Detection of blackhole attack in a Wireless Mesh Network using ...

J Supercomput DOI 10.1007/s11227-010-0547-3

Detection of blackhole attack in a Wireless Mesh Network using intelligent honeypot agents

Anoosha Prathapani · Lakshmi Santhanam · Dharma P. Agrawal

© Springer Science+Business Media, LLC 2011

Abstract A Wireless Mesh Network (WMN) is a promising way of providing low-cost broadband Internet access. The underlying routing protocol naively assumes that all the nodes in the network are non-malicious. The open architecture of WMNs, the multi-hop nature of communication, different management styles, and wireless communication pave the way for malicious attackers. The attackers can exploit hidden loopholes in the multipath mesh routing protocol to launch a suction attack called the blackhole attack. The attacker can falsify routing metrics such as the shortest transmission time to reach any destination and thereby suck in the network traffic. We propose a novel strategy that employs mobile honeypot agents, which utilize their topological knowledge to detect such spurious route advertisements. They are deployed as roaming software agents that tour the network and lure attackers by sending route request advertisements. We collect valuable information on the attacker’s strategy from the intrusion logs gathered at a given honeypot. We finally evaluate the effectiveness of the proposed architecture using simulation in ns-2.

Keywords AODV · Blackhole · Grid · Honeypots · Malicious · Random · Spoofed · WCETT · Wireless Mesh Networks

A. Prathapani
Department of Electrical and Computer Engineering, University of Cincinnati, Cincinnati, OH, USA

L. Santhanam · D.P. Agrawal
School of Computing Sciences and Informatics, University of Cincinnati, Cincinnati, OH, USA


1 Introduction

In recent years, there has been enormous growth in the field of wireless networking technology [16] due to an increasing demand for ubiquitous broadband Internet connectivity and the widespread use of applications such as multimedia streaming in VoIP services, video streaming, etc. Wireless Mesh Networks (WMNs) have drawn considerable attention due to their potential to supplement the existing wired backbone with a wireless scheme in a cost-effective manner. Key advantages of WMNs include their self-organizing ability, self-healing capability, low-cost infrastructure, rapid deployment feasibility, good scalability, and ease of installation. WMNs are capable of providing attractive services in a wide range of application scenarios such as broadband home/enterprise/community networking and disaster management [8, 15, 16]. The WMN is a promising technology that offers good coverage area through multi-hop communication without any degradation in the channel capacity.

A typical WMN is organized in a hierarchical manner and consists of Mesh Routers (MRs), Mesh Clients (MCs), and Internet Gateways (IGWs) as shown in Fig. 1 [2]. The Access Points (APs) are IGWs that are connected to the wired network and form the top level of the hierarchy. The MRs (layer 2) are static APs that are inter-connected by wireless links. The MRs route the traffic of MCs to the IGWs in a multi-hop fashion. The MCs (layer 3) connect to the nearest available MR in a single/multi hop fashion.

Fig. 1 Hierarchical WMN architecture

The mesh-networking technology has attracted both academia and industry, stirring efforts for its real-world deployment in a variety of applications. MIT deployed a WMN in one of its laboratories for studying the industrial control and sensing aspects. Several companies like Nortel Networks, Strix Systems, Tropos Networks, and Mesh Dynamics are offering mesh networking solutions for applications such as building automation, small and large scale internet connectivity, etc., using customary products. Strix Systems has deployed a city-wide Wi-Fi mesh network in Belgium spanning an area of 17.41 km² to provide wireless Internet access to its residents, tourists, businesses, and municipal and public-safety applications and advertising systems around the city. Strix also deployed a wireless tracking system called project kidwatch that traces the real-time location of a child in a beach area or around a city.

Though there are several ongoing research efforts in WMNs, security is very much in its infancy. It is critical to address the security concerns in order to realize their rapid deployment. The open infrastructure, wireless communication, multi-hop communication, and different management styles of WMNs pave the way for malicious attackers in the network [3]. As WMNs are primarily deployed in public places such as parks and building tops, they lack tamper-resistant hardware and hence the routing module can be manipulated. Malicious attackers in the network can exploit ambiguities in the underlying routing protocols and cause various attacks like the Blackhole Attack, Selfish node Attack, etc. [4, 10, 18, 22].

In this paper, we specifically focus on the problem of detecting malicious MRs that bypass the route lookup process and instead broadcast spurious route replies to every incoming route request query. Such an MR generates route replies such that any source is encouraged to choose it as an intermediate MR to route its traffic. It falsifies the sequence number field (high) and the hop count field (low) in the reply packet and advertises itself as the best possible route. The sequence number field in a routing protocol reflects the freshness of the route and the hop count reflects the distance between the replying MR and the destination MR in question.
In essence, it traps all the MRs in its neighborhood and lures them to route their traffic towards itself. Upon receiving the data traffic, it unscrupulously drops all of it. Thus, in a way the malicious MR imitates the “blackhole” in the Universe that attracts all particles towards itself due to its enormous gravitational pull. Hence, we name this egregious MR a “blackhole node” or “blackhole MR” in the network and the attack is called a “blackhole attack”. The blackhole attack is thus a severe attack that exploits the hidden vulnerabilities in the routing protocol of wireless networks. The only possible counter-measure to prevent infiltration of such an attack is to authenticate the sequence number and hop count updates received from other nodes. Though secure routing protocols such as SEAD [9] and Ariadne [14] attempt to address this issue, they are not a complete solution to thwart such an attack, as MRs are deployed at public places.

Here, we propose pervasive monitoring that proactively supervises the routing process and ensures healthy operation. In this paper, we propose such a pervasive monitoring scheme employing intelligent software agents called honeypots that are deployed on MRs. Honeypots are popular agents that are used in tandem with Intrusion Detection Systems (IDS) to detect malicious attackers [25]. They have been widely used in corporate networks along with Firewalls to prevent the infiltration of Denial of Service Attacks (DoS Attacks) [23]. Honeypots are a highly flexible security tool as they are used as decoys to lure attackers and discreetly perform close monitoring of the network. We intend to employ such an intelligent software agent for detecting blackhole nodes.


We utilize honeypots that discreetly tour the WMN, examining the status of each region. We chose to deploy honeypots as mobile software agents rather than on a fixed MR in order to camouflage their location. In addition, if a honeypot is deployed on an MR, it results in poor coverage of the detection scheme owing to the static nature of WMNs. Honeypots are analogous to secret police officers who conduct random investigations [26]. Nevertheless, honeypots are by default structured as an easy prey for attackers so that an attacker is lured to them. Honeypots traverse the WMN along random paths at random intervals in order to conduct stealthy monitoring and catch attackers red-handed.

A honeypot generates a Route Request (RREQ) to a destination to which it already knows the route. This is called a dummy RREQ because the honeypot does not originate any data traffic. Instead, it generates such a request for the sole purpose of luring blackhole nodes to send a falsified reply. Unlike traditional honeypots [1], which capture only packets directed to them, our proposed mobile mechanism is well suited to luring all attackers in the network. Upon seeing the RREQ of the honeypot, a malicious blackhole node produces a falsified route reply (RREP). It advertises itself as the best path (high sequence number and shortest hop) to a given destination. The honeypot, in turn, generates a dummy data packet to be sent to a randomly chosen known destination. It is termed a “known destination” because the honeypot is aware of an alternate route to that destination MR. Then the honeypot queries the destination through the known route that it is already aware of, to determine the integrity of the malicious node. Thus, we exploit the multipath routing option available in WMNs [17] to validate the integrity of a route reply originating from a node. The honeypot serves as a powerful tool to distinguish legitimate MRs from malicious blackhole nodes in WMNs.
The logs collected in the honeypots serve as a useful tool to understand the modus operandi of the blackhole node, so that new exploitation trends can be understood. Through our extensive simulation, we observe that, when the network is up to 20% compromised, a node advertising itself as the best path was found to be a blackhole node with 97% accuracy. Though the traffic reaching the honeypot is fairly small, it does provide deep insight into the attacker’s location.

The remainder of this paper proceeds as follows. In the next section, we review some of the related work. Section 3 shows various ambiguities in the route discovery phase of the Ad hoc On-Demand Vector (AODV) protocol that can be exploited by a blackhole attacker for the topologies under consideration. In Sect. 4, we outline the architecture of our proposed honeypot based blackhole attack detection scheme. Section 5 gives an overview of the performance analysis of the proposed approach using simulations in the ns-2 simulator and compares the results for both the topologies [11]. Finally, we conclude the paper in Sect. 6 along with some pointers for future work.

2 Related work

Although our work is not based on security related issues in ad hoc and sensor networks, we mention related work in this area. In [18], Ning et al. mentioned all the misuses that are possible with the AODV protocol. This work covers several classes of insider attacks, and then explains how these goals are achieved through misuse of the routing protocol. Bhargava and Agrawal [4] proposed an Intrusion Detection and Response Model to detect malicious activities that can be carried out in a routing protocol and respond if such an activity is found. This is done by observing the anomalous behavior of the nodes in the neighborhood where an Intrusion Detection Model (IDM) is deployed on every node in the network and is then isolated through the process carried out in the Intrusion Response Model (IRM) [14].

Huang et al. [11] proposed a cooperative Intrusion Detection System (IDS) in an ad hoc network for various kinds of attacks. The authors assume that an attacker may try to affect not only the routing protocol in the ad hoc network but also the IDS. The authors perform anomaly detection using correlation, assuming that there exists a strong correlation if they are normally behaving. But this is not the same when malicious behavior is present. Hence, they use such correlation to detect the abnormal behavior. However, with the anomaly detection system, the results obtained for a blackhole attack are less effective. The authors also identify the attack type where they use a “monitoring” node and a “monitored” node, where the function of the monitoring node is to analyze the behavior of the monitored node [21]. For a blackhole attack, the assumption is that the monitoring node is observing the monitored node, which means that the IDS [20] needs to be deployed on every node in the network, which is a very expensive affair. The authors also propose various cluster based IDS protocols and detection schemes, where a cluster head among the nodes is elected for a given neighborhood.
However, if a compromised node happens to be a cluster head, then attacks can be launched easily without being detected, as there may be a case where the IDS has already been disabled [21].

Ruiz et al. [20] discuss blackhole attack injection in ad hoc networks, where they deal with the blackhole attack in the OLSR routing protocol for VoIP calls. However, this work just mentions the fundamentals of the blackhole attack. Shurman et al. [24] proposed two solutions to detect a blackhole attack. However, the first solution suffers from excessive time delay, because the used concept of shared hops of sending packets along the redundant paths cannot be sent forever when the sending node has no shared hops or nodes between the routes. In the second solution, every node has two additional tables being updated whenever a packet is transmitted or received. However, these solutions fail if a group of attackers is present in the network. Deng et al. [7] discuss routing security issues of mobile ad hoc networks and provide a solution for the blackhole problem in AODV. However, this algorithm fails in case of a group attack in the network.

Ramaswamy et al. [19] proposed a solution to the cooperative blackhole in the network by introducing an extended Data Routing Information (DRI) table which maintains the information passing ‘from’ and ‘through’ the nodes. Here 1 stands for true and 0 stands for false [24]. Whenever a source node broadcasts a RREQ and a RREP is received from an intermediate node during the route discovery process, crosschecking is carried out to verify whether the RREP is from a reliable intermediate node or not. Although a one-time process of crosschecking helps in identifying and securing against the cooperative blackholes in the network, the power constraints and low processing speeds in wireless ad hoc and sensor networks limit the usefulness of this solution.


Karakehayov et al. [12] propose a routing algorithm called REWARD to detect blackhole attacks both in single attacker and group of attackers by utilizing two different broadcast messages. This algorithm takes advantage of promiscuous mode of inter-radio behavior among transmissions between the neighboring nodes and detects the malicious behavior in the network. A database is created which consists of malicious nodes or nodes under suspicion that can be detected, and the response is passed through two different broadcast messages called MISS and SAMBA [24]. However, this technique reduces the vulnerability of the network at the expense of utilizing large amounts of energy from the batteries. Karlof and Wagner [13] provide a detailed description of security threats against routing protocols and the counter measures in sensor networks. Along with the other attacks, the authors propose selective forwarding attacks and suggest the use of multipath forwarding against selective forwarding attacks. However, sensor networks have several resource constraints like power, memory that may get exhausted during the multipath forwarding [13].

3 Blackhole attack illustrated

In this section, we explain the operation of a blackhole attack using AODV protocol analysis. We consider the route discovery phase in the AODV protocol [6] and then delineate vulnerabilities in the AODV protocol that the attacker can exploit.

3.1 Vulnerabilities of AODV

The AODV protocol is an on-demand routing protocol [12] which initiates a route discovery process only when an originating MR desires to send some traffic to an unknown destination. The originating MR broadcasts a Route Request (RREQ) packet with a sequence number set to an unknown value. Then, the neighbors re-broadcast the RREQ packet only if they do not have a fresh enough route (i.e., one whose sequence number is greater than the advertised sequence number in the RREQ packet). This process continues until the RREQ reaches the destination MR or an intermediate MR that has a fresh route.

However, if a malicious blackhole node is present in the network, it generates a false RREP for all the RREQ packets received by it. The malicious blackhole node generates a false RREP packet irrespective of whether or not it has a route to a given destination. During normal route resolution, upon receiving a RREQ, an MR first performs a route lookup for the destination in its routing table. If it is aware of the route to the destination, it generates a RREP to the source. Otherwise, it returns a NULL value. However, a malicious blackhole node bypasses this lookup process and always generates a RREP. It advertises itself to be closest to the destination (stamps a lower hop count value in the RREP) and it also falsifies the sequence number to be an arbitrarily high value in order to ensure this RREP is favored by the source. The originating MR then sends the data packets to the malicious blackhole node, which then drops all the data traffic unscrupulously. In this manner, the malicious blackhole node systematically traps all its neighboring MRs by sucking in their data traffic.


Such an attack results in severe performance degradation in WMNs, especially if the malicious blackhole node is located near the IGW. The blackhole node also decreases the network throughput, resulting in network partitioning, increasing end-to-end delay and most severely causing denial of service to clients using User Datagram Protocol (UDP) kind of traffic (e.g., VoIP, FTP) which has no knowledge whether the packets have reached the destination or not. Thus, it is critical to prevent the infiltration of a blackhole attack in a WMN.

3.2 Vulnerabilities in WCETT

Another routing metric that we use is the WCETT (Weighted Cumulative Estimated Transmission Time), which considers the intra-flow interference among multiple channels. The intra-flow interference occurs when there are different nodes which send traffic for the same flow [5]. This metric is a sum of the end-to-end delay. The routing algorithm selects the path with the lowest WCETT. The vulnerability that attackers can exploit is the advertisement of the least end-to-end delay. The blackhole attacker plays the same role of attracting all the traffic towards itself by advertising itself as having the least end-to-end delay and then dropping all the traffic of the network. Thus, the attacker can attract all the traffic and then drop the entire network traffic. Therefore, it is critical to prevent infiltration of the blackhole attack in a WMN.

3.3 Impact of black hole attack

In this subsection, we illustrate the impact of a blackhole malicious node in WMNs through simulations in ns-2. We illustrate the effect of a blackhole attack in the following two topologies:

1. Grid Topology, and
2. Random Topology

3.3.1 Grid Topology

We consider a simple IEEE 802.11s based network with 49 MRs (7 × 7) deployed in a grid fashion in an area of 1500 × 1500 meters. We randomly attach 2–3 mesh clients to each of these MRs. The MRs communicate with each other using the legacy IEEE 802.11 based interface, forming a wireless backbone. We assume that the communication between an MR and an MC does not interfere with the communication between two MRs. We start flows from the MCs that are being serviced by the MRs. From here on, when we say that a flow is started from the MR, we mean that the MC has started its flow. We initiate 20 UDP flows, sending traffic at a constant rate of 200 kbps. We use a constant packet size of 512 bytes. IEEE 802.11 is used for channel arbitration with the transmission range and the channel capacity set to 250 m and 11 Mbps, respectively. AODV is the underlying protocol. The total simulation time is set to 500 seconds. Each simulation was repeated with 10 different traffic profiles containing randomly chosen traffic sources. The destination is changed from time to time to obtain various flows and to determine the effect of blackhole nodes in the network when different routes are taken.

Fig. 2 Instantaneous throughput of flows under the blackhole attack for Grid Topology

3.3.1.1 Instantaneous throughput

We randomly choose one of the nodes as the malicious blackhole node which attracts all the network traffic towards itself by advertising itself as the nearest route (highest sequence number and shortest hop count). For a randomly chosen traffic profile, Fig. 2 shows the effect of the blackhole node on the instantaneous throughput of three affected flows at the IGW. We consider the case where we select the blackhole MR which is randomly located and initiate the flows from one MR to the other MR. The throughput is very low for the flows where we consider the presence of blackhole MRs in the network as compared to the throughput of other flows where there are no blackhole nodes present. It is observed that the throughput decreases as the number of blackhole nodes in the network increases. Thus, the number of blackhole nodes determines the instantaneous throughput of the flow. We randomly initiated ten such flows in the network and observed the throughput of those flows. We check the profiles of three such flows. We have introduced an Attack Flow and observed it by introducing many blackhole nodes in a route that was being selected during simulation. These blackhole nodes give RREQ packets to the destination and do not allow any other RREQ packets from any of the innocent MRs in the neighborhood. Thus, the flow is flooded with all the malicious packets that do not allow other innocent MRs’ packets to be transmitted to the destination. In Fig. 2, the throughput of Flow-1 is very high when compared to the other flows, Flow-2, Flow-3 and Attack Flow. The maximum throughputs of Flow-1, Flow-2, Flow-3, and Attack Flow are 105, 40, 110, and 60 kbps, respectively. Flow-2 has the lowest throughput among the three flows. This is because of the number of blackhole nodes present in this particular route of a flow.

3.3.1.2 Aggregate throughput

In Fig. 3, we show the effect of a blackhole attack on the aggregate throughput of the mesh network for the grid topology. We study the aggregate throughput for different percentages of compromised nodes in the network. We evaluate the effectiveness of our scheme by measuring the normalized aggregate throughput of flows, which is the ratio of the throughput obtained to the offered load. We compare the normalized throughput of flows in the default case and for our scheme for different flows in the WMN. We start with 5% of compromised nodes in the network and observe the throughput by increasing the percentage of compromised nodes. We do this until we reach 25% of compromised nodes. Figure 3 shows the aggregate throughput for different percentages of compromised nodes. In Fig. 3, it can be observed that the aggregate throughput of the network is around 20 kbps when 5% of blackhole nodes are present, and as the percentage of blackhole nodes increases to 25%, the aggregate throughput of the network is observed to be around 5 kbps.

Fig. 3 Aggregate throughput obtained for various blackhole nodes

3.3.2 Random Topology

We consider a simple IEEE 802.11s based network with 49 MRs deployed in random fashion in an area of 1500 × 1500 meters. The network setup is similar to the one used in the grid topology. We start flows from the clients that are being serviced by the MRs. We initiate 20 UDP flows sending traffic at a constant rate of 512 bytes. IEEE 802.11 is used for channel arbitration with the transmission range and the channel capacity set to 250 m and 11 Mbps, respectively. AODV is the underlying protocol. The total simulation time is set to 500 seconds. Each simulation is repeated with 10 different traffic profiles containing randomly chosen traffic sources. One of the MRs acts as the IGW, which is the destination of all the flows in the network. The destination is changed from time to time to obtain various flows and to determine the effect of blackhole nodes in the network when different routes are taken.

3.3.2.1 Instantaneous throughput

We randomly choose one of the nodes as the malicious blackhole node which attracts all the network traffic towards itself by advertising itself as the nearest route (highest sequence number and shortest hop count). Figure 4 shows the effect of the blackhole node on the instantaneous throughput of three affected flows at the IGW for a randomly chosen traffic profile. We consider the case where we select the blackhole MR randomly and initiate the flows from one MR to the other MR.
The throughput is very low for the flows where we consider the presence of blackhole MRs in the network as compared to the throughput of other flows where there are no blackhole nodes present. It is observed that the throughput decreases as the number of blackhole nodes in the network increases. Thus, the number of blackhole nodes determines the instantaneous throughput of the flow. We randomly initiated ten such flows in the network. We observe the profiles of three such flows. In Fig. 4, the throughput of Flow-1 is very high when compared to the other flows, Flow-2 and Flow-3. The maximum throughputs of Flow-1, Flow-2, Flow-3 and Attack Flow are 100, 50, 105, and 40 kbps, respectively. Flow-3 has the lowest throughput among the three flows as there are a number of blackhole nodes present in this particular route of a flow.

Fig. 4 Instantaneous throughput of flows under the blackhole attack for Random Topology

3.3.2.2 Aggregate throughput

In Fig. 5, we show the effect of the blackhole attack on the aggregate throughput of the WMN for a random topology. We study the aggregate throughput for different percentages of compromised nodes in the network. We start with 5% of compromised nodes in the network and observe the throughput by increasing the percentage of compromised nodes up to 25%. Figure 5 shows the aggregate throughput for different percentages of compromised nodes in a random topology. In Fig. 5, it can be observed that the aggregate throughput of the network decreases from 18.6 to 4.3 kbps as the percentage of the blackhole nodes in the network increases from 5% to 25%. The aggregate throughput of the network is observed to decrease for the random topology too with an increase in the percentage of blackhole nodes. However, with our proposed scheme, the aggregate throughput increases with the same amount of compromised nodes for the grid as well as for the random topology.

Fig. 5 Aggregate throughput obtained for various blackhole nodes for Random Topology

Fig. 6 Aggregate throughput obtained for % of various blackhole nodes for Grid and Random

Thus, we can state that this scheme increases the overall throughput of the network by a considerable amount.

3.4 Aggregate throughput for Random vs Grid Topology

Figure 6 gives us the details of the aggregate throughput of the network for both topologies without any prevention scheme. The aggregate throughput of the network under attack is observed to be less for the random topology than for the grid topology because of the connectivity issues that come into consideration due to the structural distribution. The AODV protocol initiates the route discovery process whenever there is any link breakage between the MRs, and AODV updates the route table. Thus, the AODV route discovery phase consumes some time before the actual transmission of the packets is resumed.

4 Honeypot based detection scheme

In this section, we first present the system architecture and then we describe the proposed honeypot detection scheme.

4.1 Detection system architecture

The system architecture of the proposed honeypot detection scheme is illustrated in Fig. 7. It consists of the following components:

• Route module The Route module consists of a Route Reply Analyzer, Dummy Packet Generator, and Constant Bit Rate Unit. The honeypot positions itself next to a testee and generates a RREQ to a certain known destination. When the testee receives such a RREQ, it generates a RREP packet. In order to determine if this RREP is valid or spurious, the Route Reply Analyzer module analyzes the received reply packet. This module analyzes the RREP packet and makes a note of the sequence number and the hop count in the RREP packet. It then triggers the Dummy Packet Generator to initiate dummy packets to be sent to the testee. These dummy packets are used to determine whether the ‘testee’ under consideration is malicious or reliable. Such traffic is sent towards a ‘testee’ to be forwarded to a given destination. The Dummy Packet Generator uses a Constant Bit Rate Unit that generates UDP packets at a constant bit rate. However, the unit is modified so that the payload is stuffed and padded with random data.
• Feedback module The feedback module plays a critical role in the detection of the blackhole node. A query packet is dispatched to a known destination to determine if it has received any traffic packets from the testee, and such information is stored in the feedback module providing what it has learned from the alternate path. If the destination node receives the packet, it acknowledges the receipt of the traffic and unicasts a trace reply to the honeypot. Depending on this answer, the feedback module then declares the testee as reliable; else it is a malicious attacker.
• Alert module If the feedback module detects malicious activity, it is fed as input to the alert module. We consider the positive output as an indication of a normal condition and a negative output as representing the presence of an attack. When an attack is detected, the alert module issues an alert to block the intrusive activity. The alert module broadcasts the identity of a malicious blackhole MR to all MRs in the network so that they stop forwarding traffic through it and discard any route reply packets originating from the blacklisted blackhole MR.
• Interactive log It gives the information about the strategies that the honeypot applied to lure the malicious node. It also gathers information on the route replies that the attacker used to lure other MRs in the network. The report of the entire route discovery phase and alerts is lodged in the Interactive log.

Fig. 7 System architecture of the proposed scheme using honeypot

4.2 Honeypot agents in detection

We model detection of a blackhole attack using honeypots as software detection agents. We illustrate a blackhole attack in a WMN in Fig. 8. As seen in the figure, the blackhole MR sucks in the entire data traffic from the neighboring MRs and thereby drops the data traffic. The blackhole MR advertises itself as the best route to all other MRs by increasing the sequence number and decreasing the hop count (AODV) [12, 13]. The blackhole MR can also advertise that the route has the smallest end-to-end delay (lowest WCETT) [13]. A honeypot agent places itself next to the testee. The honeypot operates in two modes in order to find whether the testee is a malicious one or not. The two modes in which the honeypot operates are:

1. Network topology known to honeypot.
2. Network topology unknown to honeypot.

Fig. 8 Illustration of blackhole attack

4.2.1 Network topology known to honeypot

When we use WCETT as a metric, we consider the path having the smallest WCETT as the best path. The honeypot sits in the next hop of the testee. It estimates the delay from this node to the destination through the testee. Then, we check the delay advertised by the testee. If the network topology is known to the honeypot, the network deployment is also known. The Internet Service Provider (ISP) knows the network deployed and it gives the information to the honeypot [19].

4.2.2 Network topology unknown to honeypot

When the network topology is not known to the honeypot, then the honeypot sits next to the testee. We estimate the delay by sending traffic to the testee. We later observe any deviation between the actual and the expected end-to-end delay. When the testee advertises its end-to-end delay to be the lowest, the honeypot places itself next to the testee, sends the testee traffic and observes whether the testee sends the traffic to the destination through the other route or not. Thus, the honeypot uses the WCETT metric to observe the testee under consideration [13]. We deploy the honeypots on MRs to lure the malicious attacker. These honeypots are analogous to network cops. The proposed scheme is explained through the illustrative Fig. 9.

Fig. 9 Honeypot based blackhole attack detection

Various stages are as follows:

1. The honeypot agent sends an RREQ packet to the testee. The source address is that of the MR on which the honeypot is residing. The destination address is that of a randomly chosen known destination. We assume that the honeypot is already aware of a route to the destination and issues an exclusive RREQ to determine the validity of the nodes in its neighborhood.
2. The ‘testee’ sends an RREP packet back to the honeypot. This RREP could be a valid or a spurious one. A malicious ‘testee’ would include a spurious RREP with a high sequence number and a low hop count value. On the other hand, a valid testee would generate a RREP only if it is aware of a route to this destination. The honeypot detection scheme in the subsequent steps is able to establish the integrity of RREP packets.
3. Next, the honeypot prepares a testee data packet and forwards it to the ‘testee’. The testee packet is like any other regular data packet. However, its payload is masked and padded with a random data stream so that it would not be possible for the testee to conclude that it had originated from the honeypot.
4. The honeypot sends a “Query packet” to the destination to inquire about the packet that it forwarded to the ‘testee’ in Step 3. The format of this packet is shown in Table 1. The feedback module uses the alternate path table to retrieve the known alternate route to the chosen destination. It then routes the query packet through this route. The various fields in the query packet consist of the Sequence number, Source IP address, Destination IP address, and the testee id. The source IP address is stamped with the address of the node on which the honeypot resides, and the destination IP address is that of the chosen destination. It also consists of a testee id field that is the source IP address of the testee, which is being evaluated.
5. When the destination receives such a trace query, it processes it by examining its Most Recently Received Traffic Cache. This cache captures the most recently received traffic from different sources including the source ids, the timestamp when it was received and the count of the number of packets received from this source.
7. If the destination finds the testee id in its traffic cache, it prepares a “Query reply packet”, the destination address of which is equal to the source address of the honeypot from which the query packet came. The query reply packet also includes the following data in its information field: the count of the number of packets received and the timestamp of the last received packet. Thus, the Query reply packet is unicast to the honeypot using the same route by which the trace packet came. Various fields in the Query reply packet are shown in Table 2.

8. When the honeypot agent receives the query packet, it hands it to the feedback module. Depending on the content of the information field, the integrity of the testee is determined. If the packet has been received at the destination, the ‘testee’ is considered to be a “Good MR”. If the field is empty, then the ‘testee’ is considered a malicious attacker.

9. Then, the alert module in the honeypot advertises that the ‘testee’ under consideration is a malicious blackhole attacker. Thus, the other nodes in the network avoid forwarding their packets through the malicious blackhole. This information is also sent to the IGW, which then passes it to the Internet Service Provider (ISP) to isolate and thereby remove the malicious MR.

Thus, the honeypot acts as a network cop examining the integrity of the routing module of the MRs in the network. The mobile honeypot can be made to move along a pre-configured itinerary in the network. The honeypot can also conduct a random walk of the network, starting from the IGW to the leaf MRs in a depth first fashion. This way, it is not possible for a malicious attacker to determine if a honeypot is testing it. As the request packets originating from the honeypot agents are similar in structure to any other RREQ packets sent by other nodes, the malicious blackhole node cannot adapt to behave selectively.

Table 1 Description of fields in trace query packet

Sequence number: The sequence number is the sequence number of the packet that it receives from the source
Source IP address: The source IP address is the address of the MR on which the honeypot resides
Destination IP address: The destination IP address is the address of the known destination
Testee ID: The testee ID is the source IP address of the testee being evaluated

Table 2 Description of fields in query reply packet

Sequence number: This is the sequence number of the IP packet being originated at the destination
Source IP address: This is the address of destination node that is being considered. The packet is being sent from the destination
Destination IP address: This is the address of the node on which honeypot resides
Packet count: This keeps count of the number of packets received from the testee under consideration.
Time stamp: The time stamp gives time information about the last packet that it received

Fig. 10 Format of query packets
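The probe described in steps 1 to 9, as an added Python example (not the authors' ns-2 implementation). The class names, IP addresses and RREP values are constructed for illustration, and the timestamp freshness check is an assumption of this example: the paper only distinguishes an empty from a non-empty information field.

```python
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class QueryPacket:                 # fields of Table 1
    seq: int
    src_ip: str                    # MR on which the honeypot resides
    dst_ip: str                    # known destination
    testee_id: str                 # source IP of the testee being evaluated


@dataclass
class QueryReply:                  # fields of Table 2
    seq: int
    src_ip: str                    # destination node
    dst_ip: str                    # MR on which the honeypot resides
    packet_count: Optional[int] = None   # None models the empty information field
    timestamp: Optional[int] = None      # time of the last packet from the testee


class Destination:
    def __init__(self, ip):
        self.ip = ip
        self.cache = {}            # Most Recently Received Traffic Cache: source -> [count, last_ts]

    def receive(self, from_ip, now):
        entry = self.cache.setdefault(from_ip, [0, now])
        entry[0] += 1
        entry[1] = now

    def answer(self, query):       # steps 6-7: look up the testee id, build the reply
        hit = self.cache.get(query.testee_id)
        if hit is None:
            return QueryReply(query.seq, self.ip, query.src_ip)
        return QueryReply(query.seq, self.ip, query.src_ip, hit[0], hit[1])


@dataclass
class MeshRouter:
    ip: str
    routes: set = field(default_factory=set)   # destinations this MR can really reach
    blackhole: bool = False

    def rrep(self, dest_ip):       # step 2
        if self.blackhole:         # spurious reply: high sequence number, low hop count
            return {"seq": 2**31, "hops": 1}
        return {"seq": 12, "hops": 3} if dest_ip in self.routes else None

    def forward(self, payload, dest, now):
        if not self.blackhole and dest.ip in self.routes:
            dest.receive(self.ip, now)          # a blackhole silently drops instead


class Honeypot:
    def __init__(self, host_ip):
        self.host_ip, self.seq = host_ip, 0
        self.blacklist, self.log = set(), []    # alert module state, interactive log

    def probe(self, testee, dest, now, check_freshness=True):
        rrep = testee.rrep(dest.ip)                         # steps 1-2: RREQ / RREP
        if rrep is None:
            verdict = "no-route"                            # nothing advertised, nothing to test
        else:
            testee.forward(os.urandom(64), dest, now)       # step 3: random-padded testee packet
            self.seq += 1
            query = QueryPacket(self.seq, self.host_ip, dest.ip, testee.ip)   # step 4
            reply = dest.answer(query)                      # step 5: sent over the known alternate route
            delivered = reply.packet_count is not None      # step 8: empty field means dropped
            if delivered and check_freshness:               # assumption: ignore entries older than the probe
                delivered = reply.timestamp >= now
            verdict = "good" if delivered else "malicious"
        if verdict == "malicious":
            self.blacklist.add(testee.ip)                   # step 9: identity the alert module broadcasts
        self.log.append((now, testee.ip, rrep, verdict))
        return verdict


def run_demo(check_freshness=True):
    """Constructed topology: one destination, four testees probed at t=100."""
    dest = Destination("10.0.0.9")
    testees = [
        MeshRouter("10.0.0.2", routes={"10.0.0.9"}),                  # honest, has a route
        MeshRouter("10.0.0.3", blackhole=True),                       # blackhole from the start
        MeshRouter("10.0.0.4"),                                       # honest, no route: sends no RREP
        MeshRouter("10.0.0.5", routes={"10.0.0.9"}, blackhole=True),  # forwarded earlier, now drops
    ]
    dest.receive("10.0.0.5", now=5)      # stale cache entry left by 10.0.0.5 before it turned
    honeypot = Honeypot("10.0.0.1")
    verdicts = {t.ip: honeypot.probe(t, dest, 100, check_freshness) for t in testees}
    return verdicts, honeypot.blacklist


if __name__ == "__main__":
    for ip, verdict in run_demo()[0].items():
        print(ip, verdict)
```

With check_freshness=False the verdict rests only on whether the information field is empty, and the stale cache entry for 10.0.0.5 lets that router pass as good.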


5 Performance analysis

In this section, we study the performance of our proposed detection of a blackhole attack using honeypots as detection agents with the simulations performed in ns-2 [26]. We use the same scenario described in Sect. 3. Although the honeypot can be run on top of any underlying protocol, we choose AODV (Ad hoc On-Demand Distance Vector routing) as the routing protocol. We start flows from the clients that are being serviced by the MRs. The IEEE 802.11 standard is used for the channel arbitration, with the transmission range and channel capacity set to 250 m and 11 Mbps, respectively. The total simulation time is set to 150 seconds. We generate the UDP flows from each MR. We use the 7 × 7 nodes mesh topology for our simulation of grid topology and 49 randomly distributed MRs, all distributed in an area of 1500 × 1500 meters for random topology. We compromise about 20% of the network, observe the effect of a blackhole attack on the network, and calculate the throughput of the network. We evaluate the network performance based on the following detection metrics:

• True Positives (TP): Number of times an alert is raised when an attack is present.
• False Negatives (FN): Number of times an alert is not raised when an attack is present.
• False Positives (FP): Number of times an alert is raised, but an attack is not present.
• True Negatives (TN): Number of times no alert is raised when no attack is present.

The performance of our scheme is based on the TPR (True Positive Rate) and FPR (False Positive Rate). We define both TPR and FPR as:

TPR: This is the ratio of the number of alerts when there is an attack to the total number of attacks. The mathematical expression for TPR is as follows: TPR = TP/(FN + TP).

FPR: This is the rate at which a good MR is detected and reported as a compromised MR. The mathematical expression is: FPR = FP/(TN + FP).

5.1 Instantaneous throughput of WMN with scheme

First, we illustrate the effect of the blackhole attack on the WMN for various flows. We initiate and observe the instantaneous throughput for the flows both for the random and the grid topologies. Finally, we compare the instantaneous throughput of both topologies in the network when our proposed scheme is incorporated. We randomly choose one of the nodes as a malicious blackhole node which attracts all the network traffic towards itself by advertising as the nearest route (highest sequence number and shortest hop count). We start a set of flows at different MRs and observe the throughput of each flow in the presence of blackhole nodes. From Fig. 11 and Fig. 12, we can observe improvements in the instantaneous throughput for the grid topology and the random topology due to the implementation of the scheme. We observe that for the case when the proposed scheme is not implemented, the instantaneous throughput of the flows reduces due to the presence of blackhole MRs. Throughput of the attack flow is very low when compared to the other flows in the network when we implement the proposed honeypot based detection scheme as shown in Fig. 9.

Fig. 11 Instantaneous throughput of the flows with our scheme for Grid Topology

Fig. 12 Instantaneous throughput of the flows with our scheme for Random Topology

5.1.1 Grid Topology

The traffic flow, Flow-1, has a throughput of 100 kbps, which is an improvement over the default case. Flow-2 has a throughput of 200 kbps, and Flow-3 has a throughput of 300 kbps. Due to the implementation of our scheme, the attack flow has the minimum throughput of all the flows in the network. It can also be seen that the instantaneous throughput of other flows improves when compared to the case when the scheme is not implemented. The instantaneous throughputs of the network in the case when no scheme is implemented for grid topology are 105, 40, and 60 kbps for Flow-1, Flow-2, and Flow-3, respectively. The other flows like Flow-1, Flow-2, Flow-3 have increased instantaneous throughputs when the proposed scheme is implemented. The attack flow throughput has been reduced when the proposed scheme is implemented. From Fig. 11, we can observe that the instantaneous throughput for the attack flow is very small when compared to the other flows. This suggests that the scheme detects and removes the blackhole nodes properly. However, we show that the proposed scheme has high detection rates.


5.1.2 Random Topology

The traffic flow, Flow-1, has a throughput of 100 kbps, which is an improvement over the default case. Flow-2 has a throughput of 210 kbps, and Flow-3 has a throughput of 300 kbps. It can be observed that due to the implementation of our scheme, the attack flow has the minimum throughput of all the flows in the network. The instantaneous throughput of other flows has improved when compared to the case when the scheme is not implemented. The instantaneous throughputs of the network with no scheme implemented for the random topology are 100, 60, and 40 kbps for Flow-1, Flow-2 and Flow-3, respectively. When the proposed scheme is implemented, the flows Flow-1, Flow-2, Flow-3 have increased instantaneous throughputs, and the attack flow throughput has been reduced. In Fig. 12, we observe that the instantaneous throughput for the attack flow is very small when compared to the other flows. This suggests that the scheme detects and properly removes the blackhole nodes.

It can be deduced that there is no major difference in the highest instantaneous throughputs of the random and the grid topology when our scheme is implemented because the honeypot effectively detects the blackhole MRs, even though there is a change in the topology. However, there is a difference in the instantaneous throughput from grid topology as the connectivity issue comes into play. The instantaneous throughput of each flow increased when our intelligent honeypots were deployed as software agents in order to detect the blackhole MRs in the network, thereby removing the blacklisted blackhole MRs in the network. The detected blackhole MRs are blacklisted, and then we suspend any activities to and from the blackhole MRs. We then pass a message to the IGW and also to the Internet Service Provider (ISP), and then isolate and effectively remove the detected blackhole MRs from the mesh network.

5.1.3 Random vs Grid

It is observed that both topologies have almost equal throughputs when the scheme is implemented. It shows that even a change in the topology does not affect the performance of the scheme with the honeypot. But there is a major difference between the two topologies. However, the connectivity between MRs in the network topology comes into the picture when we consider a random topology. Due to random deployment of MRs, the connectivity between MRs varies due to radio signals between them. Due to wireless connectivity between MRs, there can be link breakages between MRs. Then, there is a need for the route discovery phase of AODV to be initiated and for the selection of a route where the packets can be transmitted properly to the destination. This route discovery process of the AODV protocol could cause some time delay, and this could reduce the throughput at some time instances. This does affect the instantaneous throughput as is shown in Fig. 13. Figure 13 gives an idea about the two different topologies considered in our work. The instantaneous throughput of the random topology is smaller at some instances as time is consumed in the route discovery phase by the AODV protocol due to link breakages between MRs. Figure 13 shows a comparison of the instantaneous throughput when the scheme is implemented for both the grid and the random topologies.


Fig. 13 Instantaneous throughput of the flows with our scheme for Random and Grid

Fig. 14 Aggregate throughput of the network with the scheme and without scheme for Grid Topology

5.2 Aggregate throughput

5.2.1 Grid Topology

From Fig. 14, we observe that in the default case, the aggregate throughput of the network is 20%, even in the presence of 5% of blackhole nodes in the network. As the percentage of blackhole MRs in the network increases, the aggregate throughput decreases. When we observe the aggregate throughput of the network in the presence of 20% of malicious blackhole MRs, the total network throughput reduces to 5%. But when our scheme is applied, the aggregate throughput of the network increases as seen in Fig. 14. The achieved aggregate throughput of the network is almost 100% when 5% of the network MRs are malicious blackholes. As the percentage of blackhole MRs increases from 5% to 20%, the aggregate throughput is observed to decrease from 100% to approximately 80%. The increase in the network aggregate throughput is approximately 75%, a remarkable achievement of the proposed scheme.

5.2.2 Random Topology

We can see from Fig. 15 that the aggregate throughput of the network is 20% of the entire throughput, even in the presence of 5% of blackhole nodes in the network. This is due to the fact that as the percentage of blackhole MRs in the network increases, the aggregate throughput decreases. The aggregate throughput of the network in the presence of 20% of malicious blackhole MRs is less than 5% of the total network throughput. But when our scheme is applied, the aggregate throughput of the network increases as seen in Fig. 15. When 5% of the network MRs are malicious blackholes, the aggregate throughput is almost 97%, which means that our scheme is almost perfectly detecting the 5% of malicious MRs. It can be observed that as the percentage of compromised MRs increases from 5% to 20%, the aggregate throughput in the network decreases from 97% to 76%. But the aggregate throughput is not as low as that of the network throughput without our scheme. When the scheme is implemented, the network aggregate throughput decreases because of the number of deployed detection agents. This is due to the fact that as the percentage of the malicious blackhole MRs increases, the number of roaming honeypots needs to be increased in order to detect the malicious MRs. However, with the scheme that is being used in the network, the aggregate throughput increases with the same number of compromised nodes. Thus, we can state that our scheme increases the overall throughput of the network by a considerable amount varying from 70% to 80%.

Fig. 15 Aggregate throughput of the network with the scheme and without scheme for Random Topology

5.2.3 Aggregate throughput in Random vs Grid

In Fig. 16, we observe the aggregate throughput of the grid and the random topology with and without our scheme. In Fig. 15, the aggregate throughput of the grid topology seems to be high in both schemes. The aggregate throughput of the random topology without scheme varies from 18% to 7% as the percentage of blackhole MRs increases from 5% to 20%. For the grid topology, the aggregate throughput varies from 20% to approximately 10% as the percentage of blackhole MRs increases from 5% to 20%. It can be observed that the aggregate throughput has been increased considerably when the proposed scheme of honeypots is applied for both the grid and the random topologies. From Fig. 16, we can observe that the aggregate throughput of the random topology varies from 96% to 85% as the percentage of blackhole MRs is increased from 5% to 20%. In the grid topology, the aggregate throughput of the network varies from almost 100% to 90% as the percentage of blackhole MRs increases from 5% to 20%.

Fig. 16 Aggregate throughput for Random and Grid Topology

5.3 TPR and FPR Variation

We study the effect of our scheme in the presence of blackhole attacks and observe the TPR (True Positive Rate), i.e., the number of times when a correct malicious MR in the network is reported and an alarm is raised. The simulation is done by increasing the percentage of the number of malicious blackhole MRs in the network.

5.3.1 Grid Topology

Figure 17 shows that when the number of network attackers has been increased from 5% to 20%, the TPR falls from 100% to approximately 87%. This shows that the scheme is detecting almost all the network attackers even when the number of attackers has been increased. The number of false alarms is very small when there are few attackers. But, as the number of attackers is increased, the FPR also increases. The graph in Fig. 17 proves that the proposed honeypot based detection scheme has a very high TPR (100%) and a low FPR (23%) for a grid topology.

Fig. 17 TPR vs FPR variation in Grid Topology

Fig. 18 TPR and FPR variation in Random Topology

5.3.2 Random Topology

It can be observed from Fig. 18 that in the random topology the malicious MR is correctly reported, and the TPR for 5% of blackhole MRs in the network is about 99.56%. If only a few of the MRs are malicious, our honeypot based detection system accurately detects them with a high TPR of 99.56% even for the random topology. We see that with our scheme, when the percentage of malicious blackhole MRs increases, the TPR decreases. For 20% of the malicious MRs in the network the TPR is around 85%. This is because, as the number of compromised nodes in the network increases, the probability of a malicious MR being detected becomes low with the same number of honeypot detection agents. We need to deploy more detection agents, thereby increasing the total cost. We see in Fig. 18 that the FPR (False Positive Rate), i.e., the number of times an alarm is raised when an innocent MR is reported as a malicious MR, is very low in a random topology. In the case of 5% of malicious blackhole MRs present in the network, FPR is about 6% in the random topology. It can be observed that as the percentage of the malicious MRs in the network increases to 20%, the FPR increases to 24.6%. This means that a honeypot detection agent reports an innocent MR as a malicious MR and raises the alarm as the percentage of the blackhole MRs in the network increases, and the detection agent may not be able to detect the malicious MR.

From Fig. 17 and Fig. 18, it can be easily said that the proposed intelligent honeypot based detection scheme has a very high TPR (100%) and a low FPR (23%) for the grid topology, and a high TPR (99.56%) and a low FPR (24.6%) for random topology. There is a slight difference in the detection rate due to the delay in the initiation of route discovery during link breakages in the random topology. Thus, the proposed scheme detects malicious attackers efficiently in both topologies.

5.4 ROC curve

We next study the Receiver Operating Characteristics (ROC) curve (TPR vs. FPR). The ROC curve reflects the tradeoffs in the sensitivity of the detection algorithm.

5.4.1 Grid Topology

Figure 18 shows the ROC curve for the grid topology in our detection scheme. We observe that in our scheme, very few normal instances are misclassified as anomalies (as seen by 0 FPR value) and all attack instances are correctly identified as intrusions (as seen by the high TPR value close to 1). We observe that when our scheme is implemented on the grid topology, very few innocent MRs are reported as malicious MRs as seen from the value of 0.05 of the FPR. It can be observed that all the compromised blackhole MRs are correctly detected and reported as seen from the value of the TPR which is very close to 1. The False Positive Rate is defined as the number of good MRs detected and reported as blackhole attackers in the network. This is the misclassification of blackhole attackers in the network. Similar low FPR vs. high TPR values can be observed by varying the percentage of the number of malicious blackhole attackers in the system.

Fig. 19 TPR vs FPR for Grid Topology

5.4.2 Random Topology

Figure 20 shows the ROC curve for our proposed detection scheme for the random topology. We observe that in our scheme, very few MRs are reported as malicious MRs as seen from the value of 0.06 of the FPR, and all the compromised blackhole MRs are correctly detected and reported as seen from the value of the TPR which is very close to 1. Similar low FPR vs. high TPR values can be observed by varying the percentage of the number of malicious blackhole attackers in the system.

Fig. 20 TPR vs FPR for Random Topology

5.4.3 ROC curve for Random vs Grid

From Fig. 21, we can observe the Receiver Operating Characteristics of both the random and the grid topologies. We can observe that there is a slight difference between the TPR and FPR rates for the two topologies. The ROC curve is observed to have TPR of about 1 and FPR of 0.05 for the grid topology. The ROC curve for the random topology is observed to have TPR of about 1 and FPR of about 0.06. In both topologies, very few innocent MRs are reported to be malicious MRs and all the compromised blackhole MRs are correctly detected and reported as seen from the values of the TPR which are very close to 1 and of the FPR which are 0.05 and 0.06 for the grid and the random topologies, respectively. However, there is a difference in the ROC curves of the two topologies, and it is due to the delay obtained during the route discovery of the link breakages. The difference between the two topologies is considered to be minimal, and both topologies provide good performance when our proposed scheme is incorporated.

Fig. 21 ROC curve for Grid and Random Topology

Figures 22a and 22b demonstrate the detection ability of our system when the number of malicious MRs generating malicious RREQ is increased in both topologies. Even if only a few of the MRs are malicious, we see that our honeypot based model accurately detects them with a high TPR of 98% and almost close to 100% detection rate for a largely compromised network. Similarly, Figs. 23a and 23b show the FPR for various numbers of good MRs. A large number of good MRs implies that very few MRs are compromised. It can be seen that the maximum value of the FPR is within 23% and 24.56% for a largely compromised WMN in the grid and the random topologies, respectively. We also see that as the attack rate increases, the FPR increases, indicating that a small percentage of false alarms would be raised from time to time. Both graphs prove that the proposed honeypot based system has a very high TPR (100%) and a low FPR (23% to 24%) in both topologies. The proposed IDS thus detects malicious blackhole MRs accurately and efficiently.

Fig. 22a TPR under varying number of misbehaving MRs for Grid Topology

Fig. 22b TPR under varying number of misbehaving MRs for Random Topology

Fig. 23a FPR for varying number of well behaving nodes for Grid Topology

Fig. 23b FPR for varying number of well behaving MRs for Random Topology

6 Conclusion

In this paper, we propose an intelligent honeypot based system to detect blackhole attackers in WMNs for the considered topologies. We model the detection mechanism of malicious blackhole attackers using a honeypot as a detection agent. The blackhole attack severely affects the performance and other criteria of the WMNs and the honeypot based detection system raises a timely alert of an attack occurrence. Through extensive simulations, we demonstrate that our honeypot based detection model has a high detection rate and a low false positive rate. As a part of our future work, we plan to use honeypot detection agents to detect other attacks. We also plan to use the WCETT (Weighted Cumulative End-To-End Delay) as a routing technique to detect the blackhole attackers in the WMNs.

References

1. Agrawal DP, Zeng Q-A (2006) Introduction to wireless and mobile networks, 2nd edn. Brookes Cole Publishing, Pacific Grove

2. Akyildiz IF, Wang X (2005) A survey on Wireless Mesh Networks. IEEE Commun Mag (Sept)
3. Ben Salem N, Hubaux JP (2006) Securing Wireless Mesh Networks. IEEE Wirel Commun (Apr)
4. Bhargava S, Agrawal DP (2001) Security enhancements in AODV protocol for wireless ad hoc networks. In: IEEE vehicular technology conference, VTS 54th, vol 4, pp 2143–2147
5. Campista MEM, Esposito PM, Moraes IM, Costa LHMK, Duarte OCMM, Passos DG, Albuquerque CVN, Saade DCM, Rubinstein MG (2008) Routing metrics and protocols for Wireless Mesh Networks. IEEE Commun Mag 22(1):6–12
6. Cordeiro C, Agrawal DP (2006) Ad hoc and sensor networks: theory and application. World Scientific, Singapore
7. Deng H, Li W, Agrawal DP (2002) Routing security in wireless ad hoc network. IEEE Commun Mag 40(10)
8. http://www.earthlink.net (2011)
9. Hu Y, Perrig A, Johnson DB (2002) Ariadne: a secure on-demand routing protocol for ad hoc networks. In: Proc of ACM Mobicom, pp 12–23
10. Hu Y, Johnson DB, Perrig A (2003) SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks. Ad Hoc Netw 175–192
11. Huang Y-A, Lee W (2003) A cooperative intrusion detection system for ad hoc networks. In: Proceedings of 1st ACM workshop on ad hoc and sensor networks, pp 135–147
12. Karakehayov Z (2007) Security–lifetime tradeoffs for wireless sensor networks. In: Emerging technologies & Factory automation, ETFA, IEEE, Sept 2007, pp 246–250
13. Karlof C, Wagner D (2003) Secure routing in wireless sensor networks: attacks and countermeasures. In: First IEEE international workshop on sensor network protocols and applications (SNPA 03), May 2003, pp 113–127
14. Khattab S, Melhem R, Mosse D, Znati T (2006) Honeypot back-propagation for mitigating spoofing distributed Denial-of-service attacks. J Parallel Distrib Comput 66:1152–1164
15. Nandiraju D (2009) Efficient traffic diversion and load balancing in wireless mesh networks. Ph.D. Dissertation, University of Cincinnati
16. Nandiraju N, Nandiraju D, Santhanam L, He B, Wang J, Agrawal DP (2007) Wireless mesh networks: current challenges and future directions of web-in-the-sky. IEEE Commun Mag 14(4):2–12
17. Network Simulator (NS-2) (2011) http://www.isi.edu/nsnam/ns/index.html
18. Ning P, Sun K (2005) How to misuse AODV: a case study of insider attacks against mobile ad hoc routing protocols. Ad Hoc Netw 3(6):795–819
19. Ramaswamy S, Fu H, Sreekantaradhya M, Dixon J, Nygard K (2003) Prevention of cooperative black hole attack in wireless ad hoc networks. In: Proceedings of the international conference on wireless networks, June 2003
20. Ruiz J-C, Friginal J, Andres D, Gil P (2011) Blackhole attack injection in ad hoc networks. In: Fault tolerance systems group (GSTF). http://www.ece.cmu.edu/~koopman/dsn08/fastabs/dsn08fastabs_ruiz.pdf
21. Santhanam L (2008) Integrated security architecture for Wireless Mesh Networks. Ph.D. Dissertation, University of Cincinnati, Mar 2008
22. Santhanam L, Mukherjee A, Bhatnagar R, Agrawal DP (2007) A perceptron based classifier for detecting malicious route floods in Wireless Mesh Networks. In: 3rd Intl conference on wireless and mobile communications, Guadeloupe, French Caribbean, 4–9 March, 2007
23. Santhanam L, Nandiraju N, Yoo Y, Agrawal DP (2006) Distributed self-policing architecture for fostering node cooperation in Wireless Mesh Networks. In: Personal wireless communication, Sept 20–22, Spain. Lecture notes in computer science, vol 4217/2006. Springer, Berlin, pp 147–158
24. Shurman MA, Yoo S-M, Park S (2004) Blackhole attack in mobile ad hoc networks. In: Proceedings of ACM of 42nd annual south-east conference regional conference, pp 96–97
25. Spitzner L (2003) The honeynet project: trapping the hackers. IEEE Secur Priv Mag 1(2)
26. The Honeynet Project (2011) http://www.honeynet.org/