WRHT : A Hybrid Technique for Detection of Wormhole Attack in Wireless Sensor Networks

Wormhole attack is a challenging security threat to wireless sensor networks which results in disrupting most of the routing protocols as this attack can be triggered in different modes. In this paper, WRHT, a wormhole resistant hybrid technique, is proposed, which can detect the presence of wormhole attack in a more optimistic manner than earlier techniques. WRHT is based on the concept of watchdog and Delphi schemes and ensures that the wormhole will not be left untreated in the sensor network. WRHT makes use of the dual wormhole detection mechanism of calculating probability factor time delay probability and packet loss probability of the established path in order to find the value of wormhole presence probability. The nodes in the path are given different ranking and subsequently colors according to their behavior. The most striking feature of WRHT consists of its capacity to defend against almost all categories of wormhole attacks without depending on any required additional hardware such as global positioning system, timing information or synchronized clocks, and traditional cryptographic schemes demanding high computational needs. The experimental results clearly indicate that the proposed technique has significant improvement over the existing wormhole attack detection techniques.


Introduction
Wireless sensor networks (WSNs) are infrastructure-less and self-configured wireless networks to monitor the environment or physical conditions, such as temperature, sound, and humidity, and to cooperatively pass their data gathered through the network to a central location or sink (base station) so that the data can be analyzed for further processing.WSN is deployed in the environments that are usually unfriendly and unsafe.WSN has a large number of constraints which result in new challenges.The sensor nodes have unreliable communication medium and extreme resource limitations which make it very difficult to deploy security mechanism.Most of the protocols for WSNs in the past assumed that all nodes are trustworthy and cooperative.But this is not the case for many sensor network applications today and a variety of attacks are possible in WSN including wormhole.
Wormhole attack is a severe security threat to WSNs.Wormhole attack in WSNs is one of the main attacks in which a malicious node entraps the packets from a single position in the network so that they can be tunneled to another malicious node at a far off point.In a wormhole attack, since attackers are directly connected with each other, they can, therefore, communicate at a fast speed in comparison to the other nodes in the WSN.However, for the implementation of such communication, there is a need for support of special hardware.For the tunnel distances that are more than the singlehop normal wireless transmission range, it is easier for the attacker to compose packets in the tunnel as compared to a regular multihop route.This is done due to the use of a single long-range directional wireless link or direct wired link.It is also achievable for an attacker in the wormhole attack to move forward every bit directly without waiting for receiving of the complete packet.Wireless transmission nature also makes it possible for the attacker to construct a wormhole for packets that are not addressed to it; this is possible as an attacker can overhear these packets in wireless communication and tunnel them in order to collude attacker at the other end of the wormhole.
For the setting of wormhole attack in WSN, attackers construct a wormhole tunnel that makes a direct link between two malicious nodes located at far off locations.Attackers make use of either a high-quality wireless out-ofband link or a wired link for the construction of wormhole tunnels.The tunnel constructed is used by malicious nodes for making Denial of Service (DoS) attack.It can also be used for traffic analysis or for dropping data or controlling packets.Wormhole attack can be made in the WSN, without compromising any sensor node or the authenticity and the integrity of the communication.Cryptographic methods are used for defending the network communications, but they fail for the detection of wormhole attacks as the success of the wormhole attack is independent of the cryptographic mechanism.Moreover, a wormhole attack is difficult to detect as it utilizes a limited amount of resources for the attack.Attackers can establish the wormhole attack in WSNs without disclosing their identities.Most of the routing protocols like AODV (Ad hoc On-demand Distance Vector) and DSR (Dynamic Source Routing) are vulnerable against this attack.In wormhole attack, since attackers are directly connected to each other through tunnel, they can communicate at a fast rate as compared to other nodes in the sensor network.However, there may be need of special hardware to support such kind of communication. Figure 1 shows the tunnel constructed by malicious nodes under wormhole attack.Assume that sensor nodes  and  are not neighbors of each other.An attacker with tunnel is able to transmit packets at  and  nodes, the two nodes that it controls.By transmitting packets from sensor node  to node , the attacker can make node  and node  believe that they are neighbors of each other and vice versa.The attacker can replay packets received by sensor node  at node  and vice versa; it would otherwise take a number of hops for travelling a packet from a location near  to a location near .Packets that are transmitted near sensor node  travelling through the wormhole will arrive at node  even before travelling of the packets through multiple hops to the network.The attacker can make the sensor nodes  and  believe that they are neighbors of each other, with the help of routing messages, and then can selectively drop out data messages in order to disrupt communications between sensor nodes  and .
Many countermeasures for exposure of wormhole have been proposed in WSNs.Those solutions diagnose the partial symptoms induced by wormholes for their detection.Most of the detection methods either make use of a dedicated hardware device such as global positioning systems, antennas with specific directions, and particular radio transceiver modules or make very strong assumptions regarding sensor networks such as large-scale clock synchronization, unique guard nodes, attack-free environments, and communication models with unit disk.These special needs and suppositions restrict their applicability to the networks that are made of a huge number of small cost resources constrained nodes.In order to completely tackle wormhole attacks in WSNs, we have to reply to the following questions.(1) The most necessary characteristics of wormhole attack are caused by which symptoms feature?(2) How can one propose the countermeasures without using significant needs or supposition?Our goal in this research work relies exclusively on connectivity information of sensor network in order to detect and isolate the wormholes.We focus our research study on elementary view on the packet loss and delay in multihop wireless sensor network topologies, targeting catching the packet loss and delay at hop level and for the complete route.
In this paper, we propose a hybrid wormhole detection technique WRHT (wormhole resistant hybrid technique) that is based on the concept of watchdog [1] and Delphi [2].We first calculate delay probability per hop and for the complete route caused by the wormhole in the selected route.In the next phase, WRHT finds the packet drop probability for each hop and the complete route in the sensor network.We also calculate the wormhole presence probability (WPP  ) for a path.The remainder of the paper is ordered as follows.We initially discuss present relevant countermeasures against wormhole attack in Section 2. In Section 3, the proposed WRHT is discussed.The simulation results are provided in Section 4, while performance evaluation is given in Section 5. Finally, we end with a conclusion and future work in Section 6.

Related Works and Problem Formulation
2.1.Related Works.In this section of the paper, we review related works in the literature for dealing with wormhole attack.A detailed study of these proposed solutions will help in the formulation of the problem and its possible solution.
Cho et al. [3] in their paper discuss vulnerabilities that the technique of watchdog and trust mechanisms has and finally they propose protective approaches that can remove weaknesses of the trust mechanism and the watchdog technique.Dias et al. [4] provide a cooperative watchdog system for detecting and acting against misbehaving nodes and sequentially reducing their impact on performance in the overall network.Its operation depends on a cooperative exchange of nodes character along the network.Dromard et al. [5] make the assumption that the attacked nodes drop both the acknowledgement and forwarded packets with different frequencies.The authors offered an extension to the watchdog scheme in order to detect misbehaving nodes in WMNs while considering packets loss over the links.The proposed scheme matches the sharing of a node acknowledgment to its distribution of the forwarded packets of data in order to detect misbehaving nodes.Hernández-Orallo et al. [6] proposed CoCoWa (Collaborative Contact-based Watchdog), a collaborative technique based on the dispersal of local self-centered nodes wakefulness in the case when a contact occurs.This is done so that the information about selfinterested nodes can be rapidly propagated.Hernández-Orallo et al. [7] proposed a collaborative based watchdog that is based on the contact spreading of detected self-centered nodes.The authors also bring in an analytical model in order to evaluate the discovery time and cost of the collaborative scheme.
Existing countermeasures against wormhole attack mostly depend on the observation of symptoms that are created by wormholes existing in the WSNs.All of the existing techniques have their own individual advantages and limitations.Applicability of a particular approach mostly depends on the specific network configurations and their applications.Hu et al. [8] presented the geographic packet leash.Making use of appending location information about sending nodes in every packet, they check whether hop-by-hop transmission in the network is physically possible or not and consequently detect the presence of wormholes.Wang et al. [9] in their work verify the end-to-end distance limits between the source node and the destination node.Zhang et al. [10] in their work proposed a neighborhood scheme based on location for authentication in order to find the wormholes.These approaches make use of the preknowledge of the node locations so as to find the difference in the distance.Some of the approaches for wormhole detection watch the symptom of time difference during packet forwarding.Hu et al. [8] introduced the temporal packet leash concept, which assumes the presence of fixed global clock synchronization.This detects the presence of wormholes from the exceptions in the packet transmission latency.Čapkun et al. [11] proposed the SECTOR concept, which calculates round trip travel time (RTT) for the packet delivery so as to detect presence of unusual wormhole channels.SECTOR removes the use of the clock synchronization; however, it assumes the presence of particular hardware that is prepared by each of nodes, enabling rapid sending of one-bit challenge messages without the involvement of the CPU in the network.Eriksson et al. [12] proposed one more RTT based technique called the TrueLink.
Some of the approaches for wormhole detection watch the symptom of mismatch neighborhood leading to the physical infeasibility in the network.Hu and Evans [13] make use of directional antennas in order to find communicating links that are infeasible in the network by making use of directionality of communication via antenna.Khalil et al. [14] proposed the scheme LiteWorp; it assumes the presence of attack-free situation before the launch of wormhole attack.During phase of deployment, each node in the network gathers its 2 hop neighbors and LiteWorp followed by selecting the guard nodes for detection of wormhole channels.This is done by overhearing transmissions that are infeasible among the nonneighboring nodes.They also proposed a complement to LiteWorp called MobiWorp [15], making use of the assistance of some location aware mobile node.Some of the approaches for wormhole countermeasure study the symptom of mismatch graph.These approaches make use of particular assumptions of the network graph models used in the network.Poovendran and Lazos [16] presented a framework to deal with wormholes based on the graph.The approach makes assumptions regarding the existence of safeguarding nodes having a communication range that is extraordinary.Wang and Bhargava [17] suggested finding the presence of wormholes graphically.The design of the network is reconstructed by MDS (multidimensional scaling) so as to find the wrap that is introduced by the malicious nodes wormholes.Authors in [18] make use of illegal packing numbers in UDG (unit disk graph).They provided a completely localized technique so as to detect malicious nodes wormholes with the use of only connectivity in the network.This approach may fall short when UDG model is not followed by connectivity graphs or an increase of packing number is not caused by the wormhole.Some approaches make use of mismatch in the traffic flow symptom based on the analysis of statistic on the traffic in the network.Song et al. [19] in their work monitor the truth that wormhole links are chosen for high-frequency routing, and, by matching this with regular statistics, wormhole links can be identified.Buttyán et al. [20] propose another statistical approach that captures the abnormal increase in the number of neighbors and the decline in smallest path lengths because of wormholes.The BS (base station) of the network centrally finds the presence of wormholes by making use of hypothesis testing, which is further based on prestatistics of usual networks.
The protocol in [21] is based on the randomized neighbor discovery idea and it executes randomly neighbor discover process.However, the performance of this was not explained in a network with a single hop.This work requires the advance knowledge of a number of neighbors.Angelosante et al. [22] proposed a new algorithm for neighbor discovery.It makes use of the concept of multiuser detection approach.But, in order to use this algorithm, there should be synchronization between nodes and, furthermore, each node needs the signature of other nodes in the network.Keally et al. [23] proposed the watchdog, which is a modality agnostic based framework for event detection.The framework combines the sensors in order to meet up the user's specific detection correctness during run-time.It also considerably reduces right energy usage.Kim et al. [24] proposed a safe method for the wireless network coding.This scheme is called the algebraic watchdog.In this approach, the technique enables network nodes to find the malicious behaviors probabilistically.It uses the overheard messages in order to police downstream neighbors locally.The algebraic watchdog provides a protected global network that is self-checking.
Liu et al. [25] propose a scheme with observer prototype and finite state machine for the implementation of watchdog.According to the authors, by making use of observer prototype along with finite state machine, the watchdog will automatically notify when the state of the program changes.Maheshwari et al. [26] proposed a novel algorithm for wormhole detection using only connectivity information for detecting forbidden substructures in connectivity graph.Zhang et al. [27] discuss a distance vector based robust localization scheme which can be used in WSNs to fight against wormhole attacks.The proposed technique does not use extra hardware or too much computational cost.Khabbazian et al. [28] proposes a timing based countermeasure to defend against the wormhole attack.The technique avoids the limitations of existing timing based solutions, no synchronized clocks are needed by the nodes, and they did not require guessing the sending time or being capable of quick switching among the receive and send nodes.Singh et al. [29] propose a cross-layer based intrusion detection method for wireless networks.In this work, a united weight value is calculated from Received Signal Strength (RSS) and time consumed for RTS-CTS handshake between the sender and receiver.
Ji et al. [30] proposed a centralized algorithm to detect wormholes and show its correctness rigorously.For the distributed wireless network, DAWN, a distributed detection algorithm against wormhole in wireless network coding systems, is proposed by exploring the change of the flow directions of the innovative packets caused by wormholes.Ji et al. [30] rigorously prove that DAWN guarantees a good lower bound of successful detection rate.Tsitsiroudi et al. [31] proposed a tool, called EyeSim, which is a humaninteractive visual-based anomaly detection system that is capable of monitoring and promptly alerting to the presence of wormhole links.In addition, it is capable of indicating the malicious nodes that form the wormhole link.EyeSim may expose adversaries by conducting cognitive network data analysis based on dynamic routing information.The efficacy of EyeSim is assessed in terms of detection accuracy.Biswas et al. [32] have proposed a novel wormhole attack detection technique in which node authentication has been used to detect malicious nodes and remove the false positive problem that may arise in wormhole detection techniques.Node authentication not only removes false positive but also helps in the mapping exact location of the wormhole and is a kind of double verification for wormhole attack detection.Patel and Aggarwal [33] projected two-phase detection method for wormhole attack in dynamic sensor networks.This method has a better accuracy rate than most of the existing techniques.

Problem Formulation.
Before the formulation of the problem, we first discuss the concept of watchdog and Delphi.Every intrusion detection technique for wormhole has its own advantages and limitations.The proposed technique is a hybrid technique based on watchdog and Delphi techniques.The proposed work is derived from the limitations of these techniques.The concept and the limitations of watchdog and Delphi are discussed below.

Watchdog Technique and Its
Limitations.The watchdog intrusion detection technique detects the presence of a malicious node in the network.In this scheme, source node forwards the message to destination node through a middle node; this node after receiving a packet from source forwards it to the destination.Figure 2 shows the working of watchdog technique in which node  will plan to send one of the packets to node .Node  can eavesdrop sent traffic of node  in order to determine whether node  in the network will send the packet to  or not.If node  does not forward the packet to node  after a threshold, then watchdog technique declares that node  is malicious.As a result, a new route from node  in the network to node  is discovered in order to isolate the malicious node .Let  be the set of nodes in the network that can listen to messages sent from node  to node  and let  be the set of nodes that can hear the messages sent from node  to node .The set of possible watchdogs of node  can be defined as an intersection of  and .Any node that lies in the intersection of above regions is able to hear messages from both.These nodes are able to decide whether or not node  forwards messages or not.
Cho et al. [3] discussed the below given limitations of watchdog technique for the intrusion detection of misbehaving node.Each of the cases discussed below makes use of following path sequence: (1) Uncertain Collision.Let us consider a state in which node  forwards one fake packet to node .Node  starts to listen in whether node  will send the packet to node .When node  sends packets to , node  might not be able to listen in this transmission in case some other neighborhood node (say ) at the same time sends packets to node .This uncertain collision may result in misleading node  to assume that node  is malicious.
(2) The Collision of Receiver.Collision is also possible on the other side of the receiver.Receiver node  may not receive the packet correctly because of this collision.Node  can only listen to node  whose packets are sent for forwarding.Node  has no idea whether the packet is received by node  or not.In such type of situation, a malicious node in network  can purposely skip the retransmissions of packets or malicious node in network  can result in generating collision for the reason to avoid the receiving of packets and forcing node  into the retransmitting.
(3) Power Transmission Limitation.If node  adjusts the signal transmission power in such a way that node  can listen in but node  in the network cannot receive, node  may drop the packets in order to increase the honesty (to node ).In the routings of geographic systems, where each node has idea about the location of itself and the neighbors, node  can with no trouble launch this type of attack by choosing a destination node  in the network from its list in such a way that distance (, ) > distance (, ), where distance (, ) is the distance between nodes  and .
(4) Detection of Fake Misbehavior.This happens in the situation when a mean node purposely reports about the misbehavior of other nodes.Consider the example in which node  might report that node  is reducing packets, although node  is not doing so.Then, node 's neighbor nodes (such as ) cannot openly communicate with node  (and therefore monitor) which will judge that node  is malicious.
(5) Collusion.In the network multiple-colluding, attackers are able to launch more complicated attacks.Consider two malicious colluding nodes  and .These nodes can entirely deceive node  if node  sends all the packets from node  to  but node  crashes all packets.Since node  cannot listen in node  misbehavior, node  will not judge nodes  and  to be malicious.
(6) Packets Partial Dropping.Instead of dropping each of the packets, node  may drop limited packets in such a way that the total failure rate will not go beyond the threshold of node  watchdog.This is very much similar to the gray hole attack.

Delphi Technique and Its
Limitations.Delay per hop indication (Delphi) detection mechanism is a solution to the wormhole attack.In this intrusion detection mechanism, in every path, delay per hop is determined.It is proven that wormhole path is usually longer than delay per hop for actual path in the wireless sensor network.It is assumed that the path is having wormhole attack, if the path in the network has markedly high delay per hop.In order to detect wormhole attack, the delays of various paths to the receiver are used as an observation.Delphi mechanism works by checking presence of any malicious node in the path from the sender to the receiver trying for the launch of wormhole attack.In order to identify the malicious node which is trying to trigger wormhole attack, the hop count and delay information about paths between sender and receiver will be utilized.Delphi technique can be used for the detection of both hidden and exposed attacks.The Delphi detection technique is based on the distinguishable difference of the DPH (delay per hop) values between the normal paths and the tunneled paths.The main limitation of the Delphi technique is that it does not work well in the case when all or most of the paths in the sensor network are tunneled due to wormhole attack.
The above limitations of watchdog and Delphi techniques indicate that none of the two are purely reliable for the detection of wormhole attacks in WSNs.Therefore, these limitations motivated us to propose a hybrid intrusion detection technique, WRHT, for detection of wormhole attack in sensor networks.The technique makes use of the advantages of both techniques so that the wormhole attack is not left untreated during the detection process.WRHT is discussed in detail in the next section of the paper.

Wormhole Resistant Hybrid Technique (WRHT)
The proposed technique, WRHT, is a hybrid technique based on the concept of watchdog and Delphi.Watchdog (packet drop) and RTT based technique Delphi are based on the assumption that the packet drop and RTT of a route in the network are very closely related to the value of its HC (hop count) and distance.In practical WSN environments, there exist probability that a normal route without wormhole with a small distance and short value of HC may produce a high value of RTT and packet drop value due to traffic congestion and other reasons.Conversely, a route in the sensor network that is infected with wormhole with a lengthy distance may result in providing a low value of RTT.This may be due to the small packet processing delays by all in-between nodes.Furthermore, there may be less packet drop by an attacker to force AODV to follow the wormhole affected path.For these reasons, sometimes wormhole exposure performance is compromised when separately watchdog and Delphi are used in realistic WSN environments.
WRHT makes use of the information about the packet drop and the delay per each hop and for the complete route in the sensor network.The foundation behind WRHT is to build up a wormhole detection methodology that is able to manage every category of wormholes and is possible for every type of WSN device and scenarios of the network, without the earning of significant computational costs.WHRT is considered as an extension to AODV protocol.The proposed WRHT allows the source node in the sensor network to calculate the wormhole presence probability (WPP  ) for a path in addition to HC information.
During the AODV route discovery phase, per hop time delay probability (TDP  ) is calculated in order to discover the presence of wormhole in the path.This information can be further used for the calculation of time delay probability for the complete path, that is, TDP  .In the next phase of the WRHT, per hop packet loss probability (PLP  ) is calculated.This is further used for the calculation of packet loss probability for the complete path, that is, PLP  .The values of TDP  and PLP  are used for making the decision whether a path P contains a wormhole or not.This will help the AODV to take a secure path for the transmission.The complete working of the proposed WRHT is given in Figures 3 and 4.
The sender at time   initiates process of detection broadcast of the RREQ (route request) packet and at time   it receives RREP (route reply) packet from its neighboring node.Assume that round trip time (RTT) of a path in the sensor network through node  is specified by RTT  =   −   ; then delay/hop value (DPH) of the path to the receiver via node  is given by DPH  = (RTT  )/2ℎ  = (  −   )/2ℎ  .Here, ℎ  is the hop count field in the RREP of node .Per hop time delay probability (TDP  ) is the probability of time delay caused at each hop in the established path from the source to the destination.The difference between the times when the packet was forwarded by hop to the time when the packet was received is used for the calculation of TDP  .Total time delay probability per hop is calculated by adding value during the  broadcast of RREQ and RREP; mathematically it is defined as where TDP RREQ is the time delay probability of a node during RREQ and TDP RREP is the time delay probability of a node during RREP.
The time delay probability of the complete path (TDP  ) is calculated as the product of time delay probabilities of individual sensor nodes in the path.Consider a sensor network having  sensor nodes in the path to the receiver.Then, mathematically, TDP  is defined as where TDP  is the time delay probability measured at node .
If the value of TDP  is less than a predefined threshold (TH TDP ), then the route discovery process is over and the next phase of WRHT starts; otherwise the routing protocol looks for a new route to the destination.The process is shown in Figure 3.
Next, in the working of WRHT, the sender sends Ps fake packets to the constructed route to check the possibility of wormholes and the destination node receives those packets.The destination node sends back the acknowledgement of the number of the packets received, that is, PR.The source node calculates the packet loss per path (PLP) through node  by PLP  =   −   .The per hop packet loss probability (PLP  ) is calculated by finding the number of dropped packets at hop  to the number of packets received by hop .Mathematically, it is calculated as The packet loss probability of the complete path (PLP  ) is calculated as the probability product of individual sensor nodes in the path.Mathematically, it is defined as where PLP  is the packet loss probability measured at node .
The complete process of calculating PLP  is shown in Figure 4.If the value of PLP  is less than a predefined threshold (TH PLP ), then the route is free from the wormhole and is safe for the data transmission; otherwise a new path is to be discovered again by broadcasting the RREQ.After calculating the values of TDP  and PLP  , we create a decision table in order to decide whether the current path is under a wormhole attack or not.The decision table is given in Table 1.We use the following symbols in order to define the entries of the table.
Let  min be the time delay probability for a path less than TH TDP , let  max be the time delay probability for a path more than TH TDP , let  min be the packet loss probability for a path less than TH PLP , and let  max be the packet loss probability for a path more than TH PLP .The nodes in the path are ranked according to their corresponding values as given in Table 1.A node with value 1 has no wormhole attack and a node with value 3 is under wormhole attack.A node with value 2 is suspected to be under wormhole attack, so that it cannot be used for forming a path to the destination.
Since the two events time delay and packet loss are not mutually exclusive (as there may be loss of packets and time delay at the same time), the wormhole presence probability (WPP  ) for a path can be defined as WPP  values of the normal paths having no wormhole tunnel usually appear to be small when matching up with those of the tunneled paths.Observations also show that TDP  values of the normal and the tunneled paths formulate two different groups, one for normal paths and another for tunneled paths.Let  and  be the set of TDP  values for normal and tunneled groups, respectively.Let  max and  min be the maximum and minimum values in their groups.Also, let  gap be the maximum difference between any two values of  or .Then, mathematically, we can write Let TDP  , TDP −1 , . . ., TDP 1 be the descending order values of TDP  .If TDP  is larger than TDP +1 by a threshold ( V ), then the path through sensor node  is under wormhole attack.Furthermore, all other paths having TDP  values greater than TDP  are also under wormhole attack.

Simulation-Based Implementation
The performance of WRHT was thoroughly tested in a wireless sensor network simulation environment developed in NS2, with the simulation parameters used being defined in Table 2.
We firstly deploy WSNs nodes by defining the network source node and destination nodes.As shown in Figure 5, source node 0 will flood packets of route request in the network to find the path to destination node 10.The adjacent nodes of the destination node will respond back to the source node with the route reply packets.The source node selects the best path from the source to the destination on the basis of the sequence number and hop count.It is assumed in the simulation that all the sensor nodes have identical hardware of IEEE 802.11b.These sensor nodes with the exception of  wormhole node are arbitrarily dispersed within the network area.
Figure 6 provides a scenario of the sensor network having selfish node (i.e., wormhole node) in the network.Node 6 in Figure 6 is the selfish node.In Figure 6, the established path from source node 0 to destination node 10 is represented with red color.
The algorithm for the WRHT works as the source waits for the destination to send an acknowledgement to it after every 10th packet.If source receives the acknowledgement, then there is no misbehavior in the WSN and the process continues as normal.But if the destination fails to acknowledge the data packets for a time period, then detection methodology starts its functionality.The established path will be tested to detect and isolate the presence of malicious nodes (if any) from the WSN.Here, we first apply the approach of the Delphi technique to locate any possible wormhole node during the process of route discovery.If a malicious node is detected, it will be the node for further processing in Table 1.But if Delphi fails to detect wormhole node (due to the presence of wormhole on most of the routes), the watchdog technique (using monitor mode) is applied to the sensor network in which nodes start observing their neighbor nodes and watch for possible packet dropping.
In order to calculate the packet drops by the nodes, the network must operate in promiscuous mode.In promiscuous mode, each sensor node in the network listens to the packets transmitted by its own neighbor nodes.The code below will put all the sensor nodes in the WSN in promiscuous mode.The code in function tap() is used if node  wants to listen to the packets from some other node  in promiscuous mode.This is used to check whether node  is forwarding the packets which are sent by .To test the established path to the source node sends ICMP messages in the network.The   nodes receive ICMP messages and go to monitor mode to watch their adjacent nodes.For this purpose, we make use of TclObject and MAC layer function tap in ns2.
Figure 7 shows that the proposed technique puts all nodes in the route to the monitor mode.The source node sends fake packets to check the possibility of any malicious node (wormhole) in the established route.
Figure 8 provides the scenario where the entire nodes other than malicious node (i.e., node 6) reply back to source node 0 with a RREP.
We make use of (1) to ( 5) for the wormhole detection processing.Equation ( 6) is used for finding out the presence of any wormhole in the established path; that is, we add the values of TDP  and PLP  .The nodes are given different rating values according to their behavior and those suspected to be malicious are given least rating value.A route table shown in Table 3 (sample) is created for this purpose.The scale rate has three values, namely, 1, 2, and 3, as shown in Table 1: a node gets value of 1 if it is not malicious, value of 2 if it is expected to be malicious, and value of 3 if it is malicious.The nodes are colored according to their rating values and the colors used are red, green, and yellow.Scale 1 node is represented by the color green, scale 2 node is represented by yellow, and scale 3  node is represented by red in the simulation.The node with green color is most trusted, with yellow color being averagely trusted and red color being the least trusted.Figure 9 shows the isolation of the wormhole node from the established path in the sensor network.A new path is established for the safe transmission of data from the source node to the destination node.

Performance Evaluation
In order to assess the efficiency and competence of the proposed technique, that is, WRHT, and some other well-known wormhole detection techniques, NS-2.3 based simulation is done for WSNs coding organizations and running wormhole detection techniques.

Experimental Set-Up.
The existing and proposed wormhole detection techniques are implemented on a Linux workstation (2.4 GHz Intel i5 processor with 8 GB RAM and 512 GB memory).The encryption library Beecrypt [41] is utilized to simulate the cryptographic and signature techniques.We adopted RSA [42] and MD5 [43] techniques with 9192-bit key size.The certificate authority (CA) is also implemented, which handles public keys and the individuality of sensor nodes.Therefore, a public key infrastructure is utilized in the experiments.The simulation is done several times by considering different set of sensor nodes every time.

Performance Measures.
The primary metrics considered in this paper are accuracy ( cc ), 1 score ( 1 ), and Matthews correlation coefficient ( cc ).These metrics are defined as follows.
(a) Accuracy ( cc ). cc represents the effectiveness of the given wormhole detection techniques.It states how much effective the detection rate is, which is calculated as Here, TP represents the accurate prediction of those in which wormhole attacks are detected successfully, whereas FP represents those in which non-wormhole nodes are detected as attackers.TN indicates those in which non-wormhole nodes are evaluated successfully, whereas FN represents in which wormhole nodes are detected as genuine nodes.
(b) 1 Score ( 1 ). 1 can be demonstrated as a weighted mean of the precision and recall, where  1 attains its effective value at 1 and worst score at 0:   [33], is 0.947, whereas in the case of the proposed technique it is 0.972.Therefore, proposed technique has minimum improvement in terms of  cc and it is 0.025, that is, 2.5%.Thus, the proposed technique is more effective than most of the existing techniques.
Table 5 represents the fact that the proposed technique has an optimistic wormhole detection rate compared to existing techniques.The mean  1 of the best known wormhole detection technique in literature, that is, Patel and Aggarwal (16) [33], is 0.8234, whereas in the case of the proposed technique it is 0.8451.Therefore, proposed technique has minimum improvement in terms of  cc and it is 0.0217, that is, 2.17%.Thus, the proposed technique is more effective than most of the existing techniques.
Table 6 proves that the proposed technique has an optimistic wormhole detection rate compared to existing techniques.The mean  cc of the best known wormhole detection technique in literature, that is, Patel and Aggarwal (16) [33], is 0.9127, whereas in the case of the proposed technique it is 0.9447.Therefore, proposed technique has minimum improvement in terms of  cc and it is 0.032, that is, 3.2%.Thus, the proposed technique is more effective than most of the existing techniques.
Most of the techniques proposed in the literature are able to gain high performance in their experiments.However, some of them need impractical assumptions about the sensor network or special hardware as listed in Table 7. So, we also compare WRHT with some of them as the proposed technique does not need impractical assumptions, such as zero delay time, precise synchronized time, or the awareness of locations of nodes, which are usually assumed in the schemes in the literature adopting the viewpoint of the administrator.In addition, WRHT does not need the use of any particular hardware either.Due to its robust, simple concept, WRHT can improve most of the routing protocols in wireless sensor network.

Conclusion and Future Works
Wormhole attacks in WSNs are rigorous attacks that can be launched easily even in sensor networks with implementing authenticity and confidentiality.Addressing of wormhole  [36] Neighborhood information No Yes No SPROUT [37] Multipath routing No Yes Yes Wang et al. [35] Neighborhood information No Yes No WRSR [38] Connectivity information No Yes Yes Packet leashes [8] GPS & clock Yes Yes No WARP [39] Multiple link-disjoint paths No Yes Yes De Worm [34] Neighborhood information No Yes No ODSBR [40] Binary search No Yes Yes attacks is a crucial issue as far as security of WSNs is concerned, since wormhole attacks are difficult to detect.This is because wormhole attacks can be launched in several modes, with each one enforcing its own unique requirements for the detection method.In this paper, we propose WRHT (wormhole resistant hybrid technique) for detection of wormhole attack in WSNs.The proposed technique is a combination of the concepts based on two techniques, namely, watchdog and Delphi.The proposed techniques make use of the advantages of both Delphi and watchdog techniques.WRHT ensures that the wormhole will not be left untreated in the sensor network as it makes use of dual detection mechanism.WRHT calculates probability factor TDP  and PLP  in order to find the value of WPP  ; that is, WRHT finds out the wormhole presence probability of the path established by the source node.The nodes in the path are given different ranking and subsequently colors according to their behavior.The simulation results have clearly shown that the proposed technique has quite effective results over the available techniques.In addition, WRHT scheme does not require any additional hardware or impractical sensor network assumptions and, therefore, it can be directly used in sensor networks.In the future work, simulation will be done by increasing the number of wormhole tunnels to check the effectiveness of the proposed technique for different performance parameters.

9 ) 5 . 3 .
) (c) Matthews Correlation Coefficient ( cc ). cc represents the degree of correlation between the actual wormhole nodes and predicted wormhole nodes. cc lies between −1 and 1, where being close to value 1 indicates more effectiveness of the wormhole detection techniques:  cc = TP * TN − FP * FN √(TP + FP) * (TP + FN) * (TN + FP) * (TN + FN).(Experimental Results.The proposed and the existing well-known wormhole detection techniques are applied on the designed simulation 15 times.The mean values of the simulation are taken for evaluating the best technique.However, the nodes are varied between 50 and 500 only, but the proposed and existing works are not limited to this set only.

Table 1 :
Decision table for detecting wormhole attack.

Table 3 :
Sample rating of nodes.

Table 4 clearly
(16)nstrates that the proposed technique has an optimistic wormhole detection rate compared to existing techniques.The mean  cc of the best known wormhole detection technique in literature, that is, Patel and Aggarwal(16)

Table 7 :
Security comparison of various existing techniques.