location identification algorithms which are used for the detection of wormhole attacks.
Here we are proposing a slightly modified algorithm from our previous Exposed Wormhole detection algorithm [1] to remove the requirement of encrypted traffic. However the applicability of our algorithm [1] has been verified by independent researchers [2]. They [2] have compared our algorithm to a number of other techniques and found it more lightweight, robust, low resource intensive and provides more real-time detection. We make the assumption that we have a homogeneous network in which all normal/legitimate nodes have same transmission ranges and powers. We will be detecting the wormhole by considering the following facts: (1) A wormhole link will be present in more number of paths in the routing table of an infected node e.g. Consider Node-12 and 13 from Table 1 and   (2) The signal strength received from a wormhole node will not be of the order of a normal node. i.e.

FIG. 2. MAIN BLOCKS OF DETECTION ALGORITHM
it will be higher than normal nodes.
(3) For an infected path, the Round Trip Time will be either larger than normal RTT or it will be very much lower, given the relation between the signal strength and RTT.

Detection Parameters
We are proposing a state of the art technique in which we will take into the account the RSSI and the RTT for the detection and identification of wormhole attackers.

Received Signal Strength Indicator
Researchers in [17][18][19][20] all uses RSSI for location estimation and/or malicious activity detection in their research. It is the voltage received by the receivers' circuit [17]. It can be said as the measured power received and which is calculated by squaring the magnitude of the received signals' strength. We can easily calculate RSSI upon the reception of data without any burden or overhead on the hardware, node energy or network bandwidth.
As the distance among the nodes increases the RSSI decreases [18], using this feature of RSSI is the main theme of our algorithm.
Given two antennas, the signal strength received is given as [19][20]: Where G t and G r are the antenna gains of the transmitting and receiving antennas respectively, lambda is the wavelength, and R is the distance between the antennas.
RSSI has been used in security solutions [20] for WSN, but it hasn't been used in MANET and especially for the detection of wormhole attack.

Round Trip Time
RTT or Round Trip Time is the measure of the time taken by a packet from a source node to a destination node and from the destination back to the source node [21]. It is the length of time it takes for a signal to be sent plus the length of time it takes for an acknowledgment of that signal to be received.
RTT is dependent upon data transfer rate, route delays, node delays, medium and number of hops between source and destination. RTT has also been used in a number of attack solutions in literature, but the problem with RTT is, that it is not sufficient alone for the detection of wormhole attack.

RSSI vs Distance between Nodes
The signal propagation model [22] states that RSSI (S r ) is This means the greater the distance (d sr ) between the two nodes; the lower will be its RSSI (S r ) Similarly, RTT of a packet is directly proportional to the distance (d sr ). An increase in the distance will generally mean an increase in the RTT.
RTT i α d sr (5) In case of a wormhole free network if i is nearer than j, then the following two equations must hold: RTT--RTT-> Δ RTT (7) Where "Δ" is the error factor in calculations due to any sort of inconsistencies in the signal propagation.
According to Equations (6-7), in a homogeneous network, the RTT of a one hop link will be inversely proportional to its RSSI. This means the nearer the node, the lower will be its RTT and higher RSSI, and vice versa [18].

Working of the Algorithm
Looking at the exposed wormhole attack, we can see that a malicious path is advertised (that exists between the colluder nodes), and all the normal nodes are forced to make all their routes using this malicious path. Thus, the entries in the routing tables of nodes will include entries of the malicious nodes as well.

Detection Methodology
Some of the routing protocols store full path from source to destination in routing tables of each node, however, for others which do not save full path, we have proposed a slight modification in the routing table that will help in the identification of malicious links [1].
The slight modification for some protocols is to store the full path from source to destination in routing The main idea here is that any link that is advertised by or consisting of the mischievous nodes will have a relatively higher usage ratio as compared to normal links e.g. Node 12 and 13 in Table 1. We are aiming to find those links for the detection of "Exposed" Wormhole attack e.g. Fig. 3.
This is because in a wormhole free network it is very much unlikely for the same links to have higher usage ratio in routing tables of a node and all of its neighbors. A flow diagram shows the steps of the exposed algorithm in Fig. 4. We also assume that more than one node cannot be placed such that the same link will get a higher usage percentage for all nodes.

Link Usage Calculation
Whenever the routing table is updated, the algorithm gets if Usage i > k * (max (Usage j )) => Suspicous (7) Where max (Usage j ) represent the maximum value of link usages in the set of links excluding the link i (i.e. Usage i ) and "k" is fine tuning factor.

FIG. 4. FLOW OF EXPOSED WORMHOLE DETECTION
"k" is a factor that can be adjusted to fine tune the difference of percentage between normal and malicious links usage. If the percentage usage of a particular link is greater by a factor "k" from the maximum usage percentage of all other links we are suspecting a wormhole on that link. Table 2 shows link usage percentages for paths in the routing table of Node-0 in Fig. 3, usage for path from node-12 to 13 being clearly ahead of every other link.

RSSI Based Detection
Once a suspicious link is identified, we need to confirm whether it is a real intruder link or the geographical locations of the suspicious nodes make it look like a wormhole link. To do this confirmation we have proposed a simple yet efficient solution that involves usage of RTT and RSSI calculations.
Having made the assumption that we have all homogeneous nodes, the possibility of internal node option of wormhole is limited to only the encapsulation mode. This is because of the fact that no node will be able to create a link longer than one hop length. To create a wormhole intruders need to advertise a path that offers an improvement more than just one hop length, in that case they will need to use encapsulation in order to advertise a more attractive path.
The combination of RTT and RSSI opens up another option in the detection methodologies of wormhole attack.
RSSI is a feature that is available with every packet received and if used efficiently can help in detection of malicious activity [18]. It is already being used in the detection of various other wireless attacks [20]. RSSI is a ranging technology which needs little communications overhead, low implementation complexity and is also inexpensive [22].
For a link that is infected by a wormhole, Equation (6-7) will not hold. The reason behind this is that in case of an infected link RTT is being calculated for a link that in reality is not a one-hop link e.g. Node 0 to 7 in Fig. 7. This is because the existence of wormhole nodes (Node 12 and 13) will make it multi hop link and hence its RTT will increase automatically. On the other hand the RSSI for the infected link will also be higher because it will be calculated for a packet that has been received from a nearby node (Since the node (12 or 13) was not visible to normal nodes). We are utilizing this fact to identify the links that are infected by a wormhole.
In case of hidden wormhole identification only the one hop neighbor circle is enough for identification where as in case of exposed wormhole we need to calculate RTT and RSSI for the whole Path from source to destination.

Wormhole Confirmation
For a node (k) if the RTT of a neighbor (j) is greater than the maximum of RTT of all other neighbors; the RSSI of the neighbor (j) should be less than the minimum RSSI of all the other neighbors within an error band "Δ". "Δ" is the error factor in calculations due to any sort of inconsistencies in the signal propagation.

An Efficient Algorithm for the Detection of Exposed and Hidden Wormhole Attack
To have a clearer picture of the wormhole detection procedure, consider a simplified scenario, where we assume that node-12 and node-13 are the attackers in a hidden wormhole attack as in Fig. 7. Node-0 is connected to node-7 through a hidden wormhole link created by node-12 and node-13. Node-12 and node-13 are not visible to any other node in the network. Since node-12 and node 13 does not appear in the routing information, node-0 and node-7 will assume themselves as one-hop neighbors.
Node-0 and node-7 will not be correct geographical neighbors but still they will be advertising one another as one-hop neighbors (due to the hidden wormhole).
Therefore, normal nodes will add them to their routes because the path passing through node-0 and node-7 (and hence wormhole path) will be the shortest, resulting in higher usage ratio of link between node-0 and node-7.
The block diagram of the detection procedure is given in Fig. 5.
Looking at Fig. 7, node-0 will see five normal nodes as its one-hop neighbors whereas in reality only four of them are its genuine neighbors. The challenge here is to correctly identify the path of the node which is not a genuine neighbor.
Node-0 will calculate RSSI and RTT for all of its neighbors and will store them. Now this list can be used for the detection of hidden wormhole. Each entry of the list will be evaluated according to Equation (6) and accordingly the RSSI and RTT of node-7 will not be according to the relation in Equations (6-7), because the actual communication distance between source and destination will be very small (i.e. because node-0 will be receiving traffic from a very much nearby node-12). The RSSI will be high and at the same time the RTT is also going to be quite high as compared to other neighbors of node-0. Therefore the link that points towards node-7 will be identified as a hidden wormhole infected link.
Although we have mentioned the hidden and exposed wormhole detection procedure separately, they run in tandem with one another and from code perspective there is very little separation between the two. A pseudo code of the whole system is given in Algorithm, Fig. 6 to explain the complete algorithm. A block diagram Fig. 2 shows the different blocks of the detection algorithm.

EXPERIMENTAL PROCEDURE AND TESTING
We have carried out the simulations using NS2 (version 2.35) network simulator. The mobility scenarios are generated by a Random way point model. The numbers of nodes tested in a terrain area of 1000x1000m are between 8 and 50. Each simulation was done for 100 seconds. Different scenarios based upon the Attraction and Strength of the wormhole were tested.
Attraction: It is measure of the reduced number of hops that the wormhole offers, e.g. if a normal path may be 10 hops long and the wormhole path is only 3 hops long, then the attraction will be 7.

Strength:
It is the number of paths that are passing through the wormhole link.
Based upon our simulations and their results we have identified three different kinds of nodes, because of their relation to the wormhole attack.

Wormhole/Intruders/Attackers:
The goal is to identify these nodes and we have been able to detect them quite successfully in case of "Exposed Wormhole" and in case of "Hidden Wormhole" the links have been identified.
Since NS2 doesn't allow nodes with different transmission ranges. We had to customize NS2(2.35) to accommodate the special type of wormhole nodes that are able communicate over a larger distance (1000m) as compared to the normal (250m) of the normal NS2 nodes.
First we conducted experiments to calculate the RTT and RSSI individually with and without wormhole attack to verify the validity of our proposal.
For the RTT we created two nodes that were directly connected to one another and calculated the RTT for a simple packet transfer. The Average RTT for normal nodes was found to be around 4.5 milliseconds. Then we introduced two hidden wormhole nodes in between them and calculated the average RTT. As expected now the average RTT was a lot higher and found to be in multiples of the average RTT of normal one hop.
In real scenarios the RSSI may not be uniform in all directions because of the differences in interferences in the different directions. However NS2 doesn't take into account these interferences and hence the RSSI part was straight forward, the RSSI received at the receiver end was of the order of the senders' transmission power and its distance. If the node was a normal NS2 node, its RSSI at the receiver was lower and was higher for the customized nodes with higher transmission power.

Results
Two nodes were set up as malicious nodes by making their transmission power higher, this way they were able to communicate with one another from a longer distance.  Table 3 and Fig. 9.
PDR as calculated by sending a fixed number of packets from source to destination. Averages were calculated and it was found that PDR was around 98% in cases where there was no wormhole present in the network, it will drop up to 50% on average once wormhole attack is introduced. After deployment of the detection algorithm the PDR will again rise up to around 90% proving the effectiveness of the proposed architecture. Table 4 and Graph in Fig. 9 shows the PDR for different cases.

Theoretical Comparison
The proposed architecture offers the following

Ease of Implementation
This parameters takes into consideration the amount of effort or the Hardware required to get our technique into action. The proposed technique only requires addition of an extra column in the routing table that will contain full path from source to destination. In [12] there is a need for the GPS Hardware in order to be able to find the coordinates of each node. In [4] we may need extra hardware/software for the tightly synchronized clocks to limit the packet traveling ability for the time based leashes.
In case of distance based leashes we may need GPS Hardware. In [15] the packet size may extraneously increase for lengthy paths. In [16] we need customized hardware for the processing of their challenge response detection scheme, in addition there is also a requirement of tightly synchronized clocks. From the above discussion it can be easily concluded that our proposed technique provides the most easy implementation without any extra hardware/ software or clock synchronization.

Detection Accuracy
The proposed technique offers the detection accuracy as compared to [4,15] which relies on the limiting the packets traveling capability and may cause legitimate packets to be dropped after the capped interval (timebased or distance-based) [15] suffers from the problem of false alarms.

Minimal Overhead
The proposed architecture has a minimal overhead, just the modification of routing

Detection Speed
The proposed technique is the best of all in terms of realtime detection of the wormhole. The wormhole will be detected as soon as the attackers tries to integrate themselves into the network. on the other hand [4,[15][16] are more of the type of avoidance algorithms as compared to our detection algorithm.

CONCLUSION
In this paper a simple and unique architecture is proposed for the detection of wormhole attack. This architecture is unique in a sense that it has the ability to detect hidden as well as exposed wormhole attack while keeping the requirements simple which does not require any extra hardware, time synchronization or any special type of nodes. The technique combines Routing Table, RTT and RSSI to make an accurate and comprehensive detection.
Based upon simulations the technique has been found to be more lightweight, robust, low resource intensive and provides a real-time detection. The results obtained have also been confirmed by independent researchers who simulated our previous work in NS3 (as compared to our usage of NS2). Our algorithm achieves a high detection rate for the situations where the attackers have incorporated their entries in the routing tables of normal nodes. We are able to detect the wormhole attack as soon as the attackers try to get themselves in; long before they start to cause any damage to the system. We do not need extra hardware and neither do we need any time synchronizations; instead we are using the information that is readily available to each and every node/packet in the network. Our future work is aimed towards the monitoring of Throughput and the End-to-End delay in the network when our algorithm is in action.