Ad hoc network  is a decentralized network type that distributed nodes communicate with each other without any pre-existing infrastructure. A great number of ad hoc applications have been proposed and investigated for many years, e.g., mobile ad hoc network (MANET) and vehicular ad hoc network (VANET). Through wireless medium, ad hoc nodes are movable, self-configured, selforganized, and are arbitrary to leave or join network. However, the non-infrastructure network architecture gives rise to critical security problems such as black hole, wormhole, flooding, and Sybil attacks. The detection of malicious attacks in ad hoc networks is vital and challenging .
A black hole attack means that one or multiple malicious nodes violate routing rules and drop all received packets. Malicious nodes are able to achieve their misbehaviors through many ways. It is often seen black hole attacks in MANETs . An example of black hole node with forged route reply (RREP) packet is shown as Fig. 1. The source node is node 1 and the node 6 is destination node. The node 3 is a malicious node that sends forged RREP packets. In the example, the source node sends route request (RREQ) to its neighbors as well as the node 2 and node 4 for establishing a path towards destination. The node 4 forwards the RREQ packet to node 5 then the node 5 forwards it to the destination node. After that, node 6 replies RREP packet and states that it is the destination node. However, on the other path, node 2 forwards the RREQ packet to node 3. In general, node 3 should forward the RREQ packet to node 6 for the establishment of routing path but it is a black hole node. The malicious node as well as node 3 sends forged RREP packet and claims that it has the shortest path to destination. Moreover, the node 3 drops the received RREQ packet sent by node 2 and does not forward it to destination. Network operation breaks down under the incorrect routing due to the malicious node 3. As a result, the network suffers from unsatisfying packet delivery ratio (PDR) caused by the attack from the black hole node.
A black hole attack based on forged route reply packet.
Although we had surveyed black hole attacks in MANETs and had published a survey paper  in 2011, a vast number of papers on black hole attacks detection and prevention have been published from 2012 to nowadays. In the paper, schemes for detecting and preventing black hole and other attacks in MANETs are studied. Note that we only survey the papers have been published in recent five years. We classify black hole attacks into non-cooperative and collaborative black hole attacks according to the attack behavior. The taxonomy of references in this survey is listed in Table 1.
Taxonomy of references in this survey
The rest of the paper, as the roadmap depicted in 0 shows, is organized as follows. In Section 2, routing protocols in MANET are classified and introduced, i.e., reactive, proactive, and hybrid routing protocols. Section 3 surveys existing literature on non-cooperative black hole attack detection and prevention. Section 4 surveys existing literature on collaborative black hole attack detection and prevention. Section 5 discusses other attacks in MANETs, e.g., intrusion, wormhole, flooding, and Sybil attacks. Section 6 discusses open issues of black hole attacks and the future trends. Finally, Section 7 concludes this survey.
2. Routing Protocols
Before studying attacks in MANET, routing protocols  should be introduced. We classify routing protocols in MANET into three types according to their routing operation, i.e., proactive, reactive, and hybrid routing protocols.
The reactive routing protocol is also known as the on-demand routing protocol. Two most wellknown reactive routing protocols are the ad hoc on-demand distance vector (AODV)  and the dynamic source routing (DSR) . In a reactive routing protocol, mobile nodes update their routing information only when a node expects to transmit its data packets or its previous connection disconnected. Therefore the reactive routing protocol outperforms proactive routing protocol in terms of network throughput and routing overhead. However, the passive routing method leads to higher packet loss ratio with compared to the active routing method of proactive routing protocols. The difference between AODV and DSR is that DSR not only records next hop information but also maintains the route cache in routing table, which is different to the AODV records the next hop information only. According to this survey, we found that most of researchers apply reactive routing protocols such as AODV and DSR to their detection and prevention schemes. This is attributed to the reason that PDR is vital importance to the operation of MANETs.
The proactive routing protocol is also known as the table-driven routing protocol. Two well-known proactive routing protocols are the destination sequenced distance vector (DSDV)  and the optimized link state routing (OLSR)  protocols. In a proactive routing protocol, mobile nodes broadcast routing information periodically that results in higher routing overhead. When network scale increases, the routing overhead raises due to more routing information from more mobile nodes. A node with proactive routing protocol needs to maintain its routing table once network topology changes. The routing table of a node records its neighbor information, such as adjacent nodes and reachable nodes. When a node leaves or joins the network, each node updates its routing table so that black hole detection and prevention can be more instantaneous.
The hybrid routing protocol integrates reactive and proactive routing protocols into a new routing method. Two familiar hybrid routing protocols are the temporally-ordered routing algorithm (TORA)  and the zone routing protocol (ZRP) . A hybrid routing protocol starts with proactive routing method that collects routing information in routing table, and updates routing table with reactive routing method when network topology changes.
3. Non-cooperative Black Hole Attack Detection and Prevention
A non-cooperative black hole attack means that a malicious node forges false information to accomplish its misbehavior without cooperating with other malicious nodes. For example, a malicious node is able to declare it has the shortest path to destination node so that other nodes mistransmit packets to the malicious node. However the malicious node drops these packets as well as a black hole attack and transmits fake routing packets to destroy regular routing operation. The comparison of existing literature on non-cooperative black hole attack in MANET is captured in Table 2.
The detection schemes for non-cooperative black hole attack in MANET
In , the authors proposed an agent-based AODV routing method to detect and prevent black hole attack. The proposed method is simple that only modifies two functions of standard AODV. The first modification is sendReply() function and the other one is recvReply() function. The sendReply() function accommodates flag RREP packets and the recvReply() function is used to detect malicious nodes. If a received packet records that the node is destination and it is not set, the agent judges the node is a malicious node that pretends it is the destination node. Therefore, the agent discards the received RREP packet which is generated by the malicious node, and removes the malicious node from routing path. Another situation if a received packet records that a node is an intermediate hop and has route but its flag is set, the agent judges the node is a malicious node that claims it has the shortest route. Thereby the agent discards the RREP packet and eliminates the node from route. Simulation-based results showed that the proposed agent-based method increases PDR to 99%, minimizes network routing load to 0.01, and improves 10% end-to-end delay in average with compared to the standard AODV routing protocol. However, the proposed agent method detects malicious nodes by examining the flag in sendReply() function. It will be failed when malicious nodes cooperate to forge fake reply packets and false flags.
In , the authors proposed two possible solutions to solve black hole attack. The first one is to find more than one route to destination and the other one is to exploit the packet sequence number in packet header. However, these two solutions were proposed by Al-Shurman et al.  in 2004. They proposed the idea of redundant route method and unique sequence number scheme to identify a malicious node. In the unique sequence number scheme, two values are recorded in two extra tables when any packet is transmitted or received. Based on the comparison of current and updated sequence numbers, malicious nodes can be found easily. On the other hand, the simulation results in  are completely the same with the results in .
In , the authors proposed the opinion AODV (OAODV) to detect malicious node by comparing the number of route request with the number of router reply. Two additional fields are used in the OAODV, i.e., request weight and reply weight. The request weight records the number of RREQ packets forwarded and the reply weight registers the number of RREP packets forwarded. In addition, two control packets are newly proposed, i.e., opinion request (OREQ) and opinion relay (OREP) packets. Source node broadcasts OREQ packets and receives OREP packets from intermediate nodes except destination node, and then calculates the ratio of request weight to reply weight on each path. The malicious node can be discovered if the calculation result as well as the weight ratio is very small. Simulation results showed that the OAODV achieves 78.65% PDR of standard AODV without attacks and yields better PDR than of the AODV protocol under black hole attack. However the OAODV may be failed when the destination node is an attacker. Besides, it may be compromised if several malicious nodes cooperate to send forged OREP packets or to provide false number of OREP packets. Last, the routing overhead might be increased so that should be estimated.
In , the authors proposed a trust based collaborative approach for detecting malicious node under AODV protocol in MANET. In the approach, every node calculates the trust value on its neighbor nodes and monitors the trust value. The trust value is a ratio of dropped packets to forwarded packets so that it ranges 0 to 1. A malicious node is detected when its trust value is lower than the predefined threshold value, i.e., 0.3 as well as 30% forwarded packets are dropped. After that, the node is monitored by its neighbors and marked as a malicious node, thus eliminated from routing path. Simulation-based results showed that the modified AODV protocol keeps 60% to 90% PDR when there are 20 malicious nodes. However, the approach will be failed when neighbor nodes cooperate to forge trust value. Attackers are capable of replying fake RREP to monitoring nodes, thereby the trust-based approach will be compromised. In 2013, Bar et al.  also used trust value to detect black hole attacks. The trust value of an intermediate node is obtained from two values, i.e., threshold value and weight factor. The threshold value (W1) is defined as the number of transmitted packet divided by number of received packet. The weight factor (W2) is defined as the number of transmitted RREP divided by number of received RREQ. After that, the trust value is calculated as Trust value=W1*W2*ptrust. However the authors did not explain what the variable ptrust is and how to obtain it. The authors utilized OMNeT++ to implement the simulation. Results showed that a higher threshold value leads to the lower average packet loss. However the proposed method will be failed if collaborative black hole nodes send fake RREQ and RREP packets. In 2014, Biswas et al.  also proposed a trust model to detect black hole attacks. In the proposed trust model, three parameters of each node are assigned and evaluated, i.e., rank, remaining battery power and stability factor. Experimental results showed that the proposed method yields higher PDR, throughput, and lower packet drop ratio with compared to previous methods. Black hole detection by trust value model has been investigated for many years, the concept of these papers are similar only different from evaluation metrics.
In , the authors proposed an ad-hoc on-demand distance vector with intrusion detection and prevention system (AODV-IDPS) to tackle with black hole attack. The AODV-IDPS module observes black hole attack and analyzes regular network’s behavior. Based on the observation and analysis of routing overhead, average delay, throughput and PDR, the AODV-IDPS module compares the performance of regular network with current performance to execute intrusion detection. The proposed AODV-IDPS module detects black hole attack by analyzing trace files when a node creates network loop. However the proposed module cannot eliminate black hole attacks in real-time because it needs time to analyze and compare network performance from trace files. In other words, the detection and prevention is not simultaneous while a malicious node is launching.
In , the authors proposed a solution to black hole attack, which uses promiscuous mode to intercept and read network packets. In the promiscuous mode, a node can overhear other nodes once it is within the communication range of other nodes, even if the node does not directly communicate with other nodes. For instance, node A sends an RREP packet to node B, at that time, node C switches to promiscuous mode and sends a Hello message to node B through node A. If node A does not forward the reply packet from node B to node C, the node A is regarded as a malicious node. After that, node C floods an alarm message to all nodes in MANET that node A is a black hole and should be isolated from routing path. Simulation results showed that the proposed method performs a similar throughput to the standard AODV without black hole attack. On the other hand, the proposed method only increases 0.04 second in average end-to-end delay with compared to the AODV without black hole attack. However, the concept of promiscuous mode was proposed by Vishnu and Paul  in 2010. In , the restricted IP’s neighbors change to promiscuous mode for monitoring the packets of designate node and suspicious nodes.
In , the authors proposed the ReceiveReply method based on destination sequence number, viz. RREP method. The RREP method examines the difference between the sequence number of source node or intermediate node who has sent RREP packet back or not. The destination sequence number is recorded in the route reply table. Simulation results showed that the proposed method yields higher PDR than AODV protocol but leads to larger end-to-end delay. However, we deem that the concept of using destination sequence number to detect malicious nodes was proposed by  in 2010. On the other hand, the idea of checking sequence number in route reply table was proposed by  in 2007. In , packet’s sequence number and received time are stored in a collected route reply table.
In , the authors utilized genetic algorithm (GA) to develop an intrusion detection system (IDS) for black hole attack in MANET. The proposed GA based IDS analyzes each node’s behavior and detects black hole nodes according to the consideration of network parameters, e.g., packet drop, request forwarding rate and request receive rate. However, GA needs time for evolution that may not be suitable for detecting malicious nodes in MANET because the nodes move frequently and rapidly. In , the authors implemented fuzzy and GA with AODV protocol to prevent black hole attacks in VANET. However, the authors did not explain the implementation of proposed fuzzy and GA in the paper. In addition, the authors did not compare the proposed method with other existing schemes. In , the authors claimed that an improved bacteria foraging optimization algorithm (IBFOA) is proposed to prevent black hole attacks in MANET. The paper presents the enhanced AODV routing protocol  and the concept of bacterial foraging . However the authors did not clarify how to combine the bacterial foraging method with the enhanced AODV. In addition, it cannot be observed that how the proposed method prevent hole attacks in the simulation results.
In , the authors proposed a concept of using ant colony optimization (ACO) system to detect black hole attack. The proposed ACO system is described as follows. Firstly, a start node is selected randomly. The trail of a path represents its selection possibility. A path with higher trail means that the path has higher selection probability. Ants continue selecting path until they reach the starting node. A finished tour in consequence is a solution of optimization. The higher probability of a selecting path will be part of a better solution. The ACO system repeats these steps until most ants select the same tour. However the explanation of the ACO system is unclear. For example, the formulation of pheromone calculation was missed in the paper. Besides, there is no experiment or simulation result.
In , the authors proposed the concept of an adaptive method of detecting black and grey hole attacks. In the paper, the authors claimed that extra control packet is unnecessary. They proposed a collision report mechanism to dynamically modify threshold according to the status of network loading. However the authors did not verify the proposed method with any convincing result.
In , the authors proposed a method of detecting black hole attack based on DSR, viz. DBA-DSR scheme. By sending fake RREQ packets, the DBA-DSR detects black hole nodes before actual routing process. It modifies DSR’s RREP packet to retrieve the address of initiator RREP packet, because normal nodes should not reply the fake RREQ packet. The DBA-DSR identifies malicious nodes by examining the RREP initiator address. Simulation results showed that the DBA-DSR yields higher PDR than that of the DSR with varying node mobility and numbers of malicious nodes. However the network and routing overhead of DBA-DSR might be slightly increased due to extra fake RREQ packets.
In , the authors proposed an IDS to detect abnormal difference in the number of data packets forwarded by a node. In the system, source node divides data into different blocks and separately sends them once a data block. It eliminates network and routing overhead before transmitting actual data packets. Once an attack is detected, the IDS nodes switch to promiscuous mode. When a black or grey hole attack is detected, source node sends query request (QREQ) packets to a nodes where within 2-hop distance and then receives query reply (QREP) packets. If data packet forwarded count does not match, the node sends QREP packet and its next hop node is moved to the suspected list. As a result, malicious nodes can be isolated from other nodes. Results showed that the proposed IDS reduces 64% packet drop ratio but raises 8% control packet overhead with compared to DSR under attack. However the assumptions of the work are too optimistic to be convincible. The authors assume that all nodes are authorized nodes which means that malicious node does not exist at the beginning. On the other hand, they also assume that source node and destination node are trusted nodes by default. In other words, malicious nodes exist in the intermediate nodes from source to destination only. After two years in 2015, Kumar and Dutta  proposed a similar intrusion detection technique to tackle with black hole attacks. The assumptions in  are almost the same with assumptions in . In other words, the assumptions still limit malicious node exists in intermediate nodes only. As a result, the method will be compromised if the source node is an attacker.
In , the authors utilized support vector machine (SVM) to detect black hole attacks under AODV protocol in MANET. The proposed SVM-based method classifies the nature of nodes by three performance metrics, i.e., PDR, packet modification rate and packet misroute rate. These metrics are calculated based on numbers of transmitted, modified and misrouted packets respectively. Results showed that the SVM-based method performs better result than previous method. It is novel to utilize a learning-based method to detect attacks in MANET. However the explanation of proposed SVM is unclear. Besides the simulation results are unclear. It only can be observed that the SVM-based method detects more malicious nodes than previous method but without clear explanation.
In , the authors proposed a mechanism named secure route discovery AODV (SRD-AODV) to prevent black hole attacks. In the SRD-AODV, source node and destination node verifies the sequence numbers in RREQ and RREP packet respectively. The verification of destination sequence number is based on three predefined thresholds, i.e., small, medium and large environments. The calculations of three thresholds are similar to each other only with different constants. The source node will receive two RREP packets once there is a malicious node in network. If the destination sequence number in an RREP packet is greater than the predefined threshold, the RREP packet will be regarded as a fake packet sent by a black hole node. Results showed that the SRD-AODV yields higher PDR 85% at least with compared to standard AODV protocol no matter in small, medium or large environments. However the method might be failed when various attackers cooperate to forge false sequence numbers.
In , the authors proposed a secure dynamic routing protocol (SDRP) to prevent attacks, e.g., modification attack, black hole attack and wormhole attack. The SDRP maintains three secure parts, which are neighbor maintenance, route discovery and route maintenance. It not only generates a secret shared key between source node and destination node but also reduces number of signatures. With secure neighbor maintenance, a signed Hello message is sent to neighbors periodically to ensure no malicious node. With secure route discovery, random number and sequence number are used to guard routing path from source to destination. With secure route maintenance, when a node detects disconnection it sends a router error (RRER) message with signature to the source node. Simulation results showed that the proposed SDRP achieves 90% PDR which is slightly lower than standard AODV. However, the SDRP also results in higher routing overhead and latency with compared to AODV protocol.
In , the authors implemented a watchdog mechanism, viz. watchdog-AODV (W-AODV) to detect black hole node. The W-AODV is implemented in a node that monitors all nodes within its transmission range. If a node is unwilling to forward packets to its neighbors or a forwarded packet is altered by its neighbors, the watchdog recognizes it as a malicious node and declares to all nodes. Simulation results showed that the W-AODV performs slightly higher PDR, lower MAC load and end-to-end delay with compared to standard AODV protocol. However the W-AODV mechanism is incapable of detecting collaborative black hole attacks even two malicious nodes without cooperation.
In , the authors proposed a new algorithm viz. intrusion detection system new AODV (IDSNAODV). The IDSNAODV identifies malicious nodes based on their behavior and then deletes them from route. The authors define some rules to identify malicious nodes. For instance, a node which has the smallest number of hops in RREP or has the highest number of sequences may be a malicious node, or the node receives many packets but only sends one packet may be an attacker. A node is regarded as a malicious node if the node receives some packets but does not send them to neighbors. Simulation results showed that the IDSNAODV outperforms the standard AODV in higher PDR, throughput and lower end-to-end delay. However the defined rules of identifying malicious nodes are not sophisticated. The reliability of detecting malicious nodes might be low and inaccurate.
In , the authors proposed a secure knowledge algorithm with considering packet drop reasons. An extra knowledge table is established in each node to record the information of packets, which is most recently transmitted. In promiscuous mode, each node monitors the packets forwarded by its neighbors then compares neighbor information with the information stored in its knowledge table. If the information is different, then the node waits a specific time and checks the reason of packet dropping. The knowledge table is composed of two fields, i.e., fm and rm fields, where fm maintains recent forwarded packets and rm maintains the information of neighbor nodes’ recent packets. Once fm is unequal to rm and packet drop reaches a predefined threshold, the node is recognized as a malicious node. Simulation results showed that the proposed method yields higher PDR than standard AODV under different number of malicious nodes. However the proposed method will be failed when attackers cooperate to forge knowledge table.
In , the authors proposed a harmony search algorithm (HSA) based on the modification of the cooperative bait detection scheme (CBDS) proposed by Chang et al. . The major object is to reduce the delay in detecting malicious nodes. Fahad and Muniyandi  claimed that CBDS might misdirect the source node because DSR may provide no information to distinguish malicious nodes (false RREP message) from normal nodes (true route reply). Therefore a HELLO message is added to the CBDS for identifying true neighbor nodes. The HELLO message traverses subsequent nodes in the range of one hop. However, in the second paragraph of Section III in , they stated “To resolve this issue, the function of HELLO message is added to the CBDS to help each node in identifying which nodes are their adjacent nodes within one hop.” Nevertheless, Fahad and Muniyandi  present that the HSA not only reduces lower routing overhead and end-to-end delay but also improves PDR and throughput with compared to CBDS and DSR in simulation results.
In , the authors proposed a secure and trust AODV (STAODV) to mitigate black hole attacks in MANET. In STAODV, each node has a trust value and a malicious node table. Every incoming packet has a safety value, which is used to examine its safety status. A threshold value is predefined to determine the reply is safe or not. The STAODV examines each RREP packet with the sequence number and the hop count of a node to destination, and also examines the safety status of route reply. The detection method by using sequence number has been proposed in many papers. The STAODV will be failed when attackers cooperate to forge fake sequence number in route reply message.
4. Collaborative Black Hole Attack Detection and Prevention
The detection schemes for collaborative black hole attack in MANET
A collaborative black hole attack coordinates several malicious nodes cooperate to forge fake packets for reaching their misbehavior. For example, a fake RREQ or RREP sent by single attacker may be detected due to the inconsistent information of hop count or sequence number. However, two or more attackers are able to collaborate with each other for deceiving above-mentioned detection schemes. In recent years, various schemes for collaborative black hole detection have been published. The comparison of literature on cooperation schemes is captured in Table 3.
In , the authors proposed an ‘algorithmic approach’ for improving the security of AODV. An additional route is proposed to request the identity of intermediate node to the node in next hop. Two main functions are used in the paper, i.e., data routing information (DRI) table and cross checking. However, the DPI table and cross checking method were proposed by Ramaswamy et al.  in 2003 and Weerasinghe and Fu  in 2007. In , we have surveyed and introduced  and  clearly. The concept of DPI table and cross checking was proposed in  and verified with simulation in . The simulation-based results showed that the proposed method in  yields a higher throughput performance around 50% than that of the standard AODV protocol, but increases 5% to 8% communication overhead of route request. The process of the algorithmic approach in  is introduced as follows. First of all, source node broadcasts RREQ packets and receives RREP packets from other nodes. Then the source node receives the further request, next hop node and DRI entry for next hop’s next hop. After that, the DPI entry is used to examine the intermediate node is a malicious node or not. However they did not verify the algorithmic approach in any experimental or simulationbased results. In the simulations of the paper, they discuss the effect of black hole attack in terms of PDR and throughput with varying node mobility.
In , the authors proposed a ‘modified AODV protocol’ and a ‘watchdog mechanism’ to detect black hole attack and wormhole attack. Two extra tables are maintained in each node, i.e., pending packet table and node rating table. The four fields of pending packet table are captured in Fig. 3 and the four fields of node rating table are captured in Fig. 4. The ID of packet sent, the address of next hop, the time-to-live of packet, and the address of destination node are filled in the pending packet table. In node rating table, the address of next hop, a counter for counting dropped packets, a counter for counting forwarded packets, and a tuple named misbehave are recorded. Note that the misbehave tuple is used to represent node behavior, i.e., 0 is well behaving node and 1 is misbehaving node. Based on the information in node rating table, the watchdog calculates the ratio of dropped packets to forwarded packets. All packets in MANET check any received packet to prevent false packets. If a data packet expires in the pending packet table, the packet drops field counts and deletes the data packet from pending packet table. If the calculation result is higher than a predefined threshold, the node is regarded as a malicious node and notes 1 in the misbehave field of node rating table. The proposed method is capable of detecting non-cooperative black hole attack even if two malicious nodes cooperate with each other to forge false packets. However, there is no simulation or experiment result to verify the proposed methodology.
The four fields of pending packet table in [ 45].
The four fields of node rating table in [ 45].
In , the authors proposed the detecting collaborative blackhole attacks (DCBA) scheme based on the concept of the cooperative bait detection scheme (CBDS) . In simulation results, the DCBA scheme yields higher network throughput and less packet loss percentage than that of the Bait DSR (BDSR)  scheme. Note that we have studied the BDSR scheme in our previous survey . On the other hand, Chang et al.  improved CBDS by using a dynamic threshold. The improved CBDS scheme implements a reverse tracing technique to alarm source node to trigger detection scheme again. The advantages of proactive detection and reactive response are both utilized to achieve collaborative black hole detection. Results showed that the improved CBDS yields the highest PDR compared with DSR, 2ACK  and the best-effort fault-tolerant routing (BFTR)  protocols.
In , the authors proposed a mechanism to detect and remove cooperative blackhole and grayhole attacks by maintaining the extended data routing information (EDRI) table in each node. In EDRI table, it records the count of a malicious node been catching by other nodes. The identification of a malicious node depends on its catch count, which is proportional to time. If the node is being caught frequently it will be regarded as a malicious node then removed from routing path. However the paper did not present any experiment or simulation. In addition, we consider that the proposed mechanism will be failed when collaborative malicious nodes forge their DRI table. In , the authors deployed the advanced DRI table with a check bit to AODV protocol for detecting cooperative black hole attacks. A table of RREP message and a timer are used in the proposed solution. However the concept of RREP table and DRI table is referred to  and , respectively.
In , the authors proposed the gratuitous AODV (GAODV) algorithm by using the gratuitous RREP packet. The concept of the gratuitous RREP packet is addressed as follows. In AODV protocol, when an intermediate node has a route to destination node, it sends RREP packet to source node. Then, the GAODV scheme unicasts a gratuitous RREP packet to the destination node. The authors took advantage of the gratuitous RREP packet to detect malicious nodes by applying it as a CONFIRM packet. In GAODV protocol, source node unicasts the CHCKCFRM packet to destination node. The black hole node will be detected because it fails to send the CONFIRM packet so that the destination node never generate CHCKC packet. Note that an extra check table is needed to record the relay value of each node regarding the CHCKCFRM and CONFIRM packets. Simulation results showed that the GAODV protocol outperforms standard AODV in higher data delivery ratio but leads to longer end-toend delay.
In , the authors utilized hash function to maintain data integrity for preventing black hole attack. When the destination node receives message, the hash value (SHA-TWO) of the message is computed. If hash values are the same between source node and destination node, the route is regarded as a secure route otherwise the destination node broadcasts data packet error message to source node. After that, the route is marked in routing table and will not be used any more. Simulation results showed the proposed method is superior to standard AODV in terms of higher PDR, throughput, and lower end-to-end delay.
In , the authors proposed a self-checking scheme (SCS) and an enhanced SCS (ESCS) to prevent collaborative black hole nodes. The SCS is composed of three main steps that are update and maintain neighborhood topology, liar checking, and consistency checking. In the first step, the authors utilized Hello message exchange method  to accomplish neighborhood topology table maintenance. In lair checking step, a node executes liar checking before updating reports to its two-hop neighbors when it receives a Hello message. If a node cheats other nodes with false message that is asymmetric to the destination cache of other nodes, it will be listed into liar list and the lying-count increases. Once the lying-count is higher than a predefined threshold, the node will be put into the black list. In consistency checking step, each node executes consistency checking to make sure that received RREP message is consistent to neighborhood topology. The ESCS improves SCS by periodically sending Hello message to two-hop neighbors. As a result, collaborative black hole nodes can be found. Simulation results showed that the ESCS is superior to SCS in terms of higher PDR and throughput but increases routing overhead and end-to-end delay.
In , the authors proposed a trusted AODV to detect and avoid wormhole and collaborative black hole attacks. Nodes are classified into three types regarding the trust level, i.e., unreliable, reliable and most reliable. An extra trust table is maintained in each node to record the trust value of its neighbors. The trust value of a node is calculated as T=tanh(R1+R2), where tanh() is a hyperbolic tangent function. Variable R1 is the ratio of packets actually forwarded to packets to be forwarded, and variable R2 is the ratio of packets received from a node sent by others to total packets received. When an incoming node joins the network, its trust level is set to unreliable. Then three threshold values are defined to determine its trust level, which are Tur, Tr and Tmr, Note that these threshold values are decided and set in simulation setting. Results showed that the trusted AODV provides higher PDR, throughput and remaining energy with compared to the wormhole AODV scheme. However, collaborative malicious nodes are capable of sending fake packets so that the trusted AODV will be compromised due to false trust value.
In , the authors proposed a strategy to detect malicious nodes in MANETs. To detect non-cooperative black hole attacks, the detection of multiple black hole (D-MBH) scheme is proposed to send a fake RREQ message to request an additional route with non-existent target address. The D-MBH scheme computes a threshold of average destination sequence number and creates a list of black hole nodes. The authors further proposed the detection of collaborative black hole (D-CBH) scheme. The difference between D-MBH and D-CBH is that the D-CBH scheme further extracts the next hop information from RREP. After that, the D-CBH also creates a list of collaborative black hole nodes. However, the paper only presents analysis result rather than simulation result. The analysis results showed that the proposed scheme outperforms existing scheme in terms of routing overhead and computational overhead. In , the authors proposed a solution to detect black hole attacks, which is similar to . The proposed method also uses fabricated RREQ message and next hop information to mitigate malicious nodes. Results showed that it reduces 70% end-to-end delay, and increases 12% throughput and 45% PDR with compared to standard AODV. However the technical novelty of the paper is thin because the used methods were proposed by other researchers in existing papers. In , the authors proposed the placebo packet protocol (PPP) to detect black hole attacks and to identify malicious routers. In PPP, a trusted source node sends a fake data packet as well as the placebo packet, which is similar to  and . The difference to them is that the placebo packet is sent along a pre-determined Hamiltonian path and traverses all routers. A malicious node is detected because it recognizes the placebo packet as a regular data packet and drops the packet. Simulation results showed that the PPP is capable of finding malicious nodes. In addition, the larger network scale needs to use more placebo packets to find malicious nodes. Last, the researchers did not compare the PPP solution with existing schemes in simulations.
In , the authors proposed the cluster and reputation based cooperative malicious node detection and removal (CRCMD&R) scheme. In CRCMD&R scheme, the cluster head node ID of originator field records the cluster head’s ID after it left the originator. In RREP packet, it records the node ID, the next node of the node sent RREP, prime product number, and the cluster head’s ID of the node sent RREP. Three additional tables are needed in CRCMD&R scheme, i.e., neighbor, legitimacy value and reputation level tables. In neighbor table, node ID and cluster head’s ID are recorded in each cluster head. In legitimacy value table, it records node ID, success count, total count and legitimacy value. The legitimacy value obtained from the success count divided by total count. In reputation level table, the promiscuous mode  is applied to cluster heads to calculate the reputation. The reputation value is calculated as the node sent RREP to the next node of the node sent RREP. The reputation levels are classified into four levels, i.e., malicious, suspect, less trustworthy and trustworthy. Simulation results showed that the CRCMD&R scheme outperforms standard AODV with higher total throughput. However the used methods are old-fashioned that were proposed by other researchers except the new idea of using cluster technique.
5. Other Attacks in MANET
In this section, other attacks in MANET are introduced and studied, e.g., denial-of-service (DoS), wormhole, flooding and routing attacks. The comparison of these attacks in MANET is captured in Table 4. Since a vast number of papers have been proposed, we study parts of representative papers.
With abnormal behavior detection, Tsai  proposed an incremental particle swarm optimization (IPSO) algorithm to enhance the performance of IDS. First of all, the IPSO classifies the type of network flows from training data set in the classification phase. Then it classifies the new incoming patterns in the clustering phase. The proposed IPSO algorithm can be applied to classify normal routing patterns and informal routing patterns for detecting black hole attacks in MANET. In , the authors investigated how classification performance depends on the cost matrix for intrusion detection in MANET. Five well-known classification algorithms are examined with a number of network metrics. The performance of these algorithms are analyzed under four types of attacks in MANET, i.e., black hole, data forging, packet drop and flooding attacks. In , the authors proposed an intrusion detection method based on probabilistic analysis. The k-dimensional feature space of multivariate normal distribution is used to apply anomaly detection on the distribution. Moreover, the Mahalanobis distance of normally distributed data is used to identify normal data and abnormal data.
With wormhole attacks, Jhaveri et al.  surveyed DoS attacks in MANET, e.g., blackhole, wormhole, grayhole attacks. They not only introduced the operation of these attacks but also surveyed parts of existing schemes on detection and prevention. In , the authors aimed at proposing a secure IDS to prevent distributed DoS (DDoS) attacks in MANET. The main concept of the paper is to use more and different parameters in the IDS, however the used parameters were not clarified clearly. In , the authors proposed an IDS called Enhanced Adaptive ACKnowledgment (EAACK) for MANET. The difference between EAACK with their previous work  is that the EAACK scheme uses digital signature to prevent attackers forging acknowledgment signature. In , the authors utilized analytical hierarchy process to elect special nodes for preventing wormhole attacks in MANET. A bi-directional wormhole location mechanism is further proposed to tackle with collaborative black hole attack.
Comparison of other attacks in MANET
In , the authors proposed a traffic flooding detection method and implemented it named the in-depth analysis system. The proposed system based on data mining technique classifies attack types, e.g., TCP-SYN flooding, ICMP flooding and UDP flooding attacks. In , the authors proposed an approach for reducing redundant RREQ packets by the cooperation of destination and the neighbor nodes where within one-hop distance from malicious node. In , the authors proposed the anonymous secure routing protocol with privacy preservation to establish a secure route. The anonymous secure routing protocol is established based on the proposed neighbor discovery scheme to connect all neighbor nodes with symmetric or asymmetric links. In , the authors proposed a lightweight scheme to detect Sybil attacks in MANET based on received signal strength. The proposed scheme detects Sybil identities without using centralized third party or extra hardware.
6. Open Issues and Future Trends
Although security issues in MANETs have been investigated for many years, there are still various open issues of detecting black hole attacks, especially the collaborative black hole attack. We believe that it is not so hard to detect and eliminate a non-cooperative black hole attack (see Section 3) since there are many existing schemes for the problem, but it is still hard to detect and prevent a collaborative black hole attack. Open issues and future trends of black hole detection are discussed as follows.
6.1 Open Issues of Black Hole Detection
Frist of all, how to choose the best detection/prevention method according to used routing protocol is a dilemma problem. No matter what scheme used, it has pros and cons. For example, a detection scheme based on reactive routing protocol reduces routing overhead but suffers from slight packet loss when routing starts. On the contrary, a detection method lies on proactive routing protocol yields higher PDR but leads to more routing overhead due to periodical broadcast. For this reason, when proposing a detection/prevention method for black hole attacks in MANETs, the critical issue is how to promptly detect malicious nodes without raising overhead.
A non-cooperative black hole attack can be easily detected by various methods, e.g., examination of RREQ and RREP packets, trust value of mobile nodes, check of data routing information in one or two-hop neighbors, usage of destination sequence number. However it is still hard to detect and eliminate collaborative black hole attacks correctly. Two black hole nodes are willing to collude in forging false information or fake packets for achieving their misbehavior. The existing schemes for non-cooperative black hole attacks will be failed in detecting collaborative malicious nodes. The detection and prevention of collaborative black hole attacks still need to overcome with great efforts.
Last, system performance is a vital issue to detect and prevent malicious attacks but challenging. No matter what scheme used, it trades certain overhead off for detection accuracy, e.g., more routing overhead for higher PDR, larger end-to-end delay for higher network throughput, higher computation load for higher PDR. For this reason, when applying detection and prevention method, the critical issue is how to trade suitable performance metrics off based on the major object, e.g., the highest PDR or network throughput, or the lowest routing overhead or end-to-end delay.
6.2 Future Trends of Black Hole Detection
There is no doubt at all that collaborative black hole detection method will still be a hot research issue in the future. In our opinion, a hybrid routing protocol is essential to improve the defects of reactive and proactive routing protocols. Except the well-known ZRP and TORA routing protocols, the integration of reactive and proactive routing protocols is also a favorable solution. For instance, it is proper to use an on-demand routing method at the beginning and to apply table-driven routing method when network topology changes. As a result, the packet loss problem of reactive routing and the redundant routing overhead of proactive routing can be improved.
In order to discover collaborative black hole attacks, we had proposed a brand-new detection concept, viz. cooperative bait detection scheme [46,47,52]. First of all, a hybrid routing protocol was proposed by composing reactive and proactive routing methods to improve their defects. In practice, DSR is adopted in our hybrid routing protocol. The primary idea is that source node sends bait RREQ packets with empty target address before route discovery. Note that the bait RREQ packets only survive a while to economize the use of network throughput. Black hole nodes can be easily found because they reply forged RREP packets with destination address to the source node. As a result, source node is capable of recognizing malicious nodes because it should not receive any reply packet due to the design of empty target address. The brand-new idea can be applied to all routing protocols with a slight modification.
According to this survey, we found that there is a novel tendency to detect black hole nodes. A few of researchers start to utilize metaheuristic or evolution-based algorithms to tackle with black hole attacks, e.g., GA , ACO  and GA with fuzzy logic . A metaheuristic algorithm has a higher probability of finding malicious nodes and detecting abnormal operations through its evolution and training process. However a comprehensive scheme for black hole detection is still unseen. Furthermore, it needs more time to complete evolution and training process but attack detection should be instantaneous. In other words, an evolutionary algorithm with significant computation complexity may not fit in with the malicious node detection at once. We deem that some modifications of these algorithms are necessary for detecting collaborative black hole attacks in MANETs.
A vast number of papers on black hole detection in MANET have been published during past five years. In this survey, we study and discuss various schemes for detecting malicious attacks in MANETs. The black hole attacks are surveyed and classified into non-cooperative and collaborative black hole attacks. More than 25 schemes for non-cooperative black hole attack detection are studied and compared to point out their pros and cons. At least 14 schemes of collaborative black hole attack detection are investigated to show the state-of-the-art research status. In addition, other attacks in MANETs are also investigated such as DoS, wormhole, flooding and Sybil attacks. According to the survey result, we list a number of open issues and provide some future trends for the reader and audience of the paper. We expect to facilitate more scholars and researchers to grasp black hole detection in MANETs.
This research was partly funded by the Ministry of Science and Technology (MOST), Taiwan, R.O.C. under grant (No. 105-2221-E-197-010-MY2, No. 106-2511-S-259-001-MY3, and No. 106-2811-S-259-001).