Hindawi
Journal of Computer Networks and Communications
Volume 2019, Article ID 4683982, 14 pages
https://doi.org/10.1155/2019/4683982

Research Article

Detection and Prevention of Man-in-the-Middle Spoofing Attacks in MANETs Using Predictive Techniques in Artificial Neural Networks (ANN)

Robert A. Sowah, Kwadwo B. Ofori-Amanfo, Godfrey A. Mills, and Koudjo M. Koumadi

Department of Computer Engineering, University of Ghana, PMB 25, Legon, Accra, Ghana

Correspondence should be addressed to Robert A. Sowah; rasowah@ug.edu.gh

Received 27 June 2018; Revised 21 November 2018; Accepted 13 December 2018; Published 20 January 2019

Academic Editor: Zhiyong Xu

Copyright © 2019 Robert A. Sowah et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

A Mobile Ad-Hoc Network (MANET) is a convenient wireless infrastructure which presents many advantages in network settings. With Mobile Ad-Hoc Network, there are many challenges. These networks are more susceptible to attacks such as black hole and man-in-the-middle (MITM) than their corresponding wired networks. This is due to the decentralized nature of their overall architecture. In this paper, ANN classification methods in intrusion detection for MANETs were developed and used with NS2 simulation platform for attack detection, identification, blacklisting, and node reconfiguration for control of nodes attacked. The ANN classification algorithm for intrusion detection was evaluated using several metrics. The performance of the ANN as a predictive technique for attack detection, isolation, and reconfiguration was measured on a dataset with network-varied traffic conditions and mobility patterns for multiple attacks. With a final detection rate of 88.235%, this work not only offered a productive and less expensive way to perform MITM attacks on simulation platforms but also identified time as a crucial factor in determining such attacks as well as isolating nodes and reconfiguring the network under attack. This work is intended to be an opening for future malicious software time signature creation, identification, isolation, and reconfiguration to supplement existing Intrusion Detection Systems (IDSs).

1. Introduction

Computer security is one of the areas in computer technology which have attracted much interest from many security professionals and “lay” persons. This field was necessitated by previously known and newly developing techniques which afford attackers the means to launch sophisticated attacks, giving them access to resources on networks and compromising those networks in the process. Notable among such established techniques are distributed denial of service (DDOS) attacks, man-in-the-middle (MITM) spoofing attacks, and session hijacking [1]. With man-in-the-middle spoofing attacks, the focus of this research, a third party—the attacker in this case—basically inserts himself between two parties or devices in stealth mode in such a way that all packets between those two legitimate parties are routed through him. This is quite malicious because the attacker can then alter the information in the packets, potentially sending falsified data to either party [2].

Regarding categorization, MANETs could be seen as VANETs, internet-based mobile ad hoc networks (MANETs), or military-based MANETs. These broad categorizations imply that MANETs have comprehensive operational capabilities. However, it is their diversity that makes such networks very susceptible to the aforementioned attacks [3–5]. It is interesting to note that attacks are not just limited to particular devices. Mobile-targeted attacks can be performed against small to very high targets and across multiple platforms [6, 7]. Even the various attacks could be broken down based on which software application they have been tuned to violate. The man-in-the-middle attack, for instance, has a slight variant called the man-in-the-browser attack which is specific to browser-based applications and services [8]. It is aimed at intercepting communications between several clients on browser platforms. Numerous variants of session hijack attacks and buffer overflow attacks exist, with such attacks, unlike in the past, being automatable via software tools. Wireshark, Nmap, and Tcpdump are among the variety of tools available to today’s hackers, and these have even given rise to a new breed of hackers called click-kiddies who, in comparison to the earlier breed of hackers, have relatively little or no programming experience [9]. These are also capable of initiating sophisticated attacks against prime targets. With the sharp growth in the processing power of hardware, as well as the exponential development of software tools and programming languages, the amount of power available to a single user in a cyber-network has never been more significant than in today’s world. It is therefore no surprise that numerous initiatives and investments are being made to protect wired and wireless networks from prying eyes. History shows that technological development has for centuries been military driven. It is therefore ironic to see the military turn to civilian experts in cyber defense [9]. Technological development represents possibly the one single area where civilians can compete on a par with the military; thus, it has over the last couple of years offered numerous challenges to both worlds.

Machine learning algorithms such as support vector machines, neural networks, and others hold promise for learning the complex behavioural patterns needed for cyber defense. Artificial neural networks (ANN) modelled after the human brain functionalities have great potential. In recent times, interest has been rekindled in ANN due to new knowledge garnered from psychology and human behaviour. This has led to new frontiers and possibilities in deep learning (a set of machine learning algorithms targeted at modelling high-level abstractions) [10, 11]. It is against this backdrop that this research has been carried out to use ANN techniques to solve the problem of the man-in-the-middle attack.

This paper is organized into sections. Section 2 gives an overview of some existing works that have already been carried out on MANET security. The problem statement and its formulation are presented in Section 3. Captured under Section 4 is the detection model design and development with its flowcharts. Section 5 presents the model implementation and testing done on the developed modules and their integration. Results and discussions on the experimental setup and simulations are in Section 6. Finally, Section 7 presents the conclusions that were arrived at as well as recommendations for future work.

2. Related Works

The central problem inherent in the operation of MANETs is the difficulty in detecting and counteracting man-in-the-middle spoofing attacks. These networks are quite unsecured since they offer opportunities by which hackers can get and exploit resources on them [12–15]. This has spawned several researches into maintaining their security, some of which have been indicated in the previous section. This work introduces neural network techniques for detecting fraudulent nodes involved in man-in-the-middle spoofing attacks, which constitute one of the most challenging types to detect and prevent.

There have been many works in the field of network security each adopting unique techniques to accomplish its purpose. There have been works such as “Secure data protocol for distributed wireless sensor” [16], “Networks, secure program execution in wireless sensor networks,” and “Intrusion detection model in MANETs using ANNs and ANFIS” [11]. These highlight the broad spectrum of researches carried out and ongoing, from intrusion detection to tracing and prevention, cryptography, and network monitoring. It is against the background of such good works that this research sought alternative and improved techniques by adopting neural networks to investigate and solve problems relating to man-in-the-middle spoofing attacks on and across MANETs. Such methods offer more flexible advantages which enable detection and manual prevention of such attacks, as well as functionalities that will allow administrators and security services to trace and apprehend offenders. It is worth noting that man-in-the-middle attack is one of the most difficult-to-detect kinds of attacks. That is where intelligent techniques such as artificial neural networks come in since they offer the ability for the network to learn and generalize to new scenarios [10, 11].

Detection of attacks in MANETs is a growing field in networks security. Although there have been several approaches at preventing both proactive (attacks initiated without any prior information on the victim’s system) and reactive (attacks initiated based on an initial response of the system under attack to a previous attack or stimulus such as SQL-injections) attacks, as captured in Kurosawa et al. [17] as well as Reidemeister and Böhm [18], none of these papers provides an approach for the possible simulation and remedying of a man-in-the-middle attack on a simulating platform—the NS2 environment. Classification algorithms have been quite widespread in their use of intrusion detection systems but our approach adopted artificial neural networks.

In [19], the authors introduce the concept of a formal validation methodology for MANET routing protocols based on nodes’ self-similarity. The aim was to fill the gap left by simulation or emulation tests without having to perform the probable and feasible, otherwise costly alternative of actual testing. It sought to apply a conformance testing approach neglected in the aforementioned approaches, by using the Dynamic Source Routing Algorithm (DSR). It highlighted the disadvantage of using simulation tests as their inability to completely mimic real-world scenarios. However, the paper also highlighted the problem of formal method-based approaches as being their inability to consider the inherent MANET protocol characteristics. Thus, in this work, a trade-off was made of the latter, adopting a simulation-based approach in the process.

On the authentication schemes that have been investigated, Maag et al. [19] provides insights into various schemes, providing an alternative way of offering authentication called HEAP—an HMAC-based algorithm which utilizes two keys. The target of the new schemes was to prevent popular attacks such as DDoS and man-in-the-middle attacks. Although this approach offered the advantages of lower memory requirement in comparison to other existing schemes such as TESLA and LHAP, with limited CPU and bandwidth overhead, it constrained itself to detecting attacks from outsider nodes.

Insider attack detection was apparently left to the installed IDS. Thus, in a scenario where an IDS was not installed, such attacks could go undetected. The approach taken during this research did not have that constraint, having been envisaged to detect attacks from both outsiders and insiders.

There are several attacks possible on MANETs as enumerated in [3, 20] with their corresponding techniques of defending beside them. The issue of performance was specifically touched upon in this work for both MANETs with Internet access—the greatest source of most network-based attacks in today’s world and for standalone MANETs. Suggestions were made at the end for the use of a framework that utilizes minimal public key cryptography interaction to offer security. The conclusion was that an overelaborate use of such key infrastructure overloaded the network and reduced performance. That also informed our use of artificial neural networks with learning capabilities and good generalizability.

Abdalla et al. [21] showed the possibilities associated with a trio-ID message-based approach to perform attack detection and node isolation. The major advantage that this approach offered was the shift in the attack detection responsibility from all the interacting nodes to just the source node. A cumulative effect could be a conservation of network power from the reduction in computation requirements. However, the main disadvantage noted was that smaller attacks running for comparatively shorter time spans could go undetected. Such attacks needed to be run for a longer time to trigger the level of detectability that is so obvious in larger attacks. That is where a trained neural network has the envisaged advantage of being able to notice minute changes after training and retraining. The published literature that presented a detection and prevention approach is in [4, 17, 22, 23]. It differs from [21] not only in the approach used but also in the attack type which was considered. While Abdalla et al. [21] focused on packet dropping nodes, Chen et al. [22] was more interested in IP-spoofed initiated DDoS attacks, picking as its chosen method a technique that essentially “coloured” the path a packet traverses, to enable easier tracking of a promiscuous source for elimination from the network. Presenting an advantage of a lower deployment cost as opposed to other packet marking schemes, it helped eliminate illegitimate nodes by marking legitimate ones, a different approach to the Packet Identification (PI) mechanism it sought to compete against. It offered a 70% acceptance ratio realization when there were only 20% of routers participating in the scheme. That was far better than the 60% acceptance ratio offered by PI, achieved with all routers participating. The parameters used in developing the newer technique presented in the paper were determined through heuristics. That is informative in presenting the possibility of adopting such an approach during the feature extraction and machine learning phase of any research for detecting spoofing attacks.

There were many possibilities for network attack creation, namely, (1) a real attack (which would have been resource utilization-intensive and quite expensive in its execution) and (2) a simulated attack via the use of an emulator or performing a computer simulation. After reviewing the results given in [24], it was realized that a simulation-based approach was more appropriate due to the costs involved. This paper offered insightful thoughts and advice on how to perform black hole attacks using the NS2 simulation software. By making use of the RREQ, RREP packets, it could mimic scenarios of a black hole attack. Analysis of the analogies made was helpful in arriving at a similar but considerably different approach towards simulating a MITM attack on an NS2 platform. Instead of dropping packets as given in [24], it was chosen to induce a slight delay, as was hypothesized by this research to be expected in an MITM attack. Several factors had to be considered before coming up with a classification algorithm.

Almost every approach used in attack detection has the probable drawback of pulling in some false positives as attacks. That was highlighted by Mitrokotsa and Dimitrakakis [23]. With a comparative analysis of cost-sensitive classification being done, tuning of hyperparameters was essential as the experimental protocol for the goals of checking the influence of altered cross-validation methods on classification algorithms. The comparative analysis investigated how weighted classification schemes contributed to classification accuracy improvements. This paper offered a conclusion that since several algorithms have security considerations as a focus, it is better to err on the side of caution rather than to “clean up the mess later.” The key idea put forward in several prior published research works, which this work affirms and adopts, was that the cost incurred by flagging a false positive was far less in comparison to the damage that would result from an unnoticed attack. Thus, the installation of IDSs does not necessarily imply insulation from all attacks, but rather a minimization of the possibility of an attack, or at least, a reduction in the probability of an attack not being reported. This paper aimed to minimize the number of false positives while increasing the number of detected attacks using neural networks. Overall, there is a lot of literature on MANET attacks but very little of it specifically addresses the problem of man-in-the-middle attacks [4, 11, 15, 25, 26]. This study aims at remedying this situation. Thus, this research specifically focuses on (1) detecting such attacks and correcting first instance cases (MITM attacks scenarios not noticed before) through learning and (2) using the learned experience garnered to prevent future occurrences of such attacks, thereby reducing the cost incurred from unreported attacks or delayed ones. Having surveyed the existing literature and the tremendous effort put into maintaining security on MANETs, this work sought to build upon the foundations already laid. Hence, the research involved the introduction of neural network techniques and IP/MAC address mapping techniques to detect fraudulent nodes. The study focuses on the man-in-the-middle attack mode with the aim of crafting a viable software model for detecting, recovering from, and preventing future attacks as illustrated in the thesis located in the URL given in [27]. The system monitored the network for detecting and isolating promiscuous nodes and assessing malicious nodes involved in spoofing attacks. Finally, based on the information acquired from observed scenarios, the system could adapt the network to counteract or curtail future exploits.

3. Problem Statement

A man-in-the-middle attack is a computer-based attack in which some third-party masquerades as either party in a two-way communication scenario, to trick one party into thinking that he/she is talking to the other. Under such circumstances, an attacker can eavesdrop on the communications between the two unsuspecting parties to glean information. Such attacks are possible across both wired and wireless infrastructure, with the latter being more susceptible. That is due to the relatively more loosely-defined restrictions on wireless networks. As such, MITM attacks are potent techniques for compromising wireless networks, of which MANETs form a part.

MANETs use two main routing protocols, namely, (1) Ad-Hoc-On-Demand Distance Vectoring (AODV) and (2) Dynamic Source Routing (DSR). There have been several related works to address security in MANETs which have been discussed in Section 2 of this paper. The realization, however, is that there exists no viable dynamic technique for addressing MITM attacks on MANETs using, particularly, the AODV protocol. There exist some static methods, as discussed in Section 2; however, an adaptable method is necessary to address the ever-growing threats posed by new and emerging stealth attacks. The more versatile the technique, the easier it would be to handle unanticipated attack vectors. Artificial neural networks (ANNs), due to their learning and generalizable qualities and owing to their ability to discover information from unintelligible data and infer new information, are more suited to handle such tasks. Therefore, the problem of detecting MITM attacks across MANETs running on the AODV protocol was handled using ANN.

4. MITM Detection Model Design and Development

A 5-node architectural network presented in Figure 1 was modelled for the network attack detection system. In the network, one dedicated node N5 was used as the administrator which monitors the MANET for malicious nodes, dislodges them, and reconfigures the network. The NS2 (from ns-allinone-2.35.tar.gz package) simulator together with the NAM animator were used for the model development [28]. The programming languages Perl, C/C++, and Java were used with the combination of scripts and executable codes on Linux Ubuntu 13.10 operating system. For the ANN and other machine learning algorithms, the WEKA machine learning software package and its API provided the essential resources [29].

Figure 1: General system architecture of the new working system. (Diagram of five AODV-enabled nodes, N1 to N5, one of them with the ANN detector.)

Conceptually, the Java application can be made to read logged data from any layer of the TCP-IP protocol stack. The features extracted from the logged details can then be used to train the ANN for attack detection. Software vendors or system administrators wishing to use such a code could, as depicted in Figure 2, configure it for single layer logging or multilayer (cross-layer) feature extraction for ANN training. The flowchart in Figure 3 was initially envisaged with an IDS component being attached to the system to generate log files and help in intrusion detection. The final flowchart was arrived at after the realization that the installation of an IDS could result in extra resource (power and processing time) consumption and that the ultimate neural network system shown in Figure 4 was adequate in detecting and preventing intruding nodes. The model for implementation includes (1) data generation and network modeling, (2) attack formulation, (3) feature extraction, (4) detection system, (5) prevention system and recovery, and (6) testing and results with performance metrics.

Figure 2: Conceptualization and design. (Diagram labels: application layer (NS2 Tcl/OTcl, Perl reconfiguration script); transport layer; internet layer: mitmaodv (C++ code), AODV protocol altered to mimic MITM attack; data-link layer; physical layer; attack simulation in NS2 plus ANN-based cross-layer network solution in Java; Java implementation neural network (MitmProtectorWithWeka).)

Figure 3: Flowchart diagram of design. (Box labels: start; intrusion detection; intrusion type: internal; continue normal operation; evaluate at IDS; evaluate using ANN; tolerable; cut off offending node; limit offending node’s bandwidth; reconfigure the network; stop.)

Figure 4: Final condensed flowchart design for implementation. (Stages: L1: attack simulation; L2: attack detection; L3: attack recovery.)

To implement a system that could perform attacks which could also be monitored for malicious traffic detection and recovery, the methodology was broken down into three steps as depicted in Figure 4 above. L1 represented the stage at which attack simulation and regular network traffic communication were carried out. At L2, attack detection was commenced and the last stage L3 catered for attack recovery and reconfiguration.

5. Detection Model Implementation and Testing

5.1. L1: Attack Simulation Implementation. To implement the attack simulations, the attack model as presented in Figures 1 and 3 was first implemented by creating the AODV_MITM protocol using existing AODV protocol. The AODV_MITM protocol was created by adapting the existing AODV protocol. This was to enable the system to send out attack-type packets during the simulation stage.

To customize the protocol as desired, we altered versions of all aodv files located in the ns-2.35 directory as depicted in Figure 5.

Figure 5: Revised directory structure of ns-allinone-2.35 package. (Entries shown: bin, tk8.5.10, otcl-1.14, tclcl-1.20, ns-2.35, Nam-1.15; C++ source codes; Otcl code; tcl, with lib and tests; Indep-utils; mitmaodv, the altered aodv code.)

Figure 5 gives a revised representation of the ns-allinone-2.35 directory structure with all the salient portions relevant for development and simulations. All the codes relevant for the simulations to be carried out are placed there. The tcl folder which has subdirectories such as lib and tests contains most of the Otcl source code necessary for simulations to be carried out. All additional alterations on all customized C++ codes and projects can be put directly in the ns-2.35 folder. That was where the customized version of the aodv protocol, mitmaodv, installed as part of the simulator, was placed. It was used in the simulation of the man-in-the-middle attack. The files from the original protocol were renamed. The component diagram for the developed aodvmitm package is illustrated in Figure 6 below. Apart from the aodv_packet.h file, every other file name in that directory was appended with the “mitm” string. That was done to ensure that packets could be exchanged between nodes using the native “aodv” protocol and the new customized variant “aodvmitm.”

Figure 6: Component diagram for aodvmitm package. (Components shown, linked by {include} relations: aodv_packetmitm.h, aodv_logsmitm.cc, aodv_rtablemitm.h, aodv_rtablemitm.cc, aodv_rqueuenit.cc, aodv_rqueumitm.h, aodvmitm.h, aodvmitm.cc.)

All classes and structures were renamed in the new protocol’s implementation except the ones in the aodv_packet.h file [19]. Apart from the addition of the new routing protocol as per requirement, other additions were made in the ns-packet.tcl file located in the “ns-2.35/tcl/lib” subdirectory. This file is necessary for packet format initialization anytime a simulation is started. Thus, any new packet created needs to be registered in this file as shown in Code Listing 1. Additionally, several lines in sample Code Listing 2 as well as Code Listing 3 were added to the ns-lib.tcl file. This file contains the list of classes and functions that directly mirrors the implementation of classes and function in C++ for NS2’s Otcl/C++ linkage.

    set protolist {
        # ... existing protocol entries of ns-packet.tcl ...
        # PNB: added by me for protoname
        AODV_MITM   # for implementing man in the middle attack using the AODV protocol
    }
    set allhdrs [regsub -all {#.*?\n} $protolist \n]; # strip comments from above
    foreach prot $allhdrs {
        add-packet-header $prot
    }

Code Listing 1: Packet registration in ns-packet.tcl.

    AODV_MITM {
        # PNB: a hack to satisfy the procedure node's call to man-in-the-middle
        # attack on using modified aodv protocol
        set ragent [$self create-aodvmitm-agent $node]
    }
    DSDV {
        set ragent [$self create-dsdv-agent $node]
    }
    DSR {
        $self at 0.0 "$node start-dsr"
    }

Code Listing 2: Additions to ns-lib.tcl file.

    # PNB: function definition for this function's call on line 626
    Simulator instproc create-aodvmitm-agent {node} {
        # Create Aodvmitm routing agent
        set ragent [new Agent/AODV_MITM [$node node-addr]]
        $self at 0.0 "$ragent start"
        $node set ragent_ $ragent
        return $ragent
    }

Code Listing 3: Additions to ns-lib.tcl files.

5.1.1. OTCL: Parameters for Configuration. Tcl and Otcl codes were written to carry out the simulations. The node movement was set using the “setdest” script, which had as initial parameters the values presented in the first column of Table 1 captured in the “mitm_attack.tcl” and “mitm_attack_reduced.tcl” files. Each simulation is done as in Figure 7, with the attacking node being the red node and the genuine nodes as those in black. The simulation was done using a minimum of 6 nodes and a maximum of 20 nodes and varied in-between during the stress testing phase.

Table 1: Parameters used in both “Setdest” and “Cbrgen” generated files.

| “Setdest” generated parameters for simulation | “Cbrgen” generated parameters for simulation |
| --- | --- |
| Number of nodes (n): 7 to 20 | Type (type): cbr |
| Pause time (p): 1 | Number of nodes (nn): 7 to 20 |
| Maximum speed (M): 20 | Seed (seed): 2.0 |
| Simulation time (t): 500 | Maximum connection (mc): 9 |
| Max X (x): 750 | Rate (rate): 10.0 |
| Max Y (y): 750 | |

Figure 7: Simulation attack with 14 genuine nodes and 1 malicious node.

5.2. L2: Attack Detection System. To present a viable approach for attack detection during the second stage of the system’s working, the data generated from the attack simulation phase were analyzed using the “wrapper method.” The results from this analysis phase were then decomposed into the “dataCleanerBetter.pl” Perl script that was used in the feature extraction stage of attack detection and classification.

5.2.1. Feature Extraction and Machine Learning (Wrapper Method). There are two popular methods used in feature selection, namely, (1) the filter method (more suited for data mining) and (2) the wrapper method (more suited for machine learning). Using the WEKA software tool, it was observed that the wrapper method was the best, because the starting number of features—twenty-six (26) in total—which were extracted by the Perl script “dataCleanerBetter.pl” was relatively small. Primarily, the problem at that stage was a machine learning problem as opposed to a data mining problem. So, the wrapper method helped to identify the features that could offer better classification accuracy.

Conceptually, the wrapper method creates all possible subsets from the feature vector and then uses a classification algorithm to induce classifiers from each feature in each subset. It would give the set of features in which the classification algorithm (multilayer perceptron in this case) performs the best. The search technique adopted by the evaluator (ClassifierSubsetEval was chosen) in its quest to find the best classifier could be a depth-first search, a breadth-first search, a random search, or a hybrid search. The BestFirst search method was used in this case. However, before using the multilayer perceptron, features that by inspection added no new information (remained constant in the values they presented) were eliminated. They were Pn, Po, Nz, Nw, Ne, Nl, Ma, Md, Ms, and If. The pruned vector of features contained Hs, Hd, Id, Ii, Il, ls, lt, lv, Mt, Ni, Nx, Ny, Pf, Pi, t, and PM, with It as the classification feature.

To ensure further certainty as to which features contributed the most information, even before the selection of the classification algorithm, clustering was done using the simple K-means algorithm. To facilitate the necessary stages of clustering and subsequent classification, the Perl scripts were used to extract the essential features, as well as preprocess the files obtained from the feature extraction phase for possible presentation to the MitmProtectorWithWeka Java program—the software solution meant for attack detection.

5.3. L3: Attack Recovery System. Having identified the necessary features for possible attack detection, the information obtained was used to develop a Java software tool named “MitmProtectorWithWeka.” That was an ANN tool that uses the identified features to check log files of network simulations, blacklists the attacking nodes based on the information from the ANN classification, and then reconfigures the network while eliminating the offending nodes. The most common structure for multilayer perceptron neural networks has three layers with full interconnections. The input layer nodes are passive, relaying information from their single inputs to their multiple connections in the hidden layer. In effect, the hidden layer and the output layer are active, modifying the signal flows to generate corresponding outputs. The action of this neural network is determined by the weights applied in the hidden and output nodes. The initial ANN model generated during simulation is depicted in Figure 8 with its learning rate of 0.3 and momentum of 0.2 and running different epochs. The multilayer perceptron model with the above parameters was used in the experiments using NS2 simulator with the Network Animator (NAM). The main programming languages used for the implementation were Perl, C/C++, and Java with the combination of all the different scripts and executable codes being done via shell scripts. The Linux Ubuntu 13.10 operating system served as the platform of choice for all the coding and simulations. The Java implementation of the final software solution—MitmProtectorWithWeka.jar—makes use of the WEKA API (Application Programming Interface). It automatically selects the correct features and runs the trained software against any user-configured attack detection log file. It is from this log file that it generates a possible blacklist, for automatic attack detection and system reconfiguration.

Figure 8: Initial ANN model generation for classification.

To evaluate the performance of the system, the following performance metrics for machine learning algorithms were used, namely,

$$
\begin{aligned}
\text{recall} &= \frac{TP}{TP + FN},\\
\text{precision} &= \frac{TP}{TP + FP},\\
\text{accuracy} &= \frac{TP + TN}{TP + TN + FP + FN},\\
F\text{-measure} &= 2 \times \frac{\text{precision} \times \text{recall}}{\text{precision} + \text{recall}},
\end{aligned}
\tag{1}
$$

where TP = true positives: number of examples predicted positive that are actually positive; FP = false positives: number of examples predicted positive that are actually negative; TN = true negatives: number of examples predicted negative that are actually negative; and FN = false negatives: number of examples predicted negative that are actually positive.

The results presented per node for the multilayered perceptron-based classification algorithm for the classes under consideration: cbr, AODV, and AODV_MITM in the various instances have a very high true positive rate (TP) and a very low false positive rate (FP).

This shows that the system (software) performs well when used in time signature fingerprinting of packets from attacking nodes. It can viably distinguish between genuine and malicious sourced packets. Stress testing for multiple nodes shows appreciably high percentages per node for correctly classified instances, with relatively lower incorrectly classified instances. The mean absolute error as well as root-mean-square (RMS) errors are quite low, each increasing gradually as node number increases. That means the system performs better for lower node numbers, and its performance declines ever slightly with an increase in the number of nodes. That provided some great insight into future research.

6. Results and Discussion

Figures 9 to 20 each plot the percentage detection by model (y-axis) against the number of nodes generating the test set (x-axis, 6 to 20); each panel is titled with the number of nodes the model was generated from.

Figure 9: Simulation results for 7 nodes.
Figure 10: Simulation results for 11 nodes.
Figure 11: Simulation results for 8 nodes.
Figure 12: Simulation results of 12 nodes.
Figure 13: Simulation results for 9 nodes.
Figure 14: Simulation results for 10 nodes.
Figure 15: Simulation results for 13 nodes.
Figure 16: Simulation results for 14 nodes.
Figure 17: Simulation results for 15 nodes.
Figure 18: Simulation results for 16 nodes.
Figure 19: Simulation results for 17 nodes.
Figure 20: Simulation results for 18 nodes.

Figures 8–21 present the plot of correctly classified instances for each model generated. The models for detecting attacks were created with node numbers six (6) to twenty (20), and the results are presented in the figures above. Additionally, it is observed that there is a sharp drop in the percentage of correctly classified instances when the dataset presented to the model for testing originated from using sixteen (16) participatory nodes in the network. This is because the highest number of discarded/unknown instances occurred for the results with 16 nodes during the preprocessing phase. The portion of the plot revealing relatively high percentages of detection is because it had a far lesser number of unknown instances.

Therefore, it can be concluded that regardless of the number of nodes used to generate the detection model, detection is still influenced by the number of unknown instances.
A reduction in this figure results in a significant and corresponding increase in detection rates.

Figure 21: Simulation results for 19 nodes. (Panel titled "Model from 19 nodes"; percentage detection by model against the number of nodes generating the test set.)

7. Conclusion and Future Extension

The computational times for the simulation for the different nodes are given in Table 2. From the results presented in Tables 2 and 3 and Figures 8–20, it can be observed that the model generated for the classification performs admirably well, having been tested for different node numbers, each recording very high percentages for correctly classified instances, at reasonable root-mean-square error (RMS) values. The implication is that such an approach could be used by system administrators and security experts to time signature fingerprint popular software used by attackers by using these fingerprints to train the ANN and then detect attacks in the process. Thus, applying ANN in time signature fingerprinting of MITM attacks is efficient and effective for detection, classification, and control of attacks. Future research could involve more of the unknown instances, which had to be discarded from the model recorded in attack decision making. One of the difficulties that were noticed during the training phase of the ANN algorithm was the number of instances that were not used because they were not distinguishable. The results provided based on simulation ignored the instances that do not contribute to the overall detection of attacks. Table 2 results give an insight into the computational times realized for some models used in the detection and reconfiguration of the network after attack detection.

Table 2

| Number of nodes | Total number of instances | Number of ignored class unknown instances | Correctly classified instances | Computational time (s) |
|---|---|---|---|---|
| 7 | 29971 | 15609 | 12730 (88.6367%) | 0.02 |
| 8 | 29971 | 14492 | 14021 (90.5808%) | 0.00 |
| 9 | 29971 | 9759 | 17494 (86.5525%) | 0.00 |
| 10 | 29971 | 14033 | 14029 (88.0223%) | 0.02 |
| 11 | 29971 | 15826 | 12884 (91.0852%) | 0.02 |
| 12 | 29971 | 14488 | 14469 (93.4509%) | 0.02 |
| 13 | 29971 | 15992 | 11684 (83.5825%) | 0.05 |
| 14 | 29971 | 15875 | 12606 (89.4296%) | 0.05 |
| 18 | 29971 | 15407 | 11582 (79.5249%) | 0.01 |

Table 3: Confusion matrices of different numbers of node configuration scenarios for stress testing with computational times.

| Scenario | TP rate | FP rate | Precision | Recall | F-measure | ROC area | Class |
|---|---|---|---|---|---|---|---|
| 17 nodes | 1 | 0 | 1 | 1 | 1 | 1 | Cbr |
| 17 nodes | 0.62 | 0 | 1 | 0.62 | 0.77 | 0.78 | AODV |
| 17 nodes | 0 | 0.05 | 0 | 0 | 0 | — | AODV_MITM |
| 17 nodes | 0.95 | 0 | 1 | 0.95 | 0.97 | 0.971 | Weighted average |
| 18 nodes | 1 | 0 | 1 | 1 | 1 | 1 | Cbr |
| 18 nodes | 0.62 | 0 | 1 | 0.615 | 0.76 | 0.781 | AODV |
| 18 nodes | 0 | 0.079 | 0 | 0 | 0 | — | AODV_MITM |
| 19 nodes | 1 | 0 | 1 | 1 | 1 | 0.999 | Cbr |
| 19 nodes | 0.547 | 0 | 1 | 0.547 | 0.707 | 0.748 | AODV |
| 19 nodes | 0 | 0.148 | 0 | 0 | 0 | — | AODV_MITM |
| 19 nodes | 0.852 | 0 | 1 | 0.852 | 0.904 | 0.916 | Weighted average |
| 20 nodes | 1 | 0 | 1 | 1 | 1 | 1 | Cbr |
| 20 nodes | 0.658 | 0 | 1 | 0.658 | 0.794 | 0.794 | AODV |
| 20 nodes | 0 | 0.039 | 0 | 0 | 0 | — | AODV_MITM |
| 20 nodes | 0.961 | 0 | 1 | 0.961 | 0.977 | 0.98 | Weighted average |

Efforts to improve the detection rate of any future model should focus on getting higher true positive rates out of the confusion matrix for AODV_MITM packets, since this would suggest a better detection rate for attacks. One of the possible ways could be to increase the time lapse for packet time transmission between promiscuous nodes which send out AODV_MITM packets.

The original work could also be extended to include popular commercial or open-source spyware for performing MITM attacks. Time signature fingerprinting them and adding their learned time signature fingerprints could be vital for security researchers in the detection and prevention of future attacks. Research plans are in place to compare the results to other well-established systems in the MANET security ecosystem for attack detection and prevention since, at the time of the writing of this paper, there was no known similar standardized testing method offered by a simulated environment, suggesting a possible way for results replication.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Disclosure

Portions of this paper were presented at the GIC 2017 meeting. The work was based on the thesis by the authors.

Conflicts of Interest

The received funding did not lead to any conflicts of interest regarding the publication of this manuscript.

Acknowledgments

The authors of this paper wish to acknowledge the Carnegie Corporation of New York through the University of Ghana, under the UG-Carnegie Next Generation of Academics in Africa project for financially supporting this research work. The help has been immeasurable in the realization of this research.
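Equation (1) applied one-vs-rest to a three-class confusion matrix, which yields the per-class rows and the weighted average in the layout of Table 3. This is an added example, not code from the paper or from MitmProtectorWithWeka; the counts are constructed rather than the paper's data, and reporting an undefined ratio (zero denominator) as 0 is an assumption of this example.

```python
CLASSES = ["cbr", "AODV", "AODV_MITM"]  # class labels used in the paper

# Constructed counts, NOT the paper's data.
# Rows = actual class, columns = predicted class, both in CLASSES order.
CONSTRUCTED_MATRIX = [
    [900, 0, 0],   # actual cbr
    [0, 62, 38],   # actual AODV: 38 packets predicted as AODV_MITM
    [0, 0, 0],     # actual AODV_MITM: no instances in this test set
]


def safe_ratio(num, den):
    """num/den, or 0.0 when the denominator is zero (assumption of this example)."""
    return num / den if den else 0.0


def per_class_metrics(matrix, classes):
    """Apply Equation (1) to each class, treating it as positive and the rest as negative."""
    total = sum(sum(row) for row in matrix)
    metrics = {}
    for i, name in enumerate(classes):
        tp = matrix[i][i]
        fn = sum(matrix[i]) - tp                 # actual i, predicted something else
        fp = sum(row[i] for row in matrix) - tp  # predicted i, actually something else
        tn = total - tp - fn - fp
        recall = safe_ratio(tp, tp + fn)
        precision = safe_ratio(tp, tp + fp)
        metrics[name] = {
            "support": tp + fn,                  # number of actual instances
            "tp_rate": recall,
            "fp_rate": safe_ratio(fp, fp + tn),
            "precision": precision,
            "recall": recall,
            "f_measure": safe_ratio(2 * precision * recall, precision + recall),
        }
    return metrics


def accuracy(matrix):
    """Correctly classified instances over all instances."""
    total = sum(sum(row) for row in matrix)
    return safe_ratio(sum(matrix[i][i] for i in range(len(matrix))), total)


def weighted_average(metrics, key):
    """Average of one metric over classes, weighted by each class's support."""
    total = sum(m["support"] for m in metrics.values())
    return safe_ratio(sum(m[key] * m["support"] for m in metrics.values()), total)


if __name__ == "__main__":
    result = per_class_metrics(CONSTRUCTED_MATRIX, CLASSES)
    for name, row in result.items():
        print(name, {k: round(v, 3) for k, v in row.items()})
    print("accuracy", accuracy(CONSTRUCTED_MATRIX))
    print("weighted recall", weighted_average(result, "recall"))
```

A class with zero support contributes nothing to the support-weighted average, so the attack class is better judged from its own row than from the weighted line.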
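One way to implement the blacklisting and reconfiguration step of Section 5.3, as an added example that is not the MitmProtectorWithWeka code. The record layout (source node, predicted class), the neighbour table, and the thresholds `min_packets` and `min_attack_share` are assumptions made for illustration, and all inputs are constructed.

```python
from collections import Counter, deque

ATTACK_CLASS = "AODV_MITM"  # class label used in the paper

# Constructed classifier output, one (source_node, predicted_class) per packet.
# This record layout is an assumption, not the paper's log format.
CONSTRUCTED_PREDICTIONS = (
    [(3, "AODV")] * 40 + [(3, ATTACK_CLASS)] * 2    # genuine node, two false alarms
    + [(7, ATTACK_CLASS)] * 30 + [(7, "AODV")] * 5  # node classified mostly as MITM
    + [(9, ATTACK_CLASS)] * 3                       # too few packets to judge
    + [(1, "cbr")] * 50
)

# Constructed neighbour table: node -> set of directly reachable nodes.
CONSTRUCTED_NEIGHBOURS = {1: {3, 7}, 3: {1, 7, 9}, 7: {1, 3, 9}, 9: {3, 7}}


def build_blacklist(predictions, min_packets=10, min_attack_share=0.5):
    """Blacklist nodes whose share of attack-classified packets is high enough.

    Both thresholds are hypothetical; they keep isolated false positives
    from evicting a genuine node.
    """
    totals, flagged = Counter(), Counter()
    for node, label in predictions:
        totals[node] += 1
        if label == ATTACK_CLASS:
            flagged[node] += 1
    return {
        node for node, count in totals.items()
        if count >= min_packets and flagged[node] / count >= min_attack_share
    }


def reconfigure(neighbours, blacklist):
    """Return a neighbour table with blacklisted nodes and links to them removed."""
    return {
        node: peers - blacklist
        for node, peers in neighbours.items()
        if node not in blacklist
    }


def unreachable_from(neighbours, start):
    """Nodes that cannot be reached from `start` (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        for peer in neighbours.get(queue.popleft(), ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return set(neighbours) - seen


if __name__ == "__main__":
    blacklist = build_blacklist(CONSTRUCTED_PREDICTIONS)
    topology = reconfigure(CONSTRUCTED_NEIGHBOURS, blacklist)
    print("blacklist:", blacklist)
    print("topology:", topology)
    print("cut off from node 1:", unreachable_from(topology, 1))
```

Running the reachability check after each eviction shows whether removing a node has partitioned the remaining network, which matters when a false positive would cut off genuine nodes.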