```
Intrusion Detection for Black Hole and Gray Hole in MANETs
Black hole and gray hole attack
[Figures: example network topology with nodes S, A, B, C, D, E, F, G, H and M]
• Black hole: drops all data packets and cheats the previous node.
• Gray hole: drops part of the data and cheats the previous node.
• Gray Magnitude: the percentage of the packets which are maliciously dropped by an attacker (a node received 100 packets, and forwarded 70 packets, gray magnitude=70%).
• A black hole drops 100% (a special gray hole).
• Goal of this paper: find the black or gray hole, and calculate the Gray Magnitude.
• They calculate the Gray Magnitude to make sure the node is a gray hole, in case of mismarking (collision problem).
A Path-based Detecting Method
[Figure: source S with neighbors A, B, C and E; destination D]
A, C, E and B are neighbors of S.
Only A is on the path to D, so S only watches A.
A Path-based Detecting Method
[Figure: nodes S, A, B and D; labels "Overhear", "Sign 01" and "Forward Packet Buffer"]
1. Every node should keep a FwdPktBuffer.
2. S sends p01 to A; a signature is added into the FwdPktBuffer and S overhears A.
3. When A forwards p01, S releases the signature.
Overhear rate
[Figure: path S, A, B, D; 10 packets on the link from A to B, 8 packets on the link from B to D]
Explain:
A forwards 10 packets to B: total overheard packet number = 10.
B forwards 8 packets to D: total forwarded packet number = 8.
Overhear rate: OR = 10/8
If the forwarding rate is lower than the overheard (8 < 10), the detecting node (A) will consider the next hop (B) as a black or gray hole.
Later, the detecting node (A) would avoid forwarding packets through this suspect node (B).
• In this scheme, each node only depends on itself to detect a black or gray hole. The algorithm does not send out extra control packets so that Routing Packet Overhead
• requires no encryption on the control packets to avoid further attacks on detection information sharing
• There is no need to watch all neighbors' behavior. Only the next hop in the route path should be observed. As a result, the system performance spent on the detection algorithm is lowered.
A Path-based Detecting Method:
[Figure: nodes S, A, B, C and D]
• When A finds that B is a BH or GH, A chooses another path.
Watchdog:
[Figure: nodes S, A, B, C and D]
• When A finds that B is a BH or GH, A tells S to choose another path.
Collision problem
• In fig 2, Node S is the source node and Node C is the destination node.
• Packet 1 is transmitted from Node B to Node C. At the same time, Packet 2 is transmitted from Node S to Node A.
• Consequently, Packet 1 and Packet 2 will collide at Node A.
• Then Node S will retransmit Packet 2, but Packet 1 will not be sent again because Packet 1 has been received by Node C successfully.
• As a result, Node A misses Packet 1 and treats it as being dropped by Node B deliberately.
How do they define whether a node is a gray hole or not?
They use a lot of equations to calculate the dropped packets rate, the overheard rate and the collided rate:
OR(N) < (1 - T_f) · (1 - ACR(N))
T_d(N) = 1 - (1 - T_f) · (1 - ACR(N))
But briefly, when
dropped packets > collided packets
the next node is a gray hole.
Simulation Results and Discussion
• Maximum transmission range is 250 m
• Distance between two neighbors is 200 m
• so that a node can only have 4 neighbors
• Overall Packet Delivery Rate: the percentage of the data packets which are
• GM = gray magnitude
• Based on this result, we will only focus on gray holes with gray magnitude of 0.6 or above, because a lower gray magnitude cannot bring about great damage to the network.
[Figures: Reported Collision Rate; Detection Rate]
• Detection Rate & False Positive Rate vs. Gray Hole Number: detection threshold is set to 0.6, and the attackers' gray magnitude is between 60% and 100%.
• Approximately, detection rate still keeps above 90%, and false positive rate is lower than 5%. This result reflects that our detection scheme is valid for attackers with gray magnitude between 60% and 100%.
Questions:
• 1. What is Gray Magnitude?
• The percentage of the packets which are maliciously dropped by an attacker (a node received 100 packets, and forwarded 70 packets, gray magnitude=70%).
• A black hole drops 100% (a special gray hole).
• 2. What is FwdPktBuffer?
• Forward packet buffer (it holds the forwarded packets' signatures).
• 3. What's the difference between A Path-based Detecting Method and the Watchdog mechanism?
A Path-based Detecting Method:
[Figure: nodes S, A, B, C and D]
• When A finds that B is a BH or GH, A chooses another path.
Watchdog:
[Figure: nodes S, A, B, C and D]
• When A finds that B is a BH or GH, A tells S to choose another path.
```
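The FwdPktBuffer bookkeeping and the collision-adjusted check OR(N) < (1 - T_f) · (1 - ACR(N)) from the slides, as an added Python example that is not code from the slides or from the paper they summarize. Assumptions: OR is computed as overheard forwards divided by packets handed to the next hop, T_f is read as the fixed threshold (0.6 as in the simulation), ACR(N) is a collision rate between 0 and 1 supplied by the caller, and the class, function names and packet traces are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NextHopMonitor:
    """State a detecting node keeps for one next hop (illustrative names)."""
    t_f: float = 0.6  # T_f; 0.6 is the detection threshold in the page's simulation
    fwd_pkt_buffer: set = field(default_factory=set)  # signatures not yet released
    sent: int = 0
    overheard: int = 0

    def send(self, sig):
        """Hand a packet to the next hop and buffer its signature."""
        self.fwd_pkt_buffer.add(sig)
        self.sent += 1

    def overhear(self, sig):
        """Next hop was overheard forwarding the packet: release the signature."""
        if sig in self.fwd_pkt_buffer:
            self.fwd_pkt_buffer.remove(sig)
            self.overheard += 1

    def overhear_rate(self):
        # Assumption: OR = overheard forwards / packets handed to the next hop.
        return self.overheard / self.sent if self.sent else 1.0

    def dynamic_threshold(self, acr):
        return 1 - (1 - self.t_f) * (1 - acr)  # T_d(N)

    def is_suspect(self, acr):
        # OR(N) < (1 - T_f) * (1 - ACR(N)); acr=0 degenerates to a fixed threshold
        return self.overhear_rate() < (1 - self.t_f) * (1 - acr)

def observe(heard, acr, total=20):
    """Replay constructed packets; heard(i) is True when packet i was overheard."""
    mon = NextHopMonitor()
    for i in range(total):
        sig = f"p{i:02d}"  # constructed stand-in for a packet signature
        mon.send(sig)
        if heard(i):
            mon.overhear(sig)
    return mon, mon.is_suspect(acr)

if __name__ == "__main__":
    for name, heard, acr in [
        ("honest, ACR 0.2", lambda i: i % 5 != 0, 0.2),     # 16/20 overheard
        ("honest, ACR 0.5", lambda i: i % 20 < 7, 0.5),     # 7/20, rest lost to collisions
        ("gray hole, ACR 0.2", lambda i: i % 10 < 2, 0.2),  # 4/20 overheard
    ]:
        mon, suspect = observe(heard, acr)
        print(name, f"OR={mon.overhear_rate():.2f}", f"T_d={mon.dynamic_threshold(acr):.2f}", suspect)
```

The second trace is the collision problem in miniature: with the collision rate ignored (`is_suspect(0.0)`) the honest node is flagged, while the adjusted check clears it.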