ISSN:2249-5789
M S Subbulakshmi et al , International Journal of Computer Science & Communication Networks,Vol 4(4),137-142

A Survey on Malicious Nodes in Mobile Ad hoc Network
M.S.Subbulakshmi,
M.Phil Research Scholar,
Department of Computer Science,
Erode Arts and Science College
(Autonomous), Erode


S.J.Mohana,
Assistant Professor & Head,
Department of Computer Science,
Erode Arts and Science College
(Autonomous), Erode


Abstract
Wireless mobile ad hoc networks are an emerging technology
that has been protected by various systems such as
firewalls, antivirus, and so on. A MANET has no
infrastructure or centralized server to control the entire
network, so every node must rely on other nodes for support
in routing and in forwarding packets to the destination.
Intermediate nodes might agree to forward the packets but
actually drop or modify them because they are misbehaving.
In this paper we present a study of malicious nodes in
mobile ad hoc networks and a brief description of some
existing intrusion detection systems. The existing
intrusion detection systems add more network overhead to
the MANET. Here, we analyze and find a new efficient
intrusion detection system, the Hybrid Cryptography
Technique (BECDH), for reducing network overhead and
enhancing the security level of the MANET.
Keywords: Mobile Ad-hoc Network (MANET),
Security, Enhanced Adaptive Acknowledgment
(EAACK), Intrusion Detection System (IDS), Digital
Signature Algorithm (DSA), Blowfish Elliptic Curve
Diffie-Hellman Algorithm (BECDH).

1. Introduction
Wireless networking is now the medium of choice for many
applications. In addition, recently developed systems allow
increasingly sophisticated functionality to reside in
devices that are ever smaller, and consequently ever more
mobile. Mobile ad hoc networks (MANETs) combine wireless
communication with a high degree of node mobility.
Limited-range wireless communication together with high
node mobility means that the nodes must cooperate with each
other to provide essential networking, with the underlying
network dynamically changing to ensure that needs are
continually met. The dynamic nature of the protocols that
enable MANET operation means they are readily suited to use
in extreme or volatile conditions.
MANETs have consequently become a very popular research
topic and have been proposed for use in many areas, for
example rescue operations, tactical operations,
environmental monitoring, conferences, and so forth. MANETs
by their very nature are more vulnerable to attack than
wired networks. The flexibility provided by the open
broadcast medium and the cooperativeness of the mobile
devices (which generally have different resource and
computational capacities, and usually run on battery power)
introduce new security risks. As part of rational risk
management we must be able to identify these risks and take
appropriate action. In some cases we may be able to design
out particular risks cost-effectively. In other cases we
may need to accept that vulnerabilities exist and seek to
take appropriate action when we believe someone is
attacking us. Accordingly, intrusion detection is a
fundamental part of security for MANETs.

2. Intrusion Detection System
An intrusion is any set of actions that attempt to
compromise the integrity, confidentiality, or availability
of a resource [1], and an intrusion detection system (IDS)
is a system for the detection of such intrusions. There are
three fundamental parts of an IDS: data collection,
detection, and response.
The data collection component is responsible for collecting
and pre-processing data: transferring data to a common
format, storing data, and sending data to the detection
module [2]. An IDS can use different data sources as inputs
to the system: system logs, network packets, etc. In the
detection component, data is analyzed to detect intrusion
attempts, and indications of detected intrusions are sent
to the response component.
Intrusion detection can be classified based on audit
data as either host-based or network-based. A network-based
IDS captures and analyzes packets from network traffic
while a host-based IDS uses operating system or
application logs in its analysis. Based on detection
techniques, IDS can also be classified into three
categories as follows [3]: anomaly detection system,
misuse detection system, and specification-based detection.
• Anomaly detection systems: The normal
profiles (or normal behaviors) of users are
kept in the system. The system compares the
captured data with these profiles, and then
treats any activity that deviates from the
baseline as a possible intrusion by informing
system administrators or initializing a proper
response.
• Misuse detection systems: The system keeps
patterns (or signatures) of known attacks and
uses them to compare with the captured data.
Any matched pattern is treated as an intrusion.
Like a virus detection system, it cannot detect
new kinds of attacks.
• Specification-based detection: The system
defines a set of constraints that describe the
correct operation of a program or protocol.
Then, it monitors the execution of the program
with respect to the defined constraints.

3. IDS Techniques for Malicious Nodes in MANET
The mobile ad hoc network is an infrastructureless
network, so each node must rely on other nodes for
cooperation in routing and forwarding packets to the
destination. Intermediate nodes might agree to
forward the packets but actually drop or modify them
because they are misbehaving. The simulations in [4]
show that only a few misbehaving nodes can degrade
the performance of the entire system. There are several
existing techniques and a proposed technique to detect
such misbehavior in order to avoid those nodes [5, 6].

3.1 Existing IDS Techniques
The existing intrusion detection techniques find the
malicious nodes, but they suffer from network overhead as
the number of malicious nodes increases. In this section,
the Watchdog, TWOACK, AACK and EAACK techniques
are explained.
3.1.1 Watchdog and Pathrater
Two techniques, watchdog and pathrater, were proposed by
Marti, Giuli, and Baker, to be added on top of the standard
routing protocol in ad hoc networks. A watchdog identifies
the misbehaving nodes by eavesdropping on the transmission
of the next hop. A pathrater then helps to find the routes
that do not contain those nodes. In DSR, the routing
information is defined at the source node. This routing
information is passed together with the message through
intermediate nodes until it reaches the destination.
Therefore, each intermediate node in the path should know
who the next hop node is. In addition, listening to the
next hop's transmission is possible because of a
characteristic of wireless networks: if node A is within
range of node B, A can overhear communication to and from
B. Figure 1 shows how the watchdog works.

Fig. 1 Watchdog Works
Assume that node S wants to send a packet to node D, and
that there exists a path from S to D through nodes A, B,
and C. Consider now that A has already received a packet
from S destined to D. The packet contains a message and
routing information. When A forwards this packet to B, A
also keeps a copy of the packet in its buffer. Then, it
promiscuously listens to the transmission of B to make sure
that B forwards to C. If the packet overheard from B
matches that stored in the buffer, it means that B really
forwards to the next hop (represented as a solid line). It
then removes the packet from the buffer. However, if there
is no matched packet after a certain time, the watchdog
increments the failure counter for node B. If this counter
exceeds the threshold, A concludes that B is misbehaving
and reports to the source node S.
Pathrater performs the calculation of the path metric for
each path. By keeping the rating of every node in the
network that it knows, the path metric can be calculated by
combining the node rating together with link reliability,
which is collected from past experience. After obtaining
the path metric for all available paths, the pathrater can
choose the path with the highest metric. In addition, if
there is no such link reliability information, the path
metric enables the pathrater to select the shortest path
too. As a result, paths containing misbehaving nodes will
be avoided. However, those misbehaving nodes are not
punished. In contrast, they even benefit from the network.
In other words, they can use the resources of the network,
with other nodes forwarding packets for them, while they
forward packets for no one, which saves their own
resources. Therefore, misbehaving nodes are encouraged to
continue their behavior [4].
Many MANET IDSs are either based on or developed as an
improvement to the Watchdog scheme. Nevertheless, as
pointed out by Marti et al. [4], the Watchdog scheme fails
to detect malicious misbehaviors in the presence of the
following: 1) ambiguous collisions; 2) receiver collisions;
3) limited transmission power; 4) false misbehavior report;
5) collusion; and 6) partial dropping.
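The following added example (not code from the paper) models the watchdog buffer, timeout and failure counter at node A, and shows that a next hop using limited transmission power is never reported even though C receives nothing. THRESHOLD, TIMEOUT, the NextHop model, the ratings and the averaging rule in best_path are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

THRESHOLD = 3   # assumed failure threshold; the paper does not give a value
TIMEOUT = 2     # assumed number of ticks A waits to overhear B


@dataclass
class NextHop:
    """Constructed model of next hop B on the path S -> A -> B -> C."""
    forwards: bool = True       # does B retransmit the packet at all?
    tx_reaches_c: bool = True   # is B's signal strong enough to reach C?


@dataclass
class Watchdog:
    """State kept by node A while it watches its next hop B."""
    buffer: dict = field(default_factory=dict)  # packet id -> deadline tick
    failures: int = 0
    reported: bool = False

    def sent(self, pkt_id, now):
        # A forwards the packet to B and keeps a copy in its buffer.
        self.buffer[pkt_id] = now + TIMEOUT

    def overheard(self, pkt_id):
        # B's transmission matches a buffered copy: remove it from the buffer.
        self.buffer.pop(pkt_id, None)

    def tick(self, now):
        # Copies with no match after the timeout each count as one failure.
        expired = [p for p, deadline in self.buffer.items() if now >= deadline]
        for pkt_id in expired:
            del self.buffer[pkt_id]
            self.failures += 1
        if self.failures > THRESHOLD:
            self.reported = True   # A reports B to the source node S


def run(hop, packets=10):
    """Send packets through B; return (reported, delivered_to_c, failures)."""
    wd, delivered = Watchdog(), 0
    for now in range(packets):
        wd.sent(now, now)
        if hop.forwards:
            wd.overheard(now)                   # A is within range of B
            delivered += int(hop.tx_reaches_c)  # C may still hear nothing
        wd.tick(now)
    wd.tick(packets + TIMEOUT)                  # expire what is still buffered
    return wd.reported, delivered, wd.failures


def best_path(paths, ratings):
    """Pathrater step: choose the path with the highest mean node rating.
    Averaging is an assumption; the page only says ratings are combined."""
    return max(paths, key=lambda p: sum(ratings[n] for n in p) / len(p))


if __name__ == "__main__":
    print("honest   :", run(NextHop()))
    print("dropper  :", run(NextHop(forwards=False)))
    print("low power:", run(NextHop(tx_reaches_c=False)))
    ratings = {"A": 1.0, "B": -100.0, "C": 1.0, "E": 0.5, "F": 0.5}  # constructed
    print(best_path([["A", "B", "C"], ["A", "E", "F", "C"]], ratings))
```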

3.1.2 TWOACK
Aiming to resolve the receiver collision and limited
transmission power problems of Watchdog, TWOACK detects
misbehaving links by acknowledging every data packet
transmitted over every three consecutive nodes along the
path from the source to the destination.
Upon receipt of a packet, each node along the route is
required to send back an acknowledgment packet to the node
that is two hops away from it down the route. TWOACK is
required to work on routing protocols such as Dynamic
Source Routing (DSR). The working process of TWOACK is
shown in Fig. 2.

Fig.2. TWOACK scheme
Node A first forwards Packet 1 to node B, and then node B
forwards Packet 1 to node C. When node C receives Packet 1,
as it is two hops away from node A, node C is obliged to
generate a TWOACK packet, which contains the reverse route
from node A to node C, and to send it back to node A. The
receipt of this TWOACK packet at node A indicates that the
transmission of Packet 1 from node A to node C is
successful. Otherwise, if this TWOACK packet is not
received in a predefined time period, both nodes B and C
are reported malicious. The same process applies to every
three consecutive nodes along the rest of the route.
The TWOACK scheme successfully solves the receiver
collision and limited transmission power problems posed by
Watchdog. However, the acknowledgment process required in
every packet transmission adds a significant amount of
unwanted network overhead. Due to the limited battery power
of MANET nodes, such a redundant transmission process can
easily degrade the life span of the entire network.
However, many research studies are working on energy
harvesting to deal with this problem [7].
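The TWOACK procedure above, as an added example that is not part of the original paper: one data packet is forwarded along a route, every three consecutive nodes run the acknowledgment step, and the function counts the TWOACK transmissions that make up the overhead. The node names, the droppers parameter and the assumption that a dropping node still relays TWOACK packets are constructed for the illustration.

```python
def twoack_round(route, droppers=frozenset()):
    """Forward one data packet along `route` and apply TWOACK to each triplet.

    droppers: intermediate nodes that accept a data packet but never forward
    it (assumed here to still relay TWOACK packets for others).
    Returns (delivered, reported, data_tx, ack_tx). ack_tx counts every
    single-hop transmission of a TWOACK packet, i.e. the added overhead.
    """
    hops = 0                                  # successful data transmissions
    for i in range(len(route) - 1):
        if i > 0 and route[i] in droppers:
            break                             # the packet dies at route[i]
        hops += 1                             # route[i] -> route[i + 1]

    reported, ack_tx = [], 0
    for i in range(len(route) - 2):
        first, mid, last = route[i:i + 3]
        if i >= hops:
            continue                          # `first` never sent the packet
        if i + 2 <= hops:
            ack_tx += 2                       # TWOACK goes last -> mid -> first
        else:
            # No TWOACK within the predefined period: `first` reports both
            # the next hop and the node two hops away, as the text describes.
            reported.append((mid, last))
    return hops == len(route) - 1, reported, hops, ack_tx


def overhead(n_nodes):
    """(data_tx, ack_tx) for one packet on an honest route of n_nodes nodes."""
    route = [f"N{i}" for i in range(n_nodes)]   # constructed node names
    _, _, data_tx, ack_tx = twoack_round(route)
    return data_tx, ack_tx


if __name__ == "__main__":
    path = ["S", "A", "B", "C", "D"]            # constructed sample route
    print("honest route :", twoack_round(path))
    print("B drops data :", twoack_round(path, droppers={"B"}))
    for n in (3, 5, 10):
        print(n, "nodes ->", overhead(n))
```

On an honest route of n nodes each data packet costs 2(n - 2) extra TWOACK transmissions, which is the overhead the paragraph above refers to.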

3.1.3 AACK
Based on TWOACK, Sheltami et al. proposed a new scheme
called AACK. Similar to TWOACK, AACK is an
acknowledgment-based network layer scheme which can be
considered as a combination of a scheme called TACK
(identical to TWOACK) and an end-to-end acknowledgment
scheme called ACKnowledge (ACK). Compared to TWOACK, AACK
significantly reduces network overhead while still being
capable of maintaining or even surpassing the same network
throughput. The end-to-end acknowledgment scheme in ACK is
shown in Fig. 3. In the ACK scheme shown in Fig. 3, the
source node S sends out Packet 1 without any overhead
except 2 b of flag indicating the packet type. All the
intermediate nodes simply forward this packet.

Fig.3. ACK scheme
Fig. 3 AACK Scheme
When the destination node D receives Packet 1, it is
required to send back an ACK acknowledgment packet to the
source node S along the reverse order of the same route.
Within a predefined time period, if the source node S
receives this ACK acknowledgment packet, then the packet
transmission from node S to node D is successful.
Otherwise, the source node S will switch to the TACK scheme
by sending out a TACK packet. The concept of adopting a
hybrid scheme in AACK greatly reduces the network overhead,
but both TWOACK and AACK still suffer from the problem that
they fail to detect malicious nodes in the presence of
false misbehavior reports and forged acknowledgment packets
[8].
3.1.4 EAACK
EAACK (Enhanced Adaptive Acknowledgment) [9] is designed to
tackle three of the six weaknesses of the Watchdog scheme,
namely, false misbehavior, limited transmission power, and
receiver collision. In a typical example of receiver
collisions, shown in Fig. 4, after node A sends Packet 1 to
node B, it tries to overhear if node B forwarded this
packet to node C; meanwhile, node X is forwarding Packet 2
to node C.
In such a case, node A overhears that node B has
successfully forwarded Packet 1 to node C but fails to
detect that node C did not receive this packet due to a
collision between Packet 1 and Packet 2 at node C.

Fig.4. Receiver collisions
In the case of limited transmission power, in order to
preserve its own battery resources, node B intentionally
limits its transmission power so that it is strong enough
to be overheard by node A but not strong enough to be
received by node C, as shown in Fig. 5.

Fig.5. Limited transmission power
For false misbehavior report, although node A successfully
overheard that node B forwarded Packet 1 to node C, node A
still reported node B as misbehaving, as shown in Fig. 6.

Fig.6. False misbehavior report
Due to the open medium and remote distribution of typical
MANETs, attackers can easily capture and compromise one or
two nodes to achieve this false misbehavior report attack.
EAACK consists of three major parts, namely, ACK, secure
ACK (S-ACK), and misbehavior report authentication (MRA).
The results demonstrated positive performances against
Watchdog, TWOACK, and AACK in the cases of receiver
collision, limited transmission power, and false
misbehavior report.
Furthermore, in an effort to prevent attackers from
initiating forged acknowledgment attacks, EAACK
incorporates digital signatures. Although it generates more
routing overhead (RO) in some cases, it can vastly improve
the network's packet delivery ratio (PDR) when the
attackers are smart enough to forge acknowledgment packets.
The EAACK scheme produces more routing overhead when the
number of malicious nodes increases, because generation and
verification of digital signatures require a considerable
amount of time. So, for frequent exchange of messages, the
speed of communication will reduce.

3.2 Proposed IDS Technique
The objective of the proposed intrusion detection technique
is to enhance the strength of the security and also solve
the network overhead problem in the mobile ad hoc network.
In this proposed work, an innovative approach called the
hybrid cryptography technique is introduced, because it is
desired to communicate data with high security.
3.2.1 Hybrid Cryptography Technique (BECDH)
The Hybrid Cryptography Technique incorporates a
combination of asymmetric and symmetric encryption to
benefit from the strengths of each form of encryption.
These strengths are respectively defined as speed and
security. In this proposed work, a hybrid cryptography
algorithm is created by combining the Blowfish algorithm
for symmetric encryption and Elliptic Curve Diffie-Hellman
for asymmetric encryption. Fig. 7 shows the encryption and
decryption process of the hybrid cryptography Blowfish
Elliptic Curve Diffie-Hellman Algorithm (BECDH).

[Figure labels: Sender Side, ACK, Blowfish Encryption, Elliptic Curve Diffie-Hellman Encryption (BECDH Encryption), Shared Secret Key, Routing of Packets, Elliptic Curve Diffie-Hellman Decryption, Blowfish Decryption (BECDH Decryption), ACK, Receiver Side]
Fig.7. Process of Hybrid Cryptography Technique (BECDH)
In this scheme, before sending the acknowledgment packets
to the receiver, the sender first encrypts these packets
with the Blowfish algorithm. The encrypted information is
then encrypted again by the ECDH algorithm to improve the
security. On the receiver side, the receiver performs the
same operations to decrypt the acknowledgment packets, but
in reverse order. The ECDH algorithm first decrypts the
encrypted message, and after that Blowfish decrypts the
message again. Finally, the receiver receives the original
acknowledgment packets. This scheme detects the malicious
nodes with low routing overhead, and it can also improve
the packet delivery ratio compared with the existing
techniques.


4. Comparative Study
Table 1 shows a comparative study of the various existing IDS techniques and the proposed IDS technique used for
detecting malicious nodes in MANET.
Table 1. Comparative Study of Different IDS Techniques

| S.No | Intrusion Detection Techniques | Algorithm / Protocols | Advantages | Disadvantages |
|------|--------------------------------|-----------------------|------------|---------------|
| 1 | Watchdog and Pathrater | Dynamic Source Routing Protocol | To improve the throughput of network with the presence of malicious nodes. | Fails to detect malicious misbehaviors with the presence of the following: 1) ambiguous collisions 2) receiver collisions 3) limited transmission power 4) false misbehavior report 5) collusion 6) partial dropping |
| 2 | TWOACK | Dynamic Source Routing Protocol | To resolve the receiver collision and limited transmission power problems of Watchdog. | The acknowledgment process required in every packet transmission process added a significant amount of unwanted network overhead |
| 3 | AACK | Dynamic Source Routing Protocol | Compared to TWOACK, AACK significantly reduced network overhead while still capable of maintaining or even surpassing the same network throughput. | It is crucial to guarantee that the acknowledgment packets are valid and authentic. |
| 4 | EAACK | Digital Signature Algorithm | 1. To solve the three weaknesses of Watchdog scheme, false misbehavior, limited transmission power, and receiver collision 2. To prevent the attacker from forging acknowledgment packets | Number of malicious nodes is increased, this scheme produces more network overhead. |
| 5 | Hybrid Cryptography Technique | Blowfish Elliptic Curve Diffie-Hellman Algorithm | 1. To solve the network/routing overhead problem of EAACK. 2. Give more security to MANET compared with other schemes. | -- |

5. Conclusion
As the use of mobile ad hoc networks (MANETs) has
increased, security in MANETs has become correspondingly
more important. Historical events show that prevention
alone, i.e., cryptography and authentication, is not
enough; therefore, intrusion detection systems are brought
into consideration. In this survey, we have described
different existing intrusion detection techniques and also
introduced a new, innovative intrusion detection technique,
Hybrid Cryptography (BECDH), for finding malicious nodes in
MANETs. Finally, we have justified that the hybrid
cryptography technique (BECDH) is a better intrusion
detection system for mobile ad hoc networks when compared
with other existing intrusion detection systems.

References

[1] Y. Zhang, W. Lee, and Y. Huang, “Intrusion Detection
Techniques for Mobile Wireless Networks,” ACM/Kluwer
Wireless Networks Journal (ACM WINET), Vol. 9, No. 5,
September 2003.
[2] T. Anantvalee and J. Wu, “A Survey on Intrusion
Detection in Mobile Ad Hoc Networks,” in Wireless/Mobile
Security. New York: Springer-Verlag, 2008.
[3] N. Kang, E. Shakshuki, and T. Sheltami, “Detecting
misbehaving nodes in MANETs,” in Proc. 12th Int. Conf.
iiWAS, Paris, France, Nov. 8–10, 2010, pp. 216–222.
[4] N. Kang, E. Shakshuki, and T. Sheltami, “Detecting
forged acknowledgements in MANETs,” in Proc. IEEE 25th
Int. Conf. AINA, Biopolis, Singapore, Mar. 22–25, 2011,
pp. 488–494.
[5] K. Liu, J. Deng, P. K. Varshney, and K. Balakrishnan,
“An acknowledgment-based approach for the detection of
routing misbehavior in MANETs,” IEEE Trans. Mobile
Comput., vol. 6, no. 5, pp. 536–550, May 2007.
[6] Tapan P. Gondaliya and Maninder Singh, “Intrusion
detection System for Attack Prevention in Mobile Ad-hoc
Network,” International Journal of Advanced Research in
Computer Science and Software Engineering, Volume 3,
Issue 4, April 2013.
[7] Dr. S. S. Tyagi and Aarti, “Study of MANET:
Characteristics, Challenges, Application and Security
Attacks,” International Journal of Advanced Research in
Computer Science and Software Engineering, Volume 3,
Issue 5, May 2013.
[8] Alex Hinds, Michael Ngulube, Shaoying Zhu, and
Hussain Al-Aqrabi, “A Review of Routing Protocols for
Mobile Ad-Hoc NETworks (MANET),” International Journal
of Information and Education Technology, Vol. 3, No. 1,
February 2013.
[9] A. Al-Roubaiey, T. Sheltami, A. Mahmoud, E. Shakshuki
and H. Mouftah, “AACK: Adaptive Acknowledgment
Intrusion Detection for MANET with Node Detection
Enhancement,” in 24th IEEE International Conference on
Advanced Information Networking and Applications, 2010.
[10] M. G. Zapata, “Secure Ad Hoc On-Demand Distance
Vector (SAODV) Routing,” ACM Mobile Computing and
Communication Review (MC2R), Vol. 6, No. 3, pp. 106-107,
July 2002.
[11] Y. Hu, A. Perrig, and D. B. Johnson, “Ariadne: A secure
On-Demand Routing Protocol for Ad hoc Networks,”
Proceedings of the 8th Annual International Conference on
Mobile Computing and Networking (MobiCom'02), pp. 12-23,
September 2002.
[12] S. Bansal and M. Baker, “Observation-Based
Cooperation Enforcement in Ad hoc Networks,” Research
Report cs.NI/0307012, Stanford University, 2003.
[13] Y. Zhang, W. Lee and Y. Huang, “Intrusion Detection
Techniques for Mobile Wireless Networks,” ACM/Kluwer
Wireless Networks Journal (ACM WINET), Vol. 9, No. 5,
September 2003.
[14] I. Chlamtac, M. Conti, and J. J.-N. Liu, “Mobile ad hoc
networking: imperatives and challenges,” Ad Hoc Networks,
1(1), 2003, pp. 13–6.
[15] M. Frodigh, P. Johansson and P. Larsson, “Wireless ad
hoc networking: the art of networking without a
network,” Ericsson Review, No. 4, 2000, pp. 248-263.
[16] E. M. Belding-Royer and C. K. Toh, “A review of
current routing protocols for ad-hoc mobile wireless
networks,” IEEE Personal Communication magazine, 1999.
[17] Priyanka Goyal, Vinti Parmar and Rahul Rishi,
“MANET: Vulnerabilities, Challenges, Attacks,
Application,” IJCEM International Journal of Computational
Engineering & Management, Vol. 11, January 2011.
[18] E. Surya and C. Diviya, “A Survey on Symmetric Key
Encryption Algorithms,” International Journal of Computer
Science & Communication Networks, Vol. 2(4), 475-477.
[19] P. Q. Nguyen and I. E. Shparlinski, “The insecurity of
the Digital Signature Algorithm with partially known
nonces,” Preprint, 2000, 1-26.
[20] D. Hankerson, A. Menezes, and S. Vanstone, “Guide to
Elliptic Curve Cryptography,” Springer-Verlag, NY (2004).
