BAHIR DAR UNIVERSITY

BAHIR DAR INSTITUTE OF TECHNOLOGY

SCHOOL OF GRADUATE STUDIES

FACULTY OF ELECTRICAL AND COMPUTER

ENGINEERING

Machine Learning Based Network Layer Attack

Detection System in MANET

By

Lake Fereaw

Advisor: Dr. Abebe Tesfahun

A Thesis Submitted to the School of Graduate Studies of Bahir Dar

Institute of Technology in Partial fulfillment of the Requirements for the
Degree of Master of Science in Computer Engineering

September 2019
Bahir Dar, Ethiopia
 BAHIR DAR UNIVERSITY

BAHIR DAR INSTITUTE OF TECHNOLOGY

SCHOOL OF GRADUATE STUDIES

FACULTY OF ELECTRICAL AND COMPUTER

ENGINEERING

THESIS APPROVAL SHEET

Student:
Name: Signature: Date:
The following graduate faculty members certify that this student has successfully pre-
sented the necessary written final study and oral presentation for partial fulfillment of
the study requirements for the degree of Masters of Science in Computer Engineering.
Aproved by:
Advisor:
Dr. Abebe Tesfahun
Name Signiature Date
External Examiner:

Name Signiature Date

Internal Examiner:

Name Signiature Date

Chair Holder:
Mrs. Siranesh Getu
Name Signiature Date
Faculty Dean:
Mr. Solomon Lule
Name Signiature Date
 Declaration
I declare that this thesis titled, ”Machine Learning Based Network Layer Attack Detec-
tion System in MANET” is my own, and all sources of materials used for the thesis has
been clearly stated and acknowledged.

Student:
Name: Lake Fereaw Signature: Date:

This thesis has been submitted for examination with my approval as a University adviser.

Advisor:
Name: Dr. Abebe Tesfahun Signature: Date:

Co-advisor:
Name: Mr. Andargachew Gobena Signature: Date:

i
 Abstract
Mobile ad hoc network (MANET) is one of the common types of wireless network that
can be operated without the support of fixed infrastructure. It has dynamic topology
and routing information is based on the hop by hop approach. MANETs are subjected
to numerous attacks than wired networks as its routing protocols are limited in security.
Since MANETs are used on the battlefield or physically inaccessible areas, attack detec-
tion is a very substantial task.
Network layer attack is one of the most serious attacks that can affect MANET per-
formance by which a hateful node illegally uses network resources. Motivated by this
fact, this thesis focuses on the development of network layer attack detection system for
MANETs. The work in this thesis is carried out in two phases. The first phase of the work
focuses on dataset preparation. In this phase, data is collected by running simulations
with both normal and malicious behavior of mobile nodes using the Ad-hoc on-demand
distance vector (AODV) routing protocol. This was done by using Ns2 (network simula-
tor version 2). After preprocessing and analyzing the raw data, a total of 14150 dataset
records with sixteen features are generated from the trace file.
The second phase of the work is related to the development and evaluation of the pro-
posed attack detection system. For detecting network layer attacks, the proposed system
has been trained and evaluated using supervised machine learning algorithms (Support
Vector Machine and Random Forest). From the experiments, it is found that the de-
tection rate of the proposed attack detection system using Random Forest and Support
Vector Machine algorithms was 99.87% and 99.25% respectively. The results recorded
for accuracy, precision and F-score were not only an important indicator of the quality of
our dataset but also confirm the effectiveness of the proposed attack detection method.
Key Words: Attack, Blackhole, Flooding, Machine Learning, MANET, Net-
work Layer, Random Forest, SVM, Wormhole.

ii
 Acknowledgement
Foremost, I would like to thank God for all the success in my life.
I would like to express my deep gratitude and respect to my advisor Dr. Abebe Tesfahun
for their interest, support and suggestions throughout my thesis work. I would like to
extend my appreciation to my co-advisor Mr. Andargachew Gobena for helping me during
my work.
It is my pleasure to thank the Faculty of Electrical & Computer Engineering staff for
their commitment and support. I also thank my classmates for their respected guidance.
Lastly, I would like to thank my family who supported and encouraged me throughout
my thesis work.

iii
Contents

Declaration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i

Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii

Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii

List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Ad hoc Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.2 Mobile Ad hoc Network(MANET) . . . . . . . . . . . . . . . . . . 2
1.1.3 MANET Challenges . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.4 MANET Architecture . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.5 MANET Applications . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Problem Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.1 General Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.2 Specific Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.5 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5.1 Literature Review . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.5.2 Data collection and Analysis . . . . . . . . . . . . . . . . . . . . . 7
1.5.3 Model Development and Implementation . . . . . . . . . . . . . . 7
1.5.4 Evaluation Method . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.6 Scope of the Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

iv
 1.7 Thesis Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.8 Thesis Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Literature Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Routing Protocols in MANET . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 AODV Routing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.1 AODV Control Messages . . . . . . . . . . . . . . . . . . . . . . . 13
2.3.2 AODV Route Discovery . . . . . . . . . . . . . . . . . . . . . . . 14
2.3.3 AODV Routing Errors . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3.4 AODV Route Maintenance . . . . . . . . . . . . . . . . . . . . . . 17
2.3.5 AODV Weakness . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.4 Security Threats in MANET . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.5 Network Layer Attacks in MANET . . . . . . . . . . . . . . . . . . . . . 20
2.5.1 Blackhole Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.5.2 Wormhole Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.5.3 Flooding Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.6 MANET Performance Metrics . . . . . . . . . . . . . . . . . . . . . . . . 25
2.6.1 Average Delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.6.2 Packet Delivery Ratio (PDR) . . . . . . . . . . . . . . . . . . . . 25
2.6.3 Throughput . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.6.4 Routing Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.6.5 Average Jitter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.6.6 Packet Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.6.7 Remaining Energy . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.6.8 Goodput . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.7 Machine Learning Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 27
2.8 Supervised Learning Methods . . . . . . . . . . . . . . . . . . . . . . . . 28
2.8.1 Support Vector Machine (SVM) . . . . . . . . . . . . . . . . . . . 28
2.8.2 Random Forest (RF) . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.9 Related works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3 Dataset Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

v
 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.2 Network Simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.3 Tool Command Language (TCL) . . . . . . . . . . . . . . . . . . . . . . 45
3.4 Network Scenario and Traffic Generation . . . . . . . . . . . . . . . . . . 46
3.5 Attack Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.5.1 Blackhole Attack Modeling . . . . . . . . . . . . . . . . . . . . . . 48
3.5.2 Wormhole Attack Modeling . . . . . . . . . . . . . . . . . . . . . 48
3.5.3 Flooding Attack Modeling . . . . . . . . . . . . . . . . . . . . . . 49
3.6 Parameter Selection for Simulation . . . . . . . . . . . . . . . . . . . . . 49
3.7 NAM (Network Animator) . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.8 Ns2 Trace file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.9 Abstract Window ToolKit (AWK) . . . . . . . . . . . . . . . . . . . . . . 53
3.10 Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

4 Model Development and Implementations . . . . . . . . . . . . . . . . . 56

4.1 Tools Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.2 Dataset Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.2.1 Dataset Cleaning . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.2.2 Splitting the Dataset into Input and Output . . . . . . . . . . . . 58
4.2.3 Dataset Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.2.4 Feature Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.2.5 Feature Scaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.3 Model Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.3.1 Model Development using SVM . . . . . . . . . . . . . . . . . . . 62
4.3.2 Model Development using Random forest . . . . . . . . . . . . . . 63
4.4 Cross-Validation Technique . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.4.1 Confusion Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

5 Experimentation and Results . . . . . . . . . . . . . . . . . . . . . . . . 68

5.1 Performance Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.1.1 Accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.1.2 Precision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.1.3 Recall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

vi
 5.1.4 F score . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.1.5 False Alarm Rate (FAR) . . . . . . . . . . . . . . . . . . . . . . . 70
5.2 Experiment using Random forest Algorithm . . . . . . . . . . . . . . . . 70
5.3 Experiment using SVM Algorithm . . . . . . . . . . . . . . . . . . . . . . 72
5.4 Experiment using Naı̈ve Bayes and Decision Tree . . . . . . . . . . . . . 73
5.5 Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

6 Conclusion and Future Works . . . . . . . . . . . . . . . . . . . . . . . . . 77

6.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6.2 Future Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

A TCL Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

B AWK Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

C Automation of all Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

D Python Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

vii
List of Figures

Figure 1.1 MANET architecture. . . . . . . . . . . . . . . . . . . . . . . . . 4

Figure 1.2 Methodology used for the proposed system. . . . . . . . . . . . . 8

Figure 2.1 AODV control messaging. . . . . . . . . . . . . . . . . . . . . . . 14

Figure 2.2 Illustration of AODV route establishment. . . . . . . . . . . . . . 16
Figure 2.3 AODV working principle. . . . . . . . . . . . . . . . . . . . . . . . 17
Figure 2.4 AODV routing error messaging . . . . . . . . . . . . . . . . . . . 18
Figure 2.5 Illustration of blackhole attack . . . . . . . . . . . . . . . . . . . . 22
Figure 2.6 Illustration of wormhole attack . . . . . . . . . . . . . . . . . . . 23
Figure 2.7 Illustration of flooding attack. . . . . . . . . . . . . . . . . . . . . 24
Figure 2.8 Supervised classification process. . . . . . . . . . . . . . . . . . . . 29
Figure 2.9 Explanation of classification problem using SVM . . . . . . . . . . 31
Figure 2.10 RF working principle . . . . . . . . . . . . . . . . . . . . . . . . . 36

Figure 3.1 Steps of dataset preparation for proposed work. . . . . . . . . . . 43

Figure 3.2 user’s view of ns2. . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 3.3 Sample NAM for MANET simulation. . . . . . . . . . . . . . . . 52
Figure 3.4 AWK script execution sequences . . . . . . . . . . . . . . . . . . 54

Figure 4.1 Dataset preprocessing steps . . . . . . . . . . . . . . . . . . . . . 57

Figure 4.2 Sample output of dataset after and before preprocessing . . . . . 62
Figure 4.3 Working principles of 10-fold cross validation . . . . . . . . . . . . 65

Figure 5.1 Random forest performances with different numbers of selected fea-
tures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Figure 5.2 SVM performances with different numbers of selected features . . 74
Figure 5.3 Comparison of classifier performance . . . . . . . . . . . . . . . . 76

viii
List of Tables

Table 2.1 Common attack types on the OSI model . . . . . . . . . . . . . . . 19

Table 3.1 Top five network simulators . . . . . . . . . . . . . . . . . . . . . . 44

Table 3.2 Sample ns-2 commands . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 3.3 Simulation parameters . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 3.4 Sample trace file naming conventions . . . . . . . . . . . . . . . . . 53
Table 3.5 Features description . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 3.6 Distributions of the dataset . . . . . . . . . . . . . . . . . . . . . 55

Table 4.1 Encoded attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table 4.2 Feature importance value . . . . . . . . . . . . . . . . . . . . . . . 60
Table 4.3 Confusion matrix terminologies . . . . . . . . . . . . . . . . . . . 66
Table 4.4 Confusion Matrix for four-class classification . . . . . . . . . . . . 66

Table 5.1 Confusion matrix for Random Forest (selected features=14, n estimators=100) 71
Table 5.2 Summary of classification performance measuring metrics for Ran-
dom forest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Table 5.3 Confusion matrix for SVM (selected features=12, kernel=rbf) . . . 72
Table 5.4 Summary of classification performance measuring metrics for SVM 73
Table 5.5 Summary of classification performance measuring metrics for Naı̈ve
Bayes and DT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 5.6 Comparison of classifier performance . . . . . . . . . . . . . . . . . 75

ix
Abbreviations

ACK Acknowledgment
AGT Agent
AI Artificial Intelligent
AODV Ad hoc On-Demand Distance Vector
ARP Address Resolution Protocol
AWK Abstract Windows ToolKit
BNF Backus Naur Form
CBR Constant Bit Rate
CSV Comma Separated Version
DoS Denial of Service
DSDV Destination Sequenced Distance Vector
DSR Dynamic Source Routing
DT Decision Tree
FIFO First In First Out
FTP File Transfer Protocol
GMM Gaussian Mixture Model
GUI Graphical User Interface
ID Intrusion Detection
IDS Intrusion Detection System
IP Internet Protocol
KKT Karush-KühnTucker
KNN K-Nearest Neighbor

x
LL Link Layer
MAC Message Authentication Code
MANET Mobile Ad hoc Network
MLP-NN Multi-Layer Perceptron Neural Network
NAM Network Animator
NB Naive Bayes
NS Network Simulator
OSI Open System Interconnection
OTCL Object oriented Tool Command Language
OVA One Verses All
OVO One Verses One
PCA Principal Component Analysis
PDR Packet Delivery Ratio
QoS Quality of Services
QP Quadratic Programming
RBF Radial Basis Function
RERR Route Error
RF Random Forest
RREP Route Reply
RREQ Route Request
RWP Random Way Paint
SVM Support Vector Machine
TCL Tool Command Language
TCP Transmission Control Protocol
UDP User Datagram Packet
VANET Vehicular Ad hoc Network
WSN Wireless Sensor Network
ZRP Zone Routing Protocol

xi
Chapter 1
Introduction

1.1 Background

A network is a collection of any nodes connected together over wireless or wired media.
Due to their simplicity, wireless networks are getting popular. One of the great features of
the wireless network is that it makes life attractive and easy compared to the traditional
wired networks. The user can able to move freely while being connected to the network.
Unlike wired networks, wireless networks are those in which nodes are attached to each
other without wire. Currently, wireless networks are commonly used as the user wants
wireless connectivity regardless of their topographical position [1]. There is nothing to
care about pulling wires in wall and ceilings. It can be configured according to the need of
the customers that range from a small number of users to large full infrastructure networks
where the numbers of users are in thousands. The target device must be placed within
each other’s radio range when a computer device wishes to link to another device. Users
can transmit and obtain information via electromagnetic waves in wireless networks.

1.1.1 Ad hoc Networks

Ad-hoc refers to a temporary, on the fly or on-demand. It is a kind of wireless network

that can be constructed to accomplish a specific purpose. Ad hoc networks have the
capabilities to handle any defects or modifications owing to topology differences that
1
they encounter. Whenever a network node is down or leaves the network, the connection
to other nodes to be broken. The impacted nodes are simply requesting new paths and
establishing new connections in the network. Because of high cost, low usage rate, poor
performance or other commercial reasons, access points can’t be set up in non-reachable
locations [2].
The Ad-hoc Mobile Network (MANET), Wireless Sensor Network (WSN) and Ad-hoc
Vehicle Network (VANET) are grouped under ad hoc networks. But this thesis focuses
on MANET.

1.1.2 Mobile Ad hoc Network(MANET)

MANET is a type of wireless, temporary, and infrastructure-less network that has mobile
nodes. The formation of the network is without any central administration. The network’s
mobile nodes operate together to properly run the network on a hop-by-hop basis. In this
network, every node works as a host as well as a router that is why forwarding packets
to the intended node is possible even though it is not in the transmission range of the
sender [3, 4].

1.1.3 MANET Challenges

MANET has various difficulties such as scalability, dynamic topology, lack of centralized
node, limited resources, and restricted bandwidth. MANETs are largely susceptible to
mobile nodes compared with wired networks. Since mobile nodes are moving randomly,
they will join or leave the network at any time. At this time, an attacker node will be
involved and then use the network resources. So, MANET is more vulnerable to gaining
access by an unauthorized party.
In MANET, there is no centralized administration object available to manage and moni-
tor the operation of mobile nodes. Nodes are transferable from time to time and can be
connected dynamically in an arbitrary manner. Network link varies timely and is based
on the proximity between one node and another node. Mobile nodes are highly depen-
dent on battery power, which is a limited resource. Storage capacity are also insufficient.

2
Wireless connections have considerably less ability than wired connections. Routing pro-
tocols in wireless networks always use the bandwidth in an optimal manner by keeping
the overhead as low as possible. The limited transmission range also imposes a constraint
on routing protocols in maintaining the topological information. Maintaining topological
data at all nodes includes more overhead control, which in turn leads to more bandwidth
wastage, especially in MANET owing to frequent modifications in topology.
The whole MANET infrastructure is dynamic and is the reason for the dynamic con-
nection and disconnection of the variable links. Low transmission quality is an inherent
problem of wireless communication caused by several error sources that result in degra-
dation of the received signal. Scalability is another issue for MANET. It is the capability
of the routing protocols to achieve robustly as many of the parameters (e.g number of
nodes and mobility) of the network raises [5].
Therefore, security is the main issue in MANET to provide communicating parties with
safe communication. It is crucial for fundamental network tasks such as routing and
forwarding of packets [6].

1.1.4 MANET Architecture

In MANET, mobile nodes are connected together without any physical medium. One
node is linked via a wireless link to its neighbor node. By convention, any node can
usually be described by a circular shape [7]. From Figure 1.1 , it is clear that there are
nine nodes connected together with a wireless link. The source node ’S’ has two neighbors
that are in the same range, namely node ’B’ and node ’C’. Similarly, the destination node
‘D’ has also two neighbors (‘F’ and ‘G’). In order to exchange information from source
to destination, there is no direct link from sender to the receiver node. However, they
are vulnerable to an intruder; intermediate nodes are used as a bridge to perform such
activities.

1.1.5 MANET Applications

MANETs are mainly appropriate to use in circumstances where infrastructure is unavail-

able. In today’s technology, mobile ad hoc network provides a lot of applications in
3
 Figure 1.1: MANET architecture.

different areas like in academic, economic, industry, health, military, and other critical
places. MANET would allow the military to take advantage of network technology to
maintain an information network between the soldiers and vehicles. MANET can be used
in emergency operations for disaster relief efforts, e.g. in fire, flood, or earthquake. A
commercial application for MANETs includes ubiquitous computing. By allowing nodes
to forward data for others, data networks may be extended far beyond the usual limit of
installed infrastructure. In collaborative and distributed computing, a group of people in
a conference can share data in ad hoc networks [8, 9].

1.2 Motivation

Security is an important component of any communication technology. MANET has

many advantages over the wired network, which makes it highly beneficial in many areas
where the wired network is impossible to operate. The network performance will be
corrupted if there is a non-genuine node happens in the network. A hateful node can,

4
therefore, waste network resources in various ways.
Another significant element in MANET is the routing protocol, which plays an important
role in data communication. A node can behave badly and disrupt the rules of routing
that cause harm to the transmission of information. Dropping a packet, falsifying of
routing control messages are some activities of malicious nodes. Thus, MANET can be
attacked by different attacks like black hole attack, wormhole attack, and flooding attack.
These are some of the common and dangerous network layer attacks. So, the malicious
property of any node should be detected in order to have reliable communication.

1.3 Problem Statements

Since the growth of mobile devices and the evolution of wireless communication, MANETs
are gaining strength with an increasing number of applications. MANETs can easily ap-
plicable everywhere, however, they are exposed to different attacks [5].
The network layer is more vulnerable to a variety of attacks than all layers in MANET.
The network layer attacks are the most sophisticated attack that destructs the normal
operation of MANET. The performance will be reduced if one of these attacks (Blackhole
attack, Wormhole attack or Flooding attack) is happened [6]. They will interrupt the
normal network processes by consuming the resources of authorized nodes. Increasing
delay, increasing routing load, decreasing throughput, losing packets, and consuming ex-
cessive power are some of its consequences.
Several solutions have been proposed in different ways targeted at detecting the mali-
cious attacks. A technique to detect flooding attack using grammatical evolution and
classification algorithm was proposed [10]. According to the proposed method, it has
been proved that the performance of the network was improved with the reduction of
features. Including other network layer attacks into the detection scheme was suggested
as the future work. A detection method was developed to detect blackhole attack us-
ing Support Vector Machine (SVM) algorithm. A Blackhole attack in the network was
simulated and necessary features were extracted to make the dataset. It was reported
that the detection precision was 95% [11]. Another researchers tried to build a detection
method for blackhole attack, flooding attack, packet dropping attack and forging attack.

5
Different features were collected to prepare a dataset from a simulated Glomosim library.
But selecting best network architecture for the development of the detection system was
leave as a recommendation [12].
MANET attack detection becomes an active area of research [13]. Hence, further study
needs to be carried out to develop an efficient detection technique. In this study, an
attempt is made to improve the detection rate of an algorithm by preparing appropriate
dataset. In line with this, the following research questions were explored:
1. What attributes can be functional for network layer attack detection?
2. Which tools are suitable for dataset preparation and dataset preprocessing?
3. How simulated dataset is applicable for attack detection?
4. What machine learning technique can effectively detect network layer attacks?

1.4 Objectives

1.4.1 General Objective

The general objective of this research is to develop the network layer attack detection
system in MANET using machine learning algorithms.

1.4.2 Specific Objectives

Specific objectives of this work are the following:

• To describe MANET performance metrics as an attribute of the dataset

• To run simulations set up in the presence of attacks and without attacks

• To make dataset from simulations

• To train and test machine learning algorithms

• To evaluate the efficiency of machine learning algorithms for our dataset

6
1.5 Methodology

In order to achieve the objectives of the research, the following methods and techniques
were employed.

1.5.1 Literature Review

To have deep understanding of the problem of this study, it is important to review several
literatures that have been conducted in the field so far. For this reason, related literatures
such as books, articles, proceeding papers, manuals and other sources that are retrieved
from the internet are consulted so as to understand how attacks are affecting the perfor-
mance of MANET under AODV (Ad hoc On-Demand Distance Vector) routing protocol
and the limitations of existing techniques for detecting blackhole attack, flooding attack,
and wormhole attack.

1.5.2 Data collection and Analysis

For the purpose of this study, simulated dataset is collected using network simulator
(NS-2). Different simulation scenarios with attacks and without attacks are considered.
Once the trace file is collected from NS-2, it is analyzed with AWK (Abstract Windows
ToolKit). In this stage,the raw data are processed in different ways to gather useful
information about the necessary features.

1.5.3 Model Development and Implementation

In this study, support vector machine (SVM) and random forest (RF) classifier are used
to build network attack detection model from the collected data set. In order to imple-
ment these machine learning algorithms, python library known as scikit-learn (or sklearn)
was used. Scikit-learn is a powerful open source machine learning tool for the Python
programming language.

7
1.5.4 Evaluation Method

The developed model is evaluated to ensure the performance of the system in meeting
towards established objectives. The performance measure parameters such as accuracy,
precision, recall and F-score are used to measure the detection accuracy of the proposed
system.The methodology used in this thesis work is summarized in Figure 1.2.

Figure 1.2: Methodology used for the proposed system.

1.6 Scope of the Study

However, there are many attacks in MANET,this study was limited to detecet some of
the network layer attacks such as blackhole attack, flooding attack and wormhole attack.
Among different MANET routing protocols, AODV is chosen. The routing protocol in
the presence of attacks and without attacks has been simulated using ns-2.35 to prepare
the dataset.

8
During the simulation, when the number of nodes is increased, the network will suffer
from congestion. But network congestion was not considered during data analysis.
Support Vector Machine (SVM) and Random Forest are the only algorithms checked for
the detection method, although NB(Naı̈ve Bayes) and DT(Decision Tree) have been used
to compare results without describing the background information.

1.7 Thesis Contributions

The significance of this thesis is to address the challenges that are facing the problem
of network layer attack detection by the use of a new approach. This thesis will have a
significance to the area of attack detection. Specifically, the following contributions will
be achieved.

• The one can able to understand how MANET performance metrics can be applied
as a feature for dataset preparation.

• It gives an idea on dataset preparation technique using ns2 and how the necessary
features can be extracted from the trace file.

• An experiment that compares the detection performance of random forest and SVM
algorithms for the given dataset has its own advantages.

• It identifies which algorithm performs better to which attack types.

• A simple and informative description of the technique will make it easier for other
researchers for quick understanding.

We believe that developing a technique to detect a group of attacks using a simulated

dataset has better performance than the previous techniques. It is also expected that
this thesis will fill some gaps in earlier studies in attack detection by pointed out areas
of upcoming work.

9
1.8 Thesis Organization

This thesis is organized into six chapters. The first chapter introduces the background
of the study and statement of the problem. It also presents objectives, methodology
and contribution of the study. In chapter 2, we addressed different background informa-
tion and distinct methods to detect MANET attacks under the network layer. Detailed
dataset preparation techniques processes are discussed in chapter 3. Chapter 4 shows
model development and implementation steps. Experiment results and discussions were
described in Chapter 5. Finally, chapter 6 illustrates the conclusion and future work.

10
Chapter 2
Literature Review

2.1 Overview

In this chapter, we discussed different concepts such as MANET routing protocols, se-
curity threats, performance metrics, and machine learning algorithms. Furthermore, we
have reviewed different related works about our thesis work.

2.2 Routing Protocols in MANET

In mobile ad hoc networks, routing protocol specifies how routers communicate with each
other and distributing information that enables them to choose paths between two mobile
nodes. Routing protocols are very weak in security. The three broad categories of routing
protocols [7, 14] are explained as follows.
Reactive routing protocol: reactive or on-demand routing protocol does not maintain
the routing information at the nodes if they are not the communicating entities. The
route calculation is done only when the node wants to connect to the destination node.
It broadcasts route request packet to the neighboring node in the network which further
broadcast packet. When the destination is found, it sends a route reply message via the
shortest path. The commonly used algorithm under this category is Ad hoc on Demand
Distance Vector Routing (AODV).

11
Proactive routing protocol: proactive or table-driven routing protocols regularly
maintain the updated information about the nodes in the network. Every node knows
about the other nodes in advance and thus the view of the whole network is within the
range of each and every node. The routing information is maintained in the routing
tables. Whenever the network topology changes, these tables are updated. DSDV (Des-
tination Sequenced Distance Vector) is one example of proactive routing algorithms.
Hybrid routing protocol: hybrid routing protocols are based on the combination of
both reactive and proactive protocols. The routes are established initially proactively
and then serve the data to other nodes through reactive flooding. The Zone Routing
Protocol (ZRP) is based on this type of protocol. The network is divided into zones and
uses different protocols in different zones i.e. two different protocols are used in between
inter and intrazone.

2.3 AODV Routing Protocol

Among different routing protocols of MANET, AODV routing protocol is the most widely
used protocol for routing information through mobile nodes. It is a combination of both
DSDV and DSR that uses the characteristics of these routing protocols. All portable
nodes operate together to discover a path from source to destination. Actual information
transmission occurs only after the path has been identified. In the AODV routing pro-
tocol, the routing table mechanism is an auto-update for a particular time period. This
protocol can be used for both unicast routings as well as multicast routing. AODV uses
a unique technique to provide routing information to its node in the coverage area and
uses predefined route tables, one entry to one destination node. It also uses sequence
numbers from source to destination node to identify the availability of the next node and
a solving problem of routing loops. To find the neighbor node, every packet uses this
sequence number. A unique characteristic of AODV is that it uses timer-based states in
its entire node.

12
2.3.1 AODV Control Messages

AODV routing algorithm uses four common control messages namely Route Request
(RREQ), Route Reply (RREP), Route Error (RERR) and HELLO messages. RREQ
is used to the route broadcasting in which a source node uses this route for broadcast
the route request. RREQ contains the source node’s IP, source node’s sequence number,
destination node’s sequence number, and destination node’s IP. First, the source node
broadcast RREQ packet to the network and all neighbor nodes receive RREQ. Second,
the neighbor nodes transmit the same packet for other nodes unless it has a fresh enough
route to the destination. On receipt of RREQ, a node sends an RREP packet, if it is
the destination or has a fresh enough route to the destination. Every node increases hop
count by one. On receipt of RREP, intermediate nodes update their route entry with the
new data. A node having a requested identity or any intermediate node that has a route
to the requested node generates RREP message back to the originator node. During
active paths, each node in the network continues to monitor the connection status to the
nodes of its neighbor.
When the node detects a link crack in an active route, RERR message is generated by
the node in order to notify other nodes that the link is down. Whenever a new RREQ,
RREP or RERR messages are sent, nodes increase their own sequence number. Higher
the sequence number more considered that information. Each node can get to know its
neighborhood by using local broadcasts HELLO messages. Although AODV is a reactive
protocol, it uses the periodic HELLO messages to inform the neighbors that the link is
still alive. The way of control messaging in AODV is shown in Figure 2.1 [15].
While transmitting RREQ messages through the network, each node notes the reverse
path to the source. The RREP message will travel along this route when the target node
is discovered so that no more transmissions are required.For this purpose, the node on
receiving RREQ packet from a neighbor records the address of this neighbor. When a
RREQ packet arrives at a node having a route to the destination, the reverse path will
be used for sending an RREP message. The forward route is set during the transmission
of this RREP message. This route can be said to be reversed to the reverse path. The
transmission of data can begin as quickly as the forward route is established. Data packets
waiting to be transmitted are buffered locally and transmitted in a FIFO (First In First

13
 Figure 2.1: AODV control messaging.

Out) queue when a route is setup. After RREP was forwarded by a node, it can receive
another RRE. Depending on its target sequence number, this fresh RREP will either be
removed or forwarded.

2.3.2 AODV Route Discovery

MANETs are based on the dynamic topology that changes randomly due to the mobile
nature of the nodes. The node behaves like the router and does the task of node discovery,
routing of the packet, maintenance of the information to relay the packets. The overall
functioning is to be performed by the node itself. So, the routing protocol in MANET
is different from the conventional protocols of the wired network in which the new node
broadcast message to its neighbor and make them aware of its presence in the network.
During the routing discovery phase, the source initiates the process of route discovery
only when there is a demand. The source node examines its route cache to authenticate
which routes are available from source to the destination. If no route is determined, it
starts a route discovery process. The packet sent by the source consists of the destination
node address and the address of the intermediate nodes to the destination. The node also
listens for the broadcast messages from its neighbor. When every node in the network
participates in this way, the nodes can be selected to route the packet to the destination.
Due to various factors, the routing protocols in MANET are vulnerable to numerous

14
attacks. The network consists of heterogeneous nodes which can be a malicious node,
whose intention is to attack the network and reproduce the false information. Every
node exchanges its routing table with the neighboring node periodically so that every
node may know the useful route. The following terms are commonly used with respect
to the AODV protocol.
Active Route: A routing table contains entries with a finite metric called as hop count
which is used for route establishment. The route is said to be inactive if it has infinite
value in its hop count field. So, there is only active route entries are maintained in the
routing table.
Broadcast: It means the packet is forwarded to all the nodes in the network and enables
flooding of the packet in the entire network.
Forwarding node: A node that agrees to forward packets for another target node by
retransmitting them to a next-hop nearer to the unicast location along a route that was
setup using control messages for routing.
Originating node: A node initiates AODV messages and retransmitted by other nodes.
Forward route: A route setup to send data packets from a source to a destination. The
RREQ message is used for forwarding the packet.
Reverse route: A route setup to RREP packet back to the source from the destination
or from an intermediate node having a route to the destination. Figure 2.2 illustrates how
the mobile nodes create the route for further communications using the AODV routing
protocol.
If source node S wants to establish a connection to destination node D, first source
node broadcast RREQ packet to the neighbor nodes. When RREQ packet is received by
neighbor nodes A, B and C, they broadcast RREQ further to other nodes by updating
the routing table and it continues until RREQ reaches the destination node. When the
destination (or fresh enough route to the destination) receives RREQ, send an RREP
packet back. The RREP message reached at source node through intermediate nodes
and these intermediate nodes will update their routing table. The source node accepts
RREP if the destination sequence number is higher than the one in the routing table. If
the destination sequence number is equal with the one in the routing table, the source
will check whether the hop count is lesser with the one in the routing table or not. As
the RREP message is received by the source node, it starts forwarding the data packets

15
 Figure 2.2: Illustration of AODV route establishment.

to the destination on the route with a smaller hop count. As long as the data packets are
transmitted by the source to the destination, the route remains active. Once the source
stops transmission of the data packet, the link will terminate and entries are deleted from
the routing table of intermediate nodes. In case of the link break, RERR message to
source node informing the unavailability of destination. After receiving this message if
the source still wants to set up the route, it can reinitiate route discovery [4, 16]. The
overall operation of AODV is summarized in Figure 2.3.

2.3.3 AODV Routing Errors

When there is a link failure or a link between source and destination is broken, the
RERR message is sent back to the source node. When RREQ message is publicized for
locating the destination node for example, if a source node S wants to communicate with
destination D, RREQ is broadcasted to neighbor nodes. If the link is broken (Figure 2.4)
between F and D, instead of route reply RERR message is generated at node F and send
back to the source node. So, the source node knows the communication failed due to link
is broken or route error.

16
 Figure 2.3: AODV working principle.

2.3.4 AODV Route Maintenance

Since the network has a vibrant topology, owing to the connection breakage, there is
sometimes a situation of a path failure. Therefore, the path should be maintained. AODV
routing protocol is a recognition mechanism that assists in the maintenance of the path.
But latency is introduced in the network because of this mechanism. Every node engaged
in the system of route maintenance adds network latency. They are usually preferred in
circumstances where there is a need for low overhead routing.

17
 Figure 2.4: AODV routing error messaging

2.3.5 AODV Weakness

It is difficult to determine reasonable expiry time because the nodes are mobile. The
sending rates of sources can vary widely and dynamically change from node to node.
AODV can collect a very limited amount of routing information. Route learning is limited
only to the source of any routing packets being forwarded. This causes AODV to rely
on a route discovery flood more often, which may carry significant network overhead
[16]. The performance of this protocol without any bad nodes is poor in larger networks.
The average path length is the primary distinction between tiny and big networks. A
lengthy path is more vulnerable to link breakages and requires high control overhead
for its maintenance. Furthermore, as the size of a network grows, various performance
metrics getting minimized.
AODV is vulnerable to various kinds of attacks because it based on the assumption that
all nodes will cooperate. No path can be created and no packet can be forwarded without
this collaboration.
There are two main types of uncooperative nodes: malicious and selfish nodes. Malicious

18
 Table 2.1: Common attack types on the OSI model

Layer Attack type

Application Layer Repudiation, data corruption
Transport Layer SYN flooding, session hijacking
Network Layer A black hole, wormhole, Flooding, Sybil, Rushing, grayhole
Data Link Layer Traffic analysis, MAC spoofing, ARP
Physical Layer Interception, Jamming, Eavesdropping
MultiLayer DoS, Man in the middle

nodes are either faulty and cannot follow the protocol, or are intentionally malicious
and try to attack the network. Selfishness is refusal in certain network operations, i.e.
dropping of packets which may affect the network performance.

2.4 Security Threats in MANET

Each node in MANET is responsible for delivering packets to its neighbor. Thus the
packets are delivered from source to destination through intermediate nodes. Since mo-
bile nodes can move around and join and leave the network at any time, MANET is
more vulnerable to gaining access by an unauthorized user. During communication, the
malicious node will be joined and then drops the packet at any time. Securing any infor-
mation should be an essential service in MANET communications.
Passive and active attacks are the two broad categories of attacks [8, 17]. The passive
type of attack is an attack in which the intruder only performs some kind of monitoring
on certain connections to get information about the traffic without injecting any fake
information. This sort of attack is used to obtain data from the recipient and to make
the footprint of the invaded network to effectively apply the attack. But active attack
performs an effective violation on either the network resources or the data transmitted.
On the other hands, MANET attacks can be studied on the basis of the OSI (Open Sys-
tem Interconnection) model. Table 2.1 shows the MANET attacks on this model [18, 19].

19
2.5 Network Layer Attacks in MANET

In the OSI model, there are two main protocols [20] used in MANET. Link layer protocol
is used to provide connectivity between different mobile nodes in order to ensure one-
hop connectivity by using multi-hop wireless channels. On the other hand, if we like
to extend connectivity to different multiple hops then the MANET uses network-layer
protocols. In the synchronization process distributed protocols typically assume that all
mobile nodes are cooperating with respect to communication but actually this assumption
is not possible in hostile mobile networks environment because cooperation is not enforced
in MANET. Why it is because of malicious attackers violating protocol specification to
disrupt network operations.
Ad hoc routing and data packet forwarding are two main network-layer operations in
MANET. They interact with each other and delivering packets from source to destination.
The main function of the ad hoc routing protocols is to provide routing among nodes.
They exchange routing messages between different mobile nodes in order to maintain
routing information at each node. Based the routing states, data packets are used to
forward data by intermediate next node which is an established route to the destination
node. These operations are vulnerable to malicious attacks, and which will lead to various
types of malfunction in the network layer. Due to this reason, network-layer will be
exposed to both routing attacks and packet forwarding attacks (based on the target
operation of the attacks).
Based on the context of the AODV routing protocol, there are different attacks. In this
type of protocol, an attacker advertises route with wrong distance metric with respect to
actual distance to the destination, advertise wrong routing updates with a large sequence
number with respect to actual sequence number and invalidates all routing updates from
other nodes. The nodes also operate in MANET as routers discovering and maintaining
paths to other network nodes.
The main issue of MANET’s routing protocols is to establish an ideal and effective path
between the communicating parties. Any attack on the routing phase may disrupt the
overall communication and the entire network can be paralyzed. Thus, security in network
layer plays an important role in the security of the whole network [2].

20
A number of attacks in the network layer have been identified and studied in security
research. An attacker can absorb network traffic, inject itself into the route between
source and destination, and regulate the flow of network traffic. The threats to MANETs
at different layers are similar to infrastructure wireless network, but at the network layer,
routing protocols are more vulnerable to attack because of the cooperative nature of the
nodes and lack of infrastructure for routing. The threats at different layers in MANET
are dealt in the same manner as these are dealt for infrastructure network, but at the
network layer, the routing protocols need to be protected [21].
Attacks are exploiting the basic network protocol in order to gain any available advantage.
The effects of the malicious node in AODV routing protocol is vulnerable to malicious
behavior. It functions as a real node when a node sends packets to the target without
failure. A node begins to behave as malicious during a malicious attack by maintaining all
packets together and not forwarding to the target node. After receiving all the packets,
malicious nodes starts dropping all these packets which affect whole networks by illegally
utilizing network resources. Some of the common attacks under the network layer [22, 23]
are discussed in the following subsections.

2.5.1 Blackhole Attack

Blackhole attack is an active network layer attack that can easily disrupt communication
among mobile nodes in MANET. On receiving an RREQ message, a blackhole node
immediately send an RREP with highest sequence number without checking for fresh
enough route. On receipt of this RREP, the route will be established and the source node
will send all data packets towards the black hole thinking it has fresh enough route to
the destination. The black hole will drop all the packets it receives and thus the attack
has taken place.
Blackhole attack can be either single or collaborative. In a single blackhole attack, there
is only one malicious node in a zone. Other nodes will be an authorized node. Unlike
single blackhole attack, collaborative blackhole attacks are more dangerous.
AODV is significantly subjected to a blackhole attacks because a blackhole node can
readily make the source node confidence that the route through the malicious node is the
shortest route by sending RREP packet with the largest sequence amount and a small
21
number of hops to the source node [24].
Figure 2.5 illustrates the blackhole attack in AODV routing protocol. First source node
broadcast RREQ messages for all neighbor nodes. The process is continued until the
RREQ reaches the desired destination. Being malicious, node M imagines, it has a fresh
enough route to the destination and will send RREP with the highest sequence number.
Once a source node received RREP from M through node B, it will update its routing
table with this RREP as it has the highest sequence number. Thus the route is getting
established and data packets will be sent to node M . Thus node M will drop all the data
packets [25, 26].

Figure 2.5: Illustration of blackhole attack

2.5.2 Wormhole Attack

Wormhole attack is one of the sever attack among all network layer’s attack [27]. Routing
can be disrupted when routing control message is tunneled. The tunnel between two
colluding attacks is known as a wormhole. Wormholes are hazardous because without
even understanding the network, they can do harm. An attacker can record the packets
(bits) at one location and tunnel them in another location in the same network or in
22
different networks. The attacker can transfer each bit directly without waiting for the
entire packet. It is difficult to find out the location of the wormhole attack without
having packet relay information or without the known infrastructure of routing protocols.
Wormhole attackers can make nodes far apart assume they are instant neighbors and force
all communications between nodes impacted to pass through them. If the source node
happens to choose this fake route the attacker has the option of delivering the packets or
dropping them [28]. Figure 2.6 explains how the wormhole attack in the network looks
like.

Figure 2.6: Illustration of wormhole attack

2.5.3 Flooding Attack

Flooding attack can be created by flooding the network with fake RREQ or data packet.
The attacker consumes the network resources such as bandwidth and the node battery
power. In AODV protocol, a malicious node can send a large number of RREQs in a
short period of time to a destination node that does not exist in the network. Since no
node is replies, the RREQs are going to flood the entire network.
Flooding attack is much harder to prevent when it is launched by collaborative attackers.
The main issue regarding the flooding attack is that the flooder node floods the whole
23
network. Flooder node receives the RREQ and it will generate the RREP with higher
sequence number. So, the source node assumes that it has the path for the destination
node. To launch the data flooding, the malicious node builds a path to all the nodes
then sends a large number of bogus data packets. These useless data packets exhaust the
network resources and hence legitimated user can not able to use the resources for valid
communication [29–31].
In AODV, if a node wants to send data packets to a destination that is not in its routing
table, it will buffer the data packets and broadcast RREQ into the network. The RREQ
packet will be forwarded by other intermediate nodes to the intended destination node.
The destination node, upon receiving the RREQ, will send an RREP on the reverse route
back to the source node. If no RREP is received after a fixed number of attempts, the
data packets from the buffer will be dropped. Figure 2.7 explains the activites of flooding
attack.

Figure 2.7: Illustration of flooding attack.

24
2.6 MANET Performance Metrics

Performance is one of the key aspects of developing a communication protocol in MANET.

In order to say the performance of the routing protocol is good or not, different perfor-
mance metrics should be known. And routing protocol must have:

• A minimum delay

• A maximum packet delivery rate

• A minimum overhead

• A maximum throughput

• Low energy consumption and other relevant metrics should be considered.

2.6.1 Average Delay

A specific packet is transmitting from source to destination and calculates the difference
between the time of sending and receiving. At the network layer, the end-to-end packet
delay or average delay is the sum of processing delay, packet, transmission delay, queuing
delay and propagation delay. A smaller value means the routing protocol has the best
performance.

2.6.2 Packet Delivery Ratio (PDR)

It is described as the proportion of the number of packets that the target receives to the
number of packets originated from the source.

2.6.3 Throughput

Throughput is a metric of the speed of information produced by the application(bits per

second). The total quantity of information a receiver receives from the sender is described

25
as split by the moment it takes for the receiver to receive the last packet. The size of each
packet has been added to calculate the throughput. This gave the complete transferred
information. The total time was calculated as the difference between starting the first
packet and reaching the destination the last packet. Thus, the transmission is equal to
the total transmitted data divided by the total transmission time it took.

2.6.4 Routing Overhead

It is the total number of routing packets, expressed in bits per second or packets per
second, transmitted over the network. Standardized routing load is described as the
complete amount of transmitted routing packets per data packet. It is calculated by
separating the complete amount of routing packets sent by the complete amount of data
packets received (including forwarded routing packets as well). The main reason behind
the calculation of this parameter is that the overhead routing decreases the data packet
delivery percentage and transfer rate [32].

2.6.5 Average Jitter

Jitter is the time variation between arriving packets triggered by congestion of the net-
work, timing drift, or modifications in the path. It is the time difference between arriving
packets. Jitter is widely used as an indicator of a network’s consistency and stability.
The router checks to see how much the packet is behind or ahead of its schedule when
a packet arrives at a router. Stored in the packet, this data is updated at each hop.
Measuring jitter is a critical element in determining network performance and the QoS
that the network provides and should be minimized to improve network performance.

2.6.6 Packet Loss

Small units of information called packets will be sent and obtained when accessing any
network. This is called packet loss if one or more of these packets fail to achieve their
planned destination. For consumers, packet loss is manifested in the form of disturbance

26
of the network, slow service, and even complete network connectivity loss. Any implemen-
tation may be interrupted by packet loss, but the most probable victims are applications
that depend on real-time packet processing, such as programs for video, audio, and gam-
ing. Packet loss impacts the application’s perceived quality. Several causes of packet loss
or corruption would be bit errors in a faulty wireless network or inadequate buffers.

2.6.7 Remaining Energy

The total number of energy consumed for packets transmitted and packet receiving during
information transmission. In order to say MANET’s performance is good, the remaining
energy of the network at the end of the simulation is not minimum.

2.6.8 Goodput

Goodput only measures the throughput of the original data. Throughput can be calcu-
lated by dividing the amount of data transmitted over the time it takes to transfer the
data which consists the packet header, acknowledgments and the retransmitted data while
goodput is calculated as dividing the original data by the time taken to transfer the data.
Since this calculation does not include the extra data transmitted, the measurement of
goodput will always be less than or equal to the throughput.

2.7 Machine Learning Algorithms

Machine learning is a subfield of an Artificial Intelligence (AI). It deals with the growth of
techniques and methods that allow the computer to learn. Simply put, it is an algorithm
development that allows the machine to learn and conduct various operations. Machine
learning overlaps with statistics in many ways. Over a period of time, many techniques
and methodologies were developed for machine learning tasks.
The machine learning way of doing things is divided into three categories. The first is
supervised learning which discovers patterns in the data that relate data attributes with
a target (class) attribute. But in the case of unsupervised learning, the data have no
27
target attribute. The goal of unsupervised learning is to find the patterns in the dataset.
Reinforcement learning is the third category of machine learning algorithm that learns
to react to an environment on a continuous scale. The algorithm’s inputs are a task to
solve and a reward function. In this work, supervised learning techniques were used to
detect mobile ad hoc network attack detection on network layer based on AODV routing
algorithm.

2.8 Supervised Learning Methods

The supervised learning method is a sort of labeling method that has predefined input
and produced known output with system parameters. The techniques address the infor-
mation provided as pairs of X, Y . If the Y variable is a numeric variable, it is called a
regression issue, and if the Y variable is a categorical data, classification algorithms can
solve these problems. Such learning technique’s ultimate objective is to map from X to
Y . This method was produced to identify node behavior in which performance data train
with labeled then output with defined processes is generated.
Two primary steps for supervised learning algorithms are learning (or training) and test-
ing. For classification issues, the supervised learning algorithm is frequently used. In
this work, we have used Support Vector Machine (SVM) and Random Forest (RF) al-
gorithms,however, there are different types of supervised learning algorithms. Figure 2.8
shows how the supervised learning algorithm works.

2.8.1 Support Vector Machine (SVM)

Vapnik (1995) originally proposed Support Vector Machines to solve classification and re-
gression problems. SVMs are a collection of associated supervised learning methods that
used to analyze classification and regression. Based on a set of training examples, each
labeled as one of the two categories, the SVM algorithm creates a model that predicts
whether a fresh instance falls into one of the two catagories [33].
Usually, a classification assignment includes training and testing information consisting
of some cases of information. Each example in the training set has one aim and several

28
 Figure 2.8: Supervised classification process.

characteristics. The goal of SVM is to produce a model which predicts the target value
of data instances in the testing set which is given only the attributes. Known labels help
to indicate whether the system is performing in the right way or not. This information
points to the desired response, validating the accuracy of the system, or be used to help
the system learn to act correctly. SVM has a capacity for reducing errors in training and
testing. It has an efficient prediction result based on the trained models.
The primary aim of this work is to use this model to identify common network layer
attacks. The framework trains SVM classifiers to accomplish classifiers learning on ordi-
nary and unpleasant characteristics. Then our model tracks incoming characteristics and
predicts the status of the system.

29
SVM can be implemented for both two- class problems and multiclass problems, however,
it was originally created for binary classification problems.
SVM for Two-class Problems:
Assume that the training data can be classified by a linear function. Let the training set
be:
S = (x1 , y1 ), (x2 , y2 ), . . . , (xm , ym ) and yi ∈ (1, −1) be the class label of training examples
(xi ). Where xi ∈ Rn , i = 1, 2, 3, . . . , m. The classification goal is to find the hyper plane to
separate the two classes that satisfies the following function:

w.x + b = 0 (2.1)

Where w is a weight vector, b is bias or offset value and x stands for a vector which will
be computed by the SVM in the training phase. The decision boundary should classify
all points correctly i.e. the classification function must return positive for positive data
points and negative otherwise; the two conditions should be satisfied:
w.xi + b > 1, if yi = 1 and w.xi + b 6 −1, if yi = −1.
Thsese can be represented our training data in the form:

yi [(xi , w) + b] > 1 (2.2)

Based on Figure 2.9, class 1 (w.xi + b 6 −1 ) and class 2 (w.xi + b > 1) are separated by
the line in equation (2.1). We can rescale w and b such that the hyper plane is at the
distance of 1
||w|| from the closest points (support vectors) of both classes. Therefore, the
margin becomes ||w|| .
2

Maximizing the margin is similar problem for minimizing 1

||w||2
subject to yi (w.xi − b) >
1, ∀(xi , yi ) ∈ S.
Now use the Quadratic Programming (QP) method to find the formulas for w and b.
Primal form of the Lagrangian is:

1 m
Lp = ||w||2 − αi [yi (xi .w + b) − 1] (2.3)
X
2 i

30
 Figure 2.9: Explanation of classification problem using SVM

where αi > 0, ∀i .
We need to minimize the Lagrangian with respect to w and b and maximizing it with sub-
ject to Lagrange multipliers αi . By computing the Karush-KühnTucker (KKT) conditions
[34], we obtain:

w= αi yi = 0 (2.4)
X X
αi yi xi and

Sometimes the primal formulation can be hard to solve, so it is better to represent the
problem in dual formulation. Moreover, from the dual presentation we can solve the αi ’s.
Hence

1X m X m
Ld = αi αj yi yj (xi , xj ) (2.5)
X
αi −
2 i=1 j=1

31
Because the support vectors have positive αi ’s and the rest are equal to 0, the optimal
solution of w can now be presented as:

w= (2.6)
X
αi yi xi
i∈SV

A new example x can be now classified according to the sign of the following decision
function.

f (x) = x.w + b (2.7)

SVM for Multiclass Problems:

Kernel-based learning utilizes an implicit mapping of input information into a high-
dimensional feature-space that a kernel function describes. In other words, for nonlinear
or multiclass issues, kernel-based learning utilizes the linear hyperplane as a decision
function and then performs a back conversion in nonlinear space.
SVM employs the Lagrange multiplier to compute the partial differentiation of each fea-
ture to acquire the optimal solution. In consequence, the model reduces the complexity
of the training data to a significant subset of support vectors. Support vector machines
are highly accurate and able to model non-linear decision boundaries. If the training data
is not linearly separable, there is no straight hyperplane that can separate the classes.
For the classification of nonlinearly separable data, linear SVMs must be extended to
nonlinear SVMs in order to learn a nonlinear function.
The process of using nonlinear SVMs to find classification functions consists of two steps.
First, the input vectors are converted into high-dimensional vectors in which the training
data can be divided linearly. SVMs are then used to find the maximum margin hyper-
plane in the new function. In the transformed feature space, the separating hyperplane
becomes a linear function but a nonlinear function in the original input space. Therefore,
the multiclass problem needs to be decomposed into several binary class problems. Each
of the binary classifiers is applied to the new data point and the frequency of the number
of times the point is assigned to the same label is counted and labeled with the highest
count.
The popular two methods for decomposition of the multi-class problem discussed as fol-
lows [35]:
32
A. One-Versus -All(OVA)
One-Versus-all or a winner takes all strategy is the simplest approach to reduce the prob-
lem of classification from k classes into k binary problems. Each problem is different from
other problems. This approach requires k binary classes in which we train a k th classi-
fier with a positive example and belonging to class k and negative examples belonging
to other classes. An unknown example is tested and the classifier for which maximum
output produced is considered to be the winner class.
B. One-Versus-One(OVO)
In the case of one-versus-one technique, for every pair of different classes, one binary
classifier is constructed. In this way, the multi-class problem is broken into a series of
a set of binary classification problems. So, we can apply the SVM model for each pair
k(k−1)
of classes. Total 2 classifiers are needed to classify the unknown data. The binary
classifier is trained taking one class as positive and other class as negative. For a new
data point x if that classifier classifies x in first class, then a vote is added to that class.
If the classifier classifies x in second class the vote is added to the second class. This
k(k−1)
process is repeated for each of the 2 classifiers.
Finally, the label of the class with a maximum number of votes is assigned to the new
data point x. This predicts the class to which the unknown data point belongs. Since
the one-versus-one approach is faster to train the model, we have used it.
In the real world, the datasets of applications are rarely linearly separable when the
the finding of hyperplane is easy. For this reason, we need the tools to handle also the
linearly non-separable datasets. The first extension was the invention of slack variables
ξi > 0, i = 1, 2, ..., m, where each ξi measures the penalty of misclassification of the training
point xi . Hence, the data can be reprsented by the inequalities ξ > 0. So equation (??)
becomes:

yi [(xi .w) + b] > 1 − ξi , i = 1, 2, 3, . . . , m (2.8)

Now, the objective function to be minimized has the form: 2 ||w|| + C i=1 ξi
1 2 Pm

Thus,

1 m m m
Lp = ||w||2 + C ξi − αi [yi (xi .w + b) − 1 + ξi ] − ξi µi (2.9)
X X X
2 i i=0 i=1

33
where αi , µi , ξi > 0, i = 1, 2, ..., m. Again, LP is minimized with respect to variables
w, b and maximized subject to αi , µi , i = 1, 2, ..., m. The Parameter C which is called box
constraint that controls the influence of outliers in the data and controls the trade-off
between maximum margin and minimum classification error [36]. The dual presentation
is same as in (2.4).
The use of kernel functions [35] was a radical innovation that extended the opportunities of
SVMs widely. The basic idea is to map the feature vector from an input space to a higher
dimensional feature space by a nonlinear transformation φ. Hence, the kernel function
evaluates the inner product between training points and classifying a new example, it
counts inner products between training points and test example.
K(x, z) = φ(x).φ(z)∀x, z ∈ X, where φ is a nonlinear mapping from an input space to a
feature space. Similar to in the linear cases, we get

1 m m m
Lp = ||w||2 + C ξi − αi [yi (φxi .w + b) − 1 + ξi ] − ξi µi (2.10)
X X X
2 i i=0 i=1

and Ld = j=1 αi αj yi yj K(xi , xj )

Pm Pm
αi − 21
P
i=1

Now, equation(2.6) has in the form:

w= (2.11)
X
αi yi φxi
i∈SV

And b = yi − φxi .w or we can take the mean of all possible values of b. Therefore, a new
example x can be classified according to the sign of the following decision function:

f (x) = φx.w + b = αi yi K(x, xi ) + b (2.12)

X

i∈SV

2.8.2 Random Forest (RF)

Random forest is one of the most common and strong algorithms for machine learning. It
is a sort of bootstrap aggregation or bagging machine learning algorithm. The bootstrap
is a strong statistical method to estimate a data sample amount. Lots of samples can be
taken from the data and then calculate the mean, finally average all the mean values to
get a better estimate of the real mean value.

34
In bagging, the same method is used, but most frequently choice trees are used to esti-
mate whole statistical models. Multiple samples of the training data are taken and for
each data, sample models are built. Each model makes a forecast when we need to create
a forecast for fresh information, and the results are averaged to offer a better estimate of
the real value.
In this strategy, the random forest is a tweak where decision trees are generated so that
suboptimal splits are produced by incorporating randomness rather than choosing ideal
split points.
Random Forest for Classification:
There are many decision trees in the random forest. Each decision tree gives a classifica-
tion for input information to classify a fresh example. It gathers the classifications and,
as a consequence, selects the most voted forecast. Each tree’s input is sampled from the
initial dataset. Moreover, from the optional characteristics, a subset of characteristics is
randomly chosen to develop the tree at each node.
Without pruning, each tree is cultivated. Essentially, a random forest makes it possible
to form a powerful classifier for a big amount of weakly correlated classifiers. The random
forest works like the other ensemble models where the user needs to specify the number
of base trees to be constructed. Since the internal base model is always a decision tree,
there is no specification for an explicit internal subprocess.
The random forest operator can specify all the tree-specific parameters such as leaf size,
depth, and split criterion. The number of trees is the main parameter specifying the
number of base trees. The majority vote determines the classification. A decision tree
is a predictive model made up of choice nodes and leaf nodes representing a predictive
label.
Random forest classifier’s primary benefits are not only handling the missing values and
maintaining precision for missing information but also being able to accomplish high ef-
ficiency on a big dataset. It can decrease the risk of overfitting and training time due to
the use of various trees. Similar to SVM, RF does not over-fit and has the robustness
to noise and irrelevant features and it requires almost no fine-tuning of parameters to
generate a good prediction [37]. For simplicity, the Figure 2.10 shows the architecture
of Random Forest. A pre-processed sample of n samples is fed to the random forest
classifier. RF creates ‘n’ different trees by using a number of feature subsets. Each tree

35
 Figure 2.10: RF working principle

produces a classification result, and the result of the classification model depends on the
majority voting. The sample is assigned to the class that obtains highest voting scores.
In a random forest algorithm, there are two stages. The one is the creation of random
forest and the other is to make a prediction from the classifier created in the first phase.
Random forest creation steps:
Step1: Randomly select k features from the total m features where k < m.
Step2: Among the k features, it should be calculated the node d using the best split
point.
Step3: Split the node into child nodes using the best split.
Step4: Repeat all the above steps until the leaf node.

36
Step5: Build forest by repeating the above steps for n number of times to create n num-
ber of trees.
The prediction steps:
Step1: Take the test features and use the rules of each randomly created decision trees
to predict the outcome and stores the predicted outcome.
Step2: Calculate the votes for each predicted target.
Step3: Consider the high voted predicted target as the final prediction from the random
forest algorithm.

2.9 Related works

Building secured and reliable communication is significant with the advancement of wire-
less networking systems. Wireless network security is designed to avoid the attackers
from unauthorized access. Since wireless networks are open in nature, different attacks
will be launched by an attacker. Therefore, wireless network security continues as a big
problem, and further inquiry is needed. Many researchers distinguish three prominent
attack classification techniques. These are based on OSI (Open System Interconnection)
models, the primary factors leading to an attack, and the target service selected by the
attacker [38–42].
Many research works are investigating routing protocols’ impacts and performance by
giving the attention for network layer attacks. Researchers proposed several systems for
detecting network layer attacks a few years ago. In this section, the related works for net-
work layer attack (blackhole attack, wormhole attack, and flooding attack) are reviewed.
The new scheme was suggested [10] to detect flooding attack. The authors have attempted
to construct an intrusion detection system (IDS) using the grammatical evolution and
classification algorithm. The traced file from simulation was taken as an input in which all
packet data from the network is contained. Source address, a destination address, RREQ,
RREP, a packet sent, a packet received, ACK (Acknowledgment) packet and timestamp
are the network features obtained from the trace file. The classification method is used
to classify patterns such as sending node data, receiving nodes, packet header size, etc.
To select the characteristics based on the routing behavior, all categorized patterns are

37
provided in feature selection. Using the BNF (Backus Naur Form) grammar, the rule
generator was used to create the production rules and then the laws were applied to cho-
sen characteristics to define the attack. The technique of classification and the efficiency
of the network is assessed. Efficiency was improved with reduced feature set.
In [11], the authors proposed the SVM method to classify packets that are secure and in-
secure and finally to detect attacks. For black hole and even gray hole attacks, they have
used classification methods. In the first stage, the source node sends the routing request
to the network and waits for the route reply to detect attacks. First, mobile networks are
simulated with attacks and without attacks. The amount and capacity of packets sent
by mobile nodes in the network path are extracted. The SVM classifier then predicts the
node behavior in the network. NS-2 simulator was used to perform the simulation. The
accuracy of the suggested technique was 95%.
In [12], the authors designed a method for MANT attack detection using classification al-
gorithms. In this paper, MANET attacks such as blackhole attack, flooding attack, packet
dropping attack and forging attack were detected by collecting a dataset from simulated
Glomosim library. RREQ, RREP, RERR, Data sent, percentage of the changed routed
entries and percentage of the changes of the sum of hopes of routing entries were the
selected features. From the result, genetic programming is not good for multiclass; how-
ever, the best result was recorded for each attack type while naı̈ve and SVM achieved a
similar result. On the other hand, it can be seen that for multi-class classification, the
outcome from MLP is regarded to be nearly equivalent to SVM.
There were few limitations in preparing the dataset. The first drawback is that the
features are not sufficient to define the performance of the network. The simulation pa-
rameters like simulation time, pause time, and packet size are too restricted. This can
be seen as the second gap of the work since the simulation parameters have a great role
on performance metrics that leads to incorrectly acted as normal or abnormal behavior
of the node.
In [43], the authors proposed a technique to detect normal and attacked system behav-
ior. The suggested strategy aimed to identify the best classification model in MANET to
address blackhole & gray-hole attacks. The work includes creating intrusions during sim-
ulation in the network and collecting audit information. Then the sample set consisting
of instances with attack and normal behavior was constructed by extracting the features

38
from this audit data. The training was performed using training data (extracted from
the sample set) which contain both normal and abnormal data. Node number, RREQ,
RREP, the variance of the delay, packets sent, packets received, and delay, and packet
drop ratio were chosen as a features of the dataset.
Decision Tree (C-4.5), Multilayer Perceptron (MLP), K-Nearest Neighborhood (KNN)
and Support Vector Machine (SVM) were applied for classification. Finally, trace analy-
sis was performed. C4.5 has achieved training accuracy of 99% for blackhole attack and
90% for the grayhole. C4.5 has also achieved testing accuracy of 61%-99% for both types
of attacks. MLP and SVM have achieved training accuracy of 99% and 97% for blackhole
attack, 82% and 71% for grayhole attack respectively and testing accuracy of 70%-99%
and 61%-95% respectively. Finally, KNN classifier has achieved the training accuracy of
87% for black hole attack and 56% for gray hole attack and testing accuracy of 56%-87%
for both attacks. The experimental results show that MLP has detected the attacks with
more accuracy and less error rate than the other methods while KNN archived the lowest.
In [44], the authors suggested an adaptive technique for detecting the blackhole and gray-
hole attacks. A course-based technique was proposed in the network layer to overhear
the action of the next hop. This scheme does not send additional control packets and
saves the detection node’s system resources. They advocated a collision reporting system
to dynamically alter the limit according to the status of network loading, but with no
convincing outcome, the authors did not check the suggested technique.
In [45], authors have proposed a method based on AODV behavioral metrics to detect
flooding attacks. This work generally has two stages (phase of behavior and phase of
classification). First, they collect the behavior of each node and then use this data to
find out the node that is malicious. When the node crosses the threshold limit, they are
detected as a flooded node after passing this behavior into the SVM.
The authors have used the packet delivery ratio, control overhead and packet misroute
rate as metrics for the prediction of flooding attacks. They have attempted to identify
flooding attack even though the detection algorithm’s efficiency wasn’t supported by any
experiment.
In [46], a method was developed to improve IDS performance by preparing the training
dataset. In the training phase of the proposed IDS, first a feature selection technique
based on Naive Bayes classifier was used. This technique observes the behavior of nodes

39
from the normal network and attacked network. Then compare to the unidentified net-
work and their nodes that can be used to detect malicious node. The network attacked by
grayhole and blackhole attacks and completely normal network were observed in bases of
node and network behavior. Then make the standard model by using the naı̈ve Bayesian
soft computing technique. Node features such as a number of a packet sent, a packet
received, packet drop and packet forward were regarded as the attributes of the dataset,
however, there wasn’t clear experiment whether or not the model operates.
The authors [47] suggested the technique of detecting network layer attack in MANET.
In this paper, identifying the existence of malicious nodes that drop packets intended for
other target nodes selectively or randomly. Ranks each packet drop attack by observing
and evaluating how each packet drop attack affects the features of the network according
to their attack type.
Features such as RREQ, RREP, data packet sent, received data packet and packet
dropped were used as an attributes of the dataset. To get input samples, obtain the infor-
mation from the simulated MANET and apply MLP-NN(Multi-layer Perceptron Neural
Network) to classify the sort of attack.
To assess the efficiency of the method being detected and classified, a number of simu-
lations were performed. But evaluating the model in terms of false positives, precision,
and false negatives is not sufficient to judge whether it is good or not.
The authors examined [48] how classification efficiency depends on the cost matrix for
intrusion detection. The features chosen from the network layer were RREQ, RREP,
RERR, data packets, number of neighbors, percentage of the change in route entries and
percentage in the number of hops. Authors have verified the classification tuning is a
robust performance enhancement method.
The proposed algorithms’ performance was evaluated by four kinds of attacks (blackhole,
information forging, packet drop, and flooding). The method of cross-validation also has
a major effect on classification under the specified dataset. The Naı̈ve Bayes classifier
has the lowest output while MLP classifier achieves the highest output as it has been
compared with the result of SVM, GMM(Gaussian Mixture Model) and linear classifier.
In [49], the wormhole attack detection system for MANET environment was proposed.
In this paper, a wormhole attack was assumed in the network and data was collected to
design the system. During the simulation, data were generated that used to extract the

40
useful features for identifying this attack. The ratio of routing traffic received, the ratio
of routing traffic sent, route request ratio, MANET traffic ratio, and packet drop ratio
are the selected features for dataset preparation.
SVM has been used to train and test the system. In this algorithm, different kernel
functions such as linear, radial and sigmoid function are used to adjust the training and
testing performance. When accuracy is best in the functions for different cost and gamma
parameters that model file could be considered as a detection engine for the model. Ac-
curacy of the system for wormhole attack was good in comparison with other models
although it lacks dataset reliability.
All the proposed method described above did not include the most important features
such as routing load, remaining energy, and throughput. We have chosen about sixteen
features in our work, including routing load, residual energy and throughput. The de-
tection model may be extremely influenced as these significant parameters were excluded
from the earlier technique. Therefore, we integrate three network layer attacks with
respective best features.

41
Chapter 3
Dataset Preparation

3.1 Introduction

Dataset selection is a significant task because of the performance of the detection system
is based on its correctness. The more accurate the data, the more the effectiveness of
the system. Generally, the dataset can be collected by different means, such as sanitized
dataset, simulated dataset, testbed dataset, and standard dataset. A real traffic method is
expensive, whereas the sanitized method is unsafe [50]. We are going to use the simulated
dataset approach for this thesis work.
A very powerful and commonly used network simulator (NS-2) was used to accomplish
the simulation. The network layer attacks (black hole, wormhole, and flooding) along
with normal behavior of the network should be simulated. The necessary features were
collected from the trace file.
To study the effect of MANET attacks, AODV routing protocol was simulated in the
absence of an attack and with the attack. The trace file was analyzed using AWK
(Abstract Windows ToolKit) tool. Different MANET performances metrics were used
for features identification purpose. Once the simulation is done, these important network
features were collected. Figure 3.1 illustrates the activities of dataset preparation.

42
 Figure 3.1: Steps of dataset preparation for proposed work.

3.2 Network Simulator

Network Simulator (NS) is an object-oriented and discrete event simulator for networking
research. As it is indicated in Table 3.1, the NS-2 has several capabilities to build the
network environment with all network layers. It can simulate both wired and wireless
networks [51]. Among different network simulators, NS2 is widely used and has more
than 88% popularity [52]. This simulator is building depending on two programing lan-
guage that is C++ and OTCL(Object Oriented Tool Command Language). It has many
kinds of models of mobility and generators of traffic. OTCL is used for simulation control
and for scheduling discrete occurrences while C++ is used to define NS2 internals. The
two common results of the simulation that performed based on NS-2 are NAM (Network

43
 Table 3.1: Top five network simulators

Simulator Popularity Availability

NS2 88.8% Open source
GloMoSim 4% Open source
OPNET 2.61% Commercial
QualNet 2.49% Commercial
OMNET++ 1.04% Free for academic use

Animator) file or display file and trace file (analysis file) that differ in storage size ac-
cording to the network size. The compiled objects, variables, and methods of NS-2 are
made available both for the C++ and OTCL interface via OTCL linkage. The OTCL
linkage creates a matching OTCL object for each C++ object and makes the methods
and variables specified by the C++ object to act as methods and variables of the cor-
responding OTCL object. This OTCL linkage makes the learning curve for NS-2 quite
steep to include OTCL, both on the user side and as function calls in the C++ code. It
provides a flexible and potential simulation environment. Figure 3.2 explains the user’s
view of ns2 [53].

Figure 3.2: user’s view of ns2.

44
 Table 3.2: Sample ns-2 commands

Command Description
namtrace-all Informs the simulator to record the simulation traces in NAM input format
fulsh-race Returns the namtrace file descriptor stored as the simulator instance variable
god general operational descriptor: storing the hop details in the network
node-config Used to configure nodes
setdest Used to trace the traffic connections of TCP & CBR between mobile nodes
trace-all Tracing all the events and configuration
setval Used to set different parameters
attach-agent Used to attaching transport agent to sender/receiver node
connect Connecting sending and receiving transport/ application agents
run Used to start the scheduler

3.3 Tool Command Language (TCL)

The Tool Command Language (TCL) is a string-based command language suitable for
web and desktop applications. This language has only a small number of fundamen-
tal constructs and relatively limited syntax, which inspires further investigation. TCL is
designed to collect software building blocks into an application and it gained wide accept-
ability on its own. It is generally thought to be easy to learn but is more powerful with
an experienced programmer. TCL is commonly used due to rapid prototyping, scripted
applications, and testing. In TCL everything can be dynamically overridden and rede-
fined. In this language, data types can be manipulated as strings, including codes that
follow simple syntatic rules. It enables event-driven flexible scope with variable visibility
restricted to the static scope. It has a simple exception handling using exception code
returned by all command executions. Some of the common TCL commands or functions
are listed in Table 3.2.
There are at least three considerations to be carried out on simulation:
The network appearance: The whole topology view of mobile network, this includes
the position of nodes with (x, y, z) coordinate, the node movement parameters, the move-
ment starting time, the movement is to what direction, and the node movement speed
with pausing time between two supposed movement.
Internal of the network: Since the simulation is on the network traffic, so it is im-
portant to tell the ns2 about which nodes are the sources, how about the connections,
what kind of connection we want to use.

45
Node Configuration: This involves the detailed setup of network parts on the mobile
node and needs to drive the simulation. So, it is neccessary to explain where to deliver
the outcomes of the simulation, which is the trace file, and how to organize a simulation
process.
To create simulations, the following steps should be taken place:
Step1: Create an instance of the simulator
Step2: Setup traces support by opening a file and call the procedure trace-all
Step3: Create a topology object that keeps track number of all the nodes within the
boundary
Step4: Set up the Operations Director
Step5: Node configuration
Step6: Create nodes and the random-motion
Step7: Give nodes
Step8: Setup node
Step9: Setup traffic flow between the two nodes
Step10: Define stop time
Step11: Define the command to start the simulation

3.4 Network Scenario and Traffic Generation

In ns2, we can write a TCL (Tool Command Language) script manually but for the
sake of simplicity, it is possible to generate automatically. The positions of node and
their movement can be generated by using CMU generator. Run the command “make”
to create executable “setdest” program by locating the CMU directory. In fact, this is
a third party which is CMU’s version auxiliary scenario creation tool. The following
command is used to generate mobility files.
/setdest [-n] [-p] [-s] [-t] [-x] [-y]
Where ’n’ is the number of nodes, ’p’ is pause time, ’s’ is speed, ’t’ is simulation time, ’x’
& ’y’ are dimensions of simulation area.
Similarly, network traffic can be generated by the help of cbrgen.tcl which is found in
$.../indep − utils/cmu − scen − gen/cbrgen.tcl under ns2 installation directory. We can

46
simply modify it so that the file will be more suitable as our need. For this network traffic
generating tool, random traffic connections of TCP and CBR can be set up between nodes.
To create a traffic-connection file, we need to define the type of traffic connection (CBR
or TCP), the number of nodes and maximum number of connections to be set up between
them, a random seed and in case of CBR connections, a rate whose inverse value is used
to compute the interval time between the CBR packets. The following command is used
for this purpose.
ns cbrgen.tcl [-type] [-nn] [-seed] [-mc] [-rate]
type: defines the type of traffic connection and this can be CBR or TCP.
nn: means the number of nodes could be used.
seed: a random seed, the traffic pattern will reappear if all parameters are the same.
mc: means the maximum number of connections to be set up between those nodes.
rate: implies a rate the inverse value of which is used to calculate the time interval,
which can readily be said to be the sending rate of packets.
Once the two files(mobility and traffic) were generated, we can incorporate these files into
the original Tcl files. After adding the generating results to the Tcl file, we have finished
one-time simulation but we need to repeat the test multiple times with different control
parameters.

3.5 Attack Modeling

Since MANET is vulnerable to many attacks in different layers of the protocol stack,
attack modeling should be concentrated on a specific layer. It has been a big task for
a network layer routing protocol to function correctly and efficiently in the presence
of a malicious node which attempts to disrupt the routing service. Routing attacks
can generally be categorized into routing, disruption and resource consumption by not
forwarding the packets or adding and modifying some parameters of routing messages.
As we explained above, simulation scenarios are without any attack although the network
congestion affects MANET performance as the mobility of node rises. In this section, we
are going to inject different attacks into normal network operation. Hence in our work,
the most common network layer attacks will be modeled.

47
3.5.1 Blackhole Attack Modeling

To create an attacker node, the following steps are performed:

Step1: modify aodv.h file
In aodv.h header file we have declared a Boolean variable
Step2: modify aodv.cc file
Initialize the attacker variable. We have assumed initially the network is attack free and
set the variable as false. Once the attacker is injected, the packet will be dropped, so the
declared variable should be set as true and set the condition for packet dropping.
Step3: compile the file
To compile the code in aodv.cc and aodv.h files the “make” command is used. If there is
no error, it is expected that successfully compiled.
Step4: modify normal Tcl file
Attacker node is set on the normal Tcl file like the following
$ns at 1.0 ”[$ node (3) set ragent ] blackhole”
Step5: run Tcl script
Step6: analyze trace file and collect the features in the form of CSV file using AWK
tool.

3.5.2 Wormhole Attack Modeling

To create an attacker node, the following steps are performed:

Step1: modify the ll.cc file
Step2: modify ll.h file
Step3: compile the file
Step4: modify normal Tcl file
Step5: run Tcl script
Step6: analyze trace file and collect the features in the form of CSV file using AWK
tool.

48
3.5.3 Flooding Attack Modeling

To create an attacker node, the following steps are performed:

Step1: modify aodv.h file
In aodv.h header file we have declared a Boolean variable
Step2: modify aodv.cc file
Initialize the attacker variable. We have assumed initially the network is attack free and
set the variable as false. Once the attacker is injected, the packet will be dropped, so the
declared variable should be set as true and set the condition for packet dropping.
Step3: compile the file
To compile the code in aodv.cc and aodv.h files the “make” command is used. If there is
no error, it is expected that successfully compiled.
Step4: modify normal Tcl file
Attacker node is set on the normal Tcl file like the following
$ns at 0.0 ”[$ node (21) set ragent ] flooding”
Step5: run Tcl script
Step6: analyze trace file and collect the features in the form of CSV file using AWK.

3.6 Parameter Selection for Simulation

In order to create and simulate MANET, different parameters were chosen. Some of the
parameters are the node mobility model, pause time, mobility speed, number of nodes,
transmission range, and so on. Appendix A illustrates some of the parameter settings of
the simulation.
Mobility model: Mobility models are an important issue in mobile ad-hoc networks.
Mobility in the real world is non-predictable and it has a dramatic effect on the proto-
cols developed to support node movement. The movements of mobile nodes are random
without any restrictions particularly, the destination, speed, and direction are chosen
randomly and independently of other nodes. In order to design the mobility of nodes,
Random Waypoint model (RWP) [54] is usually utilized. In our simulations, we have
used the RWP which was first proposed by Johnson and Maltz.

49
Number of nodes: In MANET simulation, the number of node is the first parameter
to be chosen . It can be any number but due to network congestion, the large number of
nodes leads to degrading network performance.
Pause time: Pause time is time duration for which mobile node holds the same position.
Any node stays at the same position for the specified amount of pause time then node
selects some random direction. If the node pause time is 20 means node will not change
its position for 20 seconds. The more pause time implies low mobility of nodes in the
network and low pause time implies high mobility of nodes.
Traffic type: Normally, the traffic in ns2 is generated from the traffic agents such as
TCP and UDP agents whose parameters are based on certain statistical distribution.
TCP is bidirectional, Reliable and connection-oriented that uses handshake mechanism
to establish the connection. It is a transport layer protocol or data while FTP (File trans-
fer protocol)-application layer protocol or a traffic agent. UDP (user datagram protocol)
is unreliable, unidirectional and connectionless transport layer protocol whereas CBR is
the application layer protocol. When we consider three scenarios (number of nodes, speed
and simulation time, throughput will be higher in the case of TCP. And delay high but
relatively constant trend i.e not far max and min. Packet delivery ratio is good for a
small number of the above scenarios but when they become increased, its performance
goes to down quickly. Therefore, for any cases, UDP has low performance[55].
Simulation time: The idea of time in a simulation is not directly related to the actual
time that it takes to run a simulation (as measured the real clock), but simply a variable
preserved by the simulation program. This variable is precisely referred to as simulation
time to which the overall simulation ends. It should be set in the Tcl script.
Simulation area: The mobile nodes move about within an area whose boundary is
defined in the form of X and Y dimension. In designing of MANET, it is an imortant
parameter that must be considered.
Transmission range: Both the source and destination node characterize the transmis-
sion using an ideal circle. If the receiver node is positioned near the edge of the commu-
nication range of the sender, it can only probabilistically receive the packets. Usually,
we have used the transmission range of 250m which is the default value of a node in the
wireless network.
Routing protocol:The performance of MANET can be detrmined by the type of routing

50
 Table 3.3: Simulation parameters

Parameter Value Remark

Protocol AODV –
Traffic type CBR and FTP –
Agent UDP and TCP –
Transmission range 250 m, Different values are used
Packet size 512 bytes Different values are used
Transmission rate 20k Different values are used
Pause time 5,10,20,50 s Different values are used
Maximum speed 250m/s Different values are used
Simulation time 40,50,60,200 s Different values are used
Number of nodes 20,40,50,60,100 Different values are used
Simulation area 500x500,800x600,1000x1000 Different values are used
MAC layer 802.11 –
Movement Model Random Way Point (RWP) –
Channel type Wireless –
Link Layer Type LL –
Antenna type Omni antenna –
Examined attack Black hole attack, Wormhole, flooding –

protocols used. Table 3.3 shows a sample simulation parameters used.

3.7 NAM (Network Animator)

The Network Animator is a completely isolated program that dispersed with the network
simulator. The program is called “nam” and it is used for showing the movement of
the packets over the network. The program can able to read an input file (containing
the packet transmission events) and draw the network events graphically. Since this is a
user-friendly GUI (Graphical User Interface), the clarification of the network topology is
easily created and visualized. It is the most widely used tool in network simulator. It can
be directly executed from a scripting language and a user can control, play, pause and a
facility to monitor packets, etc. In order to visualize the “nam” file, the command nam
followed by file name with corresponding “.nam” extension should be called. Figure 3.3
shows sample network animation.

51
 Figure 3.3: Sample NAM for MANET simulation.

3.8 Ns2 Trace file

The file written by an application to store coverage information or overall network infor-
mation in ns2 is known as a trace file. After the Tcl file is executed, the trace file will be
accumulated so that this file will be analyzed in order to get the network features. The
following trace format is just one row taken from the trace file for an explanation.

s 1.001408772 10 RT R −−− 0 AODV 44 [0 0 0 0] [energy 99.549335 ei 0.450 es 0.000 et

0.000 er 0.000] − − − − − − − [10 : 255 16 : 255 30 16] [ 0x4 1 [10 4] 10.000000] (REP LY )

For the sake of clarification, Table 3.4 illustrates the typical naming conventions for
the ns2 trace file. This naming approach is used for calculating the required network
performance measures and it will be discussed in the next subsections.

52
 Table 3.4: Sample trace file naming conventions

Column It shows Values

$1 Event type s(send),r(received),f(forward),d(drop)
$2 Time at which event happens Any values like 1.001408772
$3 Node id Any value like 10
$4 Layer at which event occurred AGT, RTR, LL, IFQ, MAC,. . .
$5 Flags A value like − − −
$6 Sequence number of packets Any value like 0
$7 Traffic type CBR, AODV, TCP, ARP,. . .
$8 Packet size Any value like 44
$9 [. . . .] packet duration, mac addresses, and the mac type
$10 flags A value like − − − − − − −

3.9 Abstract Window ToolKit (AWK)

The name AWK came from the brands of its inventors (Alfred V. Aho, Peter J. Wein-
berger, and Brian W. Kernighan) which refer to a specific program that tells this program
what to do. AWK is a programming language for the processing of texts.
Ns2 trace file is treated as a sequence of records and by default, each line is a record.
AWK tool can able to calculate all the necessary features that we will be used as input
for the machine learning algorithm. Figure 3.4 explains how the AWK works for trace
file analysis. AWK reads one line at a time from the input files. For each line, it matches
with specified pattern in the particular order. If it matches the corresponding action will
be performed otherwise the action will not be performed. On the other hands, if the
search pattern is not specified, then AWK performs the given actions for each line of the
input file or if the action is not given, print all lines that match with the specified patterns
which are the default action.
As it is indicated in the following fragment code, AWK script has two important patterns
which are specified by the keywords BEGIN‘ and END‘ and each statement should be
separated by a semicolon.
Syntax for AWK script:
#======================================
BEGIN {
#Begin block
#Variable declarations and assignment

53
 Figure 3.4: AWK script execution sequences

Packet recived=0;
}
{
if ($1 == ”r”&&$4 == ”AGT ”&&$7 == ”cbr”k$7 == ”tcp”)
{
Packet recived++;
#...
}
END {
# end block

54
printf(”number of packets received:%.3f”,Packet recived);
}
Therefore, we can analyze and calculate the necessary features from the trace file using
AWK tool. Features that we have used for dataset preparation are listed in Table 3.5.

Table 3.5: Features description

Feature name Short description

Packet sent Total data packets sent by the source node
Packet received Total data packets received by the destination node
Packet loss Total data packets dropped in the network
Throughput The data rate generated by the application
control overhead Total number of routing packets including forwarding packets
Normalized routing load Total number of routing packet transmitted per data packet
Average delay Total time required by the packet to arrive at the destination
Good put A Measure of the throughput the original data
Packet delivery ratio The ratio of the transmitted packet to sent packet
Jitter The variation in the time between packets arriving
Remaining energy Amount of energy left after anode consumed
Number of RREQ Total route request generated by the mobile node
Number of RREP Total route reply generated by the mobile node
Number of RERR Total route error generated by the mobile node
Number of HELLO The total hello message generated by the mobile node
Traffic type Traffic Agent (CBR and FTP)

3.10 Data Collection

In order to finalize a dataset, we have organized all related files and automated as make
file. Lastly, the dataset has been collected in the form of CSV. As shown in Table 3.6,
we have collected a total of 14150 instances with corssponding classes. The code for this
part is depicted at APPENDIX C.

Table 3.6: Distributions of the dataset

Class name Number of instances

Blackhole 2585
Flooding 2540
Normal 6385
Wormhole 2640

55
Chapter 4
Model Development and Implementations

As we have discussed the detail information in chapter 2, SVM and Random forest algo-
rithms are used for this thesis work.
In this chapter, we will discuss tools used, dataset preprocessing steps, feature selection
methods and other related issues.

4.1 Tools Used

Scikit-learn (or sklearn) was used for developing the proposed model. Scikit-learn is a free
library that works on Python. Both supervised and unsupervised learning are supported
by this library. It also supports Cross-validation, Datasets, Feature extraction, Feature
selection, Parameter Tuning, and so on. An input datasets format pandas.io provides
tools to read CSV, Excel, JSON and others. Scipy.io also provides tools to read in binary
formats such as .mat and .arff, images, videos and audios. Therefore, Scikit-learn is
the best tool [56] for data mining purpose although intermediate knowledge of Python
programming language is required. Scikit-learn is easily found on the anaconda platform,
which is open-source and freely available. This platform provides access to different
packages in python. Furthermore, different python libraries like pandas and numpy were
used for data analysis.

56
4.2 Dataset Preprocessing

The dataset that we have prepared in chapter 3 is ready to feed the selected algorithms.
To accomplish this task, the dataset should be preprocessed first since the training of the
model without dataset preprocessing might have poor performance. After collecting the
data, preprocessing is the first step of the process of a machine learning-based study. Data
preprocessing is used to transform the raw data into a structure that machine learning
algorithms can handle and which also helps to improve the quality of the model.
The very beginning steps of the data preprocessing is loading datasets that comes in
CSV format. This can be done using the ‘pandas’ library. It is important to locate
the directory of the file at first which is more efficient to keep the dataset in the same
directory as our python code and easily read it using a method called read csv. The flow
chart in Figure 4.1 shows the steps of dataset preprocessing.

Figure 4.1: Dataset preprocessing steps

57
4.2.1 Dataset Cleaning

During dataset preparation, some data will be missed. So, it is necessary to clean to
overcome the problem when we come through them. Evidently, we could avoid the entire
line of data but what if we are unintentionally eliminating important information from
the dataset?. One of the most common methods to handle such a problem is to take
an average of all the values of the same column and have it to replace the missing data.
After summarizing the missing values, we use scikit-learn preprocessing library like the
following for this purpose.
miss value = Data[‘col name0 ].mean()
Data[‘col name0 ].f illna(miss value, inplace = true)

4.2.2 Splitting the Dataset into Input and Output

In order to make the work easy, features except for the output (or class) should be grouped
into one say X and the remaining which is called the class is labeled as Y matrix. This
can be done like the following.
X = Data.iloc[:, 0 : 16].values # since our columns are 17 (0-16), this line excludes column
16
Y = Data.iloc[:, 16].values # the last column which is the class

4.2.3 Dataset Encoding

Sometimes a dataset will contain numbers, image, text or others form. In our case, both
numeric and text data are present. To make suitable for the machine learning algorithm,
we need to convert text data in to numeric. Because models are based on mathematical
equations and calculations, we have to encode the non-numeric data.
Since the goal of this work is to detect the common network layer attacks such as blackhole
attack, wormhole attack, and flooding attack, this is a multiclass problem that consists
of four classes including normal behavior of the nodes. So, the class label for the dataset
was labeled as blackhole, flooding, wormhole and normal. On the other hand, traffic type

58
from the attribute is in the form of “TRAFFIC TYPE” which needs a conversion. The
conversion can be done by automatic encoding mechanism. Table 4.1 shows the labels of
textual data after encoding.

Table 4.1: Encoded attributes

Tectual data Blackhole Flooding Normal Wormhole TCP UDP

Label 0 1 2 3 0 1

4.2.4 Feature Selection

To improve the detection accuracy of the model, we pick the more influential features
and discarding irrelevant ones. Features can contain information about target variable
(more features means more information) that will achieve better discrimination power.
But it can’t necessarily say that all features are relevant. A dataset might consist of less
relevant and duplicated features which lead to degrading the performance of the learning
algorithm.
The best and commonly used solution for such a problem is using a feature selection
method algorithm to have a good result with reasonable model training time. The process
of choosing features that contribute to the prediction variables from the dataset is called
feature selection. For this purpose, different feature selection methods are currently
available.
Filter Methods: This is the process of selecting features using statistical measurements
and each feature is scored based on statistical calculations. The threshold is specified to
decide the features to be included in model formation.
Wrapper Methods: The process of looking for the most optimal combination of features
by evaluating some combination of features and calculating the score based on model
accuracy.
Embedded Methods: The process of choosing features when building a model, for
example using regularization algorithm.
Chi-Square method is one of the common feature selection methods under the category of
filter method. This method is used to find out the degree of correlation between a group
of features and a dependent variable using their frequency distribution.

59
’SelectKBest’ module was used for Chi-Square method. The following line of code shows
the feature selection method called ’Chi-Square’.
f rom sklearn.f eature selection import chi2
f rom sklearn.f eature selection import SelectKBest
f s = SelectKBest(score f unc = chi2, k = 14)
# Fit the function for ranking the features by score
f it = f s.f it(X, Y )
# Apply the transformation on to dataset
Selected X = f it.transf orm(X)
Based on feature rank in Table 4.2, the selected features will involve for the training and
testing of the model.

Table 4.2: Feature importance value

Rank Feature name Feature importance values

1 PDR 0.23364335
2 THROUGHPUT 0.10048732
3 CONTROL OVERHEAD 0.09897457
4 GOODPUT 0.09332289
5 PKT LOST 0.07434772
6 PKT SENT 0.07431727
7 RREQ 0.0560342
8 RREP 0.05539996
9 AVG DELAY 0.04849365
10 JITTER 0.04716763
11 ENERGY 0.04261529
12 ROUTING LOAD 0.03174022
13 TAFFIC TYPE 0.02196332
14 PKT RECEVIED 0.0214926
15 RERR 0
16 HELLO 0

4.2.5 Feature Scaling

Feature scaling also called normalization is a method where the values are adjusted to a
suitable range, which is usually the range between 0 and 1 (or between -1 and 1 for nega-
tive values). Even though some algorithms like random forest can handle non-normalized

60
data, some algorithms like SVM can’t perform well. Since “MinMaxScaler” method pre-
serves the relationship among the original values (Equation 4.1) [57], we have chosen this
approach.

Xi − Xmin
Xin ew = (4.1)
Xmax − Xmin

Where Xi is attribute value. The above formula shows the simplified aproach used to
transform the values from the range [Xmax to Xmin ] to a new range [0, 1] .
In our dataset, there is a variation between minimum and maximum feature’s values but
all are positives. Therefore, it is required to transform all features into the same scale in
order to improve the detection performance of the algorithms.
MinMaxScaler is found on python and it was invoked from scikit-learn library. Every
observation of the column will apply the formula of scaling and fitting X that will trans-
form all the data to the same scale in the range [0,1] using ”fit transform” method . The
following fragment code was tested and the status of the dataset before and after prepro-
cessing is shown in Figure 3.6.
f rom sklearn.preprocessing import M inM axScaler
scaler = M inM axScaler(f eature range = (0, 1))
Scaled X = scaler.f it transf orm(Selected X)
From Figure 3.6, the original dataset has textual data (i.e TRAFFIC TYPE and CLASS)
and after encoding all data becomes in the form of numbers. It is clear that all features
have a similar range between 0 and 1 after normalization.

4.3 Model Selection

Model selection is performed on the basis of the result obtained from the training and
testing the model. Before selecting the best model, training and testing should be per-
formed. But before training and testing, the model should be built. To obtain the best
result from the model, we need to optimize the parameters of each algorithm during the
learning process.

61
 Figure 4.2: Sample output of dataset after and before preprocessing

4.3.1 Model Development using SVM

To develop a detection system using SVM, the more influential hyper parameters are
identified. Some of these are parameters are discussed below:
i. Kernel
It measures the similarity between two data points and it helps to conduct some calcula-
tions quickly with low computational costs. Among different kernel types, RBF (Radial
Basis Kernel Function) is a set of mathematical function and is appropriate when the
number of observations is larger than the number of features. It is a better approach for
multiclass classification.
ii. Regularization Parameter
The regularization parameter (C parameter) informs the SVM optimization how much we
want to eliminate misclassifying each training example. It is used to control the tradeoff
between achieving a low training error and a low testing error. If C is high, the model
will choose more data points as support vector while the low value of C will make the
model to choose fewer data points as support vector.

62
iii. Gamma
It tells the influence of data points on the decision boundary. If the value of gamma is
high, decision boundary will depend on data points near to the boundary while the low
value of gamma leads a decision boundary depends on faraway points.
The following fragment of python code shows how SVM is modeled along with their pa-
rameter optimization.
f rom sklearn.svm import SV C
model svm = SV C(kernel =0 kernel −type0 , decision f unction shape =0 ovo0 , C = c, gamma =
γ)
Both c and γ are positive numbers during the experiment.

4.3.2 Model Development using Random forest

Similar to SVM, to develop a detection system using a random forest algorithm, tuning
of some of the common hyper parameters are required. The number of trees in the forest
(also called ‘n estimators’) is the common parameters that we made some modification.
The following fragment of python code shows how random forest is modeled.
f rom sklearn.ensemble import RandomF orestClassif ier
model rf = RandomF orestClassif ier(n estimators = 100, random state = 60)
For both SVM and random forest algorithms, there are a lot of tuning parameters that
need to be considered during the training of the model. Except the parameters that we
have clearly stated in the above fragment codes, other parameters were left to keep their
own default values.

4.4 Cross-Validation Technique

In addition to parameter optimization, cross-validation method is another important

technique to get a better result.
In machine learning, data is divided into train and test sets. The former is used to train
the model while the latter is used to evaluate the performance of a model. This approach
may lead to variance problems (i.e a variance problem refers to the situation where our

63
accuracy obtained on one test is not similar to accuracy gained on another test set using
the same algorithm).
In this thesis work, we avoid training and testing a model on the same data because
it could lead to over fitting. To overcome over fitting problems, there are two more
techniques which perform the training and testing of the model. The first method is
train/test split method. Splitting the dataset into two parts or stages so that the model
can be trained and tested on different categories of data. Though this method is simple,
it doesn’t work well on small data sets.
To overcome such problem, we have used K-fold cross-validation (where K is any positive
integer) for this thesis work. Hence, every observation is used for both training and
testing. The data can be divided systematically into K folds. Out of the K folds, K − 1
sets are used for training while the remaining set is used for testing. The algorithm is
trained and tested K times, in each and every time a new set is used as a testing set and
the remaining K − 1 sets are for training. The average testing accuracy of the process
is the overall testing accuracy. We can use any value for K. But K = 10 is generally
recommended [58]. In this thesis work, we have used 10-fold cross-validation approach.
Steps for 10-fold cross-validation:
Step1: Split the dataset into 10 equal partitions: Since the total number of records in
our dataset is 14150, each fold contains 1415 records.
Step2: Use partition one as the testing set and the group of the other portions as the
training set and calculate testing accuracy.
The first 9 folds are used to train the model while the remaining one fold which is 1415
records is used to test the model. After this calculate testing accuracy of the model.
Step3:Repeat step 2 ten times using a different partition as the testing set each time.
After 10 iterations are completed, accuracy is taken from the average testing accuracy.
Figure 4.3 shows the working principles of 10-fold cross-validation. Scikit-learn provide
the method cross val score or cross val predict like the following fragment code.
#from sklearn.metrics import accuracy score
from sklearn.model selection import cross val predict
#for SVM the following line of code can be implemented
y pred svm = cross val predict(model svm, X=normalized X, y=y, cv=10)
#for Random forest the following line of code can be implemented

64
 Figure 4.3: Working principles of 10-fold cross validation

y pred rf = cross val predict(model rf, X=normalized X, y=y, cv=10)

4.4.1 Confusion Matrix

In this thesis work, we used the performance metrics such as accuracy, precision, recall
and F-score to compare the detection model. These performance metrics can be derived
from the confusion matrix.
Confusion matrix is a table that records the amount of initial class label information
and the class label that has been predicted. It is an m(actual) by n(predicted) matrix
for a specified ’ n’ class that includes data on real and predicted categories performed
by a classification schemeTo get confusion matrix, scikit-learn offer a technique like the
following fragment code.
#import the confusion matrix module from scikit-learn/sklearn library
from sklearn.metrics import confusion matrix
#Assigning a variable ‘Confusion svm’ to get the confusion matrix from SVM
Confusion svm =confusion matrix(y, y pred svm)
#Assigning a variable ‘Confusion rf’ to get the confusion matrix from Random forest
65
Confusion rf=confusion matrix(y, y pred rf)
The confusion matrix has four fundamental terminologies that can be interpreted in
relation to our issues:

• True Positive(TP): The total number of attack records detected by the algorithm
correctly as an attack.

• True Negative(TN): The total number of normal records detected by the algorithm
correctly as normal.

• False Positive(FP): The total number of normal records detected by the algorithm
incorrectly as attack.

• False Negative(FN): The total number of attack records detected by the algorithm
incorrectly as normal.

For the sake of clarification, these terms are explained in Table 4.3. When the classi-

Table 4.3: Confusion matrix terminologies

Term Actual class Predicted class by the algorithm

TP Attack Attack
TN Normal Normal
FP Normal Attack
FN Attack Normal

fication problem has only two classes, Table 4.3 is directly used to extract the values of
TP, TN, FP and FN without any further calculations.
In our thesis, the problem has four classes that need a 4x4 confusion matrix. Therefor, it
is necessary to extend the concepts of two class problem. Table 4.4 shows the labeling of
our classes of using confusion matrix. From this table 4.4, where ‘E’ is the error,TP-BH

Table 4.4: Confusion Matrix for four-class classification

Predicted
Blackhole Flooding Normal wormhole
Blackhole(BH) TP-BH EBH-F EBH-N EBH-WH
Actual
Flooding(F) EF-BH TP-F EF-N EF-WH
Normal(N) EN-BH EN-F TP-N EN-WH
Wormhole(WH) EWH-BH EWH-F EWH-N TP-WH

66
stands for true positive vales of blackhole and ‘EBH-F’ means the actual blackhole class
predicted as flooding class. Therefore, the result and discussion section are presented in
chapter five based on Table 4.4.

67
Chapter 5
Experimentation and Results

In this chapter, we will conduct different experiments. In addition to proposed algorithms,

we will test other supervised algorithms such as Decision tree (DT) and Naı̈ve Bayes (NB)
for result comparison. We will discuss the results from each experiment explain. Result
discussion will also present at the end of this chapter.

5.1 Performance Metrics

In fact, the performance measurement of a classification model is conducted by using the

confusion matrix that we have discussed so far. To evaluate the model, we measured the
performance of the classifier in classifying the data correctly. Accuracy, recall, precision
and F1-score are used to evaluate the performance of the developed model.

5.1.1 Accuracy

Classification accuracy is the most common model evaluation metric for classification
problems. It is the ratio of correct predictions to the total number of predictions. The
classification accuracy metric works better if there are an equal number of samples in
each class. Although classification accuracy is a good metric, it can give a false sense of
high value when class distribution is imbalanced. Scikit-learn offers a distinct technique

68
for evaluating the accuracy in the metrics module, which is accuracy score. For the
case of cross-validation technique, the accuracy estimator is built-in as a parameter in
cross val score. It can also be calculated from the confusion matrix using equation(5.1).

TP +TN
Accuracy = (5.1)
TP +TN +FP +FN

5.1.2 Precision

Precision is the fraction of correct predictions to the total number of predicted correct
predictions. Precision can be seen as a measure of correctness when predicting positive
instances. Like the above metrics, scikit-learn has a module ‘precision score’ to estimate
it. For the sake of simplicity, we can use equation(5.2) to calculate the precision.

TP
P recision = (5.2)
TP +FP

5.1.3 Recall

The recall or true positive defined as the ratio of the total number of detected attacks
by the proposed system to the total number of attacks in the dataset. It is a measure of
completeness. We can calculate it from the confusion matrix using equation (5.3).

TP
Recall = (5.3)
TP +FN

5.1.4 F score

Since both precision and recall are based on an understanding and measure of relevance,
we Since both precision and recall are based on an understanding and measure of rel-
evance, we need to create a balance between precision and recall. But it is difficult to
identify which values of precision and recall are best. The solution for such a problem
will take the average of the two and it will be better than tossing the coin. Still, it will
have a problem with the model. F1 is a single score which represents both precision and

69
recall that works on the idea of the harmonic mean. So, we can calculate it as:

P ∗TPR
F 1 score = 2 ∗ (5.4)
P +TPR

5.1.5 False Alarm Rate (FAR)

The false alarm rate also called false positive rate (FPR) is defined as the ratio of neg-
ative predictions that were determined to be positive to the total number of negative
predictions. Or, when the actual value is negative, how often is the prediction incorrect.
It can be calculated as:

FP
F 1 score = (5.5)
FP +TN

By comparing the original class label data and the predicted class label data, we can
estimate the number of true and false predictions Based on the above four equations, the
four parameters such as TP, TN, FP and FN are calculated based the following defini-
tions.
TP values: The corresponding class values of the diagonal of the confusion matrix.
FP values: The values of false positive for each class (predicted class) can be calculated
by adding all errors in the row of that class.
FP values: The values of false-negative for each class (true class) are calculated by
adding all errors in the columns of that class.
TN Value: The values of the true negative for the class can be calculated by adding all
rows and columns by excluding the row and column of that class.

5.2 Experiment using Random forest Algorithm

When we run all the code that we have coded so far, the first output of the model is the
confusion matrix which depicted in Table 5.1. Since the model performance is evaluated
with different number selected features, the confusion matrix for this algorithm is taken

70
from when the numbers of selected features are 14. So, it not necessary to show the
confusion matrixes for all scenarios of selected features. From Table 5.1 we can calculate
Table 5.1: Confusion matrix for Random Forest (selected features=14, n estimators=100)

Predicted
Blackhole Flooding Normal Wormhole
Blackhole 2575 10 0 0
Flooding 1 2535 4 0
Actual
Normal 0 1 6384 0
Wormhole 0 0 0 2640

each and every performance metrics. The performance measures of the random forest
algorithm based on different numbers of features is summarized in Table 5.2.
Table 5.2: Summary of classification performance measuring metrics for Random forest

Performance Metrics
Number of features Class Accuracy Recall Precision F1-score
Blackhole 0.996 0.994 0.982 0.988
Flooding 0.988 0.984 0.951 0.967
4 Normal 0.978 0.963 0.989 0.976
Wormhole 0.989 0.981 0.961 0.971
average 0.9878 0.9805 0.9707 0.9754
Black hole 1.000 1.000 0.999 0.999
Flooding 0.998 0.998 0.993 0.996
8 Normal 0.999 0.998 1.000 0.999
wormhole 1.000 0.999 1.000 0.999
average 0.9992 0.9986 0.9980 0.9983
Black hole 0.999 0.998 0.995 0.997
Flooding 0.998 0.993 0.995 0.994
12 Normal 0.999 0.999 1.000 0.999
wormhole 1.000 1.000 1.000 1.000
average 0.9989 0.9975 0.9973 0.9974
Black hole 0.999 1.000 0.996 0.998
Flooding 0.999 0.996 0.998 0.997
14 Normal 1.000 0.999 1.000 1.000
wormhole 1.000 1.000 1.000 1.000
average 0.9994 0.9987 0.9985 0.9986
Black hole 0.999 1.000 0.993 0.997
Flooding 0.997 0.985 0.998 0.991
16 Normal 0.998 0.999 0.997 0.998
wormhole 1.000 1.000 1.000 1.000
average 0.9984 0.9960 0.9970 0.9965

Figure 5.1 shows the performance of random forest with different numbers of selected
features. When we compare the detection performance of random forest algorithm along
71
 Figure 5.1: Random forest performances with different numbers of selected features

with the number of selected features, the highest performance metrics were recorded when
the numbers of selected features are 14.

5.3 Experiment using SVM Algorithm

A similar approach was applied as random forest algorithm. But the best performance
SVM algorithm was recorded when the numbers of selected features are 12. The confusion
matrix for SVM is shown in Table 5.3. Table 5.4 shows the comparison of the performance

Table 5.3: Confusion matrix for SVM (selected features=12, kernel=rbf)

Predicted
Blackhole Flooding Normal Wormhole
Blackhole 2563 21 1 0
Flooding 37 2486 7 10
Actual
Normal 1 2 6380 2
Wormhole 0 0 0 2640

72
 Table 5.4: Summary of classification performance measuring metrics for SVM

Performance Metrics
Number of features Class Accuracy Recall Precision F1-score
Blackhole 0.946 0.831 0.883 0.856
Flooding 0.956 0.938 0.808 0.868
4 Normal 0.938 0.941 0.920 0.931
Wormhole 0.972 0.877 0.988 0.929
average 0.9529 0.8968 0.8998 0.8961
Blackhole 0.994 0.978 0.991 0.985
Flooding 0.992 0.984 0.969 0.976
8 Normal 0.996 0.997 0.995 0.996
Wormhole 0.999 0.995 1.000 0.997
average 0.9953 0.9884 0.9888 0.9886
Black hole 0.996 0.985 0.991 0.988
Flooding 0.995 0.991 0.979 0.985
12 Normal 0.999 0.999 0.999 0.999
Wormhole 0.999 0.995 1.000 0.998
average 0.9971 0.9926 0.9924 0.9925
Black hole 0.994 0.980 0.985 0.983
Flooding 0.991 0.977 0.975 0.976
14 Normal 0.997 0.997 0.995 0.996
Wormhole 0.998 0.993 0.995 0.994
average 0.9949 0.9870 0.9878 0.9874
Black hole 0.994 0.980 0.985 0.983
Flooding 0.991 0.977 0.975 0.976
16 Normal 0.997 0.997 0.995 0.996
wormhole 0.998 0.993 0.995 0.994
average 0.9949 0.9870 0.9878 0.9874

of SVM classifier with different number of features (k=4, 8, 12, 14, 16). As it is clearly
shown in Figure 5.2, the performance was improved when the selected features are 12.

5.4 Experiment using Naı̈ve Bayes and Decision Tree

As we have discussed at the beginning of this chapter, Naı̈ve NB and DT algorithms

were tested for comparison purpose. Similar to random forest and SVM algorithms,
experimentation was performed on python using scikit-learn. Table 5.5 shows the average
performance metrics of these algorithms with different numbers selected features. From
this Table 5.5, Naı̈ve Bayes and DT performed well when the numbers of selected features
are 12 and 14 respectively.

73
 Figure 5.2: SVM performances with different numbers of selected features

5.5 Discussions

To compare the performance of tested classifiers, detection rate (DR) and false alarm rate
(FAR) are used. Table 5.6 shows the performance comparisons of random forest, SVM,
DT and Naı̈ve Bayes based on detection rate and false alarm rate. This table shows
the values of the average detection rates and false alarm rates of the tested classifiers
over all the classes. We can also compare the performance of these classifiers in terms of
accuracy, precision and F1-score. Figure 5.3 shows the comparison of the performance of
the classifiers.
A model is said to be well performed when it has a high detection rate and low false
alarm rate. Furthermore, precision and F1- score also other important indicators of
model performance. If a model scores high value in precision as well as F1-score, it is also
regarded as a good model. From Table 5.2, the detection rate of random forest classifier
was 99.87% and the value of false alarm rate was approximately 0.04%. From Figure

74
 Table 5.5: Summary of classification performance measuring metrics for Naı̈ve Bayes and
DT

Performance Metrics
Classifier Number of features Accuracy Recall Precision F1-score
4 0.9105 0.8306 0.7838 0.7927
8 0.9660 0.9140 0.9259 0.9194
Naive Bayes 12 0.9822 0.9547 0.9563 0.9552
14 0.9776 0.9434 0.9506 0.9465
16 0.9776 0.9434 0.9506 0.9465
4 0.9752 0.9752 0.9723 0.9737
8 0.9966 0.9920 0.9915 0.9917
Decision Tree 12 0.9957 0.9896 0.9885 0.9890
14 0.997 0.9925 0.9922 0.9923
16 0.9971 0.9933 0.9922 0.9927

Table 5.6: Comparison of classifier performance

Algorithm number of selected features DR(%) FAR(%)

Random forest 14 99.87 0.0356
SVM 12 99.26 0.1797
DT 14 99.25 0.1606
Naı̈ve Bayes 12 95.47 1.1791

5.3, random forest classifier has been scored 99.94%, 99.85%, and 99.86% of accuracy,
precision and F1-score respectively. Therefore, random forest classifier performed better
than the other.
The performance of SVM was better compared to DT and Naı̈ve Bayes. Among all the
tested classifiers, Naı̈ve Bayes classifier has low performance while DT was achieved better
performance than Naı̈ve Bayes.
It is obvious that the classifiers perform differently on the dissimilar classes since the
dataset used for this work contains four different classes including normal class. It is
necessary to compare and analyze how each class was classified by different classification
algorithms. According to the result shown in Table 5.2 and Table 5.4, not only Random
forest but also SVM classifier was achieved a better detection rate of wormhole class
than the other classes. The detection rate of the classifiers for Blackhole was better than
flooding class. This implies that both random forest and SVM classifier detects flooding
attack with the low detection rate compared to wormhole and blackhole attack.
From the result, we found that the random forest algorithm is the most efficient algorithm
for network layer attack detection. The performance of SVM classifier was improved

75
 Figure 5.3: Comparison of classifier performance

compared to the work in [10, 11, 43].

The success of this result comes from both the nature of features and tools used. Because
feature identification during dataset preparation played great role. Based on feature’s
rank, it was found that 12 and 14 features were identified when we applied SVM and
random forest classifiers respectively. From Table 4.2, all features except the last two
(RERR and HELLO) were used to train and test random forest classifier. But for the case
of SVM, the last four features including traffic type and packet received were excluded.
Instead of using Weka tool, we confirm that Scikit learn was efficient for building a better
attack detection model. The performance of the proposed method also confirms that
dataset preparation and model selection were the core part of our work.

76
Chapter 6
Conclusion and Future Works

6.1 Conclusion

In this thesis work, the network layer attack detection system using machine learning
algorithm in MANET under AODV routing has been developed.
The most common network layer attacks namely blackhole attack, wormhole attack and
flooding attack along with the normal traffic were identified as classes of a dataset.
AODV routing protocol has been implemented for data collection using network simulator
(NS2). Simulations with the presence of attack and without attack under different sce-
narios were conducted. Network features were extracted from trace file and the dataset
was prepared. Random forest and support vector machine classifier were trained and
tested. As it is described in Table 4.2, important network features, used for training and
testing, were successfully identified.
The proposed system gives an average detection rate of 99.87% and 99.26% for random
forest and SVM classifiers respectively. Meaning full detection performance measuring
was also recorded by theses classifiers for separate classes. DT and BN classifiers were
used as a comparison purpose to evaluate the proposed work.
From the result depicted in Table 5.6, Random forest classifier was achieved the best
result while NB was poorly performed. However, the performance metrics of SVM and
DT were approximately similar; the former performs better than the later.
It was found that the data collection from simulation using NS2 has played a great role

77
to improve the detection model. Therefore, the proposed work was an efficient method
to detect the network layer attack in MANET.

6.2 Future Works

The final result of this work shows the proposed approach performs well for a certain
number of attacks. But other attacks can be made to be involved either collaboratively
or one after the other.
For better performance of the proposed work, network layer attacks like Sybil attack and
rushing attack should be incorporated in the dataset. Other machine learning algorithms
should also be considered for the detection process. The work should be extended not
only other layers of MANET but also for various wireless networks like WSN and VANET.

78
Bibliography

[1] S. Kumar, M. Goyal, D. Goyal, and R. C. Poonia. Routing protocols and security
issues in MANET. In 2017 International Conference on Infocom Technologies and
Unmanned Systems (Trends and Future Directions) (ICTUS), pages 818–824. IEEE,
December 2017.

[2] M. R. Kumar and N. R. Babu. Security issues in mobile ad-hoc networks. Interna-
tional Journal of Engineering Inventions, 2:48–53, 2013.

[3] L. Raja and S S. Baboo. An overview of manet: Applications, attacks and challenges.
Int. J. of Comp. Sci. Mobile Comput.(IJCSMC), 3:408–417, 2014.

[4] S. R. Deshmukh, P. N. Chatur, and N. B. Bhople. AODV-based secure routing

against blackhole attack in MANET. In 2016 IEEE International Conference on
Recent Trends in Electronics, Information & Communication Technology (RTEICT),
pages 1960–1964. IEEE, May 2016.

[5] Z. Ishrat. Security issues, challenges & solution in manet. IJCST, 2(4):108–112,
2011.

[6] P. Joshi. Security issues in routing protocols in manets at network layer. Procedia
Computer Science, 3:954–960, 2011.

[7] A. M. Shabut, K. Dahal, and M A Kaiser, M. S.and Hossain. Malicious insider

threats in tactical MANET: The performance analysis of DSR routing protocol. In
2017 IEEE Region 10 Humanitarian Technology Conference (R10-HTC), pages 187–
192. IEEE, December 2017.
79
 [8] Al-Sakib K. Pathan. Security of self-organizing networks: MANET, WSN, WMN,
VANET. CRC press, 2016.

[9] Aditya Gupta, Prabal Verma, and GRS Sambyal. An overview of manet: Features,
challenges and applications. International Journal of Scientific Research in Com-
puter Science, Engineering and Information Technology, 4(1):122–126, 2018.

[10] B. Hemamalini and C. Ishwarya. Detection of network layer attacks in manet in-
trusion detection using grammatical evolution and feature selection. International
Journal of Advanced Computational Engineering and Networking, 4, 2017.

[11] M. Mohammad and A. Mirzaei. Attack detection in mobile ad hoc networks using
svm algorithm. Int. J. of Comp. and Info. Tech, 2017.

[12] S. Pastrana, A. Mitrokotsa, A. Orfila, and P. Peris-Lopez. Evaluation of classification

algorithms for intrusion detection in MANETs. Knowledge-Based Systems, 36:217–
225, December 2012.

[13] R. Meddeb, B. Triki, F. Jemili, and O. Korbaa. A survey of attacks in mobile ad

hoc networks. In 2017 International Conference on Engineering & MIS (ICEMIS),
pages 1–7. IEEE, May 2017.

[14] A. S. Chattopadhyay and N. Agarwal. Performance analysis of different routing

protocols for mobile ad-hoc network. IOSR Journal of Engineering (IOSRJEN), 8
(7):20–27, 2018.

[15] I. Chakeres and E. M Belding-Royer. Aodv routing protocol implementation de-

sign. In 24th International Conference on Distributed Computing Systems Work-
shops, 2004. Proceedings., pages 698–703. IEEE, 2004.

[16] P. K. Maurya et al. An overview of aodv routing protocol. International Journal of

Modern Engineering Research (IJMER), 2(3):728–732, 2012.

[17] P. Chahal, G. Kumar Tak, and A. Singh Tomar. Comparative Analysis of Various
Attacks on MANET. International Journal of Computer Applications, 111(12):42–
46, February 2015.

80
[18] Oussama Sbai and Mohamed Elboukhari. Classification of mobile ad hoc networks
attacks. In 2018 IEEE 5th International Congress on Information Science and Tech-
nology (CiSt), pages 618–624. IEEE, 2018.

[19] J G. Ponsam and R Srinivasan. A survey on manet security challenges, attacks

and its countermeasures. International Journal of Emerging Trends & Technology
in Computer Science (IJETTCS), 3(1):274–279, 2014.

[20] H. Vegda and N. Modi. Review paper on mobile ad-hoc networks. International
Journal of Computer Applications, 179(37), 2018.

[21] R. Kumari and M. Dutta. Efficient approaches to mitigate the effect of sybil attack
in manet for high network lifetime: A review. In 2018 Fifth International Conference
on Parallel, Distributed and Grid Computing (PDGC), pages 557–562. IEEE, 2018.

[22] R. Sheikh, Mahakal S. Chande, and D. K. Mishra. Security issues in manet: A review.
In 2010 Seventh International Conference on Wireless and Optical Communications
Networks-(WOCN), pages 1–4. IEEE, 2010.

[23] A. Singh, K. Pratim Kalita, and Smriti P. M. Blackhole attack on manet and
its effects. In Proceedings of the 5th International Conference on Computing for
Sustainable Global Development, New Delhi, India, pages 14–16, 2018.

[24] S. Gurung and S. Chauhan. A dynamic threshold based approach for mitigating
black-hole attack in manet. Wireless Networks, 24(8):2957–2971, 2018.

[25] F. Thachil and K.C. Shet. A Trust Based Approach for AODV Protocol to Mitigate
Black Hole Attack in MANET. In 2012 International Conference on Computing
Sciences, pages 281–285. IEEE, September 2012.

[26] D. Khan and M. Jamil. Study of detecting and overcoming black hole attacks in
manet: A review. In 2017 International Symposium on Wireless Systems and Net-
works (ISWSN), pages 1–4. IEEE, 2017.

[27] J. Thalor and M. Monika. Wormhole attack detection and prevention technique in
mobile ad hoc networks: a review. International Journal of Advanced Research in
Computer Science and Software Engineering, 3(2), 2013.

81
[28] P. A Patil and Anuradha T. An analysis of detection and prevention methods for
wormhole attack in manets. International Journal of Emerging Technology in Com-
puter Science & Electronics, October 2013.

[29] R. Khatouny L. Khoukhi M. Rmayti, Y. Begrichey and D. Gaiti. Flooding attacks

detection in manets. IEEE International Conference on Cyber Security of Smart
cities, Industrial Control System and Communications, 2015.

[30] C M Nalayini et al. Flooding Attack on MANET – A Survey. National Conference

on Information and Communication Engineering, 2017.

[31] S. Sahu. Impact Of Node Mobility, Pause Time And RREQ Flooding Attack In
MANET. International Journal of Engineering Research, 2(6), 2013.

[32] G. Bendale and S. Shrivastava. An improved blackhole attack detection and preven-
tion method for Wireless ad-hoc Network. In 2016 International Conference on ICT
in Business Industry & Government (ICTBIG), pages 1–7. IEEE, 2016.

[33] A. Mahajan N. Sharma and V. Mansotra. Machine learning techniques used in

detection of dos attacks: A literature review. International Journal of Advanced
Research in Computer Science and Software Engineering, 6(3):100–105, 2016.

[34] Cortes C. and Vapnik V. Support-vector networks. Machine learning, 20(3):273–297,

1995.

[35] H. Joutsijoki and M. Juhola. Comparing the One-vs-One and One-vs-All Meth-
ods in Benthic Macroinvertebrate Image Classification. In Machine Learning and
Data Mining in Pattern Recognition, volume 6871, pages 399–413. Springer Berlin
Heidelberg, 2011.

[36] N. Christiani, J. Shawe-Taylor, et al. An Introduction to Support Vector Machines

and other kernel-based learning methods. Cambridge University Press, 2013.

[37] N. Farnaaz and M. A. Jabbar. Random forest modeling for network intrusion detec-
tion system. Procedia Computer Science, 89:213–217, 2016.

82
[38] N. A Noureldien. A novel taxonomy of manet attacks. In 2015 International Con-
ference on Electrical and Information Technologies (ICEIT), pages 109–113. IEEE,
2015.

[39] Z. Chiba, N. Abghour, K. Moussaid, A. El Omri, and M. Rida. A survey of in-

trusion detection systems for cloud computing environment. In 2016 International
Conference on Engineering, pages 1–13. IEEE, 2016.

[40] R. Ahuja, A. Banga Ahuja, and P. Ahuja. Performance evaluation and comparison
of aodv and dsr routing protocols in manets under wormhole attack. In 2013 IEEE
Second International Conference on Image Information Processing (ICIIP-2013),
pages 699–702. IEEE, 2013.

[41] P Rajakumar, V. T Prasanna, and A Pitchaikkannu. Security attacks and detection

schemes in manet. In 2014 International Conference on Electronics and Communi-
cation Systems (ICECS), pages 1–6. IEEE, 2014.

[42] N. Raj, P. Bharti, and S. Thakur. Vulnerabilities, challenges and threats in securing
mobile ad-hoc network. In 2015 Fifth International Conference on Communication
Systems and Network Technologies, pages 771–775. IEEE, 2015.

[43] K. Pavani and A. Damodaram. Anomaly detection system for routing attacks in
mobile ad hoc networks. International Journal on Network Security, 5(2):13, 2014.

[44] D. G Kariya, A. B Kathole, and S. R Heda. Detecting black and gray hole attacks in
mobile ad hoc network using an adaptive method. international journal of emerging
technology and advanced engineering, 2(1):37–41, 2012.

[45] M. Patel, S. Sharma, and D. Sharan. Detection and prevention of flooding attack us-
ing svm. In 2013 International Conference on Communication Systems and Network
Technologies, pages 533–537. IEEE, 2013.

[46] J. Soni and D. Xaxa. Machine learning based approach for solving intrusion detection
system. International Journal of Innovations and Advancement in Computer Science,
5, 2016.

83
[47] I. Mapanga, V. Kumar, W. Makondo, T. Kushboo, P. Kadebu, and W. Chanda.
Design and implementation of an intrusion detection system using mlp-nn for manet.
In 2017 IST-Africa Week Conference (IST-Africa), pages 1–12. IEEE, 2017.

[48] A. Mitrokotsa and C. Dimitrakakis. Intrusion detection in manet using classification

algorithms: The effects of cost and model selection. Ad Hoc Networks, 11(1):226–237,
2013.

[49] H. Shahnawaz. Design of Detection Engine for Wormhole Attack in Adhoc Network
Environment. International Journal of Engineering and Technology, 4(6), 2013.

[50] I. Ahmad and F. Amin. Towards feature subset selection in intrusion detection. In
2014 IEEE 7th Joint International Information Technology and Artificial Intelligence
Conference, pages 68–73. IEEE, December 2014.

[51] F. Bai, N. Sadagopan, and A. Helmy. User manual for important mobility tool
generators in ns-2 simulator. University of Southern California, 2004.

[52] L. Raja and S. Santhosh. Performance analysis and simulation of reactive rout-
ing protocols. International Journal of Advance Research in Computer Science and
Management, 2014.

[53] A. Kumar S. Siraj and R. Badgujar. Network simulation tools survey. International
Journal of Advanced Research in Computer and Communication Engineering, 2012.

[54] D. Dobha and S. Dimri. Machine learning techniques used in detection of dos attacks:
A literature review. In International Conference on Electronics, Communication and
Aerospace Technology, 2017.

[55] F. AL-Dhief et al. Performance comparison between tcp and udp protocols in dif-
ferent simulation scenarios. International Journal of Engineering & Technology, 7
(4.36):172–176, 2018.

[56] B. Prithvi, N. Neeraj, M. Preeti, and C. Pushpanjali. A comparative study on

various data mining tools for intrusion detection. International Journal of Scientific
Engineering Research, 9, May 2018.

84
[57] B. Singh, K. Verma, and AS Thoke. Investigations on impact of feature normalization
techniques on classifier’s performance in breast tumor classification. International
Journal of Computer Applications, 116(19), 2015.

[58] R. C Sharma, K. Hara, and H. Hirayama. A machine learning and cross-validation ap-
proach for the discrimination of vegetation physiognomic types using satellite based
multispectral and multitemporal data. Scientifica, 2017.

85
Appendix A
TCL Scripts

#================================================================
# AODV routing protocol with Blackhole attack
# We simulate several times by varying at least the following parameters
# 1. Number of normal nodes
# 2. Simulation time
# 3. Pause time
# 4. Speed
# 5. X and Y dimension
# 6. Number of malicious nodes
#================================================================
set val(chan) Channel/WirelessChannel ;# channel type
set val(prop) Propagation/TwoRayGround ;# radio-propagation model
set val(netif) Phy/WirelessPhy ;# network interface type
set val(mac) Mac/802_11 ;# MAC type
set val(ifq) Queue/DropTail/PriQueue ;# interface queue type
set val(ll) LL ;# link layer type
set val(ant) Antenna/OmniAntenna ;# antenna model
set val(ifqlen) 50 ;# max packet in ifq
set val(nn) 90 ;# number of mobilenodes
set val(rp) AODV ;# routing protocol
set val(x) 800 ;# X dimension of topography
86
set val(y) 600 ;# Y dimension of topography
set val(stop) 100 ;# simulation time

#=================================================================
# Initialization
#=================================================================
set mobility [lindex $argv 0]
set ns_ [new Simulator]
set tracefd [open trace_output _[regexp -all -inline -- {[0-9]+} $mobility].tr w]
$ns_ trace-all $tracefd
set namtrace [open out_[regexp -all -inline -- {[0-9]+} $mobility].nam w] ;
$ns_ namtrace-all-wireless $namtrace $val(x) $val(y)
set topo [new Topography]
$topo load_flatgrid $val(x) $val(y)
set god_ [create-god $val(nn)]
set chan [new $val(chan)];
# Mobile node parameter configuration
#==========================================
$ns_ node-config -adhocRouting $val(rp) \
-llType $val(ll) \
-macType $val(mac) \
-ifqType $val(ifq) \
-ifqLen $val(ifqlen) \
-antType $val(ant) \
-propType $val(prop) \
-phyType $val(netif) \
-energyModel "EnergyModel" \
-initialEnergy 100.0 \
-txPower 0.9 \
-rxPower 0.5 \
-idlePower 0.75 \
-sleepPower 0.15 \

87
-channel $chan \
-topoInstance $topo \
-agentTrace ON \
-routerTrace ON \
-macTrace ON \
-movementTrace ON
for {set i 0} { $i < $val(nn) } { incr i } {
set node_($i) [$ns_ node]
$node_($i) random-motion 0
}
#===================================================
# Laod Mobility and traffic files
#===================================================
source $mobility
source cbr-90
#source tcp-60
# Attack creation
#==================================================
$ns_ at 0.0 "[$node_(3) set ragent_] blackhole"
$ns_ at 0.0 "[$node_(5) set ragent_] blackhole "
$ns_ at 1.0 "[$node_(17) set ragent_] blackhole "
$ns_ at 1.0 "[$node_(11) set ragent_] blackhole "
# Termination
#================================================
#Define a ’finish’ procedure
proc finish {} {
global ns_ tracefd namtrace
$ns_ flush-trace
close $tracefd
close $namtrace
exit 0
}

88
set rng_ [new RNG]
$rng_ seed 0
for {set i 0} { $i < $val(nn) } { incr i } {
$ns_ initial_node_pos $node_($i) 50
}
for {set i 0} {$i < $val(nn) } { incr i } {
$ns_ at $val(stop) "\$node_($i) reset"
}
$ns_ at $val(stop) "$ns_ nam-end-wireless $val(stop)"
$ns_ at $val(stop) "finish"
$ns_ at $val(stop) "puts \"done\" ; $ns_ halt"
$ns_ run

89
Appendix B
AWK Scripts

AWK scripts
#===================================================
# AWK scripts for data collection : AWKscripts.awk
# In this code the following parameters are extracted from the trace file
# 1. Number of data packets sent
# 2. Number of data packets received
# 3. Number of Packet loss
# 4. The packet drop
# 5. Number of control packets(control over head)
# 6. Normalized Routing Load
# 7. Throughput
# 8. Average End to End delay
# 9. Good put
# 10.REmaining Energy
# 11.Jitter
# 12. Number of Rout Request sent
# 13. Number of Route replay
# 14. Number of Route Error
# 15. Number of Hello Messges
#===============================================
BEGIN {
90
send-pkt = 0; #variable for storing number of packets sent
recv = 0; #variable for storing number of packets received
bytes = 0; #variable for storing number of bytes transmitted
st = 0; #variable for start time
end = 0; #variable for end time
rtr = 0; #variable for number of routing packets
Enrgy=0; #variable for storing Remaining Energy
rreq=0; #variable for storing Route Request
...}
...
if (( $1 == "s" || $1 == "f" ) && $4 == "RTR" && $7 == "AODV") { rtr++;
}
if ( $1 == "s" && $4 == "AGT" && $7 == "cbr")
{
...
}}
END{
if(recv >0)
#======================= Printing values==============================
printf("Packets_Sent: \t%.2f\n",send-pkt)
printf("Packets_Received: \t%.2f\n",recv);
printf("Packet_lost: \t%.2f %%\n",(send-pkt-recv));
printf("PDR: \t%.2f %%\n",recv/send-pkt*100);
printf("Control_Overhead: \t%.2f\n",rtr);
printf("Norm_Routing_Load: \t%.2f %%\n",rtr/recv*100);
printf("Delay:\t%.5f Seconds\n",delay/recv);
printf("Throughput: \t%.2f Kbps\n",bytes*8/(end-st)/1000);
printf("RREQ:\t%.2f\n",rreq);
...
}

91
Appendix C
Automation of all Scripts

# allinone.sh
# This code can able to automate all simulations many times and changes
#to csv format.
# In this code the following scripts and trace files are performed:
# TCL scripts, Awk scripts, Trace files and node mobilites
#============================================================
#Create required directories and set permissions
mkdir mobilites
mkdir -p Output/nam_files
mkdir -p Output/trace_files
mkdir -p Output/Results
chmod 777 -R mobilites
#Create required variables to store the parameter values.
send=0 # send packets
recv=0 #recive packets
...
#Create header of CSV file.
echo ""| awk ’BEGIN{printf "SN,Packets_Sent,Packets_Received,Packet_lost,PDR,
Control_Overhead,Norm_Routing_Load,Delay,Throughput,Enrgy,RREQ,RREP,RERR,
HELLO,Jitter,GoodPut"}’>Output/Results/CSVFile.csv
for (( i=1; i<=100; i++)) #loop
92
do
#Creates mobility files. We named as m1, m2, ... ,
./setdest -v 2 -n 100 -m 1 -M 25 -t 4 -p 2 -x 1000 -y 800 > mobilites /m$i

#Call TCL script

ns blackhole.tcl mobilites /m$i
#Call analysis file and redirect the parameter values to file Result.txt
printf "=================Simulation:$i=============\n" >> Result.txt
awk -f AWKscripts.awk trace_output_$i.tr >> Result.txt
printf "\n\n" >> Result.txt
#Call analysis file and redirect the parameter values to file tmp_result.
awk -f AWKscripts.awk trace_output_$i.tr > tmp_result
#Extract the value from the file tmp_result and redirect it to the temporary file 1.tx
grep "Packets_Sent:" tmp_result | awk ’BEGIN{}{print $2;}’ > 1.txt
send=$(<1.txt)
grep "Packets_Received:" tmp_result | awk ’BEGIN{}{print $2;}’ > 1.txt
recv=$(<1.txt)
grep "Packet_lost:" tmp_result | awk ’BEGIN{}{print $2;}’ > 1.txt
pkt_lost=$(<1.txt)
...
#=====Print all the values to CSV file=============
echo "$i" | awk ’{printf "\n%.5f", $1}’ >> Output/Results/CSVFile.csv.csv
echo "$send" | awk ’{printf ", %.5f", $1}’ >> Output/Results/ CSVFile.csv
echo "$recv" | awk ’{printf ", %.5f", $1}’ >> Output/Results/ CSVFile.csv
echo "$pkt_lost" | awk ’{printf ", %.5f", $1}’ >> Output/Results/ CSVFile.csv
...
done
#===Remove all temporary files for next use=====
rm 1.txt
rm tmp_result
#=====Move all output files to their locations=========

93
mv *.nam Output/ nam_files
mv *.tr Output/trace_files
mv *.txt Output/Results
echo " Successfully Completed"

94
Appendix D
Python Code

#===========Sample Python code=============

#import and check python libraries/modules
import pandas as pd
import numpy as np
import sklearn
from sklearn.preprocessing import LabelEncoder
from sklearn.metrics import confusion_matrix
from sklearn.model_selection import cross_val_predict
from sklearn.metrics import accuracy_score
import warnings
warnings.filterwarnings(’ignore’)
#========Load the data set=======
data=pd.read_csv("all-data.csv")
data.head()
#coose the model- SVM
from sklearn.svm import SVC
#========================================
# Preprocessing code
...
#========================================
# SVM Algorithm
95
model_svm=SVC(kernel=’rbf’,decision_function_shape=’ovo’,C=100,gamma=10)
# Training Models
y_pred_svm = cross_val_predict(model_svm, X=normalized_X, y=y, cv=10)
#Random Forest Algorithm
from sklearn.ensemble import RandomForestClassifier
model_rf=RandomForestClassifier(n_estimators=100,random_state=60)
#Calculate Confusion Matrix
confusion=confusion_matrix(y, y_pred_rf)
#Assign the row and columns of the matrix:
C00=confusion[0,0]
C01=confusion[0,1]
C02=confusion[0,2]
C03=confusion[0,3]
.....
#1. Calculate True postives
TP_B=C00
TP_F=C11
TP_N=C22
TP_W=C33
#Calculate False postives
FP_B=C01+C02+C03
FP_F=C10+C12+C13
FP_N=C20+C21+C23
FP_W=C30+C31+C32
#calculate Accuracy for each class
A_B= (TP_B+TN_B)/float(TP_B+TN_B+FN_B+FP_B)
A_F= (TP_F+TN_F)/float(TP_F+TN_F+FN_F+FP_F)
A_N= (TP_N+TN_N)/float(TP_N+TN_N+FN_N+FP_N)
A_W= (TP_W+TN_W)/float(TP_W+TN_W+FN_W+FP_W)

print("Accuracy for each class")

print("---------------------------")

96
print("Accuracy for black hole: %.3f"%A_B)
print("Accuracy for flooding: %.3f"%A_F)
print("Accuracy for normal: %.3f"%A_N)
print("Accuracy for worm hole: %.3f"%A_W)
...
#==================================

97