
J Supercomput

DOI 10.1007/s11227-010-0547-3
Detection of blackhole attack in a Wireless Mesh
Network using intelligent honeypot agents
Anoosha Prathapani · Lakshmi Santhanam · Dharma P. Agrawal
© Springer Science+Business Media, LLC 2011
Abstract A Wireless Mesh Network (WMN) is a promising way of providing low-cost broadband Internet access. The underlying routing protocol naively assumes that all the nodes in the network are non-malicious. The open architecture of WMNs, the multi-hop nature of communication, different management styles, and wireless communication pave the way for malicious attackers. The attackers can exploit hidden loopholes in the multipath mesh routing protocol to mount a suction attack called the blackhole attack. The attacker can falsify routing metrics such as the shortest transmission time to reach any destination and thereby suck in the network traffic.
We propose a novel strategy that employs mobile honeypot agents which use their topological knowledge to detect such spurious route advertisements. They are deployed as roaming software agents that tour the network and lure attackers by sending route request advertisements. We collect valuable information on the attacker's strategy from the intrusion logs gathered at a given honeypot. We finally evaluate the effectiveness of the proposed architecture using simulation in ns-2.
Keywords AODV · Blackhole · Grid · Honeypots · Malicious · Random · Spoofed · WCETT · Wireless Mesh Networks
A. Prathapani
Department of Electrical and Computer Engineering, University of Cincinnati, Cincinnati, OH, USA
e-mail: prathaaa@mail.uc.edu
L. Santhanam · D.P. Agrawal
School of Computing Sciences and Informatics, University of Cincinnati, Cincinnati, OH, USA
e-mail: dpa@cs.uc.edu
L. Santhanam
e-mail: santhal@cs.uc.edu
A. Prathapani et al.
1 Introduction
In recent years, there has been enormous growth in the field of wireless networking technology [16] due to an increasing demand for ubiquitous broadband Internet connectivity and a widespread use of applications such as multimedia streaming in VoIP services, video streaming, etc. Wireless Mesh Networks (WMNs) have drawn considerable attention due to their potential to supplement the existing wired backbone with a wireless scheme in a cost-effective manner. WMNs have some key advantages, such as their self-organizing ability, self-healing capability, low-cost infrastructure, rapid deployment feasibility, good scalability, and ease of installation. WMNs are capable of providing attractive services in a wide range of application scenarios such as broadband home/enterprise/community networking and disaster management [8, 15, 16].
The WMN is a promising technology that offers good coverage area through
multi-hop communication without any degradation in the channel capacity. A typical
WMN is organized in a hierarchical manner and consists of Mesh Routers (MRs),
Mesh clients (MCs), and Internet Gateways (IGWs) as shown in Fig. 1 [2]. The Ac-
cess Points (APs) are IGWs that are connected to the wired network and form the
top level of the hierarchy. The MRs (layer 2) are nothing but static APs that are
inter-connected by wireless links. The MRs route the traffic of MCs to the IGWs
in a multi-hop fashion. The MCs (layer 3) connect to the nearest available MR in a
single/multi hop fashion.
Fig. 1 Hierarchical WMN architecture
The mesh-networking technology has attracted both academia and industry, stirring efforts for real-world deployment in a variety of applications. MIT deployed a WMN in one of its laboratories for studying the industrial control and sensing aspects. Several companies like Nortel Networks, Strix Systems, Tropos Networks, and Mesh Dynamics are offering mesh networking solutions for applications such as building automation, small and large scale internet connectivity, etc., using customary products. Strix Systems has deployed a city-wide Wi-Fi mesh network in Belgium spanning an area of 17.41 km² to provide wireless Internet access to its residents, tourists, businesses, and municipal and public-safety applications and advertising systems around the city. Strix also deployed a wireless tracking system called project kidwatch that traces the real-time location of a child in a beach area or around a city.
Although there is much ongoing research on WMNs, their security is still very much in its infancy. It is critical to address the security concerns in order to realize their rapid deployment. The open infrastructure, wireless communication, multi-hop communication, and different management styles of WMNs pave the way for malicious attackers in the network [3]. As WMNs are primarily deployed in public places such as parks and building tops, they lack tamper-resistant hardware and hence the routing module can be manipulated. A malicious attacker in the network can exploit ambiguities in the underlying routing protocols and cause various attacks like the Blackhole Attack, Selfish node Attack, etc. [4, 10, 18, 22].
In this paper, we specifically focus on the problem of detecting malicious MRs that bypass the route lookup process and instead broadcast spurious route replies to every incoming route request query. Such an MR generates route replies such that any source is encouraged to choose it as an intermediate MR to route its traffic. It falsifies the sequence number field (high) and the hop count field (low) in the reply packet and advertises itself as the best possible route. The sequence number field in a routing protocol reflects the freshness of the route, and the hop count reflects the distance between the replying MR and the destination MR in question. In essence, it traps all the MRs in its neighborhood and lures them to route their traffic towards itself. Upon receiving the data traffic, it unscrupulously drops all of it. Thus, in a way the malicious MR imitates a blackhole in the Universe that attracts all particles towards itself due to its enormous gravitational pull. Hence, we name this egregious MR a blackhole node or blackhole MR in the network, and the attack is called a blackhole attack.
Thus, the blackhole attack is a severe attack that exploits hidden vulnerabilities in the routing protocol of wireless networks. The only possible countermeasure to prevent infiltration of such an attack is to authenticate the sequence number and hop-count updates received from other nodes. Though secure routing protocols such as SEAD [9] and Ariadne [14] attempt to address this issue, they are not a complete solution to thwart such an attack, as MRs are deployed at public places. Here, we propose pervasive monitoring that proactively supervises the routing process and ensures healthy operation.
In this paper, we propose such a pervasive monitoring scheme employing intelligent software agents called honeypots that are deployed on MRs. Honeypots are popular agents that are used in tandem with Intrusion Detection Systems (IDS) to detect malicious attackers [25]. They have been widely used in corporate networks along with firewalls to prevent the infiltration of Denial of Service attacks (DoS attacks) [23]. Honeypots are a highly flexible security tool, as they are used as decoys to lure attackers and discreetly perform close monitoring of the network. We intend to employ such an intelligent software agent for detecting blackhole nodes.
We utilize honeypots that discreetly tour the WMN, examining the status of each region. We chose to deploy honeypots as mobile software agents rather than deploying them on a fixed MR, in order to camouflage their location. In addition, if a honeypot is deployed on a single MR, the detection scheme has poor coverage owing to the static nature of WMNs. Honeypots are comparable to secret police officers who conduct random investigations [26]. Nevertheless, honeypots are by default structured as an easy prey for attackers so that an attacker is lured to them. Honeypots traverse the WMN along random paths at random intervals in order to conduct stealthy monitoring and catch attackers red-handed.
A honeypot generates a Route Request (RREQ) to a destination to which it already knows the route. This is called a dummy RREQ because the honeypot does not originate any data traffic. Instead, it generates such a request for the sole purpose of luring blackhole nodes to send a falsified reply. Unlike traditional honeypots [1], which capture only packets directed to them, our proposed mobile mechanism is very attractive for luring all attackers in the network. Upon seeing the RREQ of the honeypot, a malicious blackhole node produces a falsified route reply (RREP). It advertises itself as the best path (high sequence number and shortest hop) to a given destination. The honeypot, in turn, generates a dummy data packet to be sent to a randomly chosen known destination. It is termed a known destination because the honeypot is aware of an alternate route to that destination MR. Then the honeypot queries the destination through the known route that it is already aware of, to determine the integrity of the malicious node. Thus, we exploit the multipath routing option available in WMNs [17] to validate the integrity of a route reply originating from a node.
The honeypot serves as a powerful tool to distinguish legitimate MRs from malicious blackhole nodes in WMNs. The logs collected in the honeypots serve as a useful tool to understand the modus operandi of the blackhole node, so that new exploitation trends can be understood. Through our extensive simulation, we observe that, when the network is up to 20% compromised, a node advertising itself as the best path was found to be a blackhole node with 97% accuracy. Though the traffic reaching the honeypot is fairly small, it does provide deep insight into the attacker's location.
The remainder of this paper proceeds as follows. In the next section, we review
some of the related work. Section 3 shows various ambiguities in the route discov-
ery phase of Ad hoc On-Demand Vector (AODV) protocol that can be exploited by
a blackhole attacker for the topologies under consideration. In Sect. 4, we outline
the architecture of our proposed honeypot based blackhole attack detection scheme.
Section 5 gives an overview of the performance analysis of the proposed approach
using simulations in the ns-2 simulator and compares the results for both the topolo-
gies [11]. Finally, we conclude the paper in Sect. 6 along with some pointers for
future work.
2 Related work
Although our work is not based on security related issues in ad hoc and sensor net-
works, we mention related work in this area. In [18], Ning et al. mentioned all the
misuses that can be done with the AODV protocol. This work covers several classes
of insider attacks, and then explains how these goals are achieved through the misuses
of the routing protocol. Bhargava and Agrawal [4] proposed an Intrusion Detection
and Response Model to detect malicious activities that can be carried out in a routing
protocol and respond if such an activity was found. This has been done by observing
the anomaly behavior of the nodes in the neighborhood where an Intrusion Detection
Model (IDM) is deployed on every node in the network and then is isolated with the
process carried out in Intrusion Response Model (IRM) [14].
Huang et al. [11] proposed a cooperative Intrusion Detection System (IDS) in an
ad hoc network for various kinds of attacks. The authors assume that an attacker
may not only try to affect the routing protocol in the ad hoc network but also the
IDS. The authors perform an anomaly detection technique using correlation, assum-
ing that there exists a strong correlation if they are normally behaving. But this is not
the same when malicious behavior is present. Hence, they use such correlation to de-
tect the abnormal behavior. However, with the anomaly detection system, the results
obtained for a blackhole attack are less effective. The authors also identify the attack
type where they use a monitoring node and a monitored node, where the function
of the monitoring node is to analyze the behavior of the monitored node [21]. For a
blackhole attack, the assumption is that the monitoring node is observing the moni-
tored node, which explains that there is a need to deploy the IDS [20] on every node
in the network, which is a very expensive affair. The authors also propose various
cluster based IDS protocols and detection schemes, where a cluster head among the
nodes is elected for a given neighborhood. However, if a compromised node happens
to be a cluster head, then the attacks can be launched easily without being detected
as there may be a case where the IDS has been already disabled [21]. Ruiz et al. [20]
mention about the blackhole attack injection in the ad hoc networks, where they deal
with the blackhole attack in the OLSR routing protocol for VoIP calls. However, this
work just mentions the fundamentals of the blackhole attack.
Shurman et al. [24] proposed two solutions to detect a blackhole attack. However,
the first solution suffers from excessive time delay, because the used concept of shared
hops of sending packets along the redundant paths cannot be sent forever when the
sending node has no shared hops or nodes between the routes. In the second solution,
every node has two additional tables being updated whenever a packet is transmitted
or received. However, these solutions fail if a group of attackers are present in the
network. Deng et al. [7] propose routing security issues of mobile ad hoc networks
and provide a solution for the blackhole problem in AODV. However, this algorithm
fails in case of a group attack in the network.
Ramaswamy et al. [19] proposed a solution to the cooperative blackhole in the
network by introducing an extended Data Routing Information (DRI) table which
maintains the information passing from and through the nodes. Here 1 stands for
true and 0 stands for false [24]. Whenever a source node broadcasts a RREQ and
a RREP is received from an intermediate node during the route discovery process,
crosschecking is carried out to verify whether the RREP is from a reliable interme-
diate node or not. Although, a onetime process of crosschecking helps in identifying
and securing against the cooperative blackholes in the network, the power constraints
and low processing speeds in the wireless ad hoc and sensor networks limit the use-
fulness of this solution.
Karakehayov et al. [12] propose a routing algorithm called REWARD to detect
blackhole attacks both in single attacker and group of attackers by utilizing two dif-
ferent broadcast messages. This algorithm takes advantage of promiscuous mode of
inter-radio behavior among transmissions between the neighboring nodes and detects
the malicious behavior in the network. A database is created which consists of mali-
cious nodes or nodes under suspicion that can be detected, and the response is passed
through two different broadcast messages called MISS and SAMBA [24]. However,
this technique reduces the vulnerability of the network at the expense of utilizing
large amounts of energy from the batteries.
Karlof and Wagner [13] provide a detailed description of security threats against
routing protocols and the counter measures in sensor networks. Along with the other
attacks, the authors propose selective forwarding attacks and suggest the use of multi-
path forwarding against selective forwarding attacks. However, sensor networks have
several resource constraints like power, memory that may get exhausted during the
multipath forwarding [13].
3 Blackhole attack illustrated
In this section, we explain the operation of a blackhole attack using AODV proto-
col analysis. We consider the route discovery phase in AODV protocol [6] and then
delineate vulnerabilities in AODV protocol that the attacker can exploit.
3.1 Vulnerabilities of AODV
The AODV protocol is an on-demand routing protocol [12] which initiates a route
discovery process only when an originating MR desires to send some traffic to an unknown
destination. The originating MR broadcasts a Route Request (RREQ) packet
with a sequence number set to an unknown value. Then, the neighbors re-broadcast
the RREQ packets only if it does not have a fresh enough route (i.e., sequence num-
ber is greater than the advertised sequence number in the RREQ packet). This process
continues until the RREQ reaches the destination MR or an intermediate MR that has
a fresh route.
However, if a malicious blackhole node is present in the network, it generates a false RREP for all the RREQ packets it receives. The malicious blackhole node generates a false RREP packet irrespective of whether or not it has a route to a given destination. During normal route resolution, upon receiving a RREQ, an MR first performs a route lookup for the destination in its routing table. If it is aware of a route to the destination, it generates a RREP to the source. Otherwise, it returns a NULL value. However, a malicious blackhole node bypasses this lookup process and always generates a RREP. It advertises itself to be closest to the destination (stamps a lower hop-count value in the RREP) and it also falsifies the sequence number to be an arbitrarily high value in order to ensure that this RREP is favored by the source. The originating MR then sends the data packets to the malicious blackhole node, which then drops all the data traffic unscrupulously. In this manner, the malicious blackhole node systematically traps all its neighboring MRs by sucking in their data traffic.
Such an attack results in severe performance degradation in WMNs, especially if the malicious blackhole node is located near the IGW. The blackhole node also decreases the network throughput, resulting in network partitioning, increasing end-to-end delay and, most severely, causing denial of service to clients using User Datagram Protocol (UDP) kind of traffic (e.g., VoIP, FTP), which has no knowledge of whether the packets have reached the destination or not. Thus, it is critical to prevent the infiltration of a blackhole attack in a WMN.
3.2 Vulnerabilities in WCETT
Another routing metric that we use is the WCETT (Weighted Cumulative Estimated Transmission Time), which considers the intra-flow interference among multiple channels. Intra-flow interference occurs when there are different nodes which send traffic for the same flow [5]. This metric is a sum of the end-to-end delay. The routing algorithm selects the path with the lowest WCETT. The vulnerability that attackers can exploit is the advertisement of the least end-to-end delay.
The blackhole attacker plays the same role of attracting all the traffic towards itself by advertising itself as having the least end-to-end delay and then dropping all the traffic of the network.
Thus, the attacker can attract all the traffic and then drop the entire network traffic. Therefore, it is critical to prevent infiltration of the blackhole attack in a WMN.
3.3 Impact of black hole attack
In this subsection, we illustrate the impact of a blackhole malicious node in WMNs
through simulations in ns-2. We illustrate the effect of a blackhole attack in the fol-
lowing two topologies:
1. Grid Topology, and
2. Random Topology
3.3.1 Grid Topology
We consider a simple IEEE 802.11s based network with 49 MRs (7 × 7) deployed
in a grid fashion in an area of 1500 × 1500 meters. We randomly attach 23 mesh
clients to each of these MRs. The MRs communicate with each other using the legacy
IEEE 802.11 based interface, forming a wireless backbone. We assume that the com-
munication between an MR and an MC does not interfere with the communication
between two MRs.
We start flows from the MCs that are being serviced by the MRs. From here on, when we say that a flow is started from the MR, we mean that the MC has started its flow. We initiate 20 UDP flows, sending traffic at a constant rate of 200 kbps. We use a constant packet size of 512 bytes. IEEE 802.11 is used for channel arbitration with the transmission range and the channel capacity set to 250 m and 11 Mbps, respectively. AODV is the underlying protocol. The total simulation time is set to 500 seconds. Each simulation was repeated with 10 different traffic profiles containing randomly chosen traffic sources. The destination is changed from time to time to obtain various flows and to determine the effect of blackhole nodes in the network when different routes are taken.
Fig. 2 Instantaneous throughput of flows under the blackhole attack for Grid Topology
3.3.1.1 Instantaneous throughput We randomly choose one of the nodes as the malicious blackhole node which attracts all the network traffic towards itself by advertising itself as the nearest route (highest sequence number and shortest hop count). For a randomly chosen traffic profile, Fig. 2 shows the effect of the blackhole node on the instantaneous throughput of three affected flows at the IGW. We consider the case where we select the blackhole MR which is randomly located and initiate the flows from one MR to the other MR.
The throughput is very low for the flows where we consider the presence of blackhole MRs in the network as compared to the throughput of other flows where there are no blackhole nodes present. It is observed that the throughput decreases as the number of blackhole nodes in the network increases. Thus, the number of blackhole nodes determines the instantaneous throughput of the flow. We randomly initiated ten such flows in the network and observed the throughput of those flows. We check the profiles of three such flows. We have introduced an Attack Flow and observed it by introducing many blackhole nodes in a route that was being selected during simulation. These blackhole nodes give RREQ packets to the destination and do not allow any other RREQ packets from any of the innocent MRs in the neighborhood. Thus, the flow is flooded with all the malicious packets that do not allow other innocent MRs' packets to be transmitted to the destination.
In Fig. 2, the throughput of Flow-1 is very high when compared to the other flows, Flow-2, Flow-3 and Attack Flow. The maximum throughputs of Flow-1, Flow-2, Flow-3, and Attack Flow are 105, 40, 110, and 60 kbps, respectively. Flow-2 has the lowest throughput among the three flows. This is because of the number of blackhole nodes present in this particular route of a flow.
3.3.1.2 Aggregate throughput In Fig. 3, we show the effect of a blackhole
attack on the aggregate throughput of the mesh network for the grid topology.
We study the aggregate throughput for different percentages of compromised nodes in the network. We evaluate the effectiveness of our scheme by measuring the normalized aggregate throughput of flows, which is the ratio of the throughput obtained to the offered load. We compare the normalized throughput of flows in the default case and for our scheme for different flows in the WMN. We start with 5% of compromised nodes in the network and observe the throughput while increasing the percentage of compromised nodes. We do this until we reach 25% of compromised nodes. Figure 3 shows the aggregate throughput for different percentages of compromised nodes. In Fig. 3, it can be observed that the aggregate throughput of the network is around 20 kbps when 5% of blackhole nodes are present, and as the percentage of blackhole nodes increases to 25%, the aggregate throughput of the network is observed to be around 5 kbps.
Fig. 3 Aggregate throughput obtained for various blackhole nodes
3.3.2 Random Topology
We consider a simple IEEE 802.11s based network with 49 MRs deployed in random
fashion in an area of 1500 × 1500 meters. The network setup is similar to the one
used in the grid topology.
We start flows from the clients that are being serviced by the MRs. We initiate 20 UDP flows sending traffic at a constant rate of 512 bytes. IEEE 802.11 is used for channel arbitration with the transmission range and the channel capacity set to 250 m and 11 Mbps, respectively. AODV is the underlying protocol. The total simulation time is set to 500 seconds. Each simulation is repeated with 10 different traffic profiles containing randomly chosen traffic sources. One of the MRs acts as the IGW, which is the destination of all the flows in the network. The destination is changed from time to time to obtain various flows and to determine the effect of blackhole nodes in the network when different routes are taken.
3.3.2.1 Instantaneous throughput We randomly choose one of the nodes as the malicious blackhole node which attracts all the network traffic towards itself by advertising itself as a nearest route (highest sequence number and shortest hop count). Figure 4 shows the effect of the blackhole node on the instantaneous throughput of three affected flows at the IGW for a randomly chosen traffic profile. We consider the case where we select the blackhole MR randomly and initiate the flows from one MR to the other MR.
The throughput is very low for the flows where we consider the presence of blackhole MRs in the network as compared to the throughput of other flows where there are no blackhole nodes present. It is observed that the throughput decreases as the number of blackhole nodes in the network increases. Thus, the number of blackhole nodes determines the instantaneous throughput of the flow. We randomly initiated ten such flows in the network. We observe the profiles of three such flows. In Fig. 4, the throughput of Flow-1 is very high when compared to the other flows, Flow-2 and Flow-3. The maximum throughputs of Flow-1, Flow-2, Flow-3 and Attack Flow are 100, 50, 105, and 40 kbps, respectively. Flow-3 has the lowest throughput among the three flows as there are a number of blackhole nodes present in this particular route of a flow.
Fig. 4 Instantaneous throughput of flows under the blackhole attack for Random Topology
Fig. 5 Aggregate throughput obtained for various blackhole nodes for Random Topology
3.3.2.2 Aggregate throughput In Fig. 5, we show the effect of the blackhole attack
on the aggregate throughput of the WMN for a random topology.
We study the aggregate throughput for different percentages of compromised
nodes in the network. We start with 5% of compromised nodes in the network and ob-
serve the throughput by increasing the percentage of compromised nodes up to 25%.
Figure 5 shows the aggregate throughput for different percentage of compromised
nodes in a random topology. In Fig. 5, it can be observed that the aggregate through-
put of the network decreases from 18.6 to 4.3 kbps as the percentage of the blackhole
nodes in the network increases from 5% to 25%. The aggregate throughput of the
network is observed to decrease for the random topology too with an increase in the
percentage of blackhole nodes.
However, with our proposed scheme, the aggregate throughput increases with the same amount of compromised nodes for the grid as well as for the random topology. Thus, we can state that this scheme increases the overall throughput of the network by a considerable amount.
Fig. 6 Aggregate throughput obtained for % of various blackhole nodes for Grid and Random
3.4 Aggregate throughput for Random vs Grid Topology
Figure 6 gives us the details of the aggregate throughput of the network for both
topologies without any prevention scheme. The aggregate throughput of the attack
in the network is observed to be less for the random topology than that of the grid
topology because of the connectivity issues that come into consideration due to the
structural distribution. The AODV protocol initiates route discovery process when-
ever there is any link breakage between the MRs and the AODV updates the route
table. Thus, AODV route discovery phase consumes some time before the actual
process of transmission of the packets is resumed.
4 Honeypot based detection scheme
In this section, we first present the system architecture and then we describe the proposed honeypot detection scheme.
4.1 Detection system architecture
The system architecture of the proposed honeypot detection scheme is illustrated in
Fig. 7.
It consists of the following components:
Route module
The Route module consists of a Route Reply Analyzer, a Dummy Packet Generator, and a Constant Bit Rate Unit. The honeypot positions itself next to a testee and generates a RREQ to a certain known destination. When the testee receives such a RREQ, it generates a RREP packet. In order to determine if this RREP is valid or spurious, the Route Reply Analyzer module analyzes the received reply packet and makes a note of the sequence number and the hop count in the RREP packet. It then triggers the Dummy Packet Generator to initiate dummy packets to be sent to the testee. These dummy packets are used to determine whether the testee under consideration is malicious or reliable. Such traffic is sent towards a testee to be forwarded to a given destination. The Dummy Packet Generator uses a Constant Bit Rate Unit that generates UDP packets at a constant bit rate. However, the unit is modified so that the payload is stuffed and padded with random data.
Fig. 7 System architecture of the proposed scheme using honeypot
Feedback module
The feedback module plays a critical role in the detection of the blackhole node. A query packet is dispatched to a known destination to determine if it has received any traffic packets from the testee, and this information, learned over the alternate path, is stored in the feedback module. If the destination node receives the packet, it acknowledges the receipt of the traffic and unicasts a trace reply to the honeypot. Depending on this answer, the feedback module then declares the testee as reliable; else it is a malicious attacker.
Alert module
If the feedback module detects malicious activity, it is fed as input to the alert module. We treat a positive output as an indication of a normal condition and a negative output as representing the presence of an attack. When an attack is detected, the alert module issues an alert to block the intrusive activity. The alert module broadcasts the identity of a malicious blackhole MR to all MRs in the network so that they stop forwarding traffic through it and discard any route reply packets originating from the blacklisted blackhole MR.
Interactive log
It gives the information about the strategies that the honeypot applied to lure the malicious node. It also gathers information on the route replies that the attacker used to lure other MRs in the network. The report of the entire route discovery phase and alerts is lodged in the Interactive log.
Fig. 8 Illustration of blackhole attack
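The four modules above, together with the falsified-RREP behaviour from Sect. 3.1, modelled in a short Python example that is added here and is not the authors' ns-2 implementation. The node names, sequence numbers, hop counts and all class and function names are constructed for illustration, and reading the destination's receive list stands in for the trace reply sent over the known alternate route.

```python
# Added example: constructed model, not the paper's ns-2 code.
import os
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RREP:
    replier: str
    dest: str
    dest_seq: int    # freshness of the advertised route
    hop_count: int   # advertised distance to the destination

def best_rrep(rreps, blacklist=frozenset()):
    """AODV-style choice: highest destination sequence number, then fewest hops.
    RREPs from blacklisted MRs are discarded, as the alert module requires."""
    usable = [r for r in rreps if r is not None and r.replier not in blacklist]
    return max(usable, key=lambda r: (r.dest_seq, -r.hop_count), default=None)

@dataclass
class MeshRouter:
    name: str
    routes: dict = field(default_factory=dict)    # dest -> (next_hop, dest_seq, hops)
    received: list = field(default_factory=list)  # payloads delivered to this MR

    def on_rreq(self, dest):
        """Normal resolution: look the destination up, reply only if a route exists."""
        entry = self.routes.get(dest)
        return RREP(self.name, dest, entry[1], entry[2]) if entry else None

    def forward(self, dest, payload, mesh):
        if dest == self.name:
            self.received.append(payload)
            return True
        entry = self.routes.get(dest)
        return bool(entry) and mesh[entry[0]].forward(dest, payload, mesh)

class BlackholeRouter(MeshRouter):
    """Behaviour from Sect. 3.1: no lookup, always an RREP, data silently dropped."""
    def on_rreq(self, dest):
        return RREP(self.name, dest, dest_seq=9999, hop_count=1)  # constructed values

    def forward(self, dest, payload, mesh):
        return False

class Honeypot:
    def __init__(self, mesh, known):
        self.mesh = mesh
        self.known = known      # dest -> (dest_seq, hops) of the route already known
        self.blacklist = set()  # identities broadcast by the alert module
        self.log = []           # interactive log

    def probe(self, testee, dest, n_packets=5):
        rrep = self.mesh[testee].on_rreq(dest)          # dummy RREQ -> RREP
        if rrep is None:
            self.log.append({"testee": testee, "dest": dest, "verdict": "no-route"})
            return "no-route"
        # Route Reply Analyzer: note sequence number and hop count of the reply.
        seq, hops = self.known[dest]
        looks_too_good = rrep.dest_seq > seq and rrep.hop_count < hops
        # Dummy Packet Generator: constant-size payloads padded with random data.
        sent = [os.urandom(32) for _ in range(n_packets)]
        for payload in sent:
            self.mesh[testee].forward(dest, payload, self.mesh)
        # Feedback module: reading the destination's receive list stands in for the
        # query / trace reply exchanged over the known alternate route.
        delivered = sum(p in self.mesh[dest].received for p in sent)
        verdict = "reliable" if delivered else "blackhole"
        if verdict == "blackhole":
            self.blacklist.add(testee)                  # alert module
        self.log.append({"testee": testee, "dest": dest, "rrep": rrep,
                         "looks_too_good": looks_too_good,
                         "delivered": delivered, "verdict": verdict})
        return verdict

def build_demo():
    """Constructed five-node mesh; the honeypot already knows a 3-hop route to G."""
    mesh = {
        "G": MeshRouter("G"),
        "C": MeshRouter("C", {"G": ("G", 12, 1)}),
        "A": MeshRouter("A", {"G": ("C", 12, 2)}),   # honest neighbour
        "F": MeshRouter("F", {"G": ("G", 15, 1)}),   # honest, genuinely fresher route
        "B": BlackholeRouter("B"),                   # malicious neighbour
    }
    return mesh, Honeypot(mesh, known={"G": (12, 3)})

if __name__ == "__main__":
    mesh, hp = build_demo()
    replies = [mesh[n].on_rreq("G") for n in ("A", "B", "F")]
    print("before alert:", best_rrep(replies).replier)
    for n in ("A", "B", "F"):
        print(n, hp.probe(n, "G"))
    print("after alert:", best_rrep(replies, hp.blacklist).replier)
```

Router F advertises a better route than the honeypot knows and is still judged reliable, because the verdict rests on confirmed delivery rather than on the RREP fields alone.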
4.2 Honeypot agents in detection
We model detection of a blackhole attack using honeypots as software detection agents. We illustrate a blackhole attack in a WMN in Fig. 8. As seen in the figure, the blackhole MR sucks the entire data traffic from the neighboring MRs and thereby drops the data traffic. The blackhole MR advertises itself as a best route to all other MRs by increasing the sequence number and decreasing the hop count (AODV) [12, 13]. The blackhole MR can also advertise that the route has the smallest end-to-end delay (lowest WCETT) [13].
A honeypot agent places itself next to the testee. The honeypot operates in two modes in order to find whether the testee is a malicious one or not. The two modes in which the honeypot operates are:
1. Network topology known to honeypot.
2. Network topology unknown to honeypot.
4.2.1 Network topology known to honeypot
When we use WCETT as a metric, we consider the path having the smallest WCETT
as the best path. The honeypot sits in the next hop of the testee. It estimates the delay
from this node to the destination through the testee. Then, we check the delay adver-
tised by the testee. If the network topology is known to the honeypot, the network
deployment is also known. The Internet Service Provider (ISP) knows the network
deployed and it gives the information to the honeypot [19].
4.2.2 Network topology unknown to honeypot
When the network topology is not known to the honeypot, then the honeypot sits next
to the testee. We estimate the delay by sending traffic to the testee. We later observe
any deviation between the actual and the expected end-to-end delay. When the testee
advertises its end-to-end delay to be the lowest, the honeypot places itself next to
the testee, sends the testee traffic and observes whether the testee sends the traffic to
the destination through the other route or not. Thus, the honeypot uses the WCETT
metric to observe the testee under consideration [13].
We deploy the honeypots on MRs to lure the malicious attacker. These honeypots
are synonymous to the network cops. The proposed scheme is explained through the
illustrative Fig. 9.
Fig. 9 Honeypot based blackhole attack detection
Various stages are as follows:
1. The honeypot agent sends an RREQ packet to the testee. The source address is
that of the MR on which the honeypot is residing. The destination address is that
of a randomly chosen known destination. We assume that the honeypot is already
aware of a route to the destination and issues an exclusive RREQ to determine the
validity of the nodes in its neighborhood.
2. The testee sends an RREP packet back to the honeypot. This RREP could be a
valid or a spurious one. A malicious testee would include a spurious RREP with
a high sequence number and a low hop count value. On the other hand, a valid
testee would generate RREP only if it is aware of a route to this destination. The
honeypot detection scheme in the subsequent steps is able to establish the integrity
of RREP packets.
3. Next, the honeypot prepares a testee data packet and forwards it to the testee.
The testee packet is like any other regular data packet. However, its payload is
masked and padded with a random data stream so that it would not be possible for
the testee to conclude that it had originated from the honeypot.
4. The honeypot sends a Query packet to the destination to inquire about the packet
that it forwarded to the testee in Step 3. The format of this packet is shown in
Table 1. The feedback module uses the alternate path table to retrieve the known
alternate route to the chosen destination. It then routes the query packet through
this route. The various fields in the query packet consist of the Sequence number,
Source IP address, Destination IP address, and the testee id.
5. The source IP address is stamped with the address of the node on which the hon-
eypot resides, and the destination IP address is that of the chosen destination. It
also consists of a testee id field that is the source IP address of the testee, which is
being evaluated.
6. When the destination receives such a trace query, it processes it by examining its
Most Recently Received Traffic Cache. This cache captures the most recently re-
ceived traffic from different sources including the source ids, the timestamp when
it was received and the count of the number of packets received from this source.
7. If the destination finds the testee id in its traffic cache, it prepares a Query reply
packet, the destination address of which is equal to the source address of the
honeypot from which the query packet came. The query reply packet also includes
the following data in its information field: the count of the number of packets
received and the timestamp of the last received packet. Thus, the Query reply
packet is unicast to the honeypot using the same route by which the trace packet
came. Various fields in the Query reply packet are shown in Table 2.
8. When the honeypot agent receives the query packet, it hands it to the feedback
module. Depending on the content of the information field, the integrity of the
testee is determined. If the packet has been received at the destination, the tes-
tee is considered to be a Good MR. If the field is empty, then the testee is
considered a malicious attacker.
9. Then, the alert module in the honeypot advertises that the testee under consid-
eration is a malicious blackhole attacker. Thus, the other nodes in the network
avoid forwarding their packets through the malicious blackhole. This information
is also sent to the IGW which then passes it to the Internet Service Provider (ISP)
to isolate, thereby removing the malicious MR.
Table 1 Description of fields in trace query packet
Sequence number: The sequence number is the sequence number of the packet that
it receives from the source
Source IP address: The source IP address is the address of the MR on which the
honeypot resides
Destination IP address: The destination IP address is the address of the known
destination
Testee ID: The testee ID is the source IP address of the testee being evaluated
Table 2 Description of fields in query reply packet
Sequence number: This is the sequence number of the IP packet being originated at
the destination
Source IP address: This is the address of destination node that is being considered.
The packet is being sent from the destination
Destination IP address: This is the address of the node on which honeypot resides
Packet count: This keeps count of the number of packets received from the testee
under consideration.
Time stamp: The time stamp gives time information about the last packet that it
received
Fig. 10 Format of query packets
Thus, the honeypot acts as a network cop examining the integrity of the routing
module of the MRs in the network. The mobile honeypot can be made to move along
a pre-configured itinerary in the network. The honeypot can also conduct a random
walk of the network, starting from the IGW to the leaf MRs in a depth first fashion.
This way, it is not possible for a malicious attacker to determine if a honeypot is
testing it. As the request packets originating from the honeypot agents are similar in
structure to any other RREQ packets sent by other nodes, the malicious blackhole
node cannot adapt to behave selectively.
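The nine stages above, sketched as a small simulation (an added example, not code from the paper or its ns-2 implementation). The class names, sample addresses and RREP values are constructed, and the freshness check that compares the reply's Time stamp field with the probe send time is an assumption about how the feedback module could use that field.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CacheEntry:            # one row of the Most Recently Received Traffic Cache
    packet_count: int
    last_timestamp: float


@dataclass
class TraceQuery:            # fields of Table 1
    sequence_number: int
    source_ip: str           # MR on which the honeypot resides
    destination_ip: str
    testee_id: str


@dataclass
class QueryReply:            # fields of Table 2
    sequence_number: int
    source_ip: str           # the destination node
    destination_ip: str      # MR on which the honeypot resides
    packet_count: int
    timestamp: float


class Destination:
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.cache: Dict[str, CacheEntry] = {}
        self.seq = 0

    def receive(self, relay_ip: str, now: float) -> None:
        # Assumption: the cache is keyed by the MR that relayed the traffic.
        entry = self.cache.setdefault(relay_ip, CacheEntry(0, now))
        entry.packet_count += 1
        entry.last_timestamp = now

    def handle_query(self, query: TraceQuery) -> Optional[QueryReply]:
        # Stages 6-7: reply only if the testee id is in the traffic cache.
        entry = self.cache.get(query.testee_id)
        if entry is None:
            return None
        self.seq += 1
        return QueryReply(self.seq, self.ip, query.source_ip,
                          entry.packet_count, entry.last_timestamp)


class MeshRouter:
    def __init__(self, ip: str, blackhole: bool = False) -> None:
        self.ip = ip
        self.blackhole = blackhole

    def rrep(self, dest_ip: str) -> Tuple[int, int]:
        # (sequence number, hop count); a blackhole advertises a high
        # sequence number and a low hop count. Values are constructed.
        return (9999, 1) if self.blackhole else (42, 3)

    def forward(self, dest: Destination, payload: bytes, now: float) -> None:
        if not self.blackhole:           # a blackhole silently drops the packet
            dest.receive(self.ip, now)


class Honeypot:
    def __init__(self, host_ip: str) -> None:
        self.host_ip = host_ip
        self.seq = 0
        self.blacklist: Set[str] = set()
        self.log: List[dict] = []        # interactive log

    def feedback(self, reply: Optional[QueryReply], sent_at: float) -> str:
        if reply is None or reply.packet_count == 0:
            return "malicious"           # empty information field
        if reply.timestamp < sent_at:
            return "malicious"           # assumption: stale entry predates the probe
        return "good"

    def test(self, testee: MeshRouter, dest: Destination, now: float) -> str:
        advertised = testee.rrep(dest.ip)                 # stages 1-2: RREQ / RREP
        probe = secrets.token_bytes(32)                   # stage 3: random padded payload
        testee.forward(dest, probe, now + 0.01)
        self.seq += 1                                     # stages 4-5: trace query, sent
        query = TraceQuery(self.seq, self.host_ip,        # over the alternate path
                           dest.ip, testee.ip)            # (modelled as a direct call)
        reply = dest.handle_query(query)
        verdict = self.feedback(reply, now)               # stage 8
        if verdict == "malicious":                        # stage 9: alert / blacklist
            self.blacklist.add(testee.ip)
        self.log.append({"testee": testee.ip, "rrep": advertised, "verdict": verdict})
        return verdict


def run_demo():
    dest = Destination("10.0.0.9")                        # constructed addresses
    hp = Honeypot("10.0.0.1")
    good = MeshRouter("10.0.0.2")
    blackhole = MeshRouter("10.0.0.3", blackhole=True)
    turned = MeshRouter("10.0.0.4", blackhole=True)
    dest.receive(turned.ip, 5.0)       # traffic relayed before this MR turned malicious
    verdicts = {mr.ip: hp.test(mr, dest, now=10.0) for mr in (good, blackhole, turned)}
    return verdicts, hp.blacklist
```

The third router shows why the timestamp matters: its cache entry exists, but it predates the probe, so a count-only check would have cleared it.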
5 Performance analysis
In this section, we study the performance of our proposed detection of a blackhole
attack using honeypots as detection agents with the simulations performed in ns-2
[26]. We use the same scenario described in Sect. 3. Although the honeypot can be
run on top of any underlying protocol, we choose AODV (Ad hoc On-Demand Dis-
tance Vector routing) as the routing protocol. We start flows from the clients that are
being serviced by the MRs. The IEEE 802.11 standard is used for the channel arbi-
tration, with the transmission range and channel capacity set to 250 m and 11 Mbps,
respectively. The total simulation time is set to 150 seconds. We generate the UDP
flows from each MR. We use the 7 × 7 nodes mesh topology for our simulation of grid
topology and 49 randomly distributed MRs, all distributed in an area of 1500 × 1500
meters for random topology. We compromise about 20% of the network, observe
the effect of a blackhole attack on the network, and calculate the throughput of the
network. We evaluate the network performance based on the following detection met-
rics:
True Positives (TP): Number of times an alert is raised when an attack is present.
False Negatives (FN): Number of times an alert is not raised when an attack is
present.
False Positives (FP): Number of times an alert is raised, but an attack is not present.
True Negatives (TN): Number of times no alert is raised when no attack is present.
The performance of our scheme is based on the TPR (True Positive Rate) and FPR
(False Positive Rate). We define both TPR and FPR as:
TPR: This is the ratio of number of alerts when there is an attack to total number of
attacks. The mathematical expression for TPR is as follows: TPR = TP/(FN + TP).
FPR: This is the rate at which a good MR is detected and reported as a compro-
mised MR. The mathematical expression is: FPR = FP/(TN + FP).
5.1 Instantaneous throughput of WMN with scheme
First, we illustrate the effect of the blackhole attack on the WMN for various flows.
We initiate and observe the instantaneous throughput for the flows both for the ran-
dom and the grid topologies. Finally, we compare the instantaneous throughput of
both topologies in the network when our proposed scheme is incorporated.
We randomly choose one of the nodes as a malicious blackhole node which at-
tracts all the network traffic towards itself by advertising as the nearest route (highest
sequence number and shortest hop count). We start a set of flows at different MRs
and observe the throughput of each flow in the presence of blackhole nodes.
From Fig. 11 and Fig. 12, we can observe improvements in the instantaneous
throughput for the grid topology and the random topology due to the implementa-
tion of the scheme. We observe that for the case when the proposed scheme is not
implemented, the instantaneous throughput of the flows reduces due to the presence
of blackhole MRs. Throughput of the attack flow is very low when compared to the
other flows in the network when we implement the proposed honeypot based detec-
tion scheme as shown in Fig. 9.
Fig. 11 Instantaneous throughput of the flows with our scheme for Grid Topology
Fig. 12 Instantaneous throughput of the flows with our scheme for Random Topology
5.1.1 Grid Topology
The traffic flow, Flow-1, has a throughput of 100 kbps, which is an improvement over
the default case. Flow-2 has a throughput of 200 kbps, and Flow-3 has the through-
put of 300 kbps. Due to the implementation of our scheme, the attack flow has the
minimum throughput of all the flows in the network. It can also be seen that the in-
stantaneous throughput of other flows improves when compared to the case when the
scheme is not implemented.
The instantaneous throughputs of the network in the case when no scheme is
implemented for grid topology are 105, 40, and 60 kbps for Flow-1, Flow-2, and
Flow-3, respectively. The other flows like Flow-1, Flow-2, Flow-3 have increased
instantaneous throughputs when the proposed scheme is implemented. The attack
flow throughput has been reduced when the proposed scheme is implemented. From
Fig. 11, we can observe that the instantaneous throughput for the attack flow is very
small when compared to the other flows. This suggests that the scheme detects and
removes the blackhole nodes properly. However, we show that the proposed scheme
has high detection rates.
5.1.2 Random Topology
The traffic flow, Flow-1, has a throughput of 100 kbps, which is an improvement over
the default case. Flow-2 has a throughput of 210 kbps, and Flow-3 has the through-
put of 300 kbps. It can be observed that due to the implementation of our scheme, the
attack flow has the minimum throughput of all the flows in the network. The instan-
taneous throughput of other flows has improved when compared to the case when the
scheme is not implemented.
The instantaneous throughputs of the network with no scheme implemented for
the random topology are 100, 60, and 40 kbps for Flow-1, Flow-2 and Flow-3, re-
spectively. When the proposed scheme is implemented, the flows Flow-1, Flow-2,
Flow-3 have increased instantaneous throughputs, and the attack flow throughput has
been reduced.
In Fig. 12, we observe that the instantaneous throughput for the attack flow is very
small when compared to the other flows. This suggests that the scheme detects and
properly removes the blackhole nodes.
It can be deduced that there is no major difference in highest instantaneous
throughputs of the random and the grid topology when our scheme is implemented
because the honeypot effectively detects the blackhole MRs, even though there is a
change in the topology. However, there is a difference in the instantaneous throughput
from grid topology as the connectivity issue comes into play.
The instantaneous throughput of each flow has been increased when our intelligent
honeypots had been deployed as software agents in order to detect the blackhole MRs
in the network thereby removing the blacklisted blackhole MRs in the network. The
detected blackhole MRs are blacklisted, and then we suspend any activities to and
from the blackhole MRs. We then pass a message to the IGW and also to the Internet
Service Provider (ISP), and then isolate and effectively remove the detected blackhole
MRs from the mesh network.
5.1.3 Random vs Grid
It is observed that both topologies have almost equal throughputs when the scheme
is implemented. It shows that even a change in the topology does not affect the per-
formance of the scheme with the honeypot. But there is a major difference between
the two topologies: the connectivity between MRs in the network topology
comes into the picture when we consider a random topology. Due to random deployment
of MRs, the connectivity between MRs varies due to radio signals between them.
Due to wireless connectivity between MRs, there can be link breakages between
MRs. Then, there is a need for the route discovery phase of AODV to be initiated
and for the selection of a route where the packets can be transmitted properly to the
destination. This route discovery process of AODV protocol could cause some time
delay, and this could reduce the throughput at some time instances. This does affect
the instantaneous throughput as is shown in Fig. 13.
Figure 13 gives an idea about the two different topologies considered in our work.
The instantaneous throughput of the random topology is smaller at some instances
as time is consumed in the route discovery phase by the AODV protocol due to link
breakages between MRs. Figure 13 shows a comparison of the instantaneous through-
put when the scheme is implemented for both the grid and the random topologies.
Fig. 13 Instantaneous throughput of the flows with our scheme for Random and Grid
Fig. 14 Aggregate throughput of the network with the scheme and without scheme for Grid Topology
5.2 Aggregate throughput
5.2.1 Grid Topology
From Fig. 14, we observe that in the default case, the aggregate throughput of the
network is 20%, even in the presence of 5% of blackhole nodes in the network.
As the percentage of blackhole MRs in the network increases, the aggregate through-
put decreases. When we observe the aggregate throughput of the network in the
presence of 20% of malicious blackhole MRs, the total network throughput reduces
to 5%.
But when our scheme is applied, the aggregate throughput of the network in-
creases as seen in Fig. 14. The achieved aggregate throughput of the network is
almost 100%, when 5% of the network MRs are malicious blackholes. As the per-
centage of blackhole MRs increases from 5% to 20%, the aggregate throughput is
observed to decrease from 100% to approximately 80%. The increase in the network
aggregate throughput is approximately 75%, a remarkable achievement of the pro-
posed scheme.
Fig. 15 Aggregate throughput of the network with the scheme and without scheme for Random Topology
5.2.2 Random Topology
We can see from Fig. 15 that the aggregate throughput of the network is 20% of the
entire throughput, even in the presence of 5% of blackhole nodes in the network. This
is due to the fact that as the percentage of blackhole MRs in the network increases,
the aggregate throughput decreases. The aggregate throughput of the network in the
presence of 20% of malicious blackhole MRs is less than 5% of the total network
throughput.
But when our scheme is applied, the aggregate throughput of the network increases
as seen in Fig. 15. When 5% of the network MRs are malicious blackholes, the ag-
gregate throughput is almost 97%, which means that our scheme is almost perfectly
detecting the 5% of malicious MRs. It can be observed that as the percentage of com-
promised MRs increases from 5% to 20%, the aggregate throughput in the network
decreases from 97% to 76%. But the aggregate throughput is not as low as that of the
network throughput without our scheme.
When the scheme is implemented, the network aggregate throughput decreases
because of the number of deployed detection agents. This is due to the fact that as
the percentage of the malicious blackhole MRs increases, the number of roaming
honeypots needs to be increased in order to detect the malicious MRs. However, with
the scheme that is being used in the network, the aggregate throughput increases
with the same number of compromised nodes. Thus, we can state that our scheme
increases the overall throughput of the network by a considerable amount varying
from 70% to 80%.
5.2.3 Aggregate throughput in Random vs Grid
In Fig. 16, we observe the aggregate throughput of the grid and the random topol-
ogy with and without our scheme. In Fig. 15, the aggregate throughput of the grid
topology seems to be high in both schemes. The aggregate throughput of the random
topology without scheme varies from 18% to 7% as the percentage of blackhole MRs
increases from 5% to 20%. For the grid topology, the aggregate throughput varies
from 20% to approximately 10% as the percentage of blackhole MRs increases from
5% to 20%.
Fig. 16 Aggregate throughput for Random and Grid Topology
It can be observed that the aggregate throughput has been increased considerably
when the proposed scheme of honeypots is applied for both the grid and the random
topologies.
From Fig. 16, we can observe that the aggregate throughput of the random topol-
ogy varies from 96% to 85% as the percentage of blackhole MRs is increased from
5% to 20%. In the grid topology, the aggregate throughput of the network varies from
almost 100% to 90% as the percentage of blackhole MRs increases from 5% to 20%.
5.3 TPR and FPR Variation
We study the effect of our scheme in the presence of blackhole attacks and observe
the TPR (True Positive Rate), i.e., the number of times when a correct malicious MR
in the network is reported and an alarm is raised. The simulation is done by increasing
the percentage of the number of malicious blackhole MRs in the network.
5.3.1 Grid Topology
Figure 17 shows that when the number of network attackers has been increased from
5% to 20%, the TPR falls from 100% to approximately 87%. This shows that the
scheme is detecting almost all the network attackers even when the numbers of at-
tackers have been increased.
The numbers of false alarms are very small when there are few attackers. But, as
the number of attackers is increased, the FPR also increases. The graph in Fig. 17
proves that the proposed honeypot based detection scheme has a very high TPR
(100%) and a low FPR (23%) for a grid topology.
Fig. 17 TPR vs FPR variation in Grid Topology
Fig. 18 TPR and FPR variation in Random Topology
5.3.2 Random Topology
It can be observed from Fig. 18 that in the random topology the malicious MR is
correctly reported, and the TPR for 5% of blackhole MRs in the network is about
99.56%. If only a few of the MRs are malicious, our honeypot based detection system
accurately detects them with a high TPR of 99.56% even for the random topology. We
see that with our scheme, when the percentage of malicious blackhole MRs increases,
the TPR decreases. For 20% of the malicious MRs in the network the TPR is around
85%. This is because, as the number of compromised nodes in the network increases,
the probability of a malicious MR being detected becomes low with the same num-
ber of honeypot detection agents. We need to deploy more detection agents, thereby
increasing the total cost.
We see in Fig. 18 that the FPR (False Positive Rate), i.e., the number of times an
alarm is raised when an innocent MR is reported as a malicious MR in a random
topology is very low. In the case of 5% of malicious blackhole MRs present in the
network, FPR is about 6% in the random topology. It can be observed that as the
percentage of the malicious MRs in the network increases to 20%, the FPR increases
to 24.6%. This means that a honeypot detection agent reports an innocent MR as a
malicious MR and raises the alarm, as the percentage of the blackhole MRs in the
network increases, and the detection agent may not be able to detect the malicious
MR.
Fig. 19 TPR vs FPR for Grid Topology
From Fig. 17 and Fig. 18, it can be easily said that the proposed intelligent honey-
pot based detection scheme has a very high TPR (100%) and a low FPR (23%) for the
grid topology, and a high TPR (99.56%) and a low FPR (24.6%) for random topol-
ogy. There is a slight difference in the detection rate due to the delay in the initiation
of route discovery during link breakages in the random topology. Thus, the proposed
scheme detects malicious attackers efficiently in both topologies.
5.4 ROC curve
We next study the Receiver Operating Characteristics (ROC) curve (TPR vs. FPR).
The ROC curve reflects the tradeoffs in the sensitivity of the detection algorithm.
5.4.1 Grid Topology
Figure 18 shows the ROC curve for the grid topology in our detection scheme. We
observe that in our scheme, very few normal instances are misclassified as anomalies
(as seen by 0 FPR value) and all attack instances are correctly identified as intrusions
(as seen by the high TPR value close to 1).
We observe that when our scheme is implemented on the grid topology, very few
innocent MRs are reported as malicious MRs as seen from the value of 0.05 of the
FPR. It can be observed that all the compromised blackhole MRs are correctly de-
tected and reported as seen from the value of the TPR which is very close to 1. The
False Positive Rate is defined as the number of good MRs detected and reported as
blackhole attackers in the network. This is the misclassification of blackhole attack-
ers in the network. Similar low FPR vs. high TPR values can be observed by varying
the percentage of the number of malicious blackhole attackers in the system.
5.4.2 Random Topology
Figure 20 shows the ROC curve for our proposed detection scheme for the random
topology. We observe that in our scheme, very few MRs are reported as malicious MRs
as seen from the value of 0.06 of the FPR, and all the compromised blackhole MRs
are correctly detected and reported as seen from the value of the TPR which is very
close to 1.
Fig. 20 TPR vs FPR for Random Topology
Fig. 21 ROC curve for Grid and Random Topology
Similar low FPR vs. high TPR values can be observed by varying the percentage
of the number of malicious blackhole attackers in the system.
5.4.3 ROC curve for Random vs Grid
From Fig. 21, we can observe the Receiver Operating Characteristics of both the
random and the grid topologies. We can observe that there is a slight difference be-
tween the TPR and FPR rates for the two topologies. The ROC curve is observed
to have TPR of about 1 and FPR of 0.05 for the grid topology. The ROC curve for
the random topology is observed to have TPR of about 1 and FPR of about 0.06. In
both topologies, very few innocent MRs are reported to be malicious MRs and all
the compromised blackhole MRs are correctly detected and reported as seen from the
values of the TPR which are very close to 1 and of the FPR which are 0.05 and 0.06
for the grid and the random topologies, respectively.
Fig. 22a TPR under varying number of misbehaving MRs for Grid Topology
Fig. 22b TPR under varying number of misbehaving MRs for Random Topology
However, there is a difference in the ROC curves of the two topologies, and it is
due to the delay obtained during the route discovery of the link breakages. The dif-
ference between the two topologies is considered to be minimal, and both topologies
provide good performance when our proposed scheme is incorporated.
Figures 22a and 22b demonstrate the detection ability of our system when the
number of malicious MRs generating malicious RREQ is increased in both topolo-
gies. Even if only a few of the MRs are malicious, we see that our honeypot based
model accurately detects them with a high TPR of 98% and almost close to 100%
detection rate for a largely compromised network.
Similarly, Figs. 23a and 23b show the FPR for various number of good MRs.
A large number of good MRs implies that very few MRs are compromised. It can
be seen that the maximum value of the FPR is within 23% and 24.56%, for a largely
compromised WMN in the grid and the random topologies, respectively.
We also see that as the attack rate increases, the FPR increases, indicating that
a small percentage of false alarms would be raised from time-to-time. Both graphs
prove that the proposed honeypot based system has a very high TPR (100%) and a
low FPR (23% to 24%) in both topologies. The proposed IDS thus detects malicious
blackhole MRs accurately and efficiently.
Fig. 23a FPR for varying number of well behaving nodes for Grid Topology
Fig. 23b FPR for varying number of well behaving MRs for Random Topology
6 Conclusion
In this paper, we propose an intelligent honeypot based system to detect blackhole at-
tackers in WMNs for the considered topologies. We model the detection mechanism
of malicious blackhole attackers using a honeypot as a detection agent. The blackhole
attack severely affects the performance and other criteria of the WMNs and the hon-
eypot based detection system raises a timely alert of an attack occurrence. Through
extensive simulations, we demonstrate that our honeypot based detection model has
a high detection rate and a low false positive rate. As a part of our future work, we
plan to use honeypot detection agents to detect other attacks. We also plan to use the
WCETT (Weighted Cumulative End-To-End Delay) as a routing technique to detect
the blackhole attackers in the WMNs.
References
1. Agrawal DP, Zeng Q-A (2006) Introduction to wireless and mobile networks, 2nd edn. Brookes Cole
Publishing, Pacific Grove
2. Akyildiz IF, Wang X (2005) A survey on Wireless Mesh Networks. IEEE Commun Mag (Sept)
3. Ben Salem N, Hubaux JP (2006) Securing Wireless Mesh Networks. IEEE Wirel Commun (Apr)
4. Bhargava S, Agrawal DP (2001) Security enhancements in AODV protocol for wireless ad hoc net-
works. In: IEEE vehicular technology conference, VTS 54th, vol 4, pp 2143-2147
5. Campista MEM, Esposito PM, Moraes IM, Costa LHMK, Duarte OCMM, Passos DG, Albuquereque
CVN, Saade DCM, Rubistein MG (2008) Routing metrics and protocols for Wireless Mesh Networks.
IEEE Commun Mag 22(1):6-12
6. Cordeiro C, Agrawal DP (2006) Ad hoc and sensor networks: theory and application. World Scientific,
Singapore
7. Deng H, Li W, Agrawal DP (2002) Routing security in wireless ad hoc network. IEEE Commun Mag
40(10)
8. http://www.earthlink.net (2011)
9. Hu Y, Perrig A, Johnson DB (2002) Ariadne: a secure on-demand routing protocol for ad hoc net-
works. In: Proc of ACM Mobicom, pp 12-23
10. Hu Y, Johnson DB, Perrig A (2003) SEAD: secure efficient distance vector routing for mobile wireless
ad hoc networks. Ad Hoc Netw 175-192
11. Huang Y-A, Lee W (2003) A cooperative intrusion detection system for ad hoc networks. In: Pro-
ceedings of 1st ACM workshop on ad hoc and sensor networks, pp 135-147
12. Karakehayov Z (2007) Security-lifetime tradeoffs for wireless sensor networks. In: Emerging tech-
nologies & Factory automation, ETFA, IEEE, Sept 2007, pp 246-250
13. Karlof C, Wagner D (2003) Secure routing in wireless sensor networks: attacks and countermeasures.
In: First IEEE international workshop on sensor network protocols and applications (SNPA 03), May
2003, pp 113-127
14. Khattab S, Melhem R, Mosse D, Znati T (2006) Honeypot back-propagation for mitigating spoofing
distributed Denial-of-service attacks. J Parallel Distrib Comput 66:1152-1164
15. Nandiraju D (2009) Efficient traffic diversion and load balancing in wireless mesh networks. Ph.D.
Dissertation, University of Cincinnati
16. Nandiraju N, Nandiraju D, Santhanam L, He B, Wang J, Agrawal DP (2007) Wireless mesh networks:
current challenges and future directions of web-in-the-sky. IEEE Commun Mag 14(4):2-12
17. Network Simulator (NS-2) (2011) http://www.isi.edu/nsnam/ns/index.html
18. Ning P, Sun K (2005) How to misuse AODV: a case study of insider attacks against mobile ad hoc
routing protocols. Ad Hoc Netw 3(6):795-819
19. Ramaswamy S, Fu H, Sreekantaradhya M, Dixon J, Nygard K (2003) Prevention of cooperative black
hole attack in wireless ad hoc networks. In: Proceedings of the international conference on wireless
networks, June 2003
20. Ruiz J-C, Friginal J, Andres D, Gil P (2011) Blackhole attack injection in ad hoc net-
works. In: Fault tolerance systems group (GSTF). http://www.ece.cmu.edu/~koopman/dsn08/fastabs/
dsn08fastabs_ruiz.pdf
21. Santhanam L (2008) Integrated security architecture for Wireless Mesh Networks. Ph.D. Dissertation,
University of Cincinnati, Mar 2008
22. Santhanam L, Mukherjee A, Bhatnagar R, Agrawal DP (2007) A perceptron based classifier for de-
tecting malicious route floods in Wireless Mesh Networks. In: 3rd Intl conference on wireless and
mobile communications, Guadeloupe, French Caribbean, 4-9 March, 2007
23. Santhanam L, Nandiraju N, Yoo Y, Agrawal DP (2006) Distributed self-policing architecture for
fostering node cooperation in Wireless Mesh Networks. In: Personal wireless communication, Sept
20-22, Spain. Lecture notes in computer science, vol 4217/2006. Springer, Berlin, pp 147-158
24. Shurman MA, Yoo S-M, Park S (2004) Blackhole attack in mobile ad hoc networks. In: Proceedings
of ACM of 42nd annual south-east conference regional conference, pp 96-97
25. Spintzer L (2003) The honeynet project: trapping the hackers. IEEE Secur Priv Mag 1(2)
26. The Honeynet Project (2011) http://www.honeynet.org/
