Available online at www.sciencedirect.

com

ScienceDirect
Procedia Technology 25 (2016) 264 271

Global Colloquium in Recent Advancement and Effectual Researches in Engineering, Science and
Technology (RAEREST 2016)

A Novel Approach for Detection of Single and Collaborative

Black Hole Attacks in MANET

Arathy K Sa*, Sminesh C Na

a
Government Engineering College Thrissur, Kerala, 680009, India.

Abstract

Ad hoc On Demand Distance Vector Routing is an extensively accepted routing protocol for Mobile Ad hoc Network. The inadequacy of security
considerations in the design of AODV makes it vulnerable to black hole attack in which, malicious nodes attract data packets and drop them
instead of forwarding. Among the existing black hole detection schemes, just a few strategies detect both single and collaborative attacks and that
too with much routing, storage and computational overhead. In this paper, we propose a novel strategy to detect single and collaborative black
hole attacks, with reduced routing and computational overhead. The proposed D-MBH algorithm detects single and multiple black hole nodes
using an additional route request with nonexistent target address, computes a threshold ADSN, creates a black hole list and invokes the proposed
D-CBH algorithm. Using ADSN, black hole list and next hop information extracted from RREP, the D-CBH algorithm creates a list of
collaborative black hole nodes.
2016
2015TheTheAuthors.
Authors. Published
Published by by Elsevier
Elsevier Ltd.Ltd.
This is an open access article under the CC BY-NC-ND license
Peer-review under responsibility of the organizing committee of RAEREST 2016.
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
Peer-review under responsibility of the organizing committee of RAEREST 2016
Keywords:ADSN; BH list; CBH list; fake RREQ.

1. Introduction

Mobile Ad hoc Network (MANET) is defined as the cooperative engagement of a collection of mobile
nodes, without the support of any centralized access point or existing infrastructure [1]. In this multi hop routing
scenario, each node functions as a host and a router. Thus nodes are collectively responsible for the management

* Corresponding author.
E-mail address:arathyks92@gmail.com

2212-0173 2016 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
Peer-review under responsibility of the organizing committee of RAEREST 2016
doi:10.1016/j.protcy.2016.08.106
 K.S. Arathy and C.N. Sminesh / Procedia Technology 25 (2016) 264 271 265

of network. MANET has numerous applications in military and rescue zones since it gives an adaptable
communication where terrestrial or geographical constraints are present [2].Ad hoc on demand distance vector
routing is a reactive routing protocol in MANET that offers low processing and memory overhead, quick adaptation
to dynamic link conditions and low network utilization [3]. The paucity of security contemplation in the design of
AODV makes it vulnerable to black hole attacks. In single black hole attack, a malicious node claims to have the
freshest and shortest route to destination, attracts data packets and drops them instead of forwarding. Sometimes
these malicious nodes act in coordination resulting in collaborative black hole attacks. In this paper, we propose two
algorithms to detect single and collaborative black hole attacks with reduced computational and routing overhead.
This strategy makes use of a fake RREQ with nonexistent target address, destination sequence number and next hop
information extracted from RREP to identify the malicious nodes. The paper is organized as follows. Section 2 gives
a preface to Black Hole attacks in AODV, section 3 focus on related work in this area; section 4 analyses the
proposed algorithm, followed by the conclusion in section 5.

Nomenclature

D-MBH Detection of Multiple Black hole Attack

D-CBH Detection of Collaborative black hole attack
AODV Ad hoc On Demand Distance Vector Routing
DSN Destination Sequence Number
ADSN Average Destination Sequence Number
SN Source Node
RREQ Route Request
RREP Route Reply
RREPN Route Reply Sending Node
NHN Next Hop Node
IN Intermediate Node
BH list list of black hole nodes
CBH list list of Collaborative black hole nodes

2. Black Hole Attacks in AODV

In AODV, SN initiates route discovery process by broadcasting a Route request (RREQ) to its neighbours.
On receiving an RREQ, an intermediate node (IN), looks up in its routing table for a fresh enough route to
destination. If such a route is unavailable, IN broadcasts the RREQ. Else, it responds with a Route Reply (RREP) to
the source node. However when a link failure occurs, a route error (RERR) message is sent to notify others about the
same. According to AODV, only an intermediate node with fresher and valid route to destination can respond to a
RREQ. On receiving a RREQ, a black hole node exploits this feature by immediately sending back a malicious
RREP, having destination sequence number (DSN) set to the maximum possible value and hop count set to the
minimum value and hence claims to have the freshest and shortest route to destination [4,5]. Since a malicious node
does not even check in its routing table, it is the first node that responds to a RREQ in most cases [6]. On receiving
this RREP, the source node starts routing packets via the claimed path and subsequently, the attacker node drops all
the packets.

If there are multiple adversary nodes, the attack is called multiple black hole attack. Collaborative or
cooperative black hole attack is a special case of multiple black hole attack in which two or more black hole nodes
are acting in collusion [7,8]. Fig.1 is a pictorial representation of collaborative black hole attack. In Fig. 1[9], node S is
the source node and node D is the destination node.Here, node 4 and node 5 are malicious nodes working in
266 K.S. Arathy and C.N. Sminesh / Procedia Technology 25 (2016) 264 271

collaboration. Hence, node 4 can either drop the data packets or forward them to node 5. Similarly node 5 can either
drop the packets or sent them to the adjacent malefic node in alliance.

Fig. 1 Collaborative black hole attack

3. Related Works

Black hole detection has been an active area of research since Hongmei Deng proposed next hop
information [10] based scheme in 2002. Researchers have proposed various solutions to identify and handle black
hole attack. But merely a few among them detect collaborative black holes. A review of such strategies is presented.
In [9], L.Tamilselvan et al., proposes the notion of Fidelity Table. Here, every participating node is allotted a
particular fidelity level, a measure of reliability. Whenever a source node broadcasts a RREQ and holds up, the
incoming RREPs are gathered in its Response Table. If the average of the fidelity level of RREP sending node
(RREPN) and its next hop node (NHN) in the route is found to be over a predetermined threshold, the RREPN is
considered as trustworthy. Therefore, on the receipt of multiple RREPs, the one with the highest fidelity level is
selected. However, if multiple nodes have the same fidelity level, the RREP with the minimal hop count is chosen.
Finally, routing is accomplished via the selected path. Upon data receipt, the destination node sends an
acknowledgement to the source node within timer. Next, fidelity level of the RREPN is incremented as an accolade
for honest routing else that of both RREPN and its NHN is decremented for being collaborative. Anyway, if fidelity
level of a node drops to zero, it is considered as a black hole and the presence of attack is intimated to all using
alarm packets. Despite the fact that this method handles both single and collaborative black hole attacks, it involves
increased storage overhead, routing overhead, computational overhead and delay. This is because each node should
maintain a Fidelity Table and a Response Table that must be updated and exchanged among the nodes periodically.
Subsequent to routing, the source node has to wait for an acknowledgement from destination to confirm the safety of
route. In order to presume that a node is malicious, we need to wait until its fidelity level drops to zero. Hence data
packets will be dropped to some degree.
J. Sen et al., introduces the concept of data routing information (DRI) table [11]. Here, every node maintains a DRI
table which keeps track of past routing information. In the table, the field From denotes that the node has routed
data packets from the node in question whereas the second field Through denotes that the node has routed data
 K.S. Arathy and C.N. Sminesh / Procedia Technology 25 (2016) 264 271 267

packets through the node in question. When any node sends or receives data packet through or from one of its
neighbours, corresponding entries in its DRI table are updated. However, on the receipt of a RREQ, the RREPN
looks up in its DRI table and sends the DRI entry of its Next Hop Node (NHN) to the source node. A node is treated
as reliable, if source node has successfully routed data packets through it. If unreliable, current NHN becomes the
new intermediate node and the source node has to send a further request (FRq) to the next hop node of this
intermediate node. Then NHN sends back a further reply (FRp) that incorporates DRI entries of IN and the next hop
of current NHN. Meanwhile, Source node on receiving FRp scrutinizes the DRI entries and if DRI entry of IN says
that it has routed packets from NHN and that of NHN says that it has not routed any packet through IN, then all the
nodes, in the reverse path from intermediate node to RREPN are considered as black hole since NHN is a reliable
node.
If IN is an amiable node, routing can be accomplished. Even though this method prevents cooperative black hole
attack, each node has to maintain a large table in addition to normal routing table which results in memory space
wastage and increase in overhead. Furthermore, a recently entered non malicious node may be wrongly detected as
black hole and eliminated as it might not have done any data transfer through or from the neighboring nodes and it
also fails in the presence of single or non cooperative multiple black holes since they drop FRq itself. In [12], [13]
and [14], advanced DRI tables are used.
As indicated by the plan specified in [15], values are arbitrarily assigned for some parameters for each node. By taking
the product of these parameters to be specific rank (a measure of reliability), stability factor (conversely corresponding
to velocity of node) and remaining battery force, trust estimation of every node is resolved. Later, average trust of each
route is assessed by averaging the trust of every single participating node in that route and the route with the highest
average trust is selected. Subsequently, the source node has to wait for an acknowledgement from destination. If the
packet transmission is successful, the destination node sends back an acknowledgement to the source node. On receipt
of affirmation from destination, the source node increases the rank and decrements the remaining battery power of all
nodes in that path. On contrary, if no acknowledgement, the source node decrements rank of each node in the route.
Even though this method handles both single and collaborative black hole attacks, all RREPs should be buffered and
average trust value ought to be determined. Moreover, the parameters associated with each node need to be maintained
and updated frequently. In order to make sure that a node is malicious, we need to hold up until its rank drops to zero.

Table 1. Single and collaborative black hole detection schemes

Scheme Detection Type Defects
Fidelity Single and collaborative 1) Increased Storage overhead due to fidelity tables and
response tables.
2)Increased routing overhead due to exchange of
fidelity tables and additional control packets.
3) Waits until Fidelity level drops to zero to detect the
presence of a black hole. So increased end to end delay.

DRI Single and collaborative 1) Increased routing overhead due to FRq, FRp and
exchange of DRI tables.
2) Increased Storage overhead due to DRI tables
3) Increased End to end delay

Trust Single and collaborative 1) Increased storage overhead due to buffers and tables
to store trust values.
2) Increased routing overhead due to exchange of trust
tables.
3)Computational overhead
4)Waits until Trust level drops to zero to identify black
hole. Hence, increased end to end delay.
268 K.S. Arathy and C.N. Sminesh / Procedia Technology 25 (2016) 264 271

4. Proposed Algorithms

To shield AODV from single and collaborative black hole attacks, it is essential to discover noxious nodes
amid the route discovery process, when they send malicious RREPs to attract the source node. We propose two
algorithms for mitigating single and collaborative black hole attacks. Three additional elements are used in the
proposed algorithms specifically, a fake RREQ with nonexistent target address [16], a list of black hole nodes( BH
list) and a list of collaborative black hole nodes(CBH list). The proposed Detection of Multiple Black Hole attack
(D-MBH) algorithm detects single and multiple black hole nodes, computes a threshold for DSN (ADSN), creates
BH list and invokes the proposed Detection of Collaborative Black Hole attack (D-CBH) algorithm. Using ADSN,
BH list and next hop information extracted from RREP, the proposed D-CBH algorithm creates the CBH list.

4.1 Algorithm Details

According to D-MBH algorithm, SN broadcasts a fake RREQ with nonexistent target address and waits for
RREP. Since a genuine node never reacts to a fake RREQ, it is undeniable that all RREPNs in this scenario are
malicious nodes. Therefore these nodes are included in the BH list. The malicious RREPs from black holes have
absolutely large DSN because larger DSN implies fresher route. Therefore the proposed D-MBH algorithm
computes the average of DSN of all malicious RREPs received so far (ADSN). This can be considered as a
threshold since RREPs from black holes posses higher DSN in comparison with normal RREPs; and when a new
black hole joins the network, it sends an RREP with a DSN higher than ADSN. Now, passing black hole list (BH
list) and ADSN, the proposed D-MBH algorithm invokes the D-CBH algorithm.

Actual route discovery process begins in the D-CBH algorithm when SN makes a RREQ and buffers all
RREPS. According to the proposed D-CBH algorithm, discard a RREP immediately if the RREPN is an already
identified black hole. Otherwise, check whether NHN of RREPN is in BH list. If yes, then the RREPN can be
considered as fraudulent node acting in coordination with NHN. Furthermore, if DSN of this RREP is greater than
ADSN, the RREPN and NHN can be included in the collaborative black hole list, without being skeptical. Other
RREPNs sending RREPs with DSN greater than ADSN are considered as newly entered black hole nodes and these
RREPNs are added in the BH list. Thus, using BH list and CBH list we can distinguish non collaborative multiple
black holes and collaborative black holes.

Abbreviations

D-MBH Detection of Multiple Black hole Attack

D-CBH Detection of Collaborative black hole attack
DSN Destination Sequence Number
ADSN Average Destination Sequence Number
SN Source Node
RREQ Route Request
RREP Route Reply
RREPN Route Reply Sending Node
NHN Next Hop Node
BH list list of black hole nodes
CBH list list of Collaborative black hole nodes
 K.S. Arathy and C.N. Sminesh / Procedia Technology 25 (2016) 264 271 269

Algorithm 1. D-MBH Algorithm

Begin
SN broadcasts fake RREQ.//additional RREQ with nonexistent target address//
SN receives RREPs and pushes RREPNs in the BH list.//only the attacker nodes respond to a fake RREQ //
ADSN= Average of DSNs of all RREPs. // malicious RREP from black hole contains higher DSN//
Call D-CBH algorithm (ADSN, BH list) // invokes D-CBH algorithm passing ADSN and BH list as parameters
End

Algorithm 2. D-CBH algorithm(ADSN, BH list)

Begin
SN broadcasts RREQ and buffers RREPs
For each RREP do
If RREPN in BH list then//RREPN is an already identified black hole//
Discard RREP.
Else if NHN of RREPN in BH list and DSN > ADSN then // NHN is an already identified black hole so NHN
and RREPN are acting in coordination//
Push RREPN in BH list.
Push RREPN and NHN in CBH list.
Else if DSN > ADSN then// RREPN is a newly joined single black hole node//
Push RREPN in BH list.
Else route data packet if routing has not yet done
End if
End for
End

4.2 Analysis of Algorithms

We analyse the computational, routing and storage overhead of the proposed algorithms with the existing
Fidelity, DRI and Trust based schemes.
The DRI based scheme uses a data routing information table for each node. Similarly, the Fidelity and Trust
based schemes use fidelity tables and trust tables respectively in addition to response table for buffering RREPs.
Unlike the existing schemes, in addition to response table, the proposed scheme does not require any table.
However, each node maintains two lists namely BH list and CBH list. These lists are updated only when a black
hole node is encountered. All the above mentioned existing schemes require frequent updating and periodical
exchange of tables which resulted in extraneous routing of control packets. Consider N number of nodes and M
number of different RREQ in the network. In the worst case, the proposed algorithm needs to update the lists for
each RREQ. Hence, the complexity of routing is O(MN) whereas in the existing schemes, due to additional control
packets and periodical exchange of tables, it is O(N2) +O(MN). Hence, in comparison with the existing methods,
the proposed algorithms have a relatively downsized routing overhead. Graph 1 depicts the routing overhead versus
the number of nodes of existing and proposed scheme, assuming a single RREQ scenario.

The proposed algorithms just demand the calculation of a threshold, which is the average of DSN of malicious
RREPs from black hole nodes and this is an O(1) computation. The trust based strategies [15, 17] and the fidelity
scheme require trust computation or fidelity computation. In the worst case scenario, since there are (n-1) RREPs for
270 K.S. Arathy and C.N. Sminesh / Procedia Technology 25 (2016) 264 271

a single RREQ, this is an O(MN) computation. Graph 2 depicts the computational overhead versus the number of
nodes of existing and proposed scheme, assuming a single RREQ scenario.

Since the proposed algorithms need to maintain BH list and CBH list, there is no considerable improvement in
storage overhead in comparison with the existing DRI, fidelity and trust based schemes. Hence, the proposed
algorithms detect single and collaborative black holes with reduced computational and routing overhead even
though there is no considerable improvement in storage overhead.

Graph1. Comparison of Routing Overhead Graph 2. Comparison of Computational Overhead

5. Conclusion and Future Work

We proposed two algorithms for the detection of single and collaborative black hole attacks. The proposed
D-MBH algorithm uses a fake RREQ with nonexistent target address and computes a threshold for DSN and creates
a list of black hole nodes. Using the threshold, list of black hole nodes and next hop information extracted from
RREP, the proposed D-CBH algorithm creates a list of collaborative black hole nodes. We have analyzed the
proposed algorithms with the existing DRI, fidelity and trust based schemes and found that the routing overhead and
computational overhead has been considerably reduced. However, there is no considerable improvement in storage
overhead compared to the existing schemes. Metrics in MANET like end to end delay, packet delivery ratio, routing
overhead and computational overhead has to be analyzed as a part of simulation work. As future work, algorithms
can be developed to detect the presence of gray holes, which are occasionally acting as black holes, in MANET.

References

[1] Perkins, Charles E., Elizabeth M. Belding-Royer, and R. Samir. Das, Mobile Ad Hoc Networking Working Group. Internet Draft,
February, 2003.
[2] Goyal, Priyanka, Vinti Parmar, and Rahul Rishi. "Manet: vulnerabilities, challenges, attacks, application." IJCEM International Journal
of Computational Engineering & Management 11 (2011): 32-37.
 K.S. Arathy and C.N. Sminesh / Procedia Technology 25 (2016) 264 271 271

[3] Perkins, Charles, Elizabeth Belding-Royer, and Samir Das. Ad hoc on-demand distance vector (AODV) routing. No. RFC 3561. 2003.
[4] Gurung, Shashi, and Krishan Kumar Saluja. "Mitigating Impact of Blackhole Attack in MANET." Int. Conf. on Recent Trends in
Information, Telecommunication and Computing, ITC. 2014.
[5] Al-Shurman, Mohammad, Seong-Moo Yoo, and Seungjin Park. "Black hole attack in mobile ad hoc networks." Proceedings of the 42nd
annual Southeast regional conference. ACM, 2004.
[6] Tseng, Fan-Hsun, Li-Der Chou, and Han-Chieh Chao. "A survey of black hole attacks in wireless mobile ad hoc networks." Human-
centric Computing and Information Sciences 1.1 (2011): 1-16.
[7] Vu, Cong Hoan, and Adeyinka Soneye. An Analysis of Collaborative Attacks on Mobile Ad hoc Networks. Diss. Master Thesis at School
of Computing, Blekinge Institute of Technology, 2009.
[8]Dhurandher, Sanjay Kumar, et al. "GAODV: A Modified AODV against single and collaborative Black Hole attack inMANETs.
" Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on. IEEE, 2013..
[9] Tamilselvan, Latha, and V. Sankaranarayanan. "Prevention of co-operative black hole attack in MANET." Journal of networks 3.5
(2008): 13-20.
[10] Deng, Hongmei, Wei Li, and Dharma P. Agrawal. "Routing security in wireless ad hoc networks." Communications Magazine,
IEEE 40.10 (2002): 70-75.
[11] J.Sen, S. Koilakonda, A. Ukil, "A Mechanism for Detection of Cooperative Black Hole Attack in Mobile Adhoc Networks" IEEE
Second International Conference on Intelligent Systems, Modeling and Simulation, 2011.
[12] Bindra, Gundeep Singh, et al. "Detection and removal of co-operative blackhole and grayhole attacks in MANETs." System Engineering
and Technology (ICSET), 2012 International Conference on. IEEE, 2012.
[13] Hiremani, Vani, and Manisha Madhukar Jadhao. "Eliminating co-operative blackhole and grayhole attacks using modified EDRI table
in MANET."Green Computing, Communication and Conservation of Energy (ICGCE), 2013 International Conference on. IEEE, 2013.
[14]Wahane, Gayatri, and Savita Lonare. "Technique for detection of cooperative black hole attack in MANET." Computing,
Communications and Networking Technologies (ICCCNT), 2013 Fourth International Conference on. IEEE, 2013.
[15] Biswas, Santosh, Tanumoy Nag, and Sarmistha Neogy. "Trust based energy efficient detection and avoidance of black hole attack to
ensure secure routing in MANET." Applications and Innovations in Mobile Computing (AIMoC), 2014. IEEE, 2014.
[16] Nishu kalia, Kundan Munjal, Multiple Black Hole Node Attack Detection Scheme in MANET by Modifying AODV Protocol
International Journal of Engineering and Advanced Technology (IJEAT), Vol. 2, Issue-3, February 2013.
[17] Thachil, Fidel, and K. C. Shet. "A trust based approach for AODV protocol to mitigate black hole attack in MANET." Computing
Sciences (ICCS), 2012 International Conference on. IEEE, 2012.