A Fuzzy Knowledge-Based Approach for End-2-End Behavioural Analysis of Wormhole Attacks on Mobile Ad-Hoc Networks

Mobile Ad hoc Networks (MANETs) involves series of travelling nodes communicating with each other without a fixed Set-up. Certainly, MANETs are networks that utilize communication peripatetic nodes such as; Personal Digital Assistants (PDAs), mobile phones, laptops which enable wireless transmission across an area and forwarding data packets to the other nodes resulting in frequent change in topology. MANETs are exposed to several communication assaults such as active attack and passive attack. The active attack disrupts network operations while the passive attack obtains information without upsetting normal networks operation. Wormhole is a typical case of active attack. Indeed, an attacker receives packets at one end of the network, tunnels them to another end of the network, and then replays them into the networks from that point resulting in a collapse in communication across wireless setups. This research work simulates and models a typical wormhole attack in MANET using Network Simulator (NS-2.35) and Fuzzy Inference System (FIS). The End-2-End behavioural analysis of wormhole attacks on the transmitting networks layer of MANET was realized. To detect the level of wormhole attack in the network several parameters such as Packet Delivery Ratio, Packet Forwarding Probability and Packet Dropping Probability were considered by determining the degree of severity of wormhole attack which may upset the Quality of Service (QOS) delivery. The aim of this research paper is in the direction of Network security optimization.


Introduction
The term "Ad hoc" is a Latin phrase which means "for this purpose", therefore ad hoc networks are used for a particular purpose. Ad hoc networking can be applied where there is little or no communication infrastructure. There are various types of ad hoc networks such as; Vehicular Ad hoc Network, Mobile Ad hoc Network, Smartphone Ad hoc Network, Wireless Sensor Network, etc. Among these various types of ad hoc networks, this project will focus on the Mobile Ad hoc Network (MANET). [7] defines Mobile Ad hoc Network (MANET) as an autonomous system which consists of a collection of self-configurable mobile nodes connected through wireless links. MANETs that may require secure communication network include but is not limited to the following areas: military or police communication network, safety operations in oil drilling platforms, critical business application, safety operations in hospital (emergency), warzone, etc. MANET has some challenges which makes it vulnerable to attacks which are; absence of centralized infrastructure, dynamic topology, lack of resource constraints such as; power capacity, memory. The nodes in a MANET are free to move in any direction independently, they leave and join the network randomly. Compared to wired networks, MANET has more security issues and many types of attacks can be initiated on such networks, these attacks can be either passive or active. [13] stated that in passive attacks, the attacker obtains information without disturbing normal network operation and is difficult to detect since the operation of network is not affected while in an active attack, an attacker can be internal (within the network) or external (outside the network) and can disturb network operation by modifying or deleting information, injecting a false message or impersonating a node. A typical example of an active attack is known as a wormhole attack.
A wormhole attack is usually performed by two or more malicious nodes. [1] defined wormhole attack as the most frequently occurring attack in ad hoc networks in which one malicious node tunnels the packets from its location to other defective nodes. [19] described wormhole attack as where an attacker receives packets at one point in the network, tunnels them to another point in the network, and then replays them into the network from that point. This tunnel between two attackers are called wormhole. The wormhole attack is difficult to detect because the attackers can launch the attack without revealing their identity.
This end-2-end behaviour of wormhole is due to the fact that the tunnel formed by the wormhole is from one end of the network to the other end of the network (i.e. from source to destination). In this research project, the focus is on the study of wormhole attack, some detection methods and techniques to prevent occurrences of attack in mobile ad hoc networks. The remainder of this paper is structured as follows: Section 2 provides a review of related literature on typical wormhole attack in MANET. Section 3 presents the materials and method employed in the research. Section 4 presents the results obtained from the study. Section 5 discusses the results with reference to existing literature. Section 6 concludes on the paper and points to future research direction.

Literature Review
In [20] paper presented an approach for detecting and defending against wormhole attacks called packet leashes, and the specific protocol called TIK (TESLA with Instant Key disclosure) that implements leashes. A leash is any information that is added to a packet designed to restrict the packet's maximum allowed transmission distance. Packet leashes provide a way for a sender and a receiver to be certain that a wormhole attacker is not causing the signal to propagate further than the specified normal transmission distance. There are two types of leashes; geographical leashes and temporal leashes. These two types of leashes can prevent the wormhole attack, because it allows the receiver of a packet to detect if the packet travelled further than the leash allows.
irregularities that their presence creates once they begin to drop traffic. They identified the existence of the wormhole, before the intruders began the packet-dropping phase of the attack, by applying signal-processing techniques to the arrival times of the routing management traffic. This is done by relying on a property of proactive routing protocols that the stations must exchange management information on a specified, periodic basis. For the simulation, a MANET test bed was set up and they programmed an active wormhole and the results showed that an intruder was actively dropping systems and this was shown when they monitored the HELLO message intervals. This approach can be used in MANETs that use a proactive protocol that relies on regular protocol messages. [8] described an end-to-end mechanism that can detect wormholes on a multi-hop route. This mechanism used geographic information to detect irregularity in neighbour relations and node movements. They presented a scheme, Cell-based Open Tunnel Avoidance (COTA), to manage the information. Wormhole attacks can be divided into three groups: closed, half open, and open and their mechanism is detected all the groups of wormholes. Simulations and experiments on real devices showed that the proposed mechanism can be combined with existent routing protocols to defend against wormhole attacks.
In a research paper [10] a novel trust-based schemes for identifying and isolating nodes that create a wormhole in the network without engaging any cryptographic mean. Their main goal was to design a protocol that not only prevents wormhole attacks but also avoids using strict clock synchronization.
They implemented the random way point movement model for the simulation, in which a node starts at a random position, waits for the pause time, and then moves to another random position with a velocity chosen between 0 m/s and the maximum simulation speed. Performance of the proposed scheme is evaluated based on the metrics such as Throughput, Packet Loss By malicious node. By using Trust Based Model, Packet Dropping was reduced by 15% without using any cryptography mechanism and throughput is increased up to 7-8%. This was because the trust level of any node was not capable of sustaining the required traffic flow. In the case of detection of a wormhole by an intermediate node, all packets leading towards the tunnel are dropped and a corresponding route error packet is generated. At higher speeds the number of interactions with the nodes creating the wormhole increase considerably. This helps to spread trust information in the network at a higher rate. According to their results, up to 60% of the nodes executing the trust based DSR protocol were able to correctly identify at least one end of the wormhole.
[3] in their paper analyzed the effects of wormhole attack in ad hoc wireless networks by using a simple wormhole algorithm called hybrid routing algorithm which combines three different techniques; Hop Count Based Detection (Alternate Route), Anomaly Based Detection (Route Reply Decision Packet), Neighbour List Based Detection. Their paper focused on combining three techniques based on hop count, decision anomaly, and neighbor list count methods to detect and isolate wormhole attacks in ad hoc networks. They implemented an Ad hoc Ondemand Distance Vector (AODV) protocol that simulates the behaviour of wormhole attack in Network Simulator 2. The simulation was performed in terms of average end-to-end delay, routing overhead, packet delivery ratio. This algorithm has better performance than the techniques being used individually (Hop count, Anomaly based, Neighbor list methods) to detect and isolate wormhole attacks in ad hoc networks. The solution detects the malicious

International Journal of information Systems and Informatics
e-ISSN 2746-1378 Vol. 2, No.4 December 2021 nodes and isolates it from the active data forwarding.
In [14] the objective was to find out the malicious node that performs the wormhole attack in network. They have assumed that the MANET consists of group of nodes. They proposed an algorithm in which intrusion detection is done in a group-based manner to detect the wormhole attacks. The group-based approach was used to reduce the load of processing on each group heads and also reduce the risk of a group head being compromised. The entire network into divided in groups. The group may be overlapped or disjoint. Each group has its own group head and a number of nodes designated as member nodes. Member nodes pass on the information only to the group head. The group head is responsible for passing on the information to all its members. The group head is elected dynamically and maintains the routing information. In multi-hop wireless systems, the need for cooperation among nodes to relay each other's packets exposes them to a wide range of security threats including the wormhole attack.
[11] implement a system that successfully detects the wormhole present in the MANET using network and physical layer parameters. The various network parameters such as throughput, average end-to-end delay, packets dequeued are used to detect the presence of wormhole in the network. In addition, the physical layer parameters such as signals transmitted and signals received and forwarded to MAC layer are considered in the detection process. Various MANETs are simulated using the Qualnet 5.0 network simulator. The system carries out a cross layer detection of wormhole which is done using the Fuzzy Inference System (FIS).
The study in [6] resulted to a number of routing protocols which can be classified as non-Location based routing protocols and Location-based routing protocols. Non-Location based routing protocol uses the traditional routing concept such as maintaining a routing table while the Location-based routing protocol uses the geographical location of the mobile nodes to route the packets from source to destination. In their paper, they performed and analyzed the wormhole attack at location-based protocol ALERT (Ananonymous Location Based Efficient Routing Protocol). In location-based routing protocols, the nodes use the information about the geographical position of other nodes to route packets to their destinations. When sending a packet to a destination, the source node gets the position of the destination node by the location service and adds this information in the header of the packet. Then, each intermediate node that receives the packet gets the location information of the destination from the packet and uses it to forward the packet comparing with its own location.
One of the efficient location-based routing protocol is the ALERT protocol which provides protection to source, destination and routes. It assumes the where the nodes in a network are randomly spread. ALERT uses the hierarchical zone partition and randomly chooses a node in the partitioned zone in each step as an intermediate relay node (i.e., data forwarder). In the ALERT routing, each source node executes the hierarchical zone partition. It checks whether itself and destination are in the same zone. If so, it divides the zone in the horizontal and vertical directions. The node repeats this process until itself and destination nodes are not in the same zone. It then randomly chooses a position in the other zone called temporary destination (TD), and uses the GPSR routing algorithm to send the data to the node closest to TD. This node is defined as a random forwarder (RF). The Network Simulator tool (NS-2) was used to evaluate the performance of different location based routing protocols in mobile ad-hoc networks. The wormhole attack was implemented on varying number of nodes in network and consequently isolated the wormhole attack using isolator to know the effectiveness of routing protocols. They compared the ALERT protocol and Stateless Routing (GPSR) protocol with wormhole attack based on the performance of routing protocols which was analyzed by; throughput, end-to-end delay, packet delivery ratio (PDR) and normalized routing load (NRL). Throughput; Throughput is the average rate of successful packet delivery over a network in per unit time. From the results, the throughput was decreased in the presence of wormhole attack for ALERT because wormhole receives packet from one location and tunnels it to another network.
In [7], the paper analyzed the nature of black hole attack and wormhole attack in Mobile Ad hoc Networks (MANETs). They proposed a mechanism called Advanced Optimized Link State Routing (AOLSR) protocol in order to analyse the attacks and this AOLSR is an improvement of the OLSR routing protocol, which will be able to detect the presence of malicious nodes in the network. In the solution, the AOLSR protocol senses the nodes in the network by broadcasting the behavior of the nodes. It monitors the number of broadcasts, inactive time period of nodes, data handover and log. If any suspicious activity is done by the malicious nodes during the transmission of data, those malicious nodes will be detected and an alert will be sent to source and destination. In the simulation, 35% of malicious nodes out of the normal nodes was used to launch the attack. The traffic load is simulated using 15 user datagram protocolcase based reasoning (UDP-CBR) connections generating traffic of 5 kb UDP packets (data payload 512 Bytes) with an inter departure time of 1s. Their experimental results showed that the proposed protocol achieved routing security with 22% increase in packet delivery ratio, 27% reduction in packet loss rate, 42% increase in throughput and 69% reduction in packet end to end delay than standard OLSR.
[12] proposed a fuzzy logic-based protection of wormhole and blackhole attack in mobile adhoc networks. The proposed method defines a set of rules to avoid wormhole and the blackhole attacks during communication. In this system, Sugeno model is employed and configured with three input linguistic variables namely; request forwarding probability (P1), reply forwarding probability (P2) and data dropping probability (P3) that characterize the quality of next hop neighborhood. After computing the probability of the nodes, the fuzzy process is invoked to detect the malicious nodes in the network. The performance of the proposed protocol was calculated by comparing it with a blackhole and wormhole of Secured Manet Transmission for Wormhole and Blackhole Attacks (SMTWB) using fuzzy inference system. The Efficiency of the proposed SMTWB protocol using FIS is analyzed on the basis of three performance metrics; throughput, packet delivery ratio and end-to-end delay, in the presence of different percentage of wormhole and blackhole nodes (1%, 2%, 3%, 4%, and 5%) in a network of 100 nodes.
[2] detected the existence of wormhole attack in MANET using Fuzzy Inference System. To detect the wormhole nodes in the system, they used measured parameters such as No. of dropped packets, Reply packets, Forwarded packets to collect the data for analysis. The wormhole nodes were identified by using soft computing algorithms such as Fuzzy Inference System (FIS) based on the above parameters.
In [18], A Machine Learning Framework for Length of Stay Prediction in Emergency Healthcare Services Department

Architecture of the Proposed System
The architecture of the proposed analysis of wormhole attacks on MANET for potential optimization is shown in Figure 3.1.

Findings and Discussions
This research work adopted the fuzzy logic model which has three basic elements: fuzzifier, inference engine and defuzzifier. Fuzzifier: The fuzzifier maps crisp input data into values in the fuzzy logic space. This is done by using membership functions. Mathematically, a membership function associates each element μX(x) in the universe of discourse U with a number in the interval [0, 1], as shown in equation (1) μA: X→ [0,1] (1) Inference Engine: The number of rules depends on both the number of inputs and membership functions associated to each input. The general form of the lth fuzzy rule in the rule base is: R 1 : if (x1 is f1 1 ) and (x2 is f2 1 ) and … (xn is fn 1 ) then (y1 is P 1 ) Defuzzifier: When the input data have been numerically processed by fuzzy reasoning, they are converted back to crisp values. There are several methods for doing so, and this research work used the algorithm called Centre of gravity, which computes in the simplest case the weighted average over all rule outputs.
Where µA(x) is the degree of membership of x in a set A.

Fuzzy Linguistic Variables
Linguistic Variables are non -numeric values which are used to facilitate the expression of rules and facts in Fuzzy Logic. The universe of discourse is shown in table 4.1.

Rule Base
Rules describe the relationships between input and output linguistic variables in words. A rule base is the set of rules for a fuzzy system. These rules have two parts, the rule antecedent (IF part) and the rule consequent (THEN part). The system rule base is shown in Table 4.2.

Membership Function Plots
The type of membership function employed for this work is the triangular membership function. Triangular membership function is defined by three parameters: left, center and right. A triangular membership function is defined as follows;

Simulation Parameters
The proposed system uses Fuzzy Inference System (FIS) for End-2-End Behavioural Analysis of Wormhole Attack. The system detects the existence of wormhole nodes which determines the rate of packet delivery, packet forwarding probability and packet dropping probability based on the simulation of the network. 10 nodes and 15 nodes were simulated respectively. However, 2 nodes acted as the wormhole nodes which generated output results as shown in Table 4.3.

Simulation Analysis
The proposed system uses Fuzzy Inference System (FIS) for End-2-End Behavioural Analysis of Wormhole Attack. The system detects the existence of wormhole nodes which determines the rate of packet delivery, packet forwarding probability and packet dropping probability based on the simulation of the network. 10 nodes and 15 nodes were simulated respectively. However, 2 nodes acted as the wormhole nodes which generated output results as shown in Table 4.3.         The simulation was carried out in NS-2, a total of 10780 packets were sent in the network. The graph represents the Packet analysis in a typical wormhole attack situation using the simulation of 15 nodes with two wormhole attacker nodes. It was observed that during the simulation, the number of packets dropped was more than the number of packets received. This is as a result of the wormhole attack, the attack forwards packets sent from the source and this makes the Time-To-Live (TTL) of a packet to elapse thereby causing a drop in the packet.

Conclusion
In this research paper, various types of wormhole detection algorithms in MANET were investigated. The work focused on detecting anomalous behaviour using Fuzzy Logic model. Particularly, security has become a primary concern in order to provide defense services in various communication networks; wireless as well as wired environments. Hence, the goal of