Intrusion Detection for Black Hole and Gray Hole in MANETs
Black hole and gray hole attack
[Figure: network topology with nodes S, E, G, D, F, H, C, B, M, A]
Black hole and gray hole attack
Black hole: drops all data packets and cheats the previous node.
Gray hole: drops part of the data and cheats the previous node.
Gray Magnitude: the percentage of the packets which are maliciously dropped by an attacker (a node received 100 packets and forwarded 70 packets, gray magnitude = 70%). A black hole drops 100% (a special gray hole).
Goal of this paper: find the black or gray hole, and calculate the Gray Magnitude. They calculate the Gray Magnitude to make sure the node is a gray hole, in case of mismarking (collision problem).
A Path-based Detecting Method
[Figure: nodes S, A, D, B, C, E]
A, C, E and B are neighbors of S. Only A is on the path to D, so S only watches A.
A Path-based Detecting Method
[Figure: nodes S, A, B, D; Forward Packet Buffer holding "Sign 01"; S overhears A]
1. Every node should keep a FwdPktBuffer.
2. S sends P01 to A; a signature is added into the FwdPktBuffer and S overhears A.
3. When A forwards P01, S releases the signature.
Overhear rate
[Figure: path S, A, B, D; 10 packets from A to B, 8 packets from B to D]
Explain: A forwards 10 packets to B, total overheard packet number = 10; B forwards 8 packets to D, total forwarded packet number = 8. Overhear rate: OR = 10/8.
If the forwarding rate is lower than the overheard (8 < 10), the detecting node (A) will consider the next hop (B) as a black or gray hole. Later, the detecting node (A) would avoid forwarding packets through this suspect node (B).
Advantage of the Algorithm
In this scheme, each node only depends on itself to detect a black or gray hole.
The algorithm does not send out extra control packets, so it adds no Routing Packet Overhead and requires no encryption on the control packets to avoid further attacks on detection information sharing.
There is no need to watch all neighbors' behavior. Only the next hop in the route path should be observed. As a result, the system performance wasted on the detection algorithm is lowered.
[Figure: two copies of the path with nodes S, A, D, B, C, one per method]
A Path-based Detecting Method: when A finds B is a BH or GH, A chooses another path.
Watchdog: when A finds B is a BH or GH, A tells S to choose another path.
Collision problem
In Fig. 2, Node S is the source node and Node C is the destination node. Packet 1 is transmitted from Node B to Node C. At the same time, Packet 2 is transmitted from Node S to Node A. Consequently, Packet 1 and Packet 2 will collide at Node A. Then Node S will retransmit Packet 2, but Packet 1 will not be sent again because Packet 1 has been received by Node C successfully. As a result, Node A misses Packet 1 and treats it as being dropped by Node B deliberately.
How do they define whether a node is a gray hole or not?
$$OR(N) < (1 - T_f) \cdot (1 - ACR(N))$$
$$T_d(N) = 1 - (1 - T_f) \cdot (1 - ACR(N))$$
But briefly, when dropped packets > collided packets, the next node is a gray hole.
They use a lot of equations to calculate the dropped packet rate, the overheard rate and the collided rate.
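The detector described on the preceding slides, as an added example (not code from the paper or from these slides): a node keeps a FwdPktBuffer for its next hop and applies the rule OR(N) < (1 - T_f) * (1 - ACR(N)). Assumptions: OR is taken as overheard relays divided by packets handed to the next hop, T_f is 0.6, ACR is supplied by the caller, and `NextHopMonitor`, `simulate` and the `sign-NN` signatures are hypothetical names over constructed traffic.

```python
from dataclasses import dataclass, field

@dataclass
class NextHopMonitor:                      # hypothetical name
    t_f: float = 0.6                       # assumed T_f, using the page's 0.6 threshold
    fwd_pkt_buffer: set = field(default_factory=set)  # FwdPktBuffer of pending signatures
    forwarded: int = 0                     # packets handed to the next hop
    overheard: int = 0                     # relays of those packets that were overheard

    def send(self, signature):
        """Step 2: remember the signature, then listen for the next hop's relay."""
        self.fwd_pkt_buffer.add(signature)
        self.forwarded += 1

    def overhear(self, signature):
        """Step 3: release the signature once the next hop is heard forwarding it."""
        if signature in self.fwd_pkt_buffer:
            self.fwd_pkt_buffer.remove(signature)
            self.overheard += 1

    def overhear_rate(self):
        # Assumption: OR(N) = overheard / forwarded, so 1.0 means every relay was heard.
        return self.overheard / self.forwarded if self.forwarded else 1.0

    def is_suspect(self, acr):
        # Page's rule: OR(N) < (1 - T_f) * (1 - ACR(N)); acr is supplied by the caller.
        return self.overhear_rate() < (1 - self.t_f) * (1 - acr)

def simulate(n, drops, collides, acr):
    """Constructed traffic: packet i is dropped by the next hop when drops(i) is
    true, and its relay is lost to a collision at the detector when collides(i)."""
    mon = NextHopMonitor()
    for i in range(n):
        sig = f"sign-{i:02d}"              # constructed stand-in for a packet signature
        mon.send(sig)
        if not drops(i) and not collides(i):
            mon.overhear(sig)
    return mon.overhear_rate(), mon.is_suspect(acr), len(mon.fwd_pkt_buffer)

if __name__ == "__main__":
    # Honest next hop, 30% of relays lost to collisions: low OR but not flagged.
    print(simulate(100, lambda i: False, lambda i: i % 10 >= 7, acr=0.3))
    # Gray hole dropping 70%, 10% collisions: flagged.
    print(simulate(100, lambda i: i % 10 < 7, lambda i: i % 10 == 9, acr=0.1))
    # Gray hole dropping 30% (below T_f), no collisions: not flagged.
    print(simulate(100, lambda i: i % 10 < 3, lambda i: False, acr=0.0))
```

The first scenario is the collision problem: an honest next hop is overheard only 70% of the time, and scaling the threshold by (1 - ACR) keeps it from being mismarked.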
Simulation Results and Discussion
Maximum transmission range is 250 m.
Distance between two neighbors is 200 m, so that a node can only have 4 neighbors.
Overall Packet Delivery Rate: the percentage of the data packets which are actually received by the destination.
GM = gray magnitude
Based on this result, we will only focus on gray holes with gray magnitude of 0.6 or above, because a lower gray magnitude cannot bring about great damage to the network.
Reported Collision Rate
Detection Rate
Detection Rate & False Positive Rate vs. Gray Hole Number
Detection threshold is set to 0.6, and the attackers' gray magnitude is between 60% and 100%.
Approximately, detection rate still keeps above 90%, and false positive rate is lower than 5%. This result reflects that our detection scheme is valid for attackers with gray magnitude between 60% and 100%.
Questions:
1. What is Gray Magnitude?
The percentage of the packets which are maliciously dropped by an attacker (a node received 100 packets and forwarded 70 packets, gray magnitude = 70%). A black hole drops 100% (a special gray hole).
2. What is FwdPktBuffer?
Forward packet buffer (stores the forwarded packet's signature).
3. What's the difference between A Path-based Detecting Method and Watchdog mechanism?
[Figure: two copies of the path with nodes S, A, D, B, C, one per method]
A Path-based Detecting Method: when A finds B is a BH or GH, A chooses another path.
Watchdog: when A finds B is a BH or GH, A tells S to choose another path.