A Novel Anomaly Behavior Detection Scheme for Mobile Ad Hoc Networks

Abstract

To sustain the security services in a Mobile Ad Hoc Networks (MANET), applications in terms of confidentially, authentication, integrity, authorization, key management, and abnormal behavior detection/anomaly detection are significant. The implementation of a sophisticated security mechanism requires a large number of network resources that degrade network performance. In addition, routing protocols designed for MANETs should be energy efficient in order to maximize network performance. In line with this view, this work proposes a new hybrid method called the data-driven zone-based routing protocol (DD-ZRP) for resource-constrained MANETs that incorporate anomaly detection schemes for security and energy awareness using Network Simulator 3. Most of the existing schemes use constant threshold values, which leads to false positive issues in the network. DD-ZRP uses a dynamic threshold to detect anomalies in MANETs. The simulation results show an improved detection ratio and performance for DD-ZRP over existing schemes; the method is substantially better than the prevailing protocols with respect to anomaly detection for security enhancement, energy efficiency, and optimization of available resources.

1. Introduction

Mobile Ad Hoc Networks (MANETs) are prospective communication systems for all devices. Unlike wired infrastructure networks, MANETs functionalities are independent of sophisticated architecture, i.e., they are infrastructure-less and decentralized. In addition to the infrastructure-less and decentralized characteristics of MANETs, the dynamic nature of nodes poses diverse research issues associated with security, quality of service (QoS), anomaly/outlier/abnormal behavior detection, and clustering, etc. QoS is the most challenging job for developers due to continuous variation in the topology of MANETs. To attain a certain QoS, and sustain it, is difficult when the settings of the network frequently change. Moreover, because of multi hop routing in MANETs, each node is a router that enables information sharing by forwarding packets to other nodes. Hence, the default route is unavailable, and the solution to routing issues is complicated as there is seamless connectivity to other devices in its zone.

Maintaining security in the wireless link is difficult as it is more vulnerable when compared to a wired link. Since the first encryption was carried out, issues such as eavesdropping, encryption cracking, etc. have increased along with the user’s input of spurious information, extended timeouts, and updates for the old routing table. There are several unresolved issues concerning security that require significant solutions for secure communication in ad hoc networks.

In traditional wired networks, the nodes are static; however, MANETs are capable of connecting any devices at a particular time in the network to communicate with one another. Researchers tend to focus on novel communication methods, i.e., wireless technology for data transmission, in which nodes are unrestricted in movement in the network; this is a restraint in wired networks. MANETs are widely employed in many applications due to the ease with which nodes can travel without restrictions and set up at a fast rate in such a network. Hence, MANETs have been used to establish a large set of applications. The nodes in the network communicate with one another by forwarding packets, consuming battery energy due to multi hopping in routes, and for transmission/reception of nodes in the network. The energy used by nodes i.e., battery power—means limited bandwidth and limited range of transmission; these are the most important concerns related to MANETs.

To construct and manage MANETs that are secure, efficient, and lightweight, mechanisms that involve reduced hardware resources are required; however, there is a lack of resources. Additional challenges include limited bandwidth, small subnets, traffic overhead, and high processing costs. The security primitives of confidentiality, authentication, authorization availability, and integrity need to work together for resource-constrained mobile devices. In the present study, resource-constrained key management networks are observed for the detection of outliers, and in addition, a lightweight key management network is built to ensure the stated security primitives through outlier detection. Also, we extend Teo and Tan’s model [1] by incorporating outlier detection methods to build a secure key management network. Teo and Tan [1] proposed a method for key management in hierarchical MANETs that lacks energy efficiency due to the escalation of key messages because of dynamic topology and distant nodes that are considered to be constituents of a cluster in the hierarchy. Moreover, they have not considered the traits of network and routing security in their entirety. Another methodology, proposed by Traag et al. [2], is centered on a social event using the Bayesian location interference framework to enable the detection of nodes in the event; they also propose a scheme of event detection in their imminent activities. Nevertheless, this approach does not include performance parameters when sensing futuristic activities. One more significant work in the same field was carried out by Cerpa et al. [3], who proposed a data collection system architecture incorporating different filters to detect outliers. For the verification of outcomes, the Habitat monitoring dataset was, used and the authors assert that the proposed method is efficient for outlier detection; however, the study does not reflect the performance issues of the network.

The major contributions of this paper are to design solutions that address the challenges, along with the approaches that are highlighted in the background literature. This paper also integrates the protocol that proposes an improved, data-driven hybrid approach based on widely accepted protocols that are superior in energy efficiency, security, and the optimization of available resources. In addition, security in the wireless link is maintained, with more vulnerabilities tackled compared to a wired link. The proposed technique namely, the data-driven zone-based routing protocol (DD-ZRP) helps in the detection of outliers and energy-efficient cluster head selection for fault-tolerant routing in MANETs placed on data collected at both the network and subgroup levels. The novelty of this work is (1) to develop techniques based on flexible outlier definition for fault-tolerant routing in MANETs, (2) to calculate the in-network outcome to decrease both bandwidth and energy usage, (3) and to make dynamic updates to the data-driven hybrid approach. The findings reveal that the algorithm converges to a precise result, with justified communication load and energy consumption.

In MANETs, devices communicate without any pre-existing infrastructure, and these devices are generally mobile. To investigate MANETs, either software-based simulators or experimentation networks are used. The experimentation testbeds are chosen when the implementation involves some features of MANETs to be incorporated as radio propagation or energy consumption, which is fundamentally difficult to model precisely in simulators [4]. The real-world implementation of MANETs requires more effort, involves huge costs, and lacks flexibility; hence, most researchers favor simulators when compared to testbeds [5]. This becomes an impediment when the experimentation network size grows; the software-based simulation then becomes a feasible alternate and is an extensively used solution. Thus, considering the stated pros and cons of each approach, software-based simulations are used to preclude the huge efforts and costs required for real-life implementation. On the other hand, the simulations each time involve certain assumptions about the real world; these may turn out to be too coarse to include all facets that influence the performance of algorithms and protocols, so the simulation results have to be tested in the real-world environment for which they are designed. In the present work, software simulation is used to test the proposed DD-ZRP.

The remainder of the paper is arranged as follows: Section 2 covers the background and related work for outlier detection and energy preservation in MANETs; Section 3 discusses the proposed methodology for the detection of outliers and energy preservation in MANETs; Section 4 presents the results and discussion of the proposed approach in various protocols used for routing in MANETs; Section 5 presents the discussion and conclusion.

2. Background

Routing is the means of interchanging data between nodes in a network. Many routing protocols that are used for packet transfer have been proposed for MANETs; they differ from one another with respect to mechanism and performance. This is important in order to increase the network performance appropriately. This section presents a discussion of the performance and mechanism of the routing protocols considered in the present work, along with the security issues in MANETs.

2.1. Ad Hoc On-Demand Distance Vector (AODV)

AODV follows a hop-to-hop routing methodology and belongs to the category of reactive protocols. In AODV, the node issues route requests (RREQs) if there is a requirement to identify the route for a specific target node. The transitional/intermediary nodes forward the RREQs; a reverse route is also generated for the target node [6]. When the target node gets the route to the destination request, it creates a route reply (RREP) that comprises multiple hops needed to reach the target, as shown in Figure 1.

In AODV, the connection setup delay is less, as there is on-demand routing; to find the latest routes, sequence numbers are used [5]. However, AODV can have multiple route reply packets generated in reply to a particular route request packet, which may result in heavy control overhead.

2.2. Dynamic Source Routing (DSR)

Dynamic source routing is an on-demand/reactive protocol. In DSR, the route information is stored in the header packet, which travels from source to destination. To discover the path, the header packet is broadcast to all nodes, and in response, the destination sends the reply. The route between source and destination is established with the intermediary nodes when required; this results in a reduction of overhead and collision. The route request (RREQ) and route reply (RREP) primitives are employed to establish the path from source to destination. There can be multiple paths established; however, the final path setup is based on the least hop count. Thus, to keep track of the latest route, the routing table has to be updated regularly, along with the information in the header packet. This involves more energy consumption and causes node mobility delays in the larger networks.

2.3. Destination-Sequenced Distance Vector (DSDV)

DSDV is a proactive protocol [8] that involves multiple hops to reach the target node. This protocol uses routing tables located on every node for the transmission of data packets in the network. The presence of a routing table facilitates the reduction of high routing overhead and avoids loops [6]. DSDV is particularly suitable for creating a network with a lesser number of nodes; it requires a consistent update of the routing tables, which involves battery power usage and bandwidth.

2.4. Optimized Link-State Routing (OLSR) Protocol

The optimized link-state routing protocol (OLSR) is a proactive protocol that recurrently contacts other network nodes and shares topology information. The set of neighboring nodes chosen by the node are called multipoint relays (MPRs). The MPRs forward the control information anticipated for dispersal in the whole network; this facilitates a decrease in the required transmissions. MPR nodes provide the link-state information and are used to create the route between the source and destination nodes. OLSR makes the shortest path routes available for all destinations using the link-state information issued by MPRs. MPRs are selected by nodes amongst their one-hop neighbors, establishing bidirectional links; this helps in overcoming the issues of unidirectional links related to the transfer of data packets. The OLSR design facilitates how to work autonomously from other protocols, and makes no assumptions related to the underlying link layer.

2.5. Zone-Based Routing Protocol (ZRP)

The ZRP is a hybrid protocol that offers the merits of both reactive and proactive schemes. It distributes the network into flexible size zones. The zone size is dependent on the radius of length ρ, where ρ is the number of hops to the perimeter of the zone and not the physical distance. The communication between the nodes commonly takes place in close proximity, i.e., within the zone. Hence, finding out the routing information is easy with ZRP, showing the benefits of proactive protocols termed interzone routing protocols (IERPs). To find the route between the zones, an intrazone routing protocol (IARP) is employed, i.e., a reactive protocol [9]. At the time of communication, when one node requests to send a packet to another node, it checks for the availability of a destination within the zone; if it is present, then it casts the route request to border nodes that, in turn, check the availability in their zones. This continues until the search for a destination ends. On the other hand, as the routing zones greatly intersect, a node may belong to more than one routing zone. The problems to be resolved arise when a node receives the same query multiple times. Sinha et al. [10] describe how to resolve some of these problems and to overcome the traffic.

2.6. Security Issues in MANETs

The security issues and design of routing protocols in MANETs are dependent on different parameters such as origin, environment, range, QoS, and security criticality. The implementation of security varies if the range of networks differs. If the nodes are distant from one another, the threat of security attacks increases. Security issues are always perilous and need to be addressed in different routing protocols for MANETs.

In MANET routing protocols, nodes also act as routers and, thus, are involved in the exchange of information related to network topology. This is a significant flaw, because a compromised node may transmit information that is not updated to transmit traffic, or merely halt it. In addition, the routing protocols are extremely vulnerable in terms of security. The causes of the problems with MANET routing protocols include (1) the dynamic topology of ad hoc networks, (2) the infrastructure of ad hoc networks, (3) issues related to wireless communication viz. reduced security against signal and noise interference in wireless channels, and (4) the implicit trust relationship between neighbors.

Varieties of security mechanisms are designed and developed to avert malicious attacks. The classical methods viz. digital signature, encryption, authentication, and access control offer the first line of defense. As a second line of defense, cooperation enforcement mechanisms and intrusion detection systems are implemented in MANETs to facilitate defense against attacks or implement cooperation, decreasing self-centered node behavior. Anomaly detection statistically defines anticipated behavior; it gathers data from genuine user behavior in a defined period, with statistical tests applied to regulate anomalous behavior with a high level of assurance. In real implementation, both approaches—preventive and reactive—are found to be more effective against attacks when combined [11]. The conventional MANET routing protocols assume that all contributors are honest; this directly permits malicious nodes to activate and attempt to paralyze the entire network, simply by providing erroneous information.

Some attacks—such as impersonated nodes, blackhole, and wormhole—are common to all routing protocols, whereas other types are specific to a particular routing algorithm. For instance, in AODV, a malicious node may reply to an RREQ assuming that it has the most recently updated routes to the destined node; however, it may not have. The AODV protocol was designed assuming that all nodes are trustworthy and lack security considerations; this vulnerability is often exploited by intruders. Security enrichments to the AODV protocol are constantly needed. Many scholars have explored this subject: Jasmine et al. evaluated the performance of the AODV protocol under blackhole attacks and no blackhole attacks by calculating the end-to-end delay of packets and the packet delivery rate [12]; the study’s results showed that the packet delivery rate of AODV under attack is more than normal. However, the end-to-end delay reduces abruptly when AODV is under attack. Sharma et al. studied the impact of blackhole attacks on MANET performance, and found that the throughput, packet delivery rate, and end-to-end delay of normal AODV are higher than blackhole Attacks [13]. In DSDV, a malicious node may subjectively tamper with the updated messages to interrupt the routing algorithm. In [14], a secure efficient ad hoc distance vector routing protocol (SEAD) based on the insecure DSDV protocol is presentedOLSR. The optimized link-state routing (OLSR) protocol is a proactive routing protocol [3] that offers promising performance in terms of bandwidth and traffic overhead but does not incorporate any security measures. As a result, OLSR is vulnerable to various kinds of attacks [15], such as flooding attacks, link withholding attacks, replay attacks, denial-of-service (DOS) attacks, and collision.

The classical ZRP routing protocol does not use any security mechanism; however, it is employed in many applications where security is predominantly required. As the ZRP is a hybrid protocol, it has the advantages of both preventive and reactive protocols. Researchers have proposed enhanced versions of the ZRP that incorporate security mechanisms [16,17,18]. Thus, from the literature insights above, it can be inferred that security enhancement in the routing protocols is essential to protect against hostile attacks.

3. Related Work

In MANETs, the outliers can be introduced from several sources, such as hardware/software [19], environment [20], deviance from consistent system arrangement for security conciliation [21], or uncertainty of data [22,23]. These outliers can arise at any level, such as a node, data, or network level [24]; they may be statistical/knowledge-based outliers [25], Markov-/hidden-Markov-based outliers [26], density-based outliers [27,28,29], distance-based outliers [30,31,32], or global/semiglobal/distributed outliers [33].

In statistical/knowledge-based outliers, the common methodology to solve the outlier detection problem is built on the construction of probabilistic data models utilizing mathematical methods of applied statistics and probability theory. The outlier detection system, based on a statistical approach, studies the behavior of users through measuring techniques. The system in its running state detects outliers constantly through methods based on regression analysis [25]. A Markov chain is a random process of discrete state space and is described as “the next state is dependent only on the current state and does not depend on how the system has been reached in the current state”. Generally, a normal profile using the Markov chain is constructed that captures the temporal dependency among the network activities [26]. The density-based approach was first proposed by Breunig et al. [27]. Such methods evaluate the various density-based distributions of the input keys, and find different outliers as the ones that exist in low-density regions [28]. Such outlier detection methods also evaluate different instances of data at various specified zones; these instances can be determined for distance-based methods of an outlier at a dense zone [29]. Such distance-based detections are calculated for distances for object data with geometric interpretations. For each outlier factor, a function F is specified as F: x → R, where an outlier can be given as object x from different objects R. Various common definitions associated with distance-based outlier detection are provided in [30,31,32].

As stated, the outliers are introduced in MANETs through various sources and at different levels. Various researchers in the field have faced the challenge of outlier detection: Imani et al. [34] combined misuse detection and anomaly detection to exploit the advantages of both techniques; They used the dynamic programming approach of the hidden Markov model (HMM) to share information history and scheduling in order to save on costs related to security requirements. The simulation results present the efficiency of the proposed scheme. Rammohan [35] proposed a C4.5 clustering-based anomaly detection method; the outcomes show that the proposed method efficiently detects anomalies where the false alarm ratio (FAR) is low, making sure that the detected anomalies are real attacks. Khan et al. [36] proposed a mathematical-model-based adaptive trust threshold (ATT) strategy for isolating misbehaving nodes in MANETs; The findings show that the ATT is robust in comparison with an existing approach in terms of convergence to the same trust threshold value computed at all neighbor nodes for malicious nodes, and is also energy efficient. Lakshmi et al. [37] proposed a method to improve security by an anomaly-based intrusion detection process, and used a zone-based, ad hoc, on-demand distance vector routing protocol to find the shortest path; this method comprises feature selection for anomalous IDs, and identifies new attacks by using decision rules from the database. Qasim et al. [38] used reactive protocols for routing traffic in MANETs, and analyzed anomalous activities to detect outliers that were then matched with ground data; the findings in their study show that a rapid rise in traffic pointed to an anomaly; this is useful for resource and path allocation, as well as fault avoidance. Gomathy et al. [39] proposed a heterogeneous, cluster-based secure routing scheme that offers trust-based secure networks for attack detection—such as wormholes and blackholes instigated by the existence of malicious nodesin MANETs. The simulation outcomes show that the proposed model works effectively for spotting malicious nodes efficiently. The efficiency of the proposed approach is 96% for malicious node detection; it is also 10% more efficient in terms of energy consumption. Narayanan et al. [40] state that clustering is a key routing technique used to reduce energy consumption and, in their work, they propose and evaluate energy-efficient cluster head selection for fault-tolerant routing to reduce single-link failure in MANETs; the simulation results show that the proposed model could implement improved fault tolerance and extend the lifetime of the network.

Venkana et al. [41] propose an algorithm called trust-and-energy-based ad hoc on-demand distance vector; this isolates malicious nodes by dynamic calculation of the trust and energy values of the nodes in the topology, and enhances the routing performance of the AODV algorithm—specifically, the packet delivery ratio and average end-to-end latency. Shan et al. [42] detected selfish nodes through their proposed approach, and quantitatively examined the influences of node selfishness triggered by energy depletion in MANETs in terms of packet loss rate, round-trip delay, and throughput. Gopal Krishnan et al. [43] developed a high-power-saving management system for MANETs via the use of means clustering; they achieved reduced power and energy loss compared to other methods, such as transmission and direct communication protocols; the experimental results suggest that the proposed scheme is suitable to decrease energy dissipation in comparison to other protocols, such as transmission and direct communication protocols. Abdulmunem et al. [44] discussed resource constraints in MANETs, and presented limited energy and system lifetime as challenges faced by MANETs; they give an account of protocols such as the highest degree clustering algorithm (HDCA) and lowest identifier clustering algorithm (LIDCA) under three headings of throughput, network lifetime, and packet delivery ratio; their proposed novel clustering algorithm’s simulation results show that it outperforms HDCA and LIDCA in terms of network lifetime and offers effective energy distribution. Arivarasan et al. [45] proposed a form of red deer algorithm (RDA)-based energy-efficient QoS routing for MANETs called RDA-EQRP. RDA finds the shortest path from a source to a destination while preserving energy, in addition to supporting reliability, bandwidth, static resource capacity, quality, and delay; simulation results show that the proposed RDA-EQRP consumes less energy in MANET routing.

4. Proposed Scheme

To isolate or detect outliers in MANETs, the cluster zones are observed. Here, ”Re” is the region chosen for observation during the period from the initial time (Ti) to the termination time (Tt) in one span. Moreover, TW = (Ti, Tt) is the chosen window. ${\mathit{T}}_{\mathit{W}}^{\mathit{i}-\mathit{d}\mathit{a}\mathit{y}}\in$ {$\left({\mathit{T}}_{\mathit{i}}^{\mathbf{1}},{\mathit{T}}_{\mathit{t}}^{\mathbf{1}}\right)$, $\left({\mathit{T}}_{\mathit{i}}^{\mathbf{2}},{\mathit{T}}_{\mathit{t}}^{\mathbf{2}}\right)$, (${\mathit{T}}_{\mathit{i}}^{\mathbf{3}},{\mathit{T}}_{\mathit{t}}^{\mathbf{3}})$, …, (${\mathit{T}}_{\mathit{i}}^{\mathit{n}},{\mathit{T}}_{\mathit{t}}^{\mathit{n}})$} are the total window sets chosen to observe on the nth day. In the same way, ${\mathit{T}}_{\mathit{W}}^{\mathit{x}-\mathit{m}\mathit{o}\mathit{n}\mathit{t}\mathit{h}}$ and ${\mathit{T}}_{\mathit{W}}^{\mathit{y}-\mathit{y}\mathit{e}\mathit{a}\mathit{r}}$ are the chosen observed windows during the xth month and yth year, respectively. In the proposed model, unsafe outlier levels escalate with an increase in time and performance. The outliers’ steps followed are:

• Calculate the probability of finding a node in a region “Re”
  The probability of node ”N_m” existing in a regular region ”Re” for the period of ${\mathit{T}}_{\mathit{F}\mathit{r}\mathit{a}\mathit{m}\mathit{e}}\in \left\{{\mathit{T}}_{\mathit{W}}^{\mathit{n}-\mathit{d}\mathit{a}\mathit{y}},{\mathit{T}}_{\mathit{W}}^{\mathit{x}-\mathit{m}\mathit{o}\mathit{n}\mathit{t}\mathit{h}},{\mathit{T}}_{\mathit{W}}^{\mathit{y}-\mathit{y}\mathit{e}\mathit{a}\mathit{r}}\right\}$ in the static slot of ${\mathit{T}}_{\mathit{W}}$ per ${\mathit{T}}_{\mathit{F}\mathit{r}\mathit{a}\mathit{m}\mathit{e}}$ is computed as:

  $${\mathit{P}}_{\mathit{S}}^{\mathit{A}\mathit{V}\mathit{G}}=(\mathbf{1}/\left({\mathit{T}}_{\mathit{F}\mathit{r}\mathit{a}\mathit{m}\mathit{e}}-\mathbf{1}\right){{\displaystyle \sum }}_{\mathit{v}=\mathbf{1},\mathit{v}=\mathit{w}}^{\mathit{W}}{\mathit{P}}_{\mathit{s}}\left({\mathit{N}}_{\mathit{m}},\mathit{R}\mathit{e}, {\mathit{T}}_{\mathit{W}}^{\mathit{v}}\right)$$

  (1)
• Calculate the probability of finding a node in an expected “Re”
  The expected presence with timestamp ${\mathit{T}}_{\mathit{S}}$ is computed as:

  $${\mathit{P}}_{\mathit{S}}^{\mathit{A}\mathit{V}\mathit{G}}=(\frac{\mathbf{1}}{{\mathit{T}}_{\mathit{F}\mathit{r}\mathit{a}\mathit{m}\mathit{e}}-\mathbf{1}})( {{\displaystyle \sum }}_{\mathit{v}=\mathbf{1},\mathit{v}=\mathit{w}}^{\mathit{W}}({\mathit{N}}_{\mathit{m}}{}_{\mathit{A}\mathit{c}\mathit{t}\mathit{i}\mathit{v}{\mathit{e}}_{\mathbf{1}}}^{(\left({\mathit{x}}_{\mathbf{1}}^{\mathit{i}}, {\mathit{y}}_{\mathbf{1}}^{\mathit{i}}\right)\dots \left(\left({\mathit{x}}_{\mathbf{1}}^{\mathit{n}}, {\mathit{y}}_{\mathbf{1}}^{\mathit{n}}\right)\right)}||{\mathit{N}}_{\mathit{m}}{}_{\mathit{P}\mathit{a}\mathit{s}\mathit{s}\mathit{i}\mathit{v}{\mathit{e}}_{\mathbf{1}}}^{(\left({\mathit{x}}_{\mathbf{1}}^{\mathit{i}}, {\mathit{y}}_{\mathbf{1}}^{\mathit{i}}\right)\dots \left(\left({\mathit{x}}_{\mathbf{1}}^{\mathit{n}}, {\mathit{y}}_{\mathbf{1}}^{\mathit{n}}\right)\right)}) . {\mathit{p}}_{{\mathit{x}}_{\mathbf{1}}{\mathit{x}}_{\mathbf{2}}}{\mathit{p}}_{{\mathit{x}}_{\mathbf{2}}{\mathit{x}}_{\mathbf{3}}}\dots {\mathit{p}}_{{\mathit{x}}_{\mathit{n}-\mathbf{1}}{\mathit{x}}_{\mathit{n}}}, \mathrm{Re}, ({\mathit{T}}_{\mathit{W}\dots \dots \dots }^{{\mathit{T}}_{\mathit{S}}}{\mathit{T}}_{\mathit{W}}^{{\mathit{T}}_{\mathit{S}}}{)}_v)$$

  (2)

  under the Markov chain, in which each subsequent sequence is dependent on preceding states.
• Identify outlier using anomaly score
  A node is in either an active (source, destination, intermediary, or switching on)—represented as $({\mathit{N}}_{{\mathit{m}}_{\mathit{A}\mathit{c}\mathit{t}\mathit{i}\mathit{v}\mathit{e}‘}}$)—or passive (sleep, switching-off node) $({\mathit{N}}_{{\mathit{m}}_{\mathit{P}\mathit{a}\mathit{s}\mathit{s}\mathit{i}\mathit{v}\mathit{e}}})$ state. An idle node is not considered to be either an active or passive node. The active or passive states’ anomaly scores are computed as:

  $$\mathrm{Anomaly} \mathrm{Score}= ({\mathit{N}}_{\mathit{m}}{}_{\mathit{A}\mathit{c}\mathit{t}\mathit{i}\mathit{v}\mathit{e}}^{\mathit{A}\mathit{t}\mathit{t}\mathit{e}\mathit{n}\mathit{d}\mathit{e}\mathit{e}}- (\mathit{A}\mathit{V}{\mathit{G}}_{({\mathit{N}}_{\mathit{m}}{}_{\mathit{A}\mathit{C}\mathit{T}\mathit{I}\mathit{V}\mathit{E}}+{\mathit{N}}_m{}_{\mathit{S}\mathit{L}\mathit{E}\mathit{E}\mathit{P})}}^{\mathit{A}\mathit{t}\mathit{t}\mathit{e}\mathit{n}\mathit{d}\mathit{e}\mathit{e}}))/\mathrm{STDEV}$$

  (3)

  where standard deviation (STDEV) is calculated as:

  $$Avg={{\displaystyle \sum }}_{k=0}^n\frac{S.R{R}_k}{n}$$

  (4)

  $$V={{\displaystyle \sum }}_{k=0}^n{\frac{\left(R{R}_k-Avg\right)}{n}}^{2 }$$

  (5)

  $$STDEV=\surd V$$

  (6)

Standard deviation (STDEV) is calculated using Equation (6). For instance, nodes X1, X2, X3, and X4 broadcast 10, 10, 20, and 100 request packets per second, respectively. X4 is a malicious node. The computed average (Avg), Variance (V), and STDEV are 35, 1425, and 38, respectively.

An outlier has an anomaly score lower than a specific threshold. Algorithms 1–3 are used to calculate the threshold value and for the identification of anomalous node behavior, while Algorithm 4 is used for cluster head selection and identifying outliers by using a threshold value.

Algorithm 1 works for the IDLE link and describes the variation in the threshold for a local event. The anomaly score ($\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}-\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$) is matched with the STDDEV anomaly score value of nodes in the network.

Algorithm 1: Threshold limit for a local event if a link is IDLE

if (($\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ $-$ $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$) <$\mathit{S}\mathit{T}\mathit{D}\mathit{E}{\mathit{V}}_{\mathit{N}\mathit{e}\mathit{t}\mathit{w}\mathit{o}\mathit{r}\mathit{k}}$) $\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{T}\mathit{h}\mathit{r}\mathit{e}\mathit{s}\mathit{h}\mathit{o}\mathit{l}\mathit{d}}$ = $\mathit{S}\mathit{T}\mathit{D}\mathit{E}{\mathit{V}}_{\mathit{U}\mathit{P}\mathit{T}\mathit{O}\_\mathit{C}\mathit{U}\mathit{R}\mathit{R}\mathit{E}\mathit{N}\mathit{T}\_\mathit{A}\mathit{N}\mathit{O}\mathit{M}\mathit{A}\mathit{L}\mathit{Y}}$ $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ = $\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$;

Algorithm 2 considers the QoS parameters (such as link capacity, bandwidth, throughput, packet delivery, end-to-end delay, and energy consumption) in threshold limit calculation. High throughput, link capacity, and bandwidth, as well as lower end-to-end delay and energy consumption, are adequate for a robust network.

Algorithm 2: Threshold limit for a local event if a link is BUSY

If ((throughput, link capacity, bandwidth, packet delivery) > QoS_positive_threshold) AND ((end-to-end delay, energy consumption) < QoS_negative_threshold) if (($\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ − $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$) $\ge \mathit{S}\mathit{T}\mathit{D}\mathit{E}{\mathit{V}}_{\mathit{N}\mathit{e}\mathit{t}\mathit{w}\mathit{o}\mathit{r}\mathit{k}}$) $\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{T}\mathit{h}\mathit{r}\mathit{e}\mathit{s}\mathit{h}\mathit{o}\mathit{l}\mathit{d}}$ = $\mathit{S}\mathit{T}\mathit{D}\mathit{E}{\mathit{V}}_{\mathit{U}\mathit{P}\mathit{T}\mathit{O}\_\mathit{C}\mathit{U}\mathit{R}\mathit{R}\mathit{E}\mathit{N}\mathit{T}\_\mathit{A}\mathit{N}\mathit{O}\mathit{M}\mathit{A}\mathit{L}\mathit{Y}}$ $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ = $\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$; Else No change in $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$

Algorithm 3 explains the scenario where the anomaly score’s threshold limit is calculated when packet loss or drop is high. In a high-packet-loss or -drop scenario, the value of the anomaly’s score varies exponentially until the packet loss or drop is beyond a threshold. The threshold value of packet loss or drop is the average value of the network’s packet loss or drop.

Algorithm 3: Threshold limit for a local event if packet loss is high

If ((packet loss or drop) > QoS_negative_threshold) While((packet loss ) < QoS_negative_threshold) Set t=0 If (t==0) $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ = $\mathit{C}\mathit{u}\mathit{r}\mathit{r}\mathit{e}\mathit{n}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ $\mathit{E}\mathit{l}\mathit{s}\mathit{e}$ $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ = 2*$\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$ Else No change in $\mathit{L}\mathit{a}\mathit{s}{\mathit{t}}_{\mathit{A}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{y}}$

Algorithm 4 explains the scenario of identifying the outliers and the selection of cluster heads. The node with the highest energy is selected as a cluster head, and a threshold value is used to identify outliers. This information about the outlier and a node is communicated to the cluster head, as well as to neighbor nodes, in order to avoid communication through the victim node. By doing so, this energy is preserved for nodes at different levels, ensuring the optimization of resources.

The objective of Algorithms 1–3: For outlier detection, the anomaly score threshold limit is calculated.

Algorithm 4: Energy calculation and identification of outliers

Set cluster_head = node with the highest energy Set threshold (value) If route reply of node (i) > threshold (value) Send alert to cluster head and neighboring nodes that the node is an outlier If the node is an outlier, then avoid routing through it Calculate energy discharge

Like outlier detection at the local level, outliers are also identified at the global or network levels, as shown in Figure 2.

5. Simulation Results

In this section, the results and analysis (for the detection ratios and QoS parameters) of the study are presented.

In the real-world environment, protocol testing involves huge costs, and is very time-consuming. Simulation tools are a good choice to create a scenario for the performance evaluation of a network, because of the dynamic nature of MANETs. In this article, we use the network simulation tool ns-3; ns-3 is a free, open-source discrete-event network simulator; ns-3 is widely used, as it is open source, operates in a high degree of complex network environment, and offers high reliability; its simulation results can be easily reproduced and analyzed; it is also cost-effective for constructing an application.

In the ns-3 simulator, the AODV, DSDV, DSR, OLSR, and ZRP routing protocols were implemented and the performance matrix was calculated. The analysis was carried out in terms of the impact on MANET performance and anomaly detection, in order to enhance security when the density of the network is increased.

To perform analysis of the AODV, DSDV, DSR, OLSR, and ZRP routing protocols using the ns-3 network simulation tool, several parameters were applied; these parameters were used to calculate and analyze the performance of the network (

Table 1. Simulation parameters.

Parameters	Value
Numbers of nodes	200–1000
Channel type	Wireless channel
Radio propagation model	Ray tracing
Network interface	Wireless PHY
MAC type	802.11
Interface queue	Priority queue
Antenna	Omni antenna
Max packet in queue	50
Dimension	1000 m × 1000 m
Mobility model	Random waypoint mobility
Data rates	5 packets/second
Packet size	512 bits
Simulator	ns-3
Simulation time	5000 s
Number of slots assigned to the reader at stretch( )	1
Time of each slot	10 ms
Velocity(minimum to maximum)	0.3–5 m/s

). ns-3 provides different frameworks and built-in libraries; these libraries can be linked to the (C++/Python) simulator program, either statically or dynamically. In this work, the ns-3 simulator Python language is used in conjunction with LINUX OS.

The various notations used in the proposed methodology are described in

Table 2. Summary of notations.

Notations	Meaning
Re	Region
Ti	Initial time
Tt	Termination time
TW	Window selected in one stretch
Nm	Mobile node
${\mathit{T}}_{\mathit{S}}$	Timestamp
${\mathit{T}}_{\mathit{F}\mathit{r}\mathit{a}\mathit{m}\mathit{e}}$	Timeframe
${\mathit{P}}_{\mathit{S}}^{\mathit{A}\mathit{V}\mathit{G}}$	Probability of finding a node in a region
${\mathit{N}}_{{\mathit{m}}_{\mathit{A}\mathit{c}\mathit{t}\mathit{i}\mathit{v}\mathit{e}‘}}$	Active node
${\mathit{N}}_{{\mathit{m}}_{\mathit{P}\mathit{a}\mathit{s}\mathit{s}\mathit{i}\mathit{v}\mathit{e}}}$	Passive node
$STDEV$	Standard deviation

. The simulation results of each routing protocol in the ns-3 environment have been fetched and presented in graphs (Figure 3, Figure 4, Figure 5, Figure 6 and Figure 7) and data tables (

Table 3. Comparative analysis of detection ratios with variations in the number of nodes.

	N = 200	N = 400	N = 600	N = 800	N = 1000
ADR	0.741	0.715	0.711	0.693	0.665
WCAR	0.080	0.11	0.12	0.14	0.16
ALADR	0.730	0.700	0.683	0.672	0.651
ALWCAR	0.055	0.07	0.08	0.09	0.10
ALWCAR–WCAR	0.025	0.04	0.04	0.05	0.06
ALADR-ADR	0.011	0.015	0.028	0.021	0.014

and

Table 4. Comparative detection ratio analysis at network level.

	N = 1000
Parameter	Yang et al. [26]	Branch et al. [33]	Proposed Approach
Minimum ADR	48.8%	57.8%	66.5%
Minimum WCAR	9%	10%	8%
Minimum ALADR	0.1%	0.2%	0.6%
Minimum ALWCAR	≤0.1%	≤0.2%	≤0.6%

). According to the simulation results, there is a clear indication that when the network density increases, the routing protocols under study are affected in terms of QoS. The comparative analysis of the routing protocols shows that the performance of the ZRP is enhanced concerning jitter value, end-to-end delay, throughput, and average energy consumption.

A. 

Comparative Analysis of Detection Ratios

To analyze the performance, the ns-3 simulator was used. In addition to the ns-3 simulator, Python language was used on LINUX OS.

The variation in the number of nodes on ns-3 was 200–1000 for the zone routing protocol (ZRP) for 5000 s. The comparison of detection ratios with node variation is presented in Table 3.

(i)

Anomaly detection ratio (ADR)

$$\mathit{A}\mathit{D}\mathit{R}=\frac{\mathit{a}\mathit{n}\mathit{o}\mathit{m}\mathit{a}\mathit{l}\mathit{i}\mathit{e}\mathit{s}\mathit{ }\mathit{d}\mathit{e}\mathit{t}\mathit{e}\mathit{c}\mathit{t}\mathit{e}\mathit{d} \mathit{b}\mathit{y} \mathit{p}\mathit{r}\mathit{o}\mathit{p}\mathit{o}\mathit{s}\mathit{e}\mathit{d} \mathit{s}\mathit{y}\mathit{s}\mathit{t}\mathit{e}\mathit{m}}{\mathit{number} \mathit{of} \mathit{anomalies} \mathit{in} \mathit{trace} \mathit{file}}$$

As the number of nodes increases, the value of ADR decreases; its minimum value is 66.5% in a 1000-node network. The reason for the decrease in ADR value is that, after transmitting control packets, many nodes become silent.

(ii)

Wrongly calculated anomaly ratio (WCAR)

$$\mathit{WCAR}=\mathit{number} \mathit{of} \mathit{inliers} \mathit{detected} \mathit{as} \mathit{outliners}$$

As the number of nodes increases, the value of WCAR also increases, ranging from 8% for 200 nodes to 16% for 1000 nodes.

(iii)

Average local anomaly detection ratio (ALADR)

$$\mathit{ALADR}=\frac{\mathit{value} \mathit{of} \mathit{ADR} \mathit{collected} \mathit{from} \mathit{each} \mathit{local} \mathit{subgroup}}{\mathit{number} \mathit{of} \mathit{local} \mathit{subgroup}}$$

The value of ALADR < ADR, and further declines with an increasing number of nodes. The different values of ALADR and ADR indicate the presence of outliers in the network that are not constituents of any local subgroup. The minimum and maximum values are 1.1% and 1.4% for 200 and 1000 nodes, respectively.

(iv)

Average local wrongly calculated anomaly ratio (ALWCAR)

$$\mathit{ALWCAR}=\frac{\mathit{acum}\mathit{ }\mathit{of} \mathit{WCAR} \mathit{values} \mathit{from} \mathit{each} \mathit{local}\mathit{ }\mathit{subgroup}}{\mathit{number} \mathit{of} \mathit{local} \mathit{subgroups}}$$

Here, ALWCAR < WCAR, and ALWCAR increases with an increase in the number of nodes.

To appraise ADR, WCAR, ALADR, and ALWCAR in real implementation:

ADR is one of the important factors to influence the performance of the network by detecting anomalies on time; WCAR should be minimal, as it constitutes the incorrect identification of inliers as outliers, which may significantly affect the performance in terms of energy consumption and security; ALADR is the parameter that helps to identify the outlier at the local subgroup level and network levels.

B. 

Comparative Analysis of QoS Parameters

Figure 3, Figure 4, Figure 5, Figure 6 and Figure 7 show the performance analysis of the proposed outlier detection mechanism over five MANET routing protocols using various QoS parameters in a network of 200–1000 nodes. The QoS parameters taken for performance analysis were jitter, end-to-end delay, throughput, and sender and receiver energy consumption. The five MANET routing protocols selected for analysis were destination-sequenced distance vector (DSDV) routing, ad hoc on-demand distance vector (AODV), dynamic source routing (DSR), optimized link-state routing (OLSR), and the zone-based routing protocol (ZRP). The observations of QoS parameters were as follows:

Figure 3 shows the comparative analysis of jitter in 200–1000-node networks using the proposed outlier detection mechanism over five MANET routing protocols. The findings reveal the lowest jitter value for the ZRP—a hybrid protocol that acclimatizes to dynamic settings of the network. As the number of nodes rises, the jitter value also increases. The reason for the increase in jitter value is the rise in traffic, which results in increased overhead in the network.

Figure 4 shows the comparative analysis of end-to-end delay in 200–1000-node networks using the proposed outlier detection mechanism over five MANET routing protocols. For end-to-end delay, the ZRP has the lowest value, while DSR has the highest value; with the rise in node numbers, the value of end-to-end delay rises; this is because of processing and propagation delays due to an increase in traffic that necessitates more processing time for the large number of requests received.

Figure 5 shows the comparative analysis of throughput in 200–1000-node network using the proposed outlier detection mechanism over five MANET routing protocols. With the rising number of nodes, throughput also increases; this is because there are several paths available to connect to the destination, and this, in turn, increases the probability of successful transmission. Among the five studied protocols, the ZRP breaks unidentified communication by creating different zones that become accustomed to dynamic settings in the network. Hence, the ZRP performs better in comparison to AODV, DSDV, DSR, and OLSR.

Figure 6 shows that average sender energy consumption is lowest for the ZRP and highest for the DSR protocol. This is because the ZRP makes a structured, connected, semi-hierarchical network that facilitates well-timed message delivery. In other protocols, the senders involved packet retransmission due to packet loss or discard in the unstructured network.

Figure 7 shows the comparative analysis of receiver energy consumption in 200–1000-node networks using the proposed outlier detection mechanism over five MANET routing protocols. The ZRP has the lowest value for average receiver consumption, as the network is structured—unlike other protocols, where it is unstructured. Unstructured networks have a higher probability of retransmission or loss of packet acknowledgment.

C. 

Comparative Analysis of the Proposed Approach with Existing Mechanisms

Table 3 presents the comparative account of detection ratios when the number of nodes is varied. The ADR value decreases in the 1000-node network, reaching a minimum value of 66.5% due to nodes being silent after control packet transmission. The value of WCAR for the 1000-node network is maximal—i.e., 16%; hence, the rise is observed when the number of nodes varies from 200 to 1000. In addition, the ADR value is greater than ALADR when the number of nodes increases, because outliers are detected that do not belong to a local subgroup.

The proposed scheme performs better than the other schemes [26,33] described in the literature, considering the comparison parameters of ALWCAR, ADR, ALDR, and WCAR. DD-ZRP performs better at the local subgroup level and network level, as shown in Table 4 and

Table 5. Comparative detection ratio analysis at subgroup level.

	N = 1000
Parameter	Yang et al. [26]	Branch et al. [33]	Proposed Approach
Minimum ADR	42.5%	51.7%	59.6%
Minimum WCAR	10%	9%	7%
Minimum ALADR	0.3%	0.5%	0.7%
Minimum ALWCAR	≤0.2%	≤0.3%	≤0.6%

, respectively.

To summarize, in this work outliers are detected in resource-constrained key management networks, and a lightweight key management network is constructed to ensure confidentiality, authentication, and integrity in outlier detection. The work is an extension of Teo and Tan’s model, in which outlier detection is incorporated to construct a secure network. The hybrid approach of DD-ZRP was designed by integrating three well-accepted protocols proposed by Teo and Tan [1], Traag et al. [2], and Cerpa et al. [3]. The simulation was performed using NS-3, and the proposed algorithms take link state and QoS parameters such as packet drop and energy consumption in the network into consideration in order to detect outliers. To identify outliers in a network, cluster zones in the network were put under observation.

Algorithm 1 explains the variation in threshold limit for the local event if the link is IDLE; in this algorithm, the anomaly score is compared with the threshold value to identify outliers. Algorithm 2 observes the QoS parameters in threshold limit calculation. QoS parameters such as throughput, link capacity, bandwidth, and packet delivery are considered for positive results, while end-to-end delay and energy consumption are considered for negative results. Higher positive results or lower negative results are acceptable for high-performing networks. Algorithm 3 explains the scenario where the anomaly score’s threshold limit is calculated when packet loss or drop is high. In a high-packet-loss or -drop scenario, the value of the anomaly’s score varies exponentially until the packet loss or drop is beyond a certain threshold. In this work, along with outlier detection at the local level, outliers are also identified at the network level.

On comparing the network outlier detection threshold with the average value of the local threshold, if the network threshold value is lower than it is recomputed after days and weeks to record observations. This process keeps going on until the network threshold value is higher than the average value of local subgroups, as a network must have an equal or higher number of nodes compared to the total number in all subgroups. Algorithm 4 selects the node with the highest energy as the cluster head, and by comparing the route reply of a node with the threshold, an outlier is detected and an alert to the cluster head and the neighboring node is set. The results are compared with the studies of Yang et al. [26] and Branch et al. [33], using the ADR, WCAR, ALADR, and ALWCAR parameters at the subgroup and network levels.

6. Conclusions

MANETs are a challenging research field because of their characteristics, such as dynamic topology, flexibility, open medium, and constrained capability. This makes MANETs pertinent to various applications. However, these features are a threat to the security of the system. Specifically, it is routing that is significant in the security of the entire network; this appears to be a non-trivial problem that cannot be solved effortlessly, i.e., MANETs are much more vulnerable to security attacks. In this paper, we have reviewed the state-of-the-art security protocols in MANETs. Although various researchers have proposed solutions to address the security and performance issues in MANETs, these proposed solutions are not comprehensive for effective and efficient performance and routing security; there are limitations on all solutions.

In this research, we have compared all of the protocols in the ns-3 simulation environment using jitter, throughput, average end-to-end delay, and anomaly detection. For the proposed DD-ZRP approach, a minimum 66.5% anomaly detection ratio is observed in a network of 1000 nodes. A minimum WCAR of 8% for 200 nodes and a maximum WCAR of 16% for 1000 nodes are observed. For ALADR, a minimum of 1.1% outlier for 200 nodes, and a maximum of 1.4% outlier for 1000 nodes, are present in a network that is not part of any subgroup. The ratios shown have significant improvement compared to the prevailing mechanisms. The ZRP protocol—being a hybrid protocol—exploits the advantages of both proactive and reactive approaches, and thus performs better for QoS and outlier detection mechanisms when compared to the other protocols considered in the study. The proposed ZRP-based approach is better for outlier detection with respect to end-to-end delay, jitter, sender/receiver energy consumption, and throughput for 200–1000-node networks. The findings reveal that QoS parameters rise with an increase in the number of nodes in the network. In effect, DSR outperforms at a lower level; however, the pre-eminent routing protocol is the ZRP.

Future studies could consider facilitating a protection mechanism to learn from experience and use the knowledge gained to detect novel intrusive activities. The development and deployment of network security policies is vital in MANETs; this is a further potential area of research. In addition, it would be interesting to investigate this method for other relevant types of applications and evaluate it in a realistic scenario, as this work has only included simulation results. As a final point, the attacks on existing protection schemes make it necessary to enhance existing solutions and make them more robust in order to combat new vulnerabilities introduced into the system.