Appl. Math. Inf. Sci. 13, No. 5, 813-819 (2019)
Applied Mathematics & Information Sciences
An International Journal
FSSAM: Detecting Wormhole Occurrence Using
Five-Stage Security Analysis Model in MANET
S. Muthukumar1,∗ and K. Ruba Soundar2
1 Department of Computer Science and Engineering, Sree Sowdambika College of Engineering, Aruppukottai, Tamilnadu, India.
2 Department of Computer Science and Engineering, P.S.R. Engineering College, Sivakasi, Tamilnadu, India.
Received: 23 Jan. 2019, Revised: 16 Apr. 2019, Accepted: 19 Apr. 2019
Published online: 1 Sep. 2019
Abstract: The mobile ad-hoc network (MANET) is a wireless network in which the nodes communicate with each other through wireless channels. Security is a crucial aspect of this network, to protect it from fraudulent actions. Due to fraudulent actions, data is lost, routes fail and data routes are diverted, and data transmission in the network also fails. This work aims to model and implement a Five Stage Security Analysis Model (FSSAM) to detect wormhole attacks in MANET. For that, the proposed model collects and analyzes information about all the nodes, routing paths and other communication details in the network. The Network Simulation-2 tool is used to simulate the proposed FSSAM and its performance is evaluated.
Keywords: Security, MANET, Malicious Activity, Wormhole Attack, Route Discovery, Route Failure.
∗ Corresponding author e-mail: muthukumarphd@[Link]
© 2019 NSP
Natural Sciences Publishing Cor.
1 Introduction
A MANET is a temporary network formed by a large number of connected mobile nodes that does not depend on any existing infrastructure. Every node in the network behaves as a host as well as a router, which allows all the nodes to connect within the network and to communicate with one another. However, MANET suffers from security issues such as an open medium, a lack of central monitoring and management, a dynamically changing topology and no clear defense mechanism. The inclusion and exclusion of nodes in the network without any constraints at any time is described in [1]. One of the security issues is the wormhole attack, which disturbs the entire communication in the network [2]. The wormhole attack is represented in Fig. 1, in which A, B, C and G are some of the nodes taken in the network to describe the wormhole attack [3]. The nodes A and B are treated as normal nodes, and C and G are treated as malevolent nodes, because C and G communicate over a private route which does not belong to the common routes in the network. B chooses the first route because it is the shortest and fastest route; thus the transmission between the nodes depends upon the relay node, and a large number of routing protocols is currently proposed. The wormhole attackers aggregate all the data packets and transmit them in a normal route.
Fig. 1: Scenario of wormhole attack
In Fig. 1, S, D, M1 and M2 are the source, destination, malicious node 1 and malicious node 2 respectively.
Therefore the resulting route has fewer hops than the usual routes. Thus, attackers who use the wormhole could easily calculate the prioritized route in MANET in order to perform packet modification and eavesdropping [3]. A wormhole link is created by connecting a high-speed channel link with the data route in the network, as explained in [4]. The wormhole attack has two different modes, called "Exposed" and
"Hidden" modes. The two different modes can be identified by the packet header [2].
Fig. 2: Open, half-open and closed wormhole scenarios
Wormhole attacks: the three different forms of wormhole attacks are:
–Open
–Half Open
–Closed
Open wormhole: Between the source (S) and destination (D) nodes, malicious nodes (M1, M2) are present in the network. The nodes A and B on the traversal path are hidden, and these nodes are involved with attackers automatically in the header by the subsequent route finding method. The nodes are fraudulent-aware nodes in the data route of the network and thus it limits the fraudulent nodes stating that they are direct neighbors.
Half-open wormhole: In the given scenario, consider two different malicious nodes, one visible and one hidden. The node closer to the source is visible and the other malicious node, closer to the destination, is hidden. The attacker doesn't modify the data packet. Finally, they club the end of the wormhole and then re-broadcast the packets.
Closed wormhole: The identities of all the intermediate nodes from S to D are kept hidden. Fake neighbors are created, since S and D appear to be just one hop away from each other, as shown in Fig. 2.
2 Research Background
Indirect communication is created using a multi-hop connection, with all the nodes helping one another as neighborhood nodes. Differentiating the neighbor nodes from the entire set of nodes helps to find and communicate with the non-neighbors. The routing protocols play a vital role in the network. Wormholes influence several routing protocols, including DSR, OLSR, AODV, TBRPF and DSDV [5–7]. In order to detect and prevent wormholes, the theory of temporal packet is applied in [7]. With the help of topographical information, the receiver node is available within a predefined space from the sender node. Directional antennas [8] are also used in the prevention of wormhole attacks. Every node distributes its secret key to another node in the network and also keeps an updated list of its neighbors. LITEWORP [7], a lightweight countermeasure, is used against the wormhole attack. Local monitoring is carried out, where the node tracks the traffic cost based on the distance among its neighboring nodes. It also uses the data structure of the first two neighbors. LITEWORP eliminates fraudulent nodes. To identify the wormhole attack, TTM is created [9]. At the time of the route setup procedure, TTM identifies wormhole attacks by stating the transmission time of every two consecutive nodes on its recognized paths. In order to detect wormhole attacks, two new mechanisms, RTT-TC and topological comparisons, are also introduced [10]. For preventing wormhole attacks in WSN, a protocol is designed using cryptographic mechanisms and also on the basis of GPS. The nodes are distinguished among themselves as GPS nodes and non-GPS nodes [11]. An efficient algorithm is developed in the proposed approach, rather than TTM. Packet Travel Time (PTT), a new state, is provided in this algorithm [12], where this state permits each device to monitor the behavior of its neighbors. In order to provide security against wormhole attacks, a method is newly adopted with the help of a honeypot [13]. The purpose of the honeypot is to find out the actions of intruders who try to gain unauthorized access to the network, and to improve the network security.
3 Existing System
3.1 Earlier IDS' Limitations
When an IDS technique is applied in MANET, certain problems arise because of its specific nature. Some factors that affect network performance are:
3.1.1 Congestion
Certain IDSs, in order to locate fraudulent nodes, send special packets to all or any other node involved in the route. The network topology changes frequently in MANET. As the nodes move freely, many messages are poured into the network, which creates congestion. This has a negative effect on the network. Congestion thus also increases the FPR of an IDS in which wormhole attacks are detected by time calculations.
3.1.2 Routing Delay
The consumed time for routing a data is used to calculate the delay which is obtained from route discovery and also
verify the routes before the actual data is sent. If the path is established, then the IDS takes a minimum amount of time to evaluate the path between the S and D nodes. Hence, it causes a delay in routing, which directly affects network performance.
3.1.3 Resource Overuse
This means the additional use of resources by a node for any activity other than transmitting data and finding its route. A mobile node has limited resources in the form of processing power, storage memory and battery life. Memory usage is larger when an IDS is involved.
3.1.4 Special Hardware
More hardware is required than the hardware generally needed for data transfer and routing. This special hardware could take various forms, such as special devices like directional antennas, GPS devices and special nodes with additional features. Network cost is reduced by resource re-usability.
3.1.5 Node Mobility
This is said to be the most important property of MANET: each node can move anywhere in the network. The IDS blocks the fraudulent nodes by transferring block or trust information. Because of mobility, the False Positive Rate (FPR) could be increased.
A wormhole attack detection methodology in which the transmission depends on the range of the neighborhood, without using extra tools, was proposed in [14]. The simulation results indicate that the proposed system could detect the wormhole attack efficiently in WSN. In this work, a well-known algorithm, the Transmission Range-based Method (TRM), is used. Due to the presence of a wormhole, a new topology is demolished and the routes are misled. Specialized hardware is not used anywhere; even though a large amount of data gets transmitted, this algorithm prevents wormholes by permitting the neighborhood function to detect whether the network topology is an original or a fake one. An analytical evaluation is provided for this algorithm in order to correct the simulation experiment which states its efficiency.
In the existing system, the wormhole attack is identified only by investigating and verifying the communication route. A wormhole attack is created by very few fraudulent nodes, which act like normal nodes and hence transfer the data over their private route. Thus this paper presents a methodology to detect the Worm Hole Attack (WHA) by analyzing the entire network in terms of location, neighborhood, route and time of communication within the network.
4 Proposed System
The various stages of WHA detection in the proposed approach are discussed below.
4.1 Route Analysis
The AOMDV protocol is used to discover the various routing paths from the source node to the destination node. This protocol is an extension of the AODV protocol. In this protocol, the route table is checked to see whether or not a route is available for transferring the data between nodes. An RREQ packet is broadcast on all the available routes and investigates the nodes, including the destination node. If the destination receives the RREQ, it immediately sends back an RREP packet along the same path. Even though a number of RREQ packets arrive over different data paths, they are all aggregated and transmitted in a single path to the source node. All the available routing paths known by the source node are updated in the routing table. In this manner, the paths are obtained [2]. The idea of AOMDV is that, at the time of the route discovery procedure, it provides multiple paths to avoid link failure. AOMDV creates various paths and chooses the key path for transferring the data. This paper detects the wormhole attack using the AOMDV protocol. The details of the proposed model are explained below.
Source node S creates an RREQ packet with sending time t1. The destination sends the respective RREP packet to S, and S also records the receiving time of the packet. In case many RREP packets are received, S must keep track of the related time t2_i of every RREP packet. Using these values, the round trip time t3_i of the broadcast route is estimated [8]. The round trip time t3_i of every route is divided by its hop count. The average of the round trip times of all routes is calculated from the values ts_i. The value used as the threshold is the round trip time th. The threshold value is then compared with each round trip time: if the round trip time ts_i is less than the threshold round trip time th_i (ts_i < th_i) and the hop count of the particular i-th route is equal to 2, then the closest/first neighbor node is considered a wormhole node. Fig. 3 shows that the neighbor node M1 is a wormhole node and sends a dummy RREP message to M2, and the time difference is calculated. Considering M1 as the wormhole node, M2 replies to M2, hence M2 is also detected as a wormhole node. Now both M1 and M2 are eliminated and the data is transmitted through another routing path. The benefit of using the AOMDV protocol in the proposed mechanism is that it minimizes cost and delay.
4.2 Node Location Analysis
The location of a particular node plays a crucial role in a wormhole attack. When the current location of the mobile
node is known, it is used to build a track on the network. Certain special nodes contain a GPS receiver at a specific location to get the location of neighboring nodes. With the help of special antennas, the relative location is collected. This GPS device decreases the battery time of the node. The relative location is used as the detection failure in order to increase the False Positive Rate (FPR).
4.3 Time Analysis
The average time taken by the wormhole attack route is more than that of usual routing. In order to calculate the difference in routing time between a normal route and a wormhole route, the synchronization method is connected with all the hop nodes in the route. It can also be calculated in another form, where the S node sends a lightweight message to the node D and maintains the sent time of the packet. When a HELO message is received by the destination node, it, in turn, replies with the HELO-RPLY message. The minimum time of every hop is obtained. Implementation of a synchronized clock is expensive in MANET. In the simple time difference method, it is hard to find out the location in order to identify the fraudulent nodes. During route discovery, the obtained route information is stored in a routing table. Each time, the routing table is verified individually to check whether or not any wormhole node is present in the path. If one is present, that path is eliminated and another path, which doesn't have any wormhole attacks, is chosen.
Fig. 3: Route analysis-based WHA detection
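The threshold test of Section 4.1, as an added Python illustration (not the authors' NS-2 implementation). It assumes t3_i = t2_i - t1, ts_i = t3_i / hop count and th = mean of all ts_i; the RouteReply fields, the sample timings and the fewest-hops choice of the replacement route are constructed for the example.

```python
"""Route-analysis wormhole check from Section 4.1 (added illustration).

Assumed reading of the paper's symbols:
  t1    time at which S sends the RREQ
  t2_i  time at which S receives the RREP of route i
  t3_i  = t2_i - t1            round trip time of route i
  ts_i  = t3_i / hop count     per-hop round trip time of route i
  th    = mean of all ts_i     threshold
Route i is suspicious when ts_i < th and its hop count equals 2.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RouteReply:
    route_id: str        # label of the i-th route (hypothetical field)
    first_neighbor: str  # next hop from S on this route
    hop_count: int       # hop count carried in the RREP
    t2: float            # arrival time of the RREP at S, in ms


@dataclass(frozen=True)
class Analysis:
    per_hop: dict         # route_id -> ts_i
    threshold: float      # th
    flagged_routes: list  # route ids that meet the wormhole condition
    suspects: set         # first neighbors on the flagged routes


def per_hop_rtt(t1, reply):
    """Return ts_i for one RREP, rejecting records that cannot be valid."""
    if reply.hop_count < 1:
        raise ValueError(f"{reply.route_id}: hop count must be >= 1")
    t3 = reply.t2 - t1
    if t3 < 0:
        raise ValueError(f"{reply.route_id}: RREP arrived before the RREQ was sent")
    return t3 / reply.hop_count


def analyse_routes(t1, replies):
    """Apply the ts_i < th and hop count == 2 test to every discovered route."""
    if not replies:
        raise ValueError("no RREP received, nothing to analyse")
    per_hop = {r.route_id: per_hop_rtt(t1, r) for r in replies}
    th = mean(list(per_hop.values()))
    # With a single route ts_i equals th, so the strict "<" never flags it.
    flagged = [r for r in replies
               if per_hop[r.route_id] < th and r.hop_count == 2]
    return Analysis(per_hop, th,
                    [r.route_id for r in flagged],
                    {r.first_neighbor for r in flagged})


def select_route(replies, analysis):
    """Pick a route that avoids every suspect (assumption: fewest hops wins)."""
    usable = [r for r in replies if r.first_neighbor not in analysis.suspects]
    if not usable:
        return None
    return min(usable, key=lambda r: (r.hop_count, analysis.per_hop[r.route_id]))


# Constructed sample: RREQ sent at t1 = 1000 ms, five RREPs come back.
SAMPLE_T1 = 1000.0
SAMPLE_REPLIES = [
    RouteReply("R1", "N1", 5, 1050.0),  # ts = 10 ms per hop
    RouteReply("R2", "N2", 6, 1066.0),  # ts = 11 ms per hop
    RouteReply("R3", "N3", 4, 1044.0),  # ts = 11 ms per hop
    RouteReply("R4", "M1", 2, 1012.0),  # ts = 6 ms per hop, 2 hops: flagged
    RouteReply("R5", "N4", 2, 1024.0),  # ts = 12 ms per hop, 2 hops: kept
]

if __name__ == "__main__":
    result = analyse_routes(SAMPLE_T1, SAMPLE_REPLIES)
    print("threshold th =", result.threshold, "ms per hop")
    print("flagged routes:", result.flagged_routes, "suspects:", result.suspects)
    print("replacement route:", select_route(SAMPLE_REPLIES, result).route_id)
```

Route R5 shows why the hop-count condition alone is not enough: it also has two hops, but its per-hop time is above the threshold, so it stays usable.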
4.4 Hop Count Analysis
In shortest path routing, a wormhole route has fewer hops and more network congestion than a normal route. In order to detect a wormhole attack, the hop count process is also considered. The minimum time for one-hop communication is calculated by dividing the total number of hops by the entire time it takes. When the minimum hop time is higher than that of a normal hop, a fraudulent node is present. In order to obtain a minimum time or a distance, a GPS device or a synchronized clock is required.
4.5 Neighborhood
One of the significant features that helps to detect a wormhole attack is that it has only two neighbor nodes in its route. So, a wormhole could be detected when it fetches the data that is related to its neighboring nodes. This kind of problem arises in a larger network where every node has many neighbors. Hence more memory storage and power are required. Because of these techniques, the neighbor list changes frequently, which also increases the FPR.
4.6 Data Packets
Certain intrusion detection techniques detect the wormhole node by evaluating the proportion of packets sent and received. The nodes in the network track the number of packets sent and received by their nearby nodes and keep it in a routing table, so that they can ascertain the states of their neighbors. This technique works efficiently in a larger network with a higher rate of mobility.
5 Results and Discussion
5.1 Simulation Settings
The network simulator is used to implement and execute a simulation model of the FSSAM method. The set of parameters and their values shown in Table 1 is used to obtain the simulation environment. It also contains the network area, mobility speed and propagation delay. By initializing and assigning the parameters in network
simulator software it is able to calculate the relevant results in terms of throughput, energy and so on.
Table 1: Simulation parameter settings
Parameter | Value
X, Y | 1500, 1500
Routing Protocol | AODV
PROB | Radio Propagation
NN | 100 to 500 Nodes
MAC | MAC/802.11
Energy Model | Energy-model = true
Mobility | Random
Moving Speed | 2 m/s
Traffic | CBR
Bandwidth Link | 2 Mbps
Propagation path loss model | Two-Ray ground Model
Propagation channel frequency | 600 KHz
Propagation speed | 1500 meter/sec
Propagation limit | 111 dbm
Propagation path loss model | Free space
Transmit power | 33 dbm
Receive sensitivity | 98 dbm
Receive threshold | 88 dbm
Data rate | 100 kbps
Channel bandwidth | 100 KHz
Antenna model | Omni-directional
Maximum transmission range | 100 meters
Fig. 4: Number of nodes versus throughput
Fig. 5: Number of nodes versus delay taken for wormhole detection
Based on control parameters like mobility, size of the network and number of nodes with load, certain performance values such as Packet Delivery Ratio (PDR), delay, throughput and so on are calculated in the simulation. The performance of FSSAM is evaluated by calculating various parameters. The total number of nodes is changed in each round of operation and the performance is calculated. Throughput is calculated as the ratio of packets that have been effectively received by the destination within the time duration. E-2-E delay is the amount of time the data takes to travel its data path. PDR is the ratio of the delivered packets to the total number of packets sent, and it also determines the excellence of request in the form of congestion control; congestion is caused in the network because of routing overhead. The NS2 simulator comprises some control parameters and performance metrics such as network size, number of S and number of D nodes, the load of the network, throughput, overhead, e-2-e delay and PDR.
In the existing algorithm, [14] obtained simulation results such as wormhole detection rate and route failure rate. In this paper, however, the FSSAM method is verified in terms of various parameters like throughput, energy, delay taken for detecting a wormhole attack, end-to-end delay, packet loss, and PDR.
QoS parameters are calculated according to the number of nodes deployed. The number of nodes taken in each round of the simulation process is 100, 200, 300, 400 and 500. The results are compared with the results mentioned by [15]. The throughput of both systems is calculated according to the number of nodes deployed in the network. The number of nodes decides the density of the network and it may or may not increase the number of intermediate nodes in the network. Also, the communication rate and the transmission of data depend on the number of nodes communicating within a time interval. The comparison results in terms of throughput using both the existing (RTT) and the proposed FSSAM systems are shown in Fig. 4. The throughput obtained using FSSAM is higher than that of RTT at each round of network operations. For example, when the number of nodes is 500, the throughput obtained by RTT is 312.44 and by FSSAM is 336.89. From the throughput value, it is decided that the proposed FSSAM method is better than the RTT method.
To verify the efficiency of FSSAM, a number of wormhole attackers are created in the simulation and it is checked whether or not the FSSAM method detects them. If this happens, then the time taken for identifying the wormhole nodes in the network is estimated. The time taken, from the values obtained from simulation, for 5% of wormhole nodes is shown in Fig. 5. From the result, it is noticed that the time taken for detecting a wormhole attack by FSSAM is much less than by RTT. For example, the time taken for detecting 5% of wormhole nodes out of 500 nodes by FSSAM is 81.99
seconds and by RTT is 84.22 seconds. Hence, in terms of wormhole detection delay, FSSAM is better than RTT.
Fig. 6: Number of nodes versus remaining energy
Fig. 7: Number of nodes versus end-2-end delay
Fig. 8: Number of nodes versus packet loss
Fig. 9: Number of nodes versus PDR
For each communication, and even to stay alive in the network, each node needs some amount of energy. Energy is consumed by certain functions like transmit, receive and listen, wakeup, idle and idle-listen. All the nodes are initialized with a fixed amount of energy (for example, initial energy = 100). When a node starts performing a function, the energy of the node is reduced by the function carried out. To calculate the energy consumption, the remaining energy is calculated here. The obtained results in terms of remaining energy are shown in Fig. 6.
The other QoS parameter which defines the effectiveness of the proposed system is end-to-end delay. The delay is the time consumed to complete a single cycle of data transfer from source to destination. The delay calculated using the RTT method and the FSSAM method is given in Fig. 7. From Fig. 7, it is understood that the delay taken by the FSSAM method is much less than that of the RTT method, which shows that FSSAM is more efficient. In the presence of a wormhole attack, the data is transmitted over the attackers' private route, which is illegal. This means that the data packet does not travel through the original path to the real destination, and this is considered as packet loss. The packet loss obtained using FSSAM is much less than that of the existing RTT method, which shows that FSSAM is more efficient than the RTT method. From Fig. 8, it is identified that the number of attacker nodes detected by RTT is 14, whereas for FSSAM it is 6. The reason for the lower wormhole detection is that FSSAM provides prevention in the network and avoids wormhole attacks. Also, more packet loss indicates the inefficiency of an approach, and it is decided that those kinds of approaches are not suitable for better routing in MANET.
Finally, the PDR is calculated in the simulation for the FSSAM approach and the obtained result is shown in Fig. 9. The number of packets effectively received at the end node is called the PDR. From the obtained result it is clear that the PDR achieved by FSSAM is higher than that of RTT. For example, when 500 nodes are deployed in the network, the PDR obtained by the RTT method is 77% whereas for FSSAM it is 97%. A high PDR indicates a higher quality of service of the method in general. From the comparative results, it is concluded that FSSAM is a suitable method for data transmission with a very good detection procedure.
6 Conclusion
The main purpose of this work is to model and implement a Five Stage Security Analysis Model (FSSAM). The proposed model is designed for identifying wormhole attacks in MANET. Network simulation-2 software is used to simulate the proposed system and its performance is analyzed. From the results, it is found that the proposed FSSAM approach performs better than the RTT method in terms of various QoS parameters.
References
[1] C. Siva Ram Murthy and B.S. Manoj, Mobile Ad Hoc Networks-Architectures and Protocols, Pearson Education, New Delhi (2004).
[2] M. Meghdadi, S. Ozdemir and I. Güler, A survey of wormhole-based attacks and their countermeasures in wireless sensor networks, IETE Technical Review, 28(2), 89–102 (2011).
[3] R.S. Khainwar, M.A. Jain and M.J.P. Tyagi, Elimination of Wormhole Attacker node in MANET using performance evaluation multipath algorithm, Journal of Network and Complex Systems, IISTE, 3(7), 22–29 (2013).
[4] K.S. Win, Analysis of detecting wormhole attack in wireless networks, in: World Academy of Science, Engineering and Technology, International Journal of Electronics and Communication Engineering, 2(12), 2704–2710 (2008).
[5] M. Imran, F.A. Khan, H. Abbas and M. Iftikhar, Detection and prevention of black hole attacks in mobile ad hoc Networks, in: International Conference on Ad-Hoc Networks and Wireless, Springer, Berlin, Heidelberg, 111–122 (2014).
[6] P. Nagrath and B. Gupta, Wormhole attacks in wireless adhoc networks and their counter measurements: A survey, in: IEEE 3rd International Conference on Electronics Computer Technology, 6, 245–250 (2011).
[7] Y.C. Hu, A. Perrig and D.B. Johnson, Wormhole attacks in wireless networks, IEEE Journal on Selected Areas in Communications, 24(2), 370–380 (2006).
[8] V. Mahajan, M. Natu and A. Sethi, Analysis of wormhole intrusion attacks in MANETS, in: MILCOM'2008 IEEE Military Communications Conference, 1–7 (2008).
[9] J. Zhen and S. Srinivas, Preventing replay attacks for secure routing in ad hoc networks, in: International Conference on Ad-Hoc Networks and Wireless, Springer, Berlin, Heidelberg, 140–150 (2003).
[10] M.R. Alam and K.S. Chan, RTT-TC: A topological comparison based method to detect wormhole attacks in MANET, in: 2010 IEEE 12th International Conference on Communication Technology, 991–994 (2010).
[11] S. Keer and A. Suryavanshi, To prevent wormhole attacks using wireless protocol in MANET, in: IEEE International Conference on Computer and Communication Technology (ICCCT), 159–163 (2010).
[12] A.S. Alshamrani, PTT: packet travel time algorithm in mobile ad hoc networks, in: IEEE Workshops of International Conference on Advanced Information Networking and Applications, 561–568 (2011).
[13] I. Mokube, Honeypots: concepts, approaches and challenges, in: Proc. of the 45th Annual Southeast Regional Conference, 23–24 (2007).
[14] G. Wu, X. Chen, L. Yao, Y. Lee and K. Yim, An efficient wormhole attack detection method in wireless sensor networks, Comput. Sci. Inf. Syst., 11(3), 1127–1141 (2014).
[15] P. Amish and V.B. Vaghela, Detection and prevention of wormhole attack in wireless sensor network using AOMDV protocol, Procedia Computer Science, 79, 700–707 (2016).
S. Muthukumar received the B.E. degree in Computer Science and Engineering from Madurai Kamaraj University in 2000. He received the M.E. degree in Computer Science and Engineering from Annamalai University in 2005. At present he is working as Associate Professor in the Department of Computer Science and Engineering, Sree Sowdambika College of Engineering, Aruppukottai, Tamil Nadu, India. He has 14 years of teaching experience with UG and PG classes. He is a Life member of the Indian Society for Technical Education and the Computer Society of India.
K. Ruba Soundar received the A.M.I.E. degree in Computer Science and Engineering from The Institution of Engineers (India) in 2000. He received the M.E. and Ph.D. degrees in Computer Science and Engineering from Anna University, Chennai in the years 2004 and 2010 respectively. Currently he is a Professor in the Computer Science and Engineering Department of P.S.R. Engineering College, Sivakasi, Tamil Nadu, India. He has authored / coauthored over 100 research articles in various Journals and Conferences in the areas of Cloud Computing, Image Processing, Wireless and Wired Networking.