Intrusion Detection for Black Hole and Gray Hole in MANETs

Black hole and gray hole attack
[Figure: example topology with source S, destination D and intermediate nodes A, B, C, E, F, G, H and M; a second copy shows the link costs (1 to 4) used to pick the route.]
Black hole: drops all data packets and cheats the previous node (it claims to forward the data it receives).
Gray hole: drops part of the data and cheats the previous node.
Gray magnitude: the percentage of the packets that are maliciously dropped by an attacker. Example: a node receives 100 packets and forwards 70, so it drops 30 and its gray magnitude is 30%.
A black hole drops 100%: it is the special case of a gray hole with magnitude 1.
Goal of this paper: find the black or gray hole and calculate its gray magnitude. The gray magnitude is calculated to make sure the node really is a gray hole and not a node mismarked because of collisions (the collision problem).

A Path-based Detecting Method
[Figure: S has neighbors A, B, C and E; the route to D runs through A.]
A, C, E and B are neighbors of S. Only A is on the path to D, so S watches only A.

A Path-based Detecting Method: the Forward Packet Buffer
[Figure: S sends packet P01 to A and overhears A forwarding it on towards B and D; the signature Sign01 is stored in, then released from, the Forward Packet Buffer.]
1, every node keeps a FwdPktBuffer (forward packet buffer);
2, when S sends P01 to A, a signature of P01 is added to the FwdPktBuffer and S overhears A;
3, when A forwards P01, S releases the signature.

Overhear rate
[Figure: A sends 10 packets to B; B forwards 8 of them to D.]
Explanation: A forwards 10 packets to B, so the total number of packets to be overheard is 10. B forwards 8 packets to D, so the total number of forwarded packets is 8. The overhear rate is the forwarded count over the overheard count, OR = 8/10 = 0.8 (a ratio of at most 1, which is what the detection rule below compares against a threshold).
If the forwarded count is lower than the overheard count (8 < 10), the detecting node A treats the next hop B as a black or gray hole candidate; the full rule applies a threshold so that a small loss alone is not enough. Afterwards the detecting node A avoids forwarding packets through the suspect node B.

Advantage of the algorithm
In this scheme each node depends only on itself to detect a black or gray hole.
The algorithm sends no extra control packets, so it adds no routing packet overhead and needs no encryption of control packets to protect shared detection information from further attacks.
There is no need to watch all neighbors' behavior.
Only the next hop on the route path needs to be observed. As a result, less system performance is wasted on the detection algorithm.

A Path-based Detecting Method vs. Watchdog
[Figure: two copies of the route S -> A -> B -> D with an alternative node C.]
Path-based detecting method: when A finds that B is a black hole (BH) or gray hole (GH), A itself chooses another path.
Watchdog: when A finds that B is a BH or GH, A tells S, and S chooses another path.

Collision problem
In Fig. 2, node S is the source node and node C is the destination node. Packet 1 is transmitted from node B to node C. At the same time, packet 2 is transmitted from node S to node A. Consequently, packet 1 and packet 2 collide at node A. Node S then retransmits packet 2, but packet 1 is not sent again because node C has already received it successfully. As a result, node A misses packet 1 and treats it as deliberately dropped by node B.

How do they decide whether a node is a gray hole?
They use a set of equations over the dropped-packet rate, the overhear rate and the collided-packet rate. The next hop N is marked as a black or gray hole when
$OR(N) < (1 - T_f)\cdot(1 - ACR(N))$
that is, when the share of packets the detecting node did not hear N forward, $1 - OR(N)$, exceeds the collision-adjusted detection threshold
$T_d(N) = 1 - (1 - T_f)\cdot(1 - ACR(N))$
where OR(N) is the overhear rate of N (packets overheard being forwarded divided by packets sent to N), ACR(N) is the collided-packet rate measured at the detecting node, and T_f is the detection threshold (0.6 in the simulations). The collision term raises the tolerance so that packets lost to collisions are not blamed on N. Briefly: when dropped packets > collided packets, the next node is a gray hole.

Simulation Results and Discussion
The maximum transmission range is 250 m and the distance between two neighbors is 200 m, so a node can have only 4 neighbors.
Overall packet delivery rate: the percentage of the data packets that are actually received by the destination.
GM = gray magnitude.
[Figure: overall packet delivery rate vs. gray magnitude.]
Based on this result, we focus only on gray holes with a gray magnitude of 0.6 or above, because a lower gray magnitude cannot do great damage to the network.
[Figures: reported collision rate; detection rate; detection rate and false positive rate vs. gray hole number.]
Detection rate and false positive rate vs. gray hole number: the detection threshold is set to 0.6 and the attackers' gray magnitude is between 60% and 100%. The detection rate stays above roughly 90% and the false positive rate is below 5%. This result shows that the detection scheme is valid for attackers with gray magnitude between 60% and 100%.

Questions:
1, What is gray magnitude?
The percentage of the packets that are maliciously dropped by an attacker. Example: a node receives 100 packets and forwards 70, so it drops 30 and its gray magnitude is 30%. A black hole drops 100%; it is the special case of a gray hole with magnitude 1.
2, What is FwdPktBuffer?
The forward packet buffer: it holds the signature of each forwarded packet until the next hop is overheard forwarding it.
3, What is the difference between the path-based detecting method and the watchdog mechanism?
[Figure: route S -> A -> B -> D with an alternative node C.]
Path-based detecting method: when A finds that B is a BH or GH, A itself chooses another path.
Watchdog: when A finds that B is a BH or GH, A tells S, and S chooses another path.
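The detection mechanism summarised on these slides (FwdPktBuffer, overhear rate, collision-adjusted threshold, gray magnitude), carried through as an added worked example; this is not code from the paper or the presentation. The class and function names (Detector, GrayHole, run_hop), the packet format, the SHA-256 packet signature and the deterministic drop pattern of the simulated gray hole are assumptions made for the example; T_f = 0.6 follows the simulation setting on the slides.

```python
"""Path-based black/gray hole detection on one hop.

Added example (not code from the paper or the slides). The detecting node S
sends data to its next hop N, stores a signature of each packet in
FwdPktBuffer, and overhears N. When N is heard retransmitting a packet its
signature is released. Overhearings that S lost to a collision are counted
separately so that they are not blamed on N. Names and the packet format are
assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass, field


def gray_magnitude(received: int, forwarded: int) -> float:
    """Share of received packets the node dropped; a black hole scores 1.0."""
    return (received - forwarded) / received


def signature(packet: bytes) -> bytes:
    """FwdPktBuffer entry for a packet (any collision-resistant digest will do)."""
    return hashlib.sha256(packet).digest()


@dataclass
class Detector:
    """The detecting node's bookkeeping for one next hop N."""
    t_f: float = 0.6                                  # detection threshold T_f, 0.6 as in the simulations
    fwd_pkt_buffer: set = field(default_factory=set)  # signatures of packets not yet overheard
    to_overhear: int = 0                              # packets handed to N (total overheard packet number)
    forwarded: int = 0                                # packets N was overheard forwarding
    collided: int = 0                                 # overhearings lost to a collision at S

    def send(self, packet: bytes) -> None:
        """Hand a packet to N and remember its signature until N forwards it."""
        self.fwd_pkt_buffer.add(signature(packet))
        self.to_overhear += 1

    def overhear(self, packet: bytes) -> bool:
        """Called for every frame S hears N transmit; releases a matching signature."""
        sig = signature(packet)
        if sig not in self.fwd_pkt_buffer:
            return False                              # not one of ours (or already released)
        self.fwd_pkt_buffer.discard(sig)
        self.forwarded += 1
        return True

    def report_collision(self) -> None:
        """S detected a collision on its radio while overhearing N."""
        self.collided += 1

    def overhear_rate(self) -> float:                 # OR(N)
        return self.forwarded / self.to_overhear if self.to_overhear else 1.0

    def collision_rate(self) -> float:                # ACR(N)
        return self.collided / self.to_overhear if self.to_overhear else 0.0

    def drop_threshold(self) -> float:                # T_d(N) = 1 - (1 - T_f)(1 - ACR(N))
        return 1 - (1 - self.t_f) * (1 - self.collision_rate())

    def is_suspect(self) -> bool:                     # OR(N) < (1 - T_f)(1 - ACR(N))
        return self.overhear_rate() < (1 - self.t_f) * (1 - self.collision_rate())


class GrayHole:
    """Simulated next hop that drops the first `magnitude` share of every 10 packets."""

    def __init__(self, magnitude: float):
        self.magnitude = magnitude
        self.seen = 0

    def forward(self, packet: bytes) -> bool:
        """True if the node really retransmits the packet."""
        self.seen += 1
        return (self.seen - 1) % 10 >= round(self.magnitude * 10)


def run_hop(n_packets: int, magnitude: float, collisions=frozenset()):
    """Send n_packets through a next hop of the given gray magnitude.

    `collisions` holds packet indices whose overhearing S loses to a collision
    (constructed input: on the slides a packet from S and one from B collide at A).
    Returns (overhear_rate, suspect).
    """
    det = Detector()
    hop = GrayHole(magnitude)
    for i in range(n_packets):
        pkt = f"pkt{i:04d}".encode()                  # constructed data packet
        det.send(pkt)
        if not hop.forward(pkt):
            continue                                  # dropped: S never hears it
        if i in collisions:
            det.report_collision()                    # forwarded, but S missed it
        else:
            det.overhear(pkt)
    return det.overhear_rate(), det.is_suspect()


if __name__ == "__main__":
    print("70% gray hole:", run_hop(10, 0.7))                 # (0.3, True)
    print("benign, 2 collisions:", run_hop(10, 0.0, {3, 5}))  # (0.8, False)
```

run_hop(10, 0.2) reproduces the slide's 10-sent / 8-forwarded case: with T_f = 0.6 an overhear rate of 0.8 is not flagged, whereas a 70% gray hole (overhear rate 0.3, below the 0.4 threshold) is. Two of ten overhearings lost to collisions lower the threshold from 0.4 to 0.32, which is how a benign next hop avoids being mismarked in the collision problem.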