Wireless Pers Commun

https://doi.org/10.1007/s11277-018-5378-1

Identifying Camouflaging Adversary in MANET Using

Cognitive Agents

R. Kumar1 • S. Lokesh2 • M. Ramya Devi3

 Springer Science+Business Media, LLC, part of Springer Nature 2018

Abstract Mobile ad hoc networks (MANETs) are often prone to variety of attacks like
denial of service, impersonation, eavesdropping, camouflaging adversary, blackhole,
wormhole, replay, jamming, man in the middle, etc. Among all these attacks camouflaging
adversary attack is the attack, launched by an insider and has a devastating effect on
network performance. In this paper, we present a cognitive agents (CAs) based security
scheme for identifying camouflaging adversaries in MANETs. The proposed scheme uses
CAs with observations-belief model to effectively identify camouflaging adversary nodes
and the identified nodes will be isolated from the network. The isolation of the camou-
flaged adversaries enhances the network performance with respect to various performance
metrics like bandwidth, throughput, packet drop ratio, reliability, etc.

Keywords MANETs  Camouflaging adversaries  Cognitive agents  Observations-belief

model  Dynamic  Performance  Cluster

& S. Lokesh
hit.it@hindusthan.net; lok.for.you@gmail.com
R. Kumar
rkeskumar@gmail.com
M. Ramya Devi
ramyamurugadasan@gmail.com
1
Department of Information Technology, Sri Ramakrishna Institute of Technology, Coimbatore,
India
2
Department of Computer Science and Engineering, Hindusthan Institute of Technology,
Coimbatore, India
3
Department of Computer Science and Engineering, Hindusthan College of Engineering and
Technology, Coimbatore, India

123
 R. Kumar et al.

1 Introduction
1.1 Attacks on MANETs

MANET is a kind of network that can self-configure itself and which does not require any
fixed infrastructure [1]. Compared to traditional infrastructure based network MANET’s
are more prone to attacks due to the threats from compromised member nodes, lack of
centralized infrastructure, dynamically changing network topology, scalability issues, and
so on [2–4]. Attacks on MANETs are often classified into passive and active attacks, based
on the nature of attack. A Passive attack is of eavesdropping in nature, which includes
passive listening of communication without interference and attacker attempts to be as
invisible as possible. An active attack involves modifications or insertion of fabricated
messages during communications, which mainly includes man-in-the-middle attacks,
masquerade attacks, replay attacks and so on. Passive attacks are difficult to detect, since
identification of attacker is difficult [5–7].

1.2 Camouflaging Adversary Attack in MANETs

Typical meaning of camouflage is to hide the presence of an object. MANETs are often
susceptible to camouflaging adversary attack. It is a kind of passive attack launched by an
insider i.e., an opponent may compromise a node and later use that node to masquerade as
a normal node. The node that has been masqueraded as normal node will create several
problems in the network like attracting the packets by flooding false routing information
and then misroute them, the misrouted packets may unnecessarily consume network
bandwidth and decrease the overall network performance; privacy analysis and traffic
analysis attacks will be launched by long term monitoring of traffic flow, which discloses
the secret information and affect the confidentiality of communication over the network;
location and identity of the nodes will be determined via traffic pattern analysis i.e., the
identity of the nodes will be leaked to intruder to perform malicious activities; inspection
of power traces and battery lifetime facilitates side channel attacks over the flow, which
physically affects the performance of cryptosystem; and so on [8–10].

1.3 CAs in Identifying Camouflaging Adversary Attack

CA is a software entity which functions continuously and autonomously in a particular

environment, able to carry out activities in a flexible and intelligent manner. The following
are few examples of how CAs will identify camouflage adversary in MANETs [11, 12].
• CAs in a cluster based MANET closely monitors the behavior of the incoming and
outgoing traffic. Within a cluster if there is any suspicious behavior then CA will detect
them.
• The proactive nature of CA helps in detecting the variations in node log file size i.e., if
the log file size is increasing rapidly over a period of time then CA suspects the node
prone to be malicious.
• Monitoring of battery drain rate, will give valuable information on node behavior, i.e.,
via side channel if information on draining out frequency of node’s battery is obtained,
a node can be suspected for possible compromise.

123
Identifying Camouflaging Adversary in MANET Using Cognitive…

• CAs periodically checks the resource utilization by each of nodes within the network. If
a node is conserving resources compared to all other nodes in the network then the CA
suspects that node is selfish.
• CAs analyzes the traffic flow characteristics i.e., the frequency of message getting
exchanged, length of the message, etc. If there are any suspicious deviations in these
characteristics then CA identifies the traffic flow analysis attack.

1.4 Proposed CAs Based Camouflaging Adversary Identification Scheme

The proposed security scheme is used for identifying camouflage adversary in MANETs.
The scheme uses CAs with OB model deployed on authenticated nodes of cluster based
MANETs. These agents are assumed to be foolproof and tamper-resistant with secured
inter-communications based on group key. The scheme identifies the camouflage adver-
sary, by closely monitoring the node behaviors using cognitive principles. This identifi-
cation is built with certain tolerance before declaring a node as an attacker. Once the agent
decides the node as camouflage adversary, the same will be communicated to other nodes
in the network to initiate the defensive actions against the attacker.

1.5 Organization of the Paper

The rest of the paper is organized as follows: Sect. 2 gives some of the related works,
Sect. 3 provides the definition for key terms used in the paper, Sect. 4 describes the
proposed CAs based camouflaging adversary identification scheme in detail, Sect. 5
describes simulations and results, and finally Sect. 6 draws the conclusions.

2 Related Work

The camouflage event based malicious node detection architecture (CENDA) in [13] uses
camouflage events generated by mobile nodes to detect malicious nodes. Here the spatial
and temporal information of camouflage is used to identify camouflaged adversary attacks.
The scheme efficiently identifies malicious activity and its performance is found to be
good. But the proposed architecture only identifies malicious activity types, but counter
measures were not discussed.
MANET vulnerabilities, challenges, attacks and its applications are discussed in [14].
Here the attacks on MANET have been classified into different types like external, internal,
denial of service, impersonation, eavesdropping, routing attacks, blackhole, wormhole,
replay, jamming, man-in-the-middle, and gray hole. The vulnerabilities, routing loops and
MANET applications are also discussed.
A simulation on mobile ad hoc networks under wormhole attack is discussed in [15].
Here an evaluation is made on the impact of some of the adversaries effect on MANET. It
basically investigates the basic active and passive attacks on MANET and then measures
its performance with and without attacks. But the scenario considered here detects active
wormhole attacks and its passive nature is not considered.
In [16], a mobile agent based selfish node detection scheme is discussed. Here a set of
mobile agents that are capable of moving from one node to another node is used within the
network to detect the nodes that consumes more resources. The scheme mainly focuses on

123
 R. Kumar et al.

efficient usage of network bandwidth but other performance metrics like delay, reliability,
packet drop ratio are not considered.
Secure mobile agent based IDS for MANET is discussed in [17]. Here a mechanism is
proposed to manage the security of mobile nodes. First dummy agents will be sent to
wireless nodes which determine whether the node is malicious or not. If the node is
genuine, the dummy agent sends acknowledgement to the source node then the source node
sends the mobile agent to respective nodes. If the mobile agents suffer from intrusion at the
wireless node then another supervisor agent will be send along with the mobile agent. On
detection of intrusion supervisor agent will kill the mobile agent before intruder affects it.
Here only security of agent is discussed, its impact on network performance is not
mentioned.
Fast and Secure Transmission of Information among Groups Using a Key Management
Scheme (FSTIG) is discussed in [18]. Here the technology used is to allow the information
to be transmitted securely and efficiently. This scheme only overcomes the limitations like
limited communication from the group and sender.

3 Definitions

In this section the definitions for some of the key terminologies used in the paper.

3.1 Observations

The act of recording a phenomenon is usually referred as an observation. Observations are

deduced based on the collection of node parameter values.
Example: An observation reconnaissance traffic is unpredictable will be generated from
collection of node parameters like {power usage of node is 2000 J/s, number of hits on log
file is 2000 times/min, log file size is 1000 KB}, an observation Node-energy-level is
normal will be generated from collection of node parameters like {Bandwidth of node is
100 bps, power usage of the node is 100 J/s, number of hits on node log file is 80 times/
min}, and so on.

3.2 Belief

Primarily, a firmly held notion on something or someone is called as belief. Here firmly
held notion on a node i.e., whether a node is camouflaged adversary node or not is called as
belief. Beliefs are generated by meaningfully combining observations.
Example: Genuine node, camouflaged node, and camouflaged adversary node.
A belief called camouflaged adversary node is obtained from collection of observations
like {Node bandwidth consumption is chaotic, node energy level is chaotic, reconnaissance
traffic is unpredictable, log conduction is awful}, a belief called Genuine node is obtained
from collection of observations like {Node bandwidth consumption is normal, node energy
level is normal, reconnaissance traffic is predictable, log conduction is good}, a belief
called camouflaged node is obtained from collection of observations like {Node bandwidth
consumption is normal, node energy level is chaotic, reconnaissance traffic is unpre-
dictable, log conduction is good}. A sample belief generation model is shown in Fig. 1.

123
Identifying Camouflaging Adversary in MANET Using Cognitive…

Fig. 1 CA on wireless router

3.3 Belief Database

This database is available at the cluster head for storing history of beliefs formulated over
the nodes within the cluster. The entries in belief database are represented in tabular form.
Every entry in the table contains the node-id and belief formulated over that node and the
time (HH:MM:SS) at which the belief was formulated. A sample belief database structure
is shown in Table 1. The belief database is used while analyzing the accuracy of generated
beliefs and confirming the change in belief.

4 CAs Based Camouflaging Adversary Identification Scheme

In this section, we first explain a typical cluster based MANET model considered for
deploying the proposed scheme and then discuss the functioning of various components
with corresponding algorithms.

Table 1 A sample belief

Node-ID Belief Time
database
192.50.25.12 Genuine node 01:12:20
192.50.25.12 Camouflaged adversary node 13:12:30
192.50.25.12 Genuine node 09:10:04
192.50.72.21 Camouflaged node 10:12:21
192.50.72.21 Genuine node 03:05:12
192.50.72.21 Camouflaged node 19:24:05
192.250.255.12 Camouflaged adversary node 12:50:02
192.250.255.12 Genuine node 03:55:45

123
 R. Kumar et al.

4.1 Cluster Based MANET Model

Consider a typical cluster based MANET environment, comprised of M clusters and N

mobile nodes within a cluster and a cluster head is elected periodically based on any
suitable cluster head election protocol like LEACH, BCDCP, RCLB, HEED, PEGASIS,
and so on [19, 20].
CA with O-B model is instantiated over every authenticated mobile node in a cluster by
a cluster head, this CA is referred as Node Cognitive Agent (NCA). A CA with belief
analysis logic is placed on every cluster head within the cluster by network management
node (assumed to be operated by network administrator) [21, 22], which is referred as
Cluster Head Cognitive Agent (CHCA). All NCAs within a cluster will periodically
transmit the beliefs formulated over the nodes to CHCA. Then CHCA analyzes the newly
received belief with the history of beliefs to determine whether the node is turning out to be
camouflaged adversary or not. Once a node is determined as camouflaged adversary, the
belief will be immediately forwarded to neighboring CH-CAs and actions will be taken
accordingly. A sample MANET model considered is shown in Fig. 2.

4.2 NCA

NCA mainly consists of two important components i.e., Observation-Identifier (OI) and
Belief-Generator (BG). OI accepts all incoming node parameters and then generates
observations based on collection of node parameters [23]. BG accepts all identified
observations and then generates belief over a node based on the collection of identified
observations. The NCA with its components is given in Fig. 3.

Fig. 2 Cluster based MANET model

123
Identifying Camouflaging Adversary in MANET Using Cognitive…

Fig. 3 NCA components

4.2.1 Observation-Identifier

OI helps in identifying observation for every node based on the collection of node
parameters value exhibited by the node [24]. The node parameters are logically combined
to form observations. A sample working of OI is shown in algorithm 1.
Some of the examples are given below.
Example 1:
Bandwidth consumption of node is suspicious, ^ power usage of node normal/s _
Number of hits on node log file is suspicious ^ Log file size is suspicious ) Node
performance is poor.
Example 2:
Bandwidth consumption of node is suspicious _ power usage of node is normal ^
Number of hits on node log file is suspicious ^ Log file size is suspicious ) Log con-
duction is awful.

4.2.2 Belief-Generator

The BG generates beliefs based on the observations that are identified over each node.
These observations are logically combined to generate beliefs over a node [25, 26]. Sample
logic of BG is given in Algorithm 2.
Some of the examples are given below.
Example 1:
Node performance is good ^ Node energy level is usual ^ Reconnaissance traffic is
predictable ^ Log conduction is good ) Genuine node.
Example 2:
Node performance is good ^ Node energy level is usual ^ Reconnaissance traffic is
predictable ^ Log conduction is good ) Camouflaged node.
Example 3:
Node performance is good^ Node energy level is usual ^ Reconnaissance traffic is
predictable ^ Log conduction is good ) Camouflaged adversary node.

123
 R. Kumar et al.

123
Identifying Camouflaging Adversary in MANET Using Cognitive…

4.3 CHCA

CHCA mainly consists of belief analysis logic i.e., it receives all the beliefs sent by all
NCAs within a cluster then finds the Cumulative Deviation Factor (CDF) between the
newly generated belief and the old set of beliefs on a node available in belief database. The
CDF is calculated as follows,
     
CDF ¼ DF bl ; blp þ DF bl ; blq þ    þ DFðbl ; blz Þ =Nbl ð1Þ

where, blp,….,blz are the old beliefs existing in the belief database. Nbl is the number of
beliefs available in belief database.
Two thresholds are used in identifying camouflaged adversary i.e., Thc1 and Thc2 based
on the history of beliefs in belief database. Values for thresholds are calculated using
Statistical Deviation (SD) of the new belief over the set of old beliefs in belief database
(bl), the weight Wbl will be assigned to various beliefs based on history and the step
function c will provide the distance between Thc1 and Thc2.
X
SDbl ¼ Pbli  DFðbl; bliÞ ð2Þ
i2bl

Thc1 ¼ SDbl  Wbl ð3Þ

Thc2 ¼ Thc1 þ c ð4Þ

where,

123
 R. Kumar et al.

X 2
c¼ Thic1  c =n ð5Þ

c is the mean of Thc1 computed so far and n is the number of times the thresholds are
computed.
If the CDF is within the Thc1 then the node will be considered as dependable and the
belief will be ignored by continuing the services as usual else if the CDF is between Thc1
and Thc2 then the node will be considered as selfish one and network services provided will
be reduced else if the CDF is greater than Thc2 then the node will be considered as attacker
node as it has malicious intention, the node will be isolated by confirming the belief. The
logic of CHCA is given in algorithm 3 and its components are pictorially depicted in
Fig. 4.

5 Results and Discussion

In this section, we discuss the performance of the proposed cognitive agents based cam-
ouflaging adversary identification scheme with respect to various networking parameters
like bandwidth, packet drops, packet retransmission rate, etc. Figure 5, shows a plot CDF
versus nodes presence time in the cluster. Here three types of nodes are considered for

123
Identifying Camouflaging Adversary in MANET Using Cognitive…

Fig. 4 CHCA components

Fig. 5 Time versus CDF

observation, i.e., genuine node, camouflaged node and camouflaged adversary node. CH-
CA on every cluster calculates CDF between newly arrived belief and old beliefs existing
in the belief database and compares against two thresholds (i.e., Thc1 and Thc1). It has been
observed that when the generated belief over the node is genuine node, CDF value falls
below Thc1 and the node doesn’t have any malicious intention; when the generated belief
over the node is camouflaged node, CDF value will be between Thc1 and Thc2 and the node
is turning out to be malicious; when the generated belief over the node is camouflaged
adversary node, CDF value will be higher than Thc2 and the node is confirmed to have
malicious intent.
Figure 6, shows a plot on time versus efficiency in detecting the routing loops. In the
proposed scheme all nodes are built with NCA, which uses the OB model to identify
camouflaged adversary node in a cluster based MANET environment. In the beginning,
NCAs have less or no experience in identifying camouflaged adversary but as the time

123
 R. Kumar et al.

Fig. 6 Time versus efficiency in detecting the routing loops

Fig. 7 Number of nodes versus bandwidth availability

progresses NCAs gain knowledge through experience and using beliefs, therefore effi-
ciency in identification of camouflaged adversary increases.
Figure 7, shows a plot on number of nodes versus bandwidth availability. One of the
main intention of the camouflaged adversary nodes will be creating routing loops and there
by wasting the network bandwidth. Here NCAs are made intelligent enough to detect
camouflaged adversary nodes and those nodes will be immediately isolated from the

123
Identifying Camouflaging Adversary in MANET Using Cognitive…

Fig. 8 Average bandwidth availability versus average delay experienced

network. Therefore, as the time passes the number of genuine nodes will increase inside the
cluster and routing loops will be reduced considerably, this in turn increases the network
bandwidth availability, which improves network throughput.
Figure 8, shows a plot on average bandwidth availability versus average delay expe-
rienced. Here NCAs formulate beliefs over the nodes and with minimum number of beliefs
camouflaged adversary nodes will be identified and defensive actions are initiated to
stabilize the network operations. This process will improve the availability of network
bandwidth and reduces the delay experienced by the packets at every node within a cluster.

6 Conclusion

In this section, we have presented a novel cognitive agents based camouflaged adversary
identification scheme for a cluster based MANET environment. Cognitive thinking is
employed in the nodes and cluster heads, which learns from experience and the gained
experience, helps in identifying camouflaged adversaries in the network and effectively
isolate them. The isolation of the camouflaged adversaries enhances the network perfor-
mance with respect to various metrics like bandwidth, throughput, packet drop ratio, and
reliability.

References
1. Bakshi, A., Sharma, A. K., & Mishra, A. (2013). Significance of mobile AD-HOC networks (MAN-
ETS). International Journal of Innovative Technology and Exploring Engineering (IJITEE), 2, 1–5.
2. Yadav, S., Jain, R., & Faisal, M. (2012). Attacks in MANET. International Journal of Latest Trends in
Engineering and Technology (IJLTET), 1(3), 123–126.

123
 R. Kumar et al.

3. Ramachandran, S., & Shanmugan, V. (2011). Impact of sybil and worm-hole attacks in location based
geographic multicast routing protocol for wireless sensor networks. International Journal of Computer
Science, 7, 973.
4. Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: Challenges
and solutions. IEEE Wireless Communications, 11, 38–47.
5. Rai, A. K., Tewari, R. R., & Upadhyay, S. K. (2009). Different types of attacks on integrated MANET-
internet communication. International Journal of Computer Science and Security (IJCSS), 4, 265–274.
6. Ramachandran, S., & Shanmugam, V. (2012). Performance comparison of routing attacks in MANET
and WSN. International Journal of Ad hoc, Sensor Ubiquitous Computing (IJASUC), 3, 41.
7. Vanamala, C. K., Singhania, P., & Kumar, M. S. (2014). A survey of different lethal attacks ON
MANETs. International Journal of Advancements in Research Technology, 3(3).
8. Shrivastava, S., & Jain, S. (2013). A brief introduction of different type of security attacks found in
mobile ad-hoc network. International Journal of Computer Science Engineering Technology (IJCSET),
4(3).
9. Agarwal, R., & Motwani, M. (2009). Survey of clustering algorithms for MANET. International
Journal on Computer Science and Engineering. 1(2), 98–104.
10. Swapna, G., & Srivatsav, R. P. (2012). Securing web applications by analyzing the logs of the database
server or web server. International Journal of Engineering Research and Applications (IJERA), 2(6),
432–435.
11. Gaines, B. L., & Ramkumar, M. (2008). A framework for dual-agent MANET routing protocols. In
IEEE global telecommunications conference-IEEE GLOBECOM.
12. Mandal, J. K., & Hassan, K. L. (2013). A novel technique to detect intrusion in MANET. International
Journal of Network Security its Applications (IJNSA), 5, 179.
13. Pongaliur, K., Xiao, L., & Liu, A. X. (2009). CENDA: Camouflage event based malicious node
detection architecture. In IEEE 6th international conference on mobile ad hoc and sensor systems.
14. Goyal, P., Parmar, V., & Rishi, R. (2011). MANET: Vulnerabilities, challenges, attacks, application.
IJCEM International Journal of Computational Engineering Management, 11, 32–37.
15. Nadher M. A, Hassan, S., & Kadhum, M. M. (2011). Mobile ad hoc networks under wormhole attack: A
simulation study. In Proceedings of the 3rd international conference on computing and informatics.
16. Roy, D. B., & Chaki, R. (2011). MADSN: Mobile agent based detection of selfish node in MANET.
International Journal of Wireless Mobile Networks (IJWMN), 3, 225–235.
17. Jain, Y. K., & Ahirwar, R. K. (2012). Secure mobile agent based IDS for MANET. International
Journal of Computer Science and Information Technologies, 3, 4798–4805.
18. Kumar, R., & Lokesh, S. (2015). Fast and secure transmission of information among groups using a key
management scheme. International Journal of Computer Science and Mobile Computing, 4(11), 40–47.
19. Meyer, R. & Cid, C. (2008). Detecting attacks on web applications from log files. SANS Institute
InfoSec Reading Room.
20. Ramesh, K., & Somasundaram, K. (2011). A comparative study of cluster-head selection algorithms in
wireless sensor networks. International Journal of Computer Science Engineering Survey (IJCSES),
2(4). https://doi.org/10.5121/ijcses.2011.2411.153.
21. Kumar, P. M., & Gandhi, U. D. (2017). A novel three-tier Internet of Things architecture with machine
learning algorithm for early detection of heart diseases. Computers & Electrical Engineering, 65,
222–235. https://doi.org/10.1016/j.compeleceng.2017.09.001.
22. Varatharajan, R., Manogaran, G., & Priyan, M. K. (2017). A big data classification approach using LDA
with an enhanced SVM method for ECG signals in cloud computing. Multimedia Tools and Applica-
tions. https://doi.org/10.1007/s11042-017-5318-1.
23. Manogaran, G., Varatharajan, R., Lopez, D., Kumar, P. M., Sundarasekar, R., & Thota, C. (2017). A
new architecture of Internet of Things and big data ecosystem for secured smart healthcare monitoring
and alerting system. Future Generation Computer Systems, 80(5), 1–10. https://doi.org/10.1016/j.future.
2017.10.045.
24. Kumar, P. M., Gandhi, U., Varatharajan, R., Manogaran, G., Jidhesh, R., & Vadivel, T. (2017).
Intelligent face recognition and navigation system using neural learning for smart security in Internet of
Things. Cluster Computing. https://doi.org/10.1007/s10586-017-1323-4.
25. Kumar, P. M., & Gandhi, U. D. (2017). Enhanced DTLS with CoAP-based authentication scheme for
the Internet of Things in healthcare application. The Journal of Supercomputing. https://doi.org/10.
1007/s11227-017-2169-5.
26. Manogaran, G., Varatharajan, R., & Priyan, M. K. (2017). Hybrid recommendation system for heart
disease diagnosis based on multiple kernel learning with adaptive neuro-fuzzy inference system.
Multimedia Tools and Applications. https://doi.org/10.1007/s11042-017-5515-y.

123
Identifying Camouflaging Adversary in MANET Using Cognitive…

R. Kumar has received his Ph.D. in Information and Communication

Engineering in 2015 from Anna University, M.Sc. degree in S.S.M
College of Engineering, Komarapalayam, Tamil Nadu, India. He
completed his M.E. degree from Sri Krishna College of Engineering
and Technology, Anna University, Chennai, Tamil Nadu, India. Pre-
sently he is working as an Assistant Professor (Sl.Gr.) at Sri
Ramakrishna Institute of Technology, Coimbatore. He has 10 years of
teaching experience. His areas of interest are Mobile Ad Hoc networks
and Wireless Networks.

S. Lokesh got the B.E., in Computer Science and Engineering in 2005

from Anna University, M.E., Degree in Computer Science and Engi-
neering from Anna University in 2007 and Ph.D., in Information and
Communication Engineering in 2015 from Anna University, respec-
tively. He is working at Hindusthan Institute of Technology, Coim-
batore from 2009. His research areas are Human Computer Interaction,
Speech Recognition, Cluster Computing, Data Analytics and Machine
Learning.

M. Ramya Devi is Assistant Professor in the Department of Computer

Science and Engineering at Hindusthan College of Engineering and
Technology, Coimbatore. She got Diploma in Computer Networks
from PSG Polytechnic College in 2003, B.Tech. Degree in Information
Technology from Anna University in 2008 and M.E. Degree in
Computer Science and Engineering in 2011 from Karpagam Univer-
sity, respectively. Her research area is Vehicular Cloud Computing,
Human Computer Interaction and Wireless Networks.

123