Wormhole Attack Detection in Wireless Sensor
Networks
1st Given Name Surname
dept. name of organization (of Aff.)
name of organization (of Aff.)
City, Country
email address
Abstract—Security is one of the most important issue in
ad-hoc networks like wireless sensor networks because of its
unique characteristics like limited bandwidth, limited battery,
power and dynamic topology which makes it vulnerable to many
kinds of attacks. Besides ad-hoc networks share a common
wireless medium and lack central co-ordination which makes it
prone to attacks compared to wired network. Wormhole attack
is one of the most serious attack in wireless sensor network
and most proposed protocol to defend against this attack used
positioning devices, directional anteena or synchronized clock.
Most of them requires additional hardwares. In this paper,the
methods dealing with wormhole attack in wsn are surveyed and
a method is proposed to detect wormhole attack. A modified
AODV(Ad-hoc on demand distance vector) routing protocol is
used which is based on the RTT(Round Trip Time) mechanism
and other characteristics of wormhole attack. As compared to
other solutions shown in literature, proposed approach looks very
promising. NS-3 simulator is used to perform all simulation.
Index Terms—wireless sensor network, security, AODV routing
protocol, NS-3
I. I NTRODUCTION
Wireless sensor network comprise many interconnected
self-controlled devices(i.e sensor nodes) that are used in a
collective manner to monitor and/or control environmental
phenomena in local or remote environments[8]. Nodes in
the network communicate with each other using wireless
transcivers and it has no fixed infrastructure. Sensor nodes
are deployed in large number to monitor the environment
or system by measurement of physical parameters such
as pressure characteristics of object temparature and their
relative humidity or motion[1].WSN has gained popularity
for its versatile application in civil and military domains, such
as home automation, healthcare, battlefield monitoring and
tracking objects. Each node of the sensor network consists
of the three subsystem: the processing which performs local
computations on the sensed data, the sensor subsystem
which senses the environment and the communicatioin
subsystem which is responsible for message interchange with
neighbouring sensor nodes[1].
According to the layer of the OSI model classification
of security attacks in WSN is done. Wormhole attack operates
at the network layer of the OSI model.
2nd Given Name Surname
dept. name of organization (of Aff.)
name of organization (of Aff.)
City, Country
email address
There are many types of attack in network layer described in
[2] are : Sybil attack, Wormhole attack, Sinkhole attack and
Flooding.
In section II description about wormhole attack is given
in details. In section III related work proposed by various
authors is described. In section IV our proposed work for
detection of wormhole attack is described. In section V we
present our results. In section VI we conclude.
II. W ORMHOLE ATTACK
Wormhole attack consists of two nodes. In wormhole
attack[7], a malicious node tunnels messages received in one
part of the network over a low latency link and replays them
in a different part. Due to the nature of wireless transmission,
the attacker can create a wormhole even for packets not
addressed to iteslf, since it can overhead them in wireless
transmission and tunnel them to the attacker at the opposite
end of the wormhole. The tunnel can be established in many
ways e.g in-band and out-of-band channel. For this, the tunnel
packet arrive either sooner or with a less number of hops
compared to the packet transmitted over a multi hop routes.
Routing mechanism can get confuse because wormhole node
take a route which may shorter than the original one in the
network as it rely on the knowledge about distance between
nodes. It can occur a variety of attacks against the data traffic
flow. Some of them are selective dropping , eavesdropping
replay attack etc.
Wormhole attack is classified into four attack models[3].
A. Encapsulation
In this attack data packets are encapsulated between the
malicious nodes where several nodes exist between two
malicious nodes.It prevents nodes from incrementing hop
counts on way.The packet is converted into original form by
the second end point. Since the two ends of wormhole do
not need to have any cryptographic information, or special
requirement such as high-power source or high bandwidth
channel this mode of attack is not difficult to launch.

Fig. 1. Encapsulation Wormhole
B. Out-of-band Channel
In this wormhole approach, it has only one malicious node
with much high transmission capability in the network which
attracts the packets to follow path passing from it. The chances
of malicious nodes present in the routes established between
sender and receiver increases on this case.
Fig. 2. Out-of-band Wormhole
C. Packet Relay
In this attak one or more malicious nodes can launch packet-
relay-based wormhole attacks. On this type of attack malicious
node replays data packets between two far nodes and fake
neighbours are created by this way.
D. High Power Transmission
In this mode of attack, without colluding node a single
malicious node can create a wormhole. It rebroadcasts the
request at a very high power level capability compared
to normal node when this single malicious node received
a RREQ. Then it attracting normal nodes to over-hear
this RREQ and further on broadcast the packet towards
destination.
III. R ELATED W ORK
Numerous detection schemes have been proposed to
confront the the wormhole attack in WSNs. In [11] An
efficient method for detecting wormhole attacks against
the routing functionality of network. The author propose
an algorithm which is meant to secure each link. In this
algorithm, each node considers the distance. The Distance
separates it from its direct neighbors. This estimate is
performed using an exchange of message simultaneously by
using a radio interferometry generating ultrasonic waves.
Then each node exchanges the information of these values
of calculated distances. Once these data are exchanged, each
node runs a set of geometric tests on the local data thus
obtained, in order to detect false links present due to the
Wormhole attack. The disadvantage of this approach is that
each node must be equipped with a second ultrasound radio,
allowing the estimation of distances between neighboring
nodes.
In [12], a statistical approach is proposed, known as SWAN,
in which each sensor collects a recent number of neighbors.
A wormhole attack is identified if the current number of
neighbors exhibits an unusual increase, compared to the
previous neighborhood counts taken outside of the wormhole
zones. This is a distributed approach so that it doesn’t
cause any overhead, unlike a centralized approach. However,
this schemes has been designed for and perform better in
a uniformly distributed network, but their performance is
in question for networks in which sensors are distributed
non-uniformly.
In [6], Hu and Evans propose a solution to wormhole
attacks for ad hoc networks in which all nodes are equipped
with directional antennas. When directional antennas are used,
nodes use specific ‘sectors’ of their antennas to communicate
with each other. Therefore, a node receiving a message from
its neighbor has some information about the location of
that neighbor, which knows the relative orientation of the
neighbor with respect to itself. This extra bit information
makes wormhole discovery much easier than in networks with
exclusively omni-directional antennas. This approach does not
require either location information or clock synchronization,
and is more efficient with energy. They use directional
antenna and consider the packet arrival direction to defend
the attacks. They use the neighbor verification methods
and verified neighbors are really neighbors and only accept
messages from verified neighbors. But it has the drawback
that the need of the directional antenna is impossible for
sensor networks.
HU et al [4] describe a defense based on the leashes
of the packet, where the distance of a message route is
limited, each message having a timestamp and a location of
its transmitter. The receiver compares this information with
its own location and timestamp to check if the intervals of
transmissions are exceeded. However, this proposal presents
two disadvantages: It requires a coordinate system such as
the GPS in order to obtain the geographic information about
each node; It requires a precise synchronization of clocks
between different nodes in order to use timely data.
In [1] it presented efficient method to detect a wormhole
attack called wormhole detection for multipath AODV
protocol(AOMDV). Based on the number of hops and delay
of each node in different paths from source to destination,
it detects wormhole attack. It requires no special hardware
and it do not require clock synchronization or positioning
system. Our methodology improves this method as our attack
detection algo is based on delay and packet loss.

IV. P ROPOSED MECHANISM TO DETECT WORMHOLE

ATTACK
A technique is proposed using modified AODV protocol
to detect the wormhole attack in the network efficiently.
Details of the proposed algorithm is as follows - First source
node broadcasts the spoofed RREQ packet. The spoofed
RREQ packet is broadcast to all the other neighbours in the
network. If any neighbour replies to this packet, those nodes
are marked as wormhole nodes in the routing table. The
reason is since the normal nodes which are not malicious
will not reply to this spoofed RREQ packet. So the routing
table updates this wormhole node information by marking it
as malicious. To discover multiple paths between the source
and destination the sender node checks if a route is present
or not for communication of any two node in the routing
table. If present,it gives routing information else it broadcasts
the packet. If the route is not present, then it broadcasts the
RREQ packet to its neighbour that checks if a route is present
or not. When AODV finds multiple paths, it will select the
main path for data transmission based on the time of routing
establishment. If the main path is down, then other path is
selected according to time.

Now at the time of broadcasting a packet, we note

time x1 and if multiple RREP packet is received, then
there is multipath available and we count x2i for each
path. Then calculate the round trip time x. By making
average of all round trip time for x2 we get the average
round trip time which will be denoted as threshold of RTT xh .

Then the method would analysis the packet. If the forwarded

and received packet difference is less than threshold value(lh )
of packet loss which is taken based on channel and other
looses then send the next packet. If not,then save the node
id from routing table. Then calculate the packet loss and
also calculate the probability of attack. The probability of
attack is calculated by the threshold of packet loss and the
threshold of RTT. If the probability of attack is not greater
than the probability of wormhole attack, then notify there is
no wormhole attack. Else there is wormhole attack.

Algorithm:
1) Source node broadcast spoofed RREQ packet
2) Calculate Round Trip Time for each route(Xs )
Xi = X2i - X1
Xsi = Xi / hopcounti
Fig. 3. The flowchart of proposed algorithm
Xh = Average of Xsi
3) Find the path and collect data and count the packet lossl
l = F P - RP
 4) If(l is equal to zero) go to 10
5) If(l is smaller than lh ) go to 10
6) Save the node id and attacker id from routing table and
calculate the probablity of attack p(a) and probability of
wormhole attack p(w) by lh and Xh
p(a) = probabilityof attackby((Xs < Xh )&(l < lh ))
p(w) = probabilityof attackby((Xh )&(lh ))
7) If(p(a) is smaller than p(w)lh ) then go to 10
8) Wormhole attack detected
9) Take prevention procedure
10) Forward next packet

V. S IMULATION E NVIRONMENT AND RESULTS Fig. 5. Packet delivery fraction for 10, 14 & 25 nodes

In this section the simulation results are shown for

parameters like average throughput, packet delivery fraction, the value of average end to end delay but when the proposed
average end-to-end delay and packet drop ratio by comparing AODV is used then the performance improves.
normal aodv, wormhole effected aodv and proposed aodv
protocols in a network. The following table shows the
simulation parameters.
Simulation Area 400 ∗ 400
Routing Protocol AODV
Packet Size 512 bytes
Traffic Rate CBR
Number of Nodes 10,14,25
Range of Transmission 200m
Simulation Time 400s
Mobility Model Fixed

In all figures below on x-axis are parameters and y-axis

are routing protocols. in Fig. 4, it shows the average
throughput are plotted against three routing protocols for
network density(nodes).
Fig. 6. Average end to end delay for 10, 14 & 25 nodes

Fig. 4. Average throughput for 10, 14 & 25 nodes
In fig. 5, it shows on the results for packet delivery fraction that
after implementing our proposed AODV the packet delivery
fraction improves for different network density.
In fig. 6, it shows the result for average end to end delay.
When the wormhole nodes are kept in the network, it increases
C ONCLUSION
In this paper we proposed a mechanism to detect wormhole
attacks, which is one of the most dangerous attack and difficult
to detect in WSN, and whose purpose is to create false logical
topologies. This attack also enterrupts the calcualtion process
of routes which establishes corrupt and incorrect routes and
makes a large amount of loss of connectivity. Our proposed
method is based on RTT mechanism. In this technique no
special hardware is required. All we need is to calculate
the round trip time and packet loss of every route and
the threshold value. According to simulation the results of
various parameters like throughput, average ETE delay, packet
delivery fraction it is proved that our proposed mechanism
performs better than wormhole affected AODV and this helps
to reduce the number of lost packets. This method will also
detect malicious nodes by which in routing operations, it can
prevent their particiaption. In future, This proposed method
can be implemented in mobile ad-hoc network also.
 R EFERENCES
[1] P. Amish and V. Vaghela, “Detection and prevention of wormhole attack
in wireless sensor network using aomdv protocol,” Procedia computer
science, vol. 79, pp. 700–707, 2016.
[2] P. Maidamwar and N. Chavhan, “A survey on security issues to detect
wormhole attack in wireless sensor network,” International Journal on
AdHoc Networking Systems (IJANS) Vol, vol. 2, pp. 37–50, 2012.
[3] M. O. Johnson, A. Siddiqui, and A. Karami, “A wormhole attack
detection and prevention technique in wireless sensor networks.”
[4] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Packet leashes: a defense
against wormhole attacks in wireless networks,” in INFOCOM 2003.
Twenty-Second Annual Joint Conference of the IEEE Computer and
Communications. IEEE Societies, vol. 3. IEEE, 2003, pp. 1976–1986.
[5] R. A. Prakash, W. Jeyaseelan, and T. Jayasankar, “Detection, prevention
and mitigation of wormhole attack in wireless adhoc network by
coordinator,” Appl. Math, vol. 12, no. 1, pp. 233–237, 2018.
[6] L. Hu and D. Evans, “Using directional antennas to prevent wormhole
attacks.” in NDSS, vol. 4, 2004, pp. 241–245.
[7] Z. Tun and A. H. Maw, “Wormhole attack detection in wireless sensor
networks,” World Academy of Science, Engineering and Technology,
vol. 46, p. 2008, 2008.
[8] M. N. A. Shaon and K. Ferens, “Wormhole attack detection in wireless
sensor network using discrete wavelet transform,” in Proceedings of the
International Conference on Wireless Networks (ICWN). The Steering
Committee of The World Congress in Computer Science, Computer
Engineering and Applied Computing (WorldComp), 2016, p. 29.
[9] M. Bendjima and M. Feham, “Wormhole attack detection in wireless
sensor networks,” in SAI Computing Conference (SAI), 2016. IEEE,
2016, pp. 1319–1326.
[10] M. A. Matin and M. Islam, “Overview of wireless sensor network,” in
Wireless Sensor Networks-Technology and Protocols. InTech, 2012.
[11] R. Shokri, M. Poturalski, G. Ravot, P. Papadimitratos, and J.-P. Hubaux,
“A low-cost secure neighbor verification protocol for wireless sensor
networks,” Tech. Rep., 2008.
[12] S. Song, H. Wu, and B.-Y. Choi, “Statistical wormhole detection for
mobile sensor networks,” in Ubiquitous and Future Networks (ICUFN),
2012 Fourth International Conference on. IEEE, 2012, pp. 322–327.
[13] V. Bhuse, A. Gupta, and L. Lilien, “Dpdsn: Detection of packet-dropping
attacks for wireless sensor networks,” in Proc. Fourth Trusted Internet
Workshop, vol. 107. Citeseer, 2005.
[14] K. Srinivasan, P. Dutta, A. Tavakoli, and P. Levis, “Understanding
the causes of packet delivery success and failure in dense wireless
sensor networks,” in Proceedings of the 4th international conference
on Embedded networked sensor systems. ACM, 2006, pp. 419–420.
[15] M. Lakde and V. Deshpande, “Packet loss in wireless sensor network:
A survey.”
[16] O. Doxygen, “Version 2.3. x,” 2015.
[17] L. Li, X. Hu, and B. Zhang, “A routing algorithm for wifi-based
wireless sensor network and the application in automatic meter reading,”
Mathematical Problems in Engineering, vol. 2013, 2013.
[18] R. Haboub and M. Ouzzif, “Secure routing in wsn,” International
Journal of Distributed and Parallel Systems, vol. 2, no. 6, p. 291, 2011.
[19] J. Govindasamy and S. Punniakodi, “Energy efficient intrusion detection
system for zigbee based wireless sensor networks.”