1 Introduction

With the quick growth in wireless network, ad hoc networks have appeared in multiple forms. These networks act in the license-free frequency band and do not require any investment in infrastructure, making them yummy for military and selected commercial applications. Nevertheless, there are many unsolved questions in ad hoc networks. The open medium characteristics of MANETs such as changing topology, approximately no central monitoring, cooperative algorithms and no clear defense approach had made MANETs to be very delicate to various attacks. Furthermore, the use of wireless links in a MANETs generates the feasibility of link attacks from passive eavesdropping to active impersonation, message distribution and message falsification [1,2,3,4,5,6]. The information security principles could be easily compromised with eavesdropping that might give a malicious access to secret information. Other security principles of availability, integrity and authentication could be rejected by an active attack, which would be able to delete data, inject erroneous messages and impersonate a node [2]. One of the most dangerous attacks in MANETs is the wormhole attack. In wormhole attack, an attacker node captures packets from one position in the MANETs and tunnels them to another attacker node at a distant point, which replays them locally. The tunnel can be established in many different methods, e.g., via an out-of-band channel, a packet encapsulation or a high-powered transmission. This makes the tunneled packet arrive either quickly or with a smaller number of hop counts compared to the packets sent over ordinary multi-hop routes. This establishes the delusion that the two ends points of the tunnel are very close to each other [7,8,9]. As a result, these attacker nodes are captivated in the route between the source and the destination node; therefore, they can do many types of sabotages such as packet dropping and manipulating. Figure 1 shows an example of wormhole attack. Attacker nodes w1 and w2 are connected by an out-of-band channel, which they use to tunnel network data from one end of the network to the other.

Fig. 1
figure 1

MANETs with wormhole attack

Full size image

This paper employs fuzzy logic and AIS technique to design an AODV-based routing protocol, which is robust against wormhole attacks. DAWA (proposed approach) is implemented in the NS-2 simulator to evaluate its performance. The rest of this paper is organized as follows. Section 2 presents the preliminaries of the research. In Sect. 3, we present the related works around the defense approach against wormhole attack, and Sect. 4 brings details of the DAWA. Performance evaluation parameters and simulation results are introduced in Sect. 5. Finally, we present our conclusions in Sect. 6.

2 Preliminaries

In this section, we provide a brief review over some basic issues such as the wormhole attack, AIS and the fuzzy logic system.

2.1 Types of wormhole attacks

In the literature [10,11,12,13], wormhole attacks are categories based on its implementation and the medium used.

2.1.1 Implementation-based classification

Based on the implementation method, wormhole attacks can be classified into the following types: encapsulation method, out-of-band channel method and high-power transmission method.

2.1.1.1 Encapsulation method In this method, there are many nodes that are preoccupied along the route (nodes along the path may or may not be aware of wormhole attack) between w1 (attacker 1) and w2 (attacker 2). The packet is encapsulated at the both nodes and travels the route in encapsulated form, hence avoiding the increase in hop count. The attacker’s w1 and w2 in this scenario are not connected directly to each other, but make the other nodes feel that they are directly connected. The packets are transmitted using a virtual tunnel between w1 and w2. Once successfully launched, all paths will include a channel that will comprise of the link between the w1 attacker and w2 attacker.

2.1.1.2 Out-of-band channel method The attacker nodes are directly connected via a high-bandwidth out-of-band channel. The channel can be achieved by a wired connection or using a wireless channel which is long range and directional. Due to the requirement of extra hardware, it is difficult to launch but provides an ease because it will not need any encapsulation or decapsulation since the attackers are directly connected.

2.1.1.3 High-power transmission method This particular type of wormhole is launched from two attacker nodes that have a high-power transmission capability.

2.1.2 The medium used

Wormhole attacks can be also categorized as an in-band channel and out-of-band channel as shown in Fig. 2a, b, respectively.

2.1.2.1 In-band channel wormhole attack Attackers are using the same medium for creating a link between them, e.g., encapsulation, packet relay and protocol deviations. Our DAWA approach focuses on detection of this type of wormhole attacks.

2.1.2.2 Out-of-band channel wormhole attack Attackers are not using the same medium as normal network nodes, e.g., out-of-band channel and high transmission mode.

Fig. 2
figure 2

Two possible implementation methods of wormhole attacks. a Out-of-band channel. b In-band channel

Full size image

2.2 Artificial immune system

The human immune system (HIS) is a rather complicated mechanism that is capable of defending humans against a wonderful set of unessential pathogens. This mechanism is exceptionally efficient, mostly, in discriminating between self- and non-self-antigens. A non-self-antigen is anything that can initiate an immune response; examples are a bacteria or attacks. The opposite of non-self-antigens are self-antigens; self-antigens are human organism’s own cells [14]. Artificial immune system (AIS) is adaptive systems inspired by theoretical immunology and observed immune systems, principles that are applied to complex problem domains. Different areas of authors attempt to build a bridge between immunology and engineering by using the approaches of mathematical and computational approaches of immunology. The basic of AIS is rooted in the early theoretical work of Farmer et al., Perelson and Varela et al. [15,16,17]. It was first proposed in the mid-1980s and became a subject of its own in mid-1990s. AIS aimed to find efficient abstractions of processes in the immune system [18]. By carefully reviewing the efficient natural approach, a number of computer scientists proposed artificial immune-based computer models to solve different problems ranging from attacks detection, fault analyzing to clustering. Authors played an important role in crossing the divide between computing and immunology. Bersini and Forrest did many basic works rooted from immunology and their works formed a solid foundation of the area of artificial immune system. With regard to Bersini, he was focusing on the basic theory of immune network and examining how the immune system maintained its memory and how to build a model to mimic that progress. Moreover, for Forrest, she was focusing on the application region of the artificial immune system. She proposed the idea of introducing the immune system into the computer security region by using its ability to distinguish between self and non-self [15].

2.2.1 Learning

The flow of T-cells maturation in thymus gland is used as an inspiration for learning in artificial immune system (AIS). The maturation of T-cells (detectors) in thymus gland is a result of pseudorandom flow. After a T-cell is created (Fig. 3), it undergoes censoring flow named negative selection (NS). During negative selection, T-cells that bind self are destroyed. Remaining T-cells are introduced into the body. The recognition of non-self is then done by simply comparing T-cells that survived negative selection with a suspected non-self. This process is depicted in Fig. 4. It is possible that the self-set is incomplete, while a T-cell matures (toleration period) in the thymus gland. This leads to generating T-cells that should have been removed from the thymus and can cause an autoimmune reaction, i.e., it leads to false positives (FP).

Fig. 3
figure 3

T-cell (detector) generation by random generate and test process [17]

Full size image
Fig. 4
figure 4

Recognizing non-self is done by matching T-cells (detectors) with non-self-antigens (new strings) [17]

Full size image

2.3 Fuzzy logic system (FLS)

In the year 1965, fuzzy logic system (FLS) was presented by Lotfi A. Zadeh, as a form of reasoning, derived from fuzzy set theory. The fuzzy logic variables have a truth value that ranges between 0 (False) and 1 (True) [19]. These truth values can be used to specify how the brakes should control. Linguistic variables are the input and output variables of the system that is separated into a set of linguistic terms. For example, if milk filthiness is a fuzzy variable, then linguistic variables such as clean, almost clean, dirty and normal. Fuzzy logic system is shown in Fig. 5.

Fig. 5
figure 5

Fuzzy logic system

Full size image

3 Related works

Defense against wormhole attacks has received considerable attentions in the literature. Teotia et al. [20] proposed a novel wormhole detection approach for MANETs that includes the COTA flooding in the direction of the destination node. When a source node S wants to send packets to a destination node D, it first finds the so-called expected zone and request zone in order to discover the route to the destination node. All the neighboring nodes that fall in the request zone receive the RREQ from the source or any intermediate node. Then, the RREQ is forwarded to all the neighbors. This process is continued until the RREQ packet achieves the destination node. Once the route is discovered, the S node sends the data on the discovered route.

Lu et al. [21] proposed the method that first attempt toward creating a graph theoretical approach, called Worm Planar, that just utilizes localized connectivity information and is capable of capturing the global require symptoms of wormholes directly in the wireless networks. Worm Planar acts position-free network planarization approach to done connectivity-based wormhole detection. This design makes a successful attempt to detect wormholes by capturing the global symptoms of wormholes directly in the wireless networks. Worm Planar leverages the network planarization approach and works in a distributed method with solely relying on the network connectivity information.

Amish et al. [22] proposed a wormhole detection approach to detect the wormhole attacks. However, their scheme does not rely on any special hardware. All they have done is calculated the round trip time (RTT) of every route to calculate threshold RTT. When the source node (S) broadcasts an RREQ packet note time t1 and when the corresponding RREP packet is received by the source, again note the received time of the packet. If multiple RREP packets received, which means there is more than one route available to the destination node (D), then note the corresponding times \( {T}_\mathrm{2-{ i}}\) of each RREP packet. By using the above two values, one can calculate the round trip time \( {T}_\mathrm{3-{ i}}\) of the established route or routes [23]. Take RTT of each route \( {T}_\mathrm{3-{ i}}\) and divide it by respective hop count. Calculate the average RTT of all the routes with the help of this value say \( {T}_{\textit{s}-{ i}}\) . The value obtained is threshold \(\hbox {RTT}_{\mathrm{tth}}\). After comparing the threshold value with each RTT \( {T}_{\textit{s}-{ i}}\) , if the total RTT \( {T}_{\textit{s}-{ i}}\) is fewer than threshold \(\hbox {RTT}_{\mathrm{tth}}\) and hop count of that particular \(i\mathrm{th}\) route is equal to two, then wormhole link is existing in that route else no wormhole link present in that route. Since wormhole link spotted in that route, sender detects first neighbor node m1 as wormhole node and sends false RREQ packet via that route i and neighbor m1. At the destination end, receiver receives false RREQ packet from its neighbor’s m2 and detects neighbor m2 as wormhole node. Routing inputs for m1 and m2 are deleted from the source node and broadcast to other nodes. Thus, wormhole-affected link is shut off and is no more used. So from the next time when a source node needs a route to that destination node, first it checks in the routing table in the route established phase for a route and it will come to know that the route is having wormhole link and it will not take that route; instead, it will take another route from the routing list of the source node which is free from wormhole link if available. Benefit of using AOMDV protocol in our proposed approach is that it has less overhead and end-to-end delay.

In [24] proposed an approach for defending against wormhole attack in MANETs environment using NS-2 simulator with AODV routing protocol. It is based on the Hash based Compression Function (HCF) algorithm, which is really using any hash function to calculate a value of the hash field for RREQ packet.

DAWN mechanism [25] proposed a local information-based scheme to detect wormhole attacks that use network coding system. DAWN is a distributed detection algorithm against wormhole node in wireless network, by tracking the change in the flow directions of the innovative packets affected by wormhole nodes. The approach rigorously proves that DAWN guarantees a good lower bound of successful detection rate (DR). They find that the robustness belongs on the node density in the wireless networks, and prove a necessary condition to get collision resistance. DAWN does not rely on any position information, special hardware. It is only based on the local information that can be achieved from regular wireless network coding protocols and thus does not introduce any overhead by extra test messages.

A hash-based compression function (HCF), intrusion detection solution against the wormhole and black hole attack in MANET is proposed in reference [26] by Patidar et al. However, their scheme preoccupies the use of a counter for specifying correct AODV routing behavior and individual nodes monitor the routing behavior of their neighbors for detecting run-time violation of the specifications. Moreover, one additional field, count in the RREP message, is proposed to enable the monitoring. Another important modification is that RREP packets are broadcasted as opposed to unicast to the source in normal AODV.

Tan et al. [27] has proposed temporal packet leashes and geographic packet leashes to prevent wormhole attack in MANETs. In temporal packet method, accurate clock synchronization (ACS) is used to limit the propagation time of packets. In geographic leashes method, loose clock synchronization (LCS) and position information are used to limit the migration distance of packets. However, the clock synchronization (CS) and position information (PI) must be obtained via extra hardware (e.g., GPS or other positioning systems) [28,29,30]. In addition, both theirs are required to add authentication information to each packet, which takes up large amounts of storage.

An AODV-based wormhole attack detection solution (Delphi) in MANET is proposed in Reference [31] by Chiu et al. In these schemes applied a multi-path approach and recorded the delay and hop counts in transmitting RREQ and RREP (actually named DREQ and DREP in Delphi method) through the paths. In this method, the average time taken by each hop count can be calculated. In the case of a path subjected to wormhole attacks, the delay would be obviously longer than a normal path with the same hop count (i.e., the wormhole nodes may have a heavy load, and therefore, packet processing is slow). Hence, the path with longer delays would not be selected to transmit data packet and wormhole nodes could be avoided.

Because multi-path routing is vulnerable against wormhole attacks, a scheme called statistical analysis of multi-path (SAM) [32] has been proposed to detect malicious nodes. Due to tunneling by wormhole nodes, the number of hops of the path with wormhole nodes appears to be smaller than normal paths. Thus, the routing path with the wormhole nodes is more attractive to routing discovery of the sources. Through statistics calculation of the relative frequency of each routing path, the path that has the biggest relative frequency is identified as the path with the wormhole nodes. However, the drawback is that, in non-multi-path routing protocol, e.g., AODV, this proposal cannot work.

Su et al. [33] proposed a secure-based routing protocol (S-AODV) on the AODV routing protocol wormhole defending routing protocol. Based on the characteristic that wormhole nodes can easily grab the route from the source node to destination node, S-AODV enables the neighbors of the attacker nodes to discover that the wormhole nodes have abnormal path attractions. S-AODV does not require any hardware. It considers link-disjoint multi-paths during path discovery and provides greater path selections to avoid attacker’s nodes, but eventually uses only one route to sending data. Then, the attacker nodes would be gradually isolated by their normal neighboring nodes and finally be quarantined by the whole network. However, some nodes may be misjudged to be wormhole nodes because they are located at the key positions of connectivity within the MANETs.

Su et al. [34] proposed a method to detect wormhole attacks. This method is a modification of the [35] routing protocol and can only defend against in-band channels of wormhole attacks. Their method calculates the average time in transmitting RREQ through normal nodes so that a normal node can distinguish particularly long duration in transmitting a RREQ when malicious nodes executing in-band wormhole attacks.

4 Proposed approach

In this section, we design a wormhole-immune routing protocol by jointly employing the fuzzy logic and the artificial immune system.

4.1 Phase 1: Fuzzy approach to select high-performance routes

Before considering the security, we take into account the performance problem and follow a fuzzy logic approach to select some high-performance routes from among all possible routes between the source and the destination. For this purpose, we use three parameters i.e., residue energy (RE), distance between the source node and the destination node (D) and hop count (HC) to differentiate high-performance routes from others. As shown in Fig. 5, the three major processes of fuzzy inference system are the fuzzification, the fuzzy inference and the defuzzification [29, 30].

4.1.1 Step 1: Inputs fuzzification

As mentioned above, the three inputs to be fuzzified are the distance, residue energy and hop count. We use terms of ‘Low,’ ‘Medium’ and ‘High’ to fuzzify the residue energy, hop count and distance. Output of our fuzzy system is a set of fuzzy variables, called ‘fuzzy route priority.’ These variables give the fitness of any route in terms of performance. To increase the precision of our design, we consider 9 levels for our ‘fuzzy route priority’ variables which are Very Low (LL), Low Medium (LM), Low High (LH), Medium Low (ML), Medium (MM), Medium High (MH), High Low (HL), High Medium (HM) and Very High (HH). The membership functions (hop count, residue energy and distance) are shown in Figs. 6, 7 and 8, and fuzzy route priority is as shown in Fig. 9. The linguistic set always the interval between zero and one.

Fig. 6
figure 6

Fuzzy member function for hop count

Full size image
Fig. 7
figure 7

Fuzzy member function for residue energy

Full size image
Fig. 8
figure 8

Fuzzy member function for distance

Full size image
Fig. 9
figure 9

Fuzzy member function for the fuzzy priority

Full size image

4.1.2 Step 2: Inference engine and knowledge base

Knowledge is a set of rules developed by an expert system. These rules connect inputs and outputs. The fuzzy rules are in the form of IF–THEN structure. The inputs are combined using the AND–OR operators. As an example, if hop count is low, residue energy is high, and if distance is low, then the fuzzy route value is HH (Very High). The fuzzy rules are given in Table 1.

4.1.3 Step 3: Defuzzification

There are many kinds of defuzzifiers, such as centroid, maximum, center of maxima and height defuzzifiers. We use the maximum defuzzifiers in our design. That is, the routes with the priority levels of HH, HM and HL are selected for the next step.

Table 1 Fuzzy rules for fuzzification
Full size table

4.2 Phase 2: Proposed AIS-based defense scheme against wormhole attack

In order to make computer networks intelligent, we can make use of existing knowledge in the nature. One of these systems is the artificial immune system inspired by the human’s immune system mechanism, which is an effective solution for convoluted predicaments in computer networks, such as in misbehavior detection or various attacks. In AODV routing protocol, once the first RREP is received by the source node, the packets will be transmitted to the destination node. This shortest route path approach disregards route’s security. In this paper, we do not send immediately packets toward the destination node, upon the first RREP reception. Rather, source node considers entire received RREPs and then selects the most secure route by using the artificial immune system. The main idea of this approach comes from the human being immune system, where antibodies are trained to detect and eliminate malicious antigens. To this end, the proposed approach develops and updates a set of conditions that could detect the routes infected by wormhole attackers and avoid from selecting them. As shown in Figs. 10 and 11, the proposed scheme has two different phases. In the first phase, as discussed in Sect. 4.1, the fuzzy logic is used to select the efficient routes and in the next phase, immune routes are selected among them by using AIS approach. Table 2 represents the mapping between human body and mobile ad hoc networks, considered in this paper. As shown in Fig. 11, the source, the destination and the intermediate nodes, each one, have their own behavior in our design.

Fig. 10
figure 10

Flowchart training of the detectors

Full size image
Fig. 11
figure 11

DAWA description by the state diagram approach. a The state diagram of the source node. b The state diagram of the intermediate and destination node

Full size image
Table 2 Mapping between AIS and MANETs
Full size table

AIS has a detection phase that is based on a continuous training process. In this research, the proposed training of the detectors consists of different elements: antibody (conditions set for confining malicious node), antigen (all candidate’s routes) and reject, match with self, match with non-self, completion of detector set, safety memory and hypermutation. Each of these elements will be explained in the following steps. The proposed approach has two steps: initialization and AIS-based learning.

4.2.1 Step 1: Initialization

In this step, each route that is introduced by a received RREP would be examined in terms of security. The variable that is used to detect malicious node is \(\textit{P}_{\mathrm{wh}}(\textit{r})\), which is called the route infection probability. The initial value of \(\textit{P}_{\mathrm{wh}}(\textit{r})\) is 0. To dynamically update of \(\textit{P}_{\mathrm{wh}}(\textit{r})\), a test packet will be sent over the route and the destination node should send a confirmation packet. Obviously, if a route has a malicious node, the test packet would not reach to the destination, and therefore, confirmation packet would not be received. In this case, the probability of being a malicious node in the route will be increased by 50 and otherwise will be decreased by 20. The test packet will be sent three times to increase accuracy of the initialization step. If \(\textit{P}_{\mathrm{wh}}(\textit{r})\) value of a route is larger than 50, the route is labeled as infected and if its value is lower than 50 the route’s will be sent to Phase 2.

4.2.2 Step 2: AIS-based detection

As mentioned, the wormhole attack shows hop count much lower than actual amount; so, in the case of having smaller hop count by a route, the probability of infection of this route would be increased. Therefore, the desirable route is a route, which based on Eq. (1) maximizes \(F_r \) indicator.

Definition 1

In practice, RSS is defined as a voltage measured by a receiver’s circuit. Often, RSS is equivalently reported as a measured power.

$$\begin{aligned} F_r\,\left( {\mathrm{RTT,\,RSS}} \right) =\left( {\frac{\mathrm{Max\,RTT}}{\mathrm{RTT\,Route}\,\textit{i}}} \right) +\left( {\frac{\mathrm{Received\,signal\,strength\,node}\,\textit{i}}{\mathrm{Max\,received\,signal\,strength}}} \right) \end{aligned}$$
(1)

Integrating step 1 and step 2, an indicator of the immune route is as Eq. (2):

$$\begin{aligned} \mathrm{Immune\,Route}=\left( {1-\textit{P}_{\mathrm{wh}}\left( r \right) } \right) \times \,F_r\,\left( {\mathrm{RTT,\,RSS}} \right) \end{aligned}$$
(2)

Algorithm (1) shows the training procedure of the detectors according to which antibodies are trained in such a way they can recognize the self-antigens and defend against non-self-antigen (wormhole attack).

figure a

Affinity As definition in AIS, antibodies (Ab), which have a greater degree for attaching to an antigen (Ag), will be selected as a superior antibody in comparison with other antibodies. In the DAWA, those routes are selected that have low round trip time and high received signal strength. Hence, the affinity is calculated by using Eq. (3):

$$\begin{aligned} \mathrm{Affinity}=\sum \nolimits _{i=1}^L \left| {\mathrm{Ab}_i \,-\mathrm{Ag}_i } \right| \qquad \hbox {where L is antibody and antigen length} \end{aligned}$$
(3)

Details about first and second features of antibody in the matching step First feature, RTT between source and destination; it calculates and justifies RTT for the entire received RREPs from the source to the destination node.

Definition 2

RTT is defined as the time between the moment in which a ‘HELLO’ packet is transmitted to neighbors and the moment in which the answer to respective ‘HELLO’ message is received. \(\hbox {RTT}_{\mathrm{avg}}\) is computed as follows:

$$\begin{aligned} \mathrm{RTT_{avg}}\,\left( i \right) =\,\left( {\mathrm{RTT_{avg}}\,\left( {i-1} \right) {\times }\,a } \right) +\,\left( {\left( {1-a} \right) {\times }\,\mathrm{RTT}_i} \right) \end{aligned}$$
(4)

Once source node receives each ‘HELLO’ answer, it updates average round trip time or \(\hbox {RTT}_{\mathrm{avg}}\). The initial value for variable a has been set to 0.875.

As the final step, we find those routes that their \({P}_{\mathrm{wh}}({r})\) are lower than 50, but they are immune, yet. Algorithm 2 is used for this purpose.

figure b

5 Performance evaluation

In this part, we evaluate the performance of the proposed approach (DAWA) in the problem of prevention wormhole attack.

5.1 Performance metrics

We conduct extensive simulations to evaluate the effectiveness and performance of our DAWA approach and compare it with COTA [20] and Worm Planar approaches [12]. We evaluate the drop packets rate (DPR), packet lost rate (PLR), packet delivery rate (PDR), false positive rate (FPR), false negative rate (FNR) and detection rate (DR).

5.1.1 Drop packet rate

As mentioned above, when the malicious node recives a packet, doesn’t forward the packet to the next hop. It drops the packet and send an Ack to the sender node. Thus, we can define DPR as shown in Eq. (5).

$$\begin{aligned} \mathrm{DPR}=\left( {\frac{\sum _{j=1}^n \mathrm{Number\,of\,dropped\,packets}}{\sum _{j=1}^n \mathrm{Number\,of\,dropped\,packets+sent\,packets}}} \right) \times 100 \end{aligned}$$
(5)

5.1.2 Packet loss rate

Packet loss occurs when one or more packets of data traveling across a computer network fail to reach their destination. Packet loss is typically caused by network congestion. Packet loss is measured as a percentage of packets lost with respect to packets sent. The lower value of the packet loss means the better performance of the protocol. The PLR is calculated using Eq. (6) as follows:

$$\begin{aligned} \mathrm{PLR}=\,\left( {\frac{\sum _{j=1}^n \mathrm{Number\,of\,sent\,packets}}{\sum _{j=1}^n \mathrm{Number\,of\,received\,packets}}} \right) \times 100 \end{aligned}$$
(6)

5.1.3 Packet delivery rate

Packet delivery rate is the ratio of the number of data packets delivered to the destinations to the number of data packets generated by the sources. This evaluates the ability of the protocol to deliver data packets to the destination in the presence of malicious nodes. Thus, we can define PDR as shown in Eq. (7).

$$\begin{aligned} \mathrm{PDR}=\,\left( {\frac{\sum _{j=1}^n \mathrm{Number\,of\,received\,packets}}{\sum _{j=1}^n \mathrm{Number\,of\,sent\,packets}}} \right) \times 100 \end{aligned}$$
(7)

5.1.4 False positive rate

False positive rate is defined as the ratio of a number of well-behaving nodes mistakenly detected as misbehaving nodes to the total number of well-behaving nodes. The FPR is calculated using Eq. (8) as follows:

$$\begin{aligned} \mathrm{FPR}=\,\left( {\frac{\mathrm{FP}}{\mathrm{FP+TN}}} \right) \times 100\, \end{aligned}$$
(8)
Table 3 Parameters used for simulation
Full size table
Table 4 AIS parameters
Full size table
Table 5 Comparison of packet delivery rate of DAWA, COTA and Worm Planar (misbehaving node ratio = 50% and time = 1000 s)
Full size table
Table 6 Comparison of packet loss rate of DAWA, COTA and Worm Planar (misbehaving node ratio = 50% and time = 1000 s)
Full size table
Fig. 12
figure 12

Comparing DAWA performance with COTA and Worm Planar. a Detection rate versus misbehaving nodes ratio. b Detection rate versus simulation times. c Packet delivery rate versus misbehaving nodes ratio. d Packet delivery rate versus simulation times

Full size image
Fig. 13
figure 13

Comparing DAWA performance with COTA and Worm Planar. a False positive rate versus misbehaving nodes ratio. b False positive rate versus simulation times. c False negative rate versus misbehaving nodes ratio. d False negative rate versus simulation times

Full size image
Fig. 14
figure 14

Comparing DAWA performance with COTA and Worm Planar. a Packet lost rate versus misbehaving nodes ratio. b Packet lost rate versus simulation times. c Drop packets rate versus misbehaving nodes ratio. d Drop packets rate versus simulation times

Full size image

5.1.5 False negative rate

The false negative rate is defined as the number of good nodes that were considered malicious by the trust system. The FNR is calculated by Eq. (9).

$$\begin{aligned} \mathrm{FNR}=\,\left( {\frac{\mathrm{TP+TN}}{\mathrm{All}}} \right) \times 100\quad \mathrm{where}\,\mathrm{All=TP+TN+FP+FN} \end{aligned}$$
(9)

5.1.6 Detection rate

Detection rate is defined as the ratio of a number of detected misbehaving nodes to the total number of actual misbehaving nodes. On the other hand, the detection rate is defined as the probability that all wormholes nodes are successfully identified. Thus, we can define DR as shown in Eq. (10).

$$\begin{aligned} \mathrm{DR}=\left( {\frac{\mathrm{TP}}{\mathrm{TP+FN}}} \right) \times 100. \end{aligned}$$
(10)

5.2 Simulation setup and comparing algorithms

A simulation is a fundamental tool in the development of routing protocols because of the difficulty in deploying and debugging them in real networks. The simulation eases the analyzing and the verification of the protocols, mainly in large-scale systems. Network simulator version 2, widely known as NS-2 [6, 36], is simply an event driven simulation tool that has proved useful in studying the dynamic nature of communication networks. In general, NS-2 provides users with a way of specifying such network protocols and simulating their corresponding behaviors. To visualize the result, it is possible to use a network animator (NAM) in the NS-2 environment. In this section, we evaluate the performance of our proposed approach with simulation tool NS-2 and describe the simulation results. The proposed DAWA was compared with COTA and Worm Planar. All parameters and settings of DAWA, COTA and Worm Planar are considered equally.

5.3 Simulation results

We have implemented DAWA approached in the NS-2 on Fedora 10. The simulation parameters and AIS parameters are given in Tables 3 and 4.

Tables 5 and 6 compare the performance of DAWA with that of COTA and Worm Planar in terms of PDR and PLR as shown in the following tables.

Figure 12 compares the performance of DAWA with that of COTA and Warm Planar for detection of the wormhole attacks. As shown in the figure, DAWA increases the detection rate by more than 15 and 25% and increases the packet delivery rate by more than 22.5 and 22% those of COTA and Worm Planar, respectively.

Figure 13 compares the performance of DAWA with that of COTA and Worm Planar for detection of the routing attacks. As shown in the figure, DAWA decreases the false positive rate by more than 11.95 and 16.4% and decreases the false negative rate by more than 11.35 and 13.35% those of COTA and Warm Planar, respectively.

Figure 14 compares the performance of DAWA with that of COTA and Worm Planar for detection of the routing attacks. As shown in the figure, DAWA decreases the packet loss rate by more than 8.45 and 17.05% and decreases the drop packets rate by more than 22.6 and 27.15% those of COTA and Warm Planar, respectively.

6 Conclusion

In this paper, we proposed an approach for detecting wormhole nodes in MANETs based on the fuzzy logic and the artificial immune system. First, the fuzzy logic system was used to consider parameters such as node’s residue energy, path’s hop count and path’s distance to differentiate the stable routes from others. Then the artificial immune system was employed to develop a learning approach to detect and bypass the wormhole attackers without affecting the overall performance of the MANETs. We compared the efficiency of our defensive scheme, i.e., DAWA with COTA and Worm Planar algorithms. Simulation results showed that, in average, the overall performance of DAWA is around 20% better than COTA and Worm Planar in terms of packet delivery ratio, wormhole node detection ratio, false positive ratio, false negative ratio and packet drop ratio. Also, the results show that DAWA can correctly detect wormhole nodes in many kinds of the network models.