Abstract

A wormhole attack is a network-layer attack that affects routing protocols. Classification is performed with several machine learning methods: k-nearest neighbor (KNN), support vector machine (SVM), decision tree (DT), linear discriminant analysis (LDA), naive Bayes (NB), and convolutional neural network (CNN). For feature extraction we used the properties of the nodes in the MANET, especially their speed. We collected 3997 distinct samples from normal and malicious nodes (3781 normal and 216 malicious). The classification results show that the accuracies of the KNN, SVM, DT, LDA, NB, and CNN methods are 97.1%, 98.2%, 98.9%, 95.2%, 94.7%, and 96.4%, respectively. Based on our findings, the DT method's accuracy of 98.9% is higher than that of the other methods, followed in order by SVM, KNN, CNN, LDA, and NB.

1. Introduction

A MANET (mobile ad hoc network) is a set of wirelessly interconnected, self-organizing nodes. Each node functions as a router that forwards packets from the source node to the destination node. Mobile ad hoc networks are large and commonly used. Each mobile node is self-managed, and there is no central management node. The mobile nodes are free to move as they need, which makes it possible for nodes to join or leave the network quickly [1]. There is no restriction on the nodes' capacity for communication. If a connection is formed and the nodes are then outside radio range, data loss can occur. MANETs are commonly used in numerous fields, such as science, rescue operations, and the military. Cyberattacks are also growing due to improved connectivity across networks [2]. Because of the shared channel, the insecure operating environment, mobility, the rapidly changing topology, and limited resources [3], ad hoc wireless mobile networks are susceptible to many security threats.

Anomaly-based detection identifies intrusions as deviations from a system's everyday behavior. Characterizing normal system behavior is demanding because system activity varies from time to time [4]. The anomaly approach detects new or unknown attacks, with high false positive rates. Signature-based IDS detects attacks by searching network traffic for known patterns, such as byte sequences [5]. It recognizes only known attacks and fails to identify new attacks for which there is no signature. In MANETs, secure connectivity is challenging due to the lack of fixed infrastructure, the complex topology, etc. Intrusion detection complements cryptography and access management. It provides automatic detection and alerting for an attack that has happened or is in progress. The notion of intrusion detection is implemented in various IDS types, such as host intrusion detection systems (HIDS), application-based IDS, and network intrusion detection systems (NIDS). Since they are passive, IDSs do not take protective action; they only discover an intrusion and trigger an alarm [6]. A wormhole attack is a network-layer attack that mimics routing mechanisms. Two or more malicious nodes carry out a wormhole attack using a private channel called the tunnel. The wormhole tunnel captures data packets and relays them to another location. A malicious node receives a control packet on one side of the tunnel and transfers it through the private channel to another malicious node at the other end, which rebroadcasts the packet locally. The path through the private channel is preferred for communication between source and destination because its metrics look better, e.g., fewer hops or less time, than those of other routes [7]. ML emerged in the late 1950s as a component of artificial intelligence. 
Over time, it has evolved into algorithms efficient enough to solve different problems in the medical, engineering, and computer sciences, such as sorting, clustering, regression, and optimization [8–11] and medical image processing [12–17]. ML architectures learn dynamically without human participation and act accordingly. They build a model by automatically, effectively, and correctly processing complex data. ML can benefit from a generalized structure to provide a general approach to improving device performance. It has many applications, such as manual information entry, automatic spam detection, medical diagnostics, image recognition, data cleaning, and noise reduction [9, 18]. Recent findings indicate that ML has been applied in WSNs to address several problems. Using ML in WSNs increases the efficacy of the system and avoids complex tasks such as reprogramming, manually accessing vast volumes of data, and extracting valuable information from data. ML methods are also often beneficial for gathering vast quantities of data and producing useful information [19, 20]. ML methods for identification and classification have many applications, such as unsupervised approaches [21–23], electric power usage [24–27], and gas consumption analysis [28–31]. KNN's core idea is to look at the neighborhood of a test sample, assume the sample is comparable to its neighbors, and deduce the result. We find neighbors and predict using KNN. KNN requires no prior training. At test time, a sample is classified according to the neighbors at the shortest distance. With few hyperparameters, it is simple to use. However, the drawbacks are that k should be carefully chosen, that high computing costs are incurred at runtime if the sample size is enormous, and that correct scaling is required to ensure that all features are treated equally. 
KNN differs from other models in that it involves a lot of real-time processing [31]. Naïve Bayes is significantly quicker than KNN because KNN does its computation in real time. SVM also handles outliers better than KNN. KNN outperforms SVM when the amount of training data is much larger than the number of features. When there are many features and little training data, SVM beats KNN. The DT algorithm is a tree-based method for solving regression and classification problems. An inverted tree is constructed to generate the result, with branches splitting off from a homogeneous probability distributed root node to extremely heterogeneous leaf nodes. The significant benefits are that data does not need to be preprocessed or distributed.

Furthermore, DTs can offer a clear rationale for the prediction. However, when trained on complex datasets, the tree may become quite complex. DTs are better than SVM at dealing with categorical data and collinearity [8, 31]. The fundamental purpose of this paper is to propose a technique for detecting wormhole attacks based on machine learning methods. Classification is performed with several machine learning methods: k-nearest neighbor (KNN), support vector machine (SVM), decision tree (DT), linear discriminant analysis (LDA), naive Bayes (NB), and convolutional neural network (CNN). For feature extraction we used the properties of the nodes in the MANET, especially their speed. The results are reported using performance criteria in the form of a confusion matrix and ROC curve.

2. Literature Review

Wireless networks are very vulnerable to threats, and the lines of communication are open to attackers. In MANETs, attackers can be monitored by program modules that automatically track malicious network operations. Specific considerations apply when developing an intrusion detection method for MANETs [32]. Intrusion detection systems for MANETs operate differently from their wired counterparts, and some problems need to be tackled when developing them. Monitoring systems based on the unsupervised UOSDA method deploy node-level agents to track and record any unusual activities [33]. The most significant challenge lies in determining the position of the agents when the nodes are mobile. Similarly, the nodes hosting the intrusion detection agents require higher bandwidth, battery capacity, and processing power; in MANETs, however, these resources are restricted [34]. Increasing the attacker detection rate with minimal resources is an NP-complete problem, and multiple authors have suggested algorithms that provide the closest solutions. Many intrusion detection architectures are available for MANETs [35]. As in wired networks, many attacks can occur, some of which are more destructive in MANETs. The standard techniques for detecting attack traffic are inadequate due to the characteristics of these networks. Intrusion detection systems (IDSs) are based on various detection techniques, of which anomaly detection is one of the most important. Besides, if these IDSs are centralized, IDSs based on previous attack signatures are less effective. Artin et al. [36] used a novel machine learning technique that predicts traffic based on climate conditions. Amouri et al. proposed a two-level monitoring method for detecting malicious nodes in MANETs. In the first stage, dedicated sniffers operating in promiscuous mode are installed. 
Each sniffer uses a decision tree-based classifier that produces, at every reporting time, the quantities of correctly classified instances.

In another study, the classified instances were transmitted to the algorithmically operated supernode. It determines the quantities related to the cumulative fluctuation measure of the classified samples obtained for each node being evaluated. The resulting approach has also been extended to wireless sensor networks and is a feasible IDS scheme for those networks [37]. Abasi et al. presented a novel method for the simulation and modeling of the control system in the power electronics of a 72 pulse [20]. Abasi et al. designed a new artificial intelligence method to solve the unit commitment problem in the presence of wind farms [27].

Abd-El-Azim et al. proposed a streamlined fuzzy-based intrusion detection method for MANETs, with an automated mechanism that employs an adaptive neurofuzzy inference system (ANFIS) to generate a fuzzy inference system (FIS). The next step was to configure the FIS and then use the genetic algorithm (GA) to optimize this initialized framework. The network improved by an average of 36 percent in the presence of only blackhole attacks [38]. Other methods include fixed-time [39] and finite-time [40] fuzzy methods, and output-feedback decentralized neural networks and fuzzy multiple attribute decision-making [41]. Sharifi et al. modeled a sensitivity analysis for predicting NOx emission and compared it with other methods [42]. Soni and Sudhakar proposed an intrusion detection system for the jamming attack. The jamming attacker slowly inserts packets into the network and, depending on the time instance, the number of these packets quickly increases. The IDS recognizes the attacker nodes by their unwanted flooding behavior, and the attacker's infection is detected. The proposed scheme continuously tracks the behavior of all nodes in the network; the malicious nodes behave differently from normal nodes [28]. Abasi et al. analyzed a model classification for finding in GUPFC-compensated double-circuit transmission lines [26]. In other research, Nezhadnaeini et al. applied an optimal allocation of distributed generation using a new search optimizer algorithm in a system with unbalanced loads [43]. Abasi et al. studied a new dynamic and static technique for parallel transmission lines [25]. Sultana et al. analyzed the output of current IDSs in the presence of reputed packet-dropping nodes in a MANET. When the packets they receive exceed their handling capacity, the reputed intermediate nodes, known as intermediate bottleneck nodes, drop packets. Performance was measured with the network simulator NS-2. 
The findings show that the neglect of the reputed packet-dropping nodes by IDS algorithms is a significant problem and harms network performance [44] (see Table 1).

3. Methods and Materials

3.1. Wormhole Attack

The wormhole attack is one of the most significant security attacks on MANETs. Many MANET routing protocols (DSR, AODV, OLSR, DSDV, etc.) can be damaged. A wormhole attack is carried out by at least two malicious nodes using a private channel called a tunnel. The wormhole tunnel collects data packets and passes them to another location [62]. A malicious node receives a control packet on one side of the tunnel and transfers it via the private channel to another malicious node at the other end, which retransmits the packet locally. The path through the private channel is chosen for communication between source and destination because its metrics look better, such as fewer hops or less time, than those of other routes. Typically, the attack operates in two steps. In the first step, the wormhole nodes get themselves involved in several paths. In the second step, packets start using these malicious nodes. These nodes can disrupt the functionality of the network in a variety of ways [63]. For malicious purposes, wormhole nodes may drop, alter, or send data to an outsider. Different forms of attack can be mounted through the wormhole, for example, DoS attacks, eavesdropping, and development. A wormhole attack can cut down the whole routing network in a MANET. Figure 1 shows a wormhole attack in a MANET.
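The route attraction described above can be reproduced on a small graph. The following is an added example, not code from the paper: the node positions, names, and the minimum-hop (breadth-first) route choice are assumptions made for illustration, while the 250 m radio range and the 1000 m range between wormhole nodes are the simulation parameters reported in Section 4.1.

```python
from collections import deque
from itertools import combinations
from math import dist

NORMAL_RANGE = 250.0   # metres, radio range of a regular node (value from the page)
TUNNEL_RANGE = 1000.0  # metres, range between the two wormhole nodes (value from the page)

# Constructed topology (assumption): seven regular nodes on a line, 200 m apart,
# and two wormhole nodes placed near the two ends of that line.
NODES = {f"n{i}": (200.0 * i, 0.0) for i in range(7)}
NODES.update({"W1": (150.0, 50.0), "W2": (1050.0, 50.0)})
WORMHOLES = {"W1", "W2"}


def build_links(tunnel_active):
    """Link two nodes when they are within range; the tunnel only joins W1 and W2."""
    links = {name: set() for name in NODES}
    for a, b in combinations(NODES, 2):
        is_tunnel = tunnel_active and a in WORMHOLES and b in WORMHOLES
        limit = TUNNEL_RANGE if is_tunnel else NORMAL_RANGE
        if dist(NODES[a], NODES[b]) <= limit:
            links[a].add(b)
            links[b].add(a)
    return links


def shortest_route(links, src, dst):
    """Breadth-first search: the route a minimum-hop routing metric would select."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            route = []
            while node is not None:
                route.append(node)
                node = parent[node]
            return route[::-1]
        for nxt in sorted(links[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None  # destination unreachable


def attracted_pairs():
    """Regular source/destination pairs whose hop count drops once the tunnel exists."""
    clean, attacked = build_links(False), build_links(True)
    regular = sorted(n for n in NODES if n not in WORMHOLES)
    result = []
    for src, dst in combinations(regular, 2):
        before = len(shortest_route(clean, src, dst)) - 1
        after = len(shortest_route(attacked, src, dst)) - 1
        if after < before:  # strictly shorter, so the route must cross the tunnel
            result.append((src, dst, before, after))
    return result


if __name__ == "__main__":
    print(shortest_route(build_links(False), "n0", "n6"))
    print(shortest_route(build_links(True), "n0", "n6"))
    for row in attracted_pairs():
        print(row)
```

In this topology the end-to-end route drops from six hops to three, and every pair whose hop count drops is one whose traffic now passes through both wormhole nodes.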

3.2. Support Vector Machine (SVM)

SVM is a supervised ML technique that classifies the observations of a given dataset using a hyperplane. SVM can deal with both linear and nonlinear problems and is more useful in large datasets. SVM is applied in WSNs to address different problems such as routing [64], localization [65], fault diagnosis [66], congestion control [67], and communication issues [68].

3.3. k-Nearest Neighbor (KNN)

The most popular instance-based approach to solving regression and classification problems is the k-nearest neighbor (KNN). KNN is mainly defined by the distance between the given sample and the sample being evaluated. Different distance functions are used in KNN, such as the Hamming distance, Euclidean distance, Manhattan distance, and Chebyshev distance. This method detects missing samples in the feature space, and the dimensions are reduced. KNN was introduced in WSN applications for data aggregation and anomaly detection.

3.4. Deep Learning

DL is a type of machine learning that belongs to the ANN family and uses a multilayer structure [69]. It has applications in areas such as transport and routing networks [70] and health care, for example detection and segmentation [71]. It imitates the human brain's communication and information processing mechanisms and processes data for object identification, language translation, speech recognition, and decision making. In WSNs, DL is used to tackle many problems, such as abnormality and fault detection, energy harvesting, data efficiency calculation, and routing [72]. In data security, classification, and prediction, the security applications of deep learning models, such as intrusion detection systems (IDS), malware detection, and spam filtering, have become important. These applications are designed to build a model that classifies and discriminates between "normal" and "malicious" samples, such as attacks and standard packets. With the exponential growth in deep learning models [73], the sophistication of attack strategy tools is enhanced.

3.5. Naïve Bayesian Learning

Bayesian learning is a mathematical technique that seeks the relationships among the data by learning conditional dependencies with various statistical approaches. To evaluate posterior probabilities, Bayesian learning combines prior probability functions with new knowledge. If represents a series of inputs and returns a mark , the likelihood of must be amplified. Bayesian learning approaches have resolved many problems in WSNs, such as routing [74], data location [75], aggregation [76], fault prediction, connectivity, and coverage problems [77].

3.6. Decision Trees (DT)

DT is a supervised ML algorithm that uses sets of if-then-else rules to improve readability [78]. There are two kinds of nodes in a DT: leaf nodes and decision nodes. DT predicts a class or target based on decision rules and generates a model derived from the training data. Decision trees offer many advantages, such as transparency, less complexity, and rigorous decision-making analysis. Decision trees are used to resolve different WSN problems, including connectivity, data aggregation, and mobile devices.

3.7. Convolutional Neural Network

CNNs are widely used in deep learning and are among the most well-known types of neural networks, mainly for large datasets such as photos and videos. Their multilayer design is derived from the neurobiology of the cortex. A CNN is made up of both convolutional and fully connected layers, and subsampling layers can occur between these two kinds of layers. Among DNNs, they scale well in complexity and handle multidimensional, locally correlated input data best. Therefore, CNNs are applied directly to datasets where relatively many nodes and parameters need to be trained.

3.8. Proposed Process

Our method helps identify malicious nodes. This wormhole attack mitigation is introduced in an ad hoc network of normal and malicious nodes whose output files are monitored. Initially, we define the numbers of normal and malicious nodes together with their procedures. In this scheme, a tunnel is established between the malicious nodes, and messages or packets are transmitted only over the tunnel. When the malicious node is neighboring to the traditional central node, the message is sent without using the data itself (see Figure 2).

At that stage, we track data from each moving node and accept messages that aid in data collection. The performance of the system can be improved by specifying the essential features. We then selected eight significant features to construct a dataset, which was labeled using the unique node address. Six standard machine learning classifiers are then applied to sort the samples into two categories, normal and malicious. System performance is measured with multiple mathematical criteria and compared to the new techniques.

3.9. Performance Analysis of Classification

Accuracy (ACC), precision, and sensitivity (recall) are used for assessment. These metrics are computed from four quantities: true positives (TP), true negatives (TN), false positives (FP), and false negatives (FN). Accuracy is the proportion of correctly classified records over the total number of records. Precision is the proportion of the records flagged as positive that are truly positive. Recall, on the other hand, is the proportion of the actual positive records that are correctly classified. The ratio of the number of abnormal records correctly flagged as anomalies to the total number of anomaly records is also referred to as the detection rate (DR) and true positive rate (TPR). The false positive rate (FPR) is the number of normal records wrongly flagged as anomalies divided by the total number of normal records, as follows:

4. Results and Discussion

4.1. Simulation of Wormhole Attack

We simulated wormhole attacks with a finite number of nodes in MATLAB 2019b. The simulation generates a topology consisting of the node, computer, channel, and protocol. Different network programs transfer packets over the network in this simulation. Packets are either generated or received and processed, and the simulation model runs from its main routine until the termination state. Figure 3 shows the initial locations of the nodes and their connections to adjacent nodes.

This simulation was done in an ad hoc network environment with 48 regular nodes and two malicious nodes. The experimental parameters of the simulation environment are topology room  m2, spontaneous node activity, and a 250-meter node radio range (1000 for wormhole nodes). In Figure 3, normal nodes are indicated with red circles and wormhole nodes with black triangles. The initial connections between nodes are shown with blue lines.

4.2. Feature Extraction Results

Feature selection is one of the central principles of machine learning and directly influences its performance. Irrelevant or partly relevant features may adversely affect the output of the model. The output file includes complete node information, of which only some of the data is informative for a given application. When irrelevant or less informative features that do not contribute to classification are omitted, relevant features can be picked for the dataset. Feature selection has many benefits, such as decreasing overfitting, reducing training time, and improving accuracy. We chose eight essential features that optimize the system's performance. Table 2 lists the features of the MANET. These attributes are either continuous or discrete. We use the specific node address to label samples and presume that malicious nodes often yield malicious samples.

We gathered 3997 different samples (3781 normal and 216 malicious). They form a dataset that is compiled and labeled with the eight chosen attributes. It is a high-volume dataset for wormhole attack detection created in an ad hoc network context.

4.3. Results of Classification

The classification results of the machine learning methods, k-nearest neighbor (KNN), support vector machine (SVM), decision tree (DT), linear discriminant analysis (LDA), naive Bayes (NB), and convolutional neural network (CNN), are illustrated in Figure 4. In the confusion matrices of Figure 4, the green cells show the true values and the red cells the false ones. For binary evaluation, the target class is usually considered the positive class. In this paper, our main objective is to find wormhole nodes among normal nodes; therefore, the wormhole class is regarded as the positive class. In the confusion matrices of Figure 4, among the true values, the upper cell shows the true negatives and the lower one the true positives. Among the red cells, the upper one is the false negatives and the lower one is the false positives. Classification is performed on two classes, normal and malicious nodes.

Vertical gray cells represent accuracy and negative predictive values, while horizontal gray cells represent sensitivity and specificity. For example, in the SVM results, 158 (73.1%) of the 216 wormhole nodes are diagnosed correctly, while 58 (26.9%) are misdiagnosed as normal nodes. In other words, the sensitivity of the SVM method is 73.1%. On the other hand, the SVM method diagnoses normal nodes with 99.6% specificity: of the 3781 normal nodes, only 15 (0.4%) are misdiagnosed. Moreover, with the DT classifier, 87.7% of all detected wormhole nodes are true wormhole nodes. In other words, the precision of the DT classifier is 87.7%. The total accuracy of DT is the value in the lower-right corner cell of the confusion matrix, which equals 98.9%. To conclude, the results show that the accuracies of the KNN, SVM, DT, LDA, NB, and CNN methods are 97.1%, 98.2%, 98.9%, 95.2%, 94.7%, and 96.4%, respectively. Furthermore, the classifier's overall error value is displayed in red in the lower-right corner. We found that DT outperforms all other classical classifiers in terms of accuracy.

Table 3 shows the deep convolutional neural network that was employed in this work. For every 3997 nodes in each layer, there are 8 features. As a result, the input matrix is . We also employed two convolutional layers with ten filters of size and stride [1] with zero paddings, as well as two convolutions with ten filters of size and stride [1]. We used the Tanh and ReLU functions to activate the layers. Then two fully connected layers are employed, with 384 and 2 cells, respectively. The SoftMax layer is then used to calculate likelihood and activate the final levels. The classification layer that follows is based on cross-entropy and takes mutually exclusive classes into account. The outcomes of the classification procedure are depicted in Figure 5. The procedure is carried out on an Intel Core i7 processor with a clock speed of 3 GHz and 12 GB of RAM. The training procedure is repeated 3000 times. Figure 5 shows the accuracy and loss rate of the training procedure for a deeper understanding of machine learning techniques, and Figure 6 shows the ROC curve for each classifier. In the ROC curve, the horizontal axis represents the false positive rate, while the vertical axis represents the true positive rate. In other words, the graph is drawn with wormhole nodes as the positive class. The area under the ROC curve, often known as AUC, is an important criterion for assessing classifier performance. As can be observed, the DT classifier has a higher AUC than the other approaches.

Table 4 shows the results of the evaluation of the machine learning approaches. According to the findings, the sensitivity of the DT technique exceeds that of the other methods. Sensitivity refers to the method's ability to detect wormhole nodes in the MANET, so its magnitude indicates the classifier's capability. In other words, the DT classifier has a higher sensitivity than the other approaches. The precision also reveals the method's capability for producing outcomes, or its dependability. The SVM approach, for example, has a precision of 91.3 percent. This means that 91.3% of all nodes that the SVM recognized as wormhole nodes are real wormhole nodes. The specificity shows how well the classifier detects normal nodes. The higher specificity belongs to the KNN and SVM approaches. Finally, the DT method yields the higher AUC value. To summarise the findings, the DT approach has a 98.9% accuracy rate, which is greater than that of the other methods. SVM, KNN, CNN, LDA, and NB follow in that order, also with high accuracy.
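The SVM figures quoted above can be recomputed from the four confusion-matrix counts. The following is an added example, not code from the paper: the counts 158, 58, and 15 and the class sizes 216 and 3781 are the ones stated in Section 4.3, the 3766 true negatives are derived as 3781 − 15, and the "always normal" baseline is a constructed comparison that labels every sample as normal.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Confusion:
    """Binary confusion matrix with the wormhole class as the positive class."""
    tp: int  # wormhole samples flagged as wormhole
    fn: int  # wormhole samples flagged as normal
    fp: int  # normal samples flagged as wormhole
    tn: int  # normal samples flagged as normal

    @staticmethod
    def _ratio(num: int, den: int) -> Optional[float]:
        # A metric is undefined (None) when its denominator is zero,
        # e.g. precision of a classifier that never flags anything.
        return num / den if den else None

    def accuracy(self) -> Optional[float]:
        total = self.tp + self.fn + self.fp + self.tn
        return self._ratio(self.tp + self.tn, total)

    def precision(self) -> Optional[float]:
        return self._ratio(self.tp, self.tp + self.fp)

    def sensitivity(self) -> Optional[float]:  # recall, DR, TPR
        return self._ratio(self.tp, self.tp + self.fn)

    def specificity(self) -> Optional[float]:
        return self._ratio(self.tn, self.tn + self.fp)

    def false_positive_rate(self) -> Optional[float]:
        return self._ratio(self.fp, self.fp + self.tn)

    def report(self) -> dict:
        """All metrics as percentages rounded to one decimal, None if undefined."""
        values = {
            "accuracy": self.accuracy(),
            "precision": self.precision(),
            "sensitivity": self.sensitivity(),
            "specificity": self.specificity(),
            "fpr": self.false_positive_rate(),
        }
        return {k: None if v is None else round(100 * v, 1) for k, v in values.items()}


MALICIOUS, NORMAL = 216, 3781  # class sizes reported on the page

# SVM counts from Section 4.3: 158 detected, 58 missed, 15 normal nodes misdiagnosed.
SVM = Confusion(tp=158, fn=58, fp=15, tn=NORMAL - 15)

# Constructed baseline (assumption): a classifier that labels every sample "normal".
ALWAYS_NORMAL = Confusion(tp=0, fn=MALICIOUS, fp=0, tn=NORMAL)

if __name__ == "__main__":
    print("SVM          ", SVM.report())
    print("always normal", ALWAYS_NORMAL.report())
```

The counts reproduce the reported 98.2% accuracy, 91.3% precision, 73.1% sensitivity, and 99.6% specificity. The baseline reaches 94.6% accuracy with 0% sensitivity, so on a dataset with 216 malicious samples out of 3997 the per-class figures say more about detection capability than accuracy does.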

5. Conclusion

A wormhole attack is a network-layer attack that affects routing protocols. To detect wormhole attacks using machine learning, models must be trained on a training dataset in any training mode. Training datasets can be obtained from real-time conditions or from tests for classification. As a function, the experimental data may be defined as a target value and a descriptive process. In this article, we obtained 3997 different samples (3781 normal and 216 malicious), which form a labeled dataset compiled with eight selected features. Classification is performed with several machine learning methods: k-nearest neighbor (KNN), support vector machine (SVM), decision tree (DT), linear discriminant analysis (LDA), naive Bayes (NB), and convolutional neural network (CNN). The results show that the accuracies of the KNN, SVM, DT, LDA, NB, and CNN methods are 97.1%, 98.2%, 98.9%, 95.2%, 94.7%, and 96.4%, respectively. Based on the results, the sensitivity of the DT method outperforms that of the other approaches. The higher specificity belongs to the KNN and SVM approaches. Finally, the DT method yields the higher AUC value. In summary, the DT method's accuracy of 98.9% is higher than that of the other methods, followed in order by SVM, KNN, CNN, LDA, and NB, which also show high accuracy. The success of our strategy encourages us to expand this work to address its limitations and to simulation in a 3D ad hoc network. In the future, the methods should be extended to diagnose different types of attacks on WSN and IoT systems based on artificial intelligence and machine learning.

Data Availability

We simulated the wormhole attack data in MATLAB 2019b with a finite number of nodes; the simulation generates a network topology consisting of the protocol of the node, computer, channel, and network.

Disclosure

The funding sources had no involvement in the study design, collection, analysis, or interpretation of data, writing of the manuscript, or submitting the manuscript for publication.

Conflicts of Interest

The authors declare no conflict of interest.