MOpt Shield: An Intrusion Detection System based on Meld Optimization Algorithm to mitigate Amalgam Attacks

Background/Objectives: To protect networks from amalgam attacks, this study focuses on designing an efficient approach that can protect networks from intruders and secure communication. Methods: A crossbreed approach, named ‘MOpt Shield,’ is proposed in this study. The proposed protocol applies the existing Cuckoo Search and Firefly Optimization Algorithm to the basic AODV protocol, together with the promising features of an Intrusion Detection System. The proposed protocol is simulated using an NS-2 simulator with two different simulation scenarios, and PDR, Throughput, PLR, and Delay are considered as performance measures. Findings: The proposed protocol finds the best nodes for communication and prepares a separate list of doubted nodes, which are further analyzed as attacker or non-attacker nodes. This helps to identify the best path with high energy and other capabilities for the efficient transmission of data. The performance of the proposed protocol is analyzed under 5 attacker nodes, of which 2 are blackhole and 3 are DoS attacker nodes. For simulation, the scenario includes a minimum of 5 and a maximum of 25 connections between the 50 nodes, with CBR traffic and a speed of 20 m/s. The evaluated results show the astounding performance of the proposed protocol over the other existing protocols in terms of PDR, Throughput and Delay, and hence reveal its capabilities. Novelty/Applications: The proposed protocol effectively handles amalgam attacks, and its novelty lies in its combination of hybrid optimization and intrusion detection to find the route of transmission and the trustworthy nodes.


Introduction
With the advent of technology, most services have moved online and are offered by various service providers. The main component of these services is the network architecture, which plays a vital role in transmitting data and services. Adhoc is one such architecture, offering services in agriculture, military, education, and many more. Nowadays, all the facilities to provide these services are available in the market, and these devices are well suited for such areas to provide services to the users. Mobility, Adaptability, Computation, and Battery power are the features of these devices used to build an Adhoc network. All these features are available for a limited period, so there are some restrictions in using the devices (1). The main problem arises when a device loses its battery power, because most of the features depend on it. Everything becomes unavailable in the absence of battery power, which results in poor performance. Researchers have developed a significant number of techniques to increase the performance parameters based on numerous factors. But nowadays, forged attacks have become a prominent reason for the poor performance of the network. In MANET, it was found that several attacks compromised the security of data and other vital parameters. Forged nodes make their attempts so that vulnerabilities can be found in the system and, accordingly, an attack can be imposed on the network. The primary reasons behind this security compromise are given below:
• In MANET, every node is a forwarder and is considered a capable node. Not every node can necessarily handle the security risk, which may compromise information security.
• Because of its temporary and dynamic behavior, this network is considered an Adhoc network, which means it is usually created for a short time. So, this network can also be regarded as a temporary network. The network is created temporarily among nodes that want to communicate with each other. In this network, nodes are movable, and they may change their location dynamically.
• As the network in MANET is infrastructure-less, the nodes participating in it depend upon the resources that they carry themselves. When good and sufficient resources are required, a node may look for an intermediate node that has them. If a malicious node offering such resources is selected, security may be easily compromised.
• The selection of an intermediate node for routing is an essential step in MANET. In most cases, every node needs to send its packet to the destination by following a route. Suppose a malicious node presents itself as the node nearest to the destination during the route discovery phase and is selected on that basis. In that case, this forged node can start getting access to information, and the probability of security compromise increases accordingly.
So, any of the above reasons may be the cause of compromised security in the Adhoc network. MANET attacks are categorized into two types: (a) Active Attacks and (b) Passive Attacks. In an active attack, attackers can access the data or node and modify or drop it, whereas passive attacks involve silent attackers that listen to the traffic or nodes. Blackhole and DDoS (2) attacks fall under the active attacks category, and their combination is considered in this paper. The following sections of the paper delineate some of the existing approaches to deal with blackhole, DDoS, and hybrid attacks. The proposed protocol, its implementation, and its analysis are described in the later sections.

Related Work
This section deals with the work done by various researchers on forged networks. It also discusses the optimization techniques used in Mobile Adhoc Networks to provide security and route optimization. Hybrid approaches are nowadays popular in almost every field. They also provide some benefits in the area of MANETs for security against various attacks. For example, Justin et al. (3) proposed an SVM-based Hybrid Intrusion Detection System to detect DoS attacks in MANETs. This approach reduces the training time and includes signature and anomaly-based methods to detect malicious nodes. They calculated the results only for the detection of forged nodes and achieved 100% for the same. Another hybrid approach was proposed by Funde and Chourasia (4) to detect hybrid attacks in MANETs. Here, hybrid attacks mean the combination of more than one attack. They also used SVM and the dendritic cell algorithm to detect normal and abnormal traffic. They also achieved 100% accuracy for the detection of attackers or anomalous traffic data.
Furthermore, an anomaly-based IDS was proposed by Kaur and Singh (5) to detect DDoS attacks and protect the network from them. They simulated the proposed approach using a network scenario with 30 nodes in an 800 x 800 area. The performance was analyzed based on different performance metrics, and they concluded that the proposed approach works as a defensive approach in the presence of DDoS attackers. Another method to deal with DDoS attacks was proposed by Gautam et al. (6). They implemented the AODV, SAODV, and HWMP protocols using an NS-2 simulator and evaluated the performance by conducting the ANOVA test. They considered the MANETs scenario for the healthcare system and perceived the need for the security approach. From the performance analysis, they selected the best protocol, which is less vulnerable to DDoS attacks.
Moreover, optimization-based approaches also play a vital role in mitigating attacks and providing security. Keerthika and Malarvizhi (7) proposed a trust-based Bee optimization algorithm with 2-Opt AODV. This hybrid approach used the artificial bee colony algorithm and improved it using the 2-Opt process to evaluate the local search by combining global optimization effectively. The results of the proposed approach justify its effectiveness against the Blackhole attack. For mobile Adhoc networks in IoT, Gowrishankar et al. (8) proposed a trust-based protocol. In this, the sensor nodes have direct, indirect, and mutual trust between them, and they calculate the combined trust values based on a probability distribution on the individual trust values. The results demonstrate the efficiency of the proposed protocol. Pathan et al. (9) proposed another trust-based approach in which the best and most reliable path was selected to ensure secure communication.
Cryptography is another approach to secure the data and information from malicious users, and it can be more beneficial for passive attacks. Naveena and Reddy (10) proposed a hybrid security model, where they used anonymity, one-way trapdoor protocol, hash functions, and elliptic curve cryptographic approach to mollify the attacks. They presented this hybrid model to provide security for different layers. They simulate the proposed model using an NS-2 simulator and prove the performance efficacy in various parameters. The other cryptography-based security approach was proposed by Hossain et al. (11) . In this, they used an SHA-3 and Diffie Hellman algorithm to select appropriate routes. They implemented the proposed approach on both AODV and AOMDV protocols using an NS-2 simulator. The proposed approach's performance is evaluated based on different parameters, concluding the proposed solution's potency.
The Timer-based Baited technique was proposed by Yasin and Zant (12) for the detection and evacuation of the Blackhole attack. This approach worked in two phases, Baiting and Non-neighbour response, and based on these it detected the blackhole nodes and added them to the blacklist. The results were calculated both with a single blackhole node and with cooperative blackhole nodes, and they showed that the proposed approach improved performance. Optimization plays an inevitable role in various fields, and communication optimization is one of them. It selects the optimized and best route while data is traveling from source to destination. Nowadays, optimization is also adopted in the field of networks to provide security. Mukhedkar and Kolekar (13) proposed an optimization-based approach and combined it with the Encrypted trust-based system to protect the Mobile Adhoc Network. The glowworm swarm optimization (GSO) algorithm was used to detect the attackers and achieved a 99% detection rate. Another approach, based on Cuckoo search and M-tree, was proposed by Babu and Ussenaiah (14) to enhance the Adhoc network's performance. Other heuristic and metaheuristic approaches based on optimization algorithms were developed by several researchers (15)(16)(17)(18)(19)(20)(21)(22)(23)(24)(25)(26)(27)(28) that optimize the network's performance and provide a secure communication environment.
Hybrid attacks deteriorate the mobile Adhoc network's performance; they must be detected and prevented to maintain the network's performance. Joshi and Mishra (29) dealt with the rushing and data modification attacks simultaneously and proposed a detection algorithm for this. They proposed a trust-based approach and tested performance based on different measures. Another hybrid attack scenario was proposed by Tahboush and Agoyi (30), who analysed its effect with and without a detection algorithm.

MOpt Shield: An Intrusion Detection System Based on Meld Optimization
MOpt Shield, also called Meld Optimization Shield, helps to protect the network from different attacks. This shield protects every node of a network from the attacker and works as a safeguard, as shown in the figure. The attacker may or may not be a part of the network, but it always tries to harm the network either by data loss or link breaks. So, the network needs some way to keep intruders out. For this, the proposed shield uses an intrusion detection system. It adds an optimization algorithm for efficient route selection that directly or indirectly protects against the attacker nodes based on different parameters. This is named meld optimization because it contains two different algorithms, Firefly Algorithm (FA) and Cuckoo Optimization Algorithm (COA), that work together to form a perfect route while transferring data from one node to another node in Mobile Adhoc Networks (MANETs).
The base protocol used to implement this is the AODV protocol, which sends the request packet to find the data transmission route and selects the best path. In this proposed protocol, the aim is not to provide the best approach; the main focus is to find the ideal route that protects the data from intruders and delivers it effectively. This protocol works end to end for more robust results and records the elements needed to handle different attacker types in one go. These elements are based on some parameters and are calculated before the transmission.

Mathematical Formulations
A network with 'n' nodes communicates and transfers data from one end to another. Data travels through the network, in bits, by following different routes, say 'k' routes. As this is an example of an Adhoc network, the nodes of the network work as forwarders and transfer the data. So, whenever a node sends or receives packets, it computes the following parameters: Firstly, the Packet Travelling Time () is calculated; it is defined as the time for which a packet traveled from source to destination, and it is calculated based on Packet Receiving Time (Ť) & Packet Sending Time (Ŧ) using the following formula: Then Packet Roaming Time (∅) is calculated for both request and reply packet using the following equation: Here, n is the number of nodes through which the packet traveled, the transmission range, and the network's propagation speed. Delay (φ) is an essential factor that defines the performance of a network protocol, so here delay is calculated as: Here, Accumulated Delay () is calculated and used to provide QoS for the path selection process. This factor is dependent on the Delay factor and is calculated as: Where i=1,2,3,……n and, (1) = 0 The other factor, Energy (Ę), has a significant impact on the performance; it is calculated both at the transmitting and at the receiving node, as: The Energy at Transmitter side: where b is the number of bits, d is the distance between the nodes, F is the energy dissipated per bit to forward a packet, and R is the energy dissipated per bit to receive a packet, and the following formula calculates it: All the above factors are calculated and used to perform different operations.

Data Structure
Some additional data structures are required to store the information computed during the packets' transmission. So, some new data structures, like Node Table
(b) Bin: It is also a new data structure that is added to maintain the dumped node list. Whenever a node is identified as an attacker, it will be added to this list and avoided in any future transmissions.
(c) Routing Table: This table maintains the route information as in the AODV protocol, but new additional parameters are added to it, as shown in the figure below.

Pseudo Code
MOpt Shield combines a hybrid optimization algorithm and an Intrusion Detection System to select the best data transmission path. Here, best means the path that is not affected by attackers of any type. It means the protocol provides a protective environment for the communication between the nodes. The pseudo-code of this new proposed protocol is given in the following figure:

Proposed Work
This proposed work's primary focus is to provide a secure environment for communication in MANETs under different attack scenarios. For this work, the performance is measured in the presence of two separate attacks simultaneously. The attacks are Blackhole and DDoS attacks.

Amalgam Attack Scenario-Example
Amalgam attacks mean a combination of different attacks carried out simultaneously on the same network for the same transmission. Here, Blackhole and DDoS attacks are implemented, as shown in the figure below. The figure shows that in the given network scenario there are 5 attackers, of which 2 are blackhole and 3 are DoS attacker nodes. A blackhole attacker drops the packets it receives from the source or any intermediate node. In contrast, DoS attackers continuously attack the destination node to stop it from receiving any data.
In this example, Source 'S' wants to communicate with Destination Node 'D' and sends its packets over the selected routes. If it sends its packet through route-1, where the blackhole node is just the neighbor node, all the packets will be dropped, as shown in the figure below. Similarly, if the packet follows route-2, the other blackhole node will drop all the packets. On the other hand, the DoS attacker nodes attack the destination node with multiple packets to keep it busy. So, even if route-3 is followed for transmission, the transmission will be unsuccessful, because the destination node will not accept packets and they will again be dropped. So, in all three cases, packets will not be received by the destination node, and all the data sent by the source node will be lost. This work proposes a scheme to mitigate amalgam attacks, in which different types of attackers attack the network together with multiple attacker nodes, and to protect the network from the above situations.

Proposed Methodology
The primary purpose of this work is to provide a secure environment for data transmission, even in the presence of more than one attack. For this, an optimization-based protocol is proposed with IDS features. This proposed work is divided into four phases: (a) Initialization Phase, (b) MOpt Departure Phase, (c) MOpt Returning Phase, and (d) MOpt Acceptance Phase. The details of these phases are given below:
(a) Initialization Phase: The first phase of this proposed work is the initialization phase, in which 'k' nodes are distributed over the 'm x n' area. Nodes are initialized with some parameters like Packet Forward Count (µ)=0, Energy (Ę), Delay (φ)=0, Node_ID, and other general parameters. All 'k' nodes are placed randomly on the area and start to communicate with each other.
(b) MOpt Departure Phase: This phase originates whenever a node wants to communicate with another node. In this, the source node initiates nest discovery, in which the cuckoo selects one of the neighbor nests randomly. The following process begins from the chosen nest, in which the firefly starts its discovery process and is forwarded to the neighbor nodes. Whenever a node receives a firefly, it computes parameters as defined in the pseudo code. Here, two cases arise: if an intermediate node receives the firefly, it computes the parameters and stores them in the node table; if the firefly is received by the destination node, the MOpt Return Phase is called.
(c) MOpt Return Phase: In this phase, the destination sends the firefly back to the source with the flag firefly_return. Whenever an intermediate node receives this firefly_return, it updates its parameters, adds the delay of the current packet to the firefly packet, and then forwards it to its next hop. Finally, when this firefly reaches its source node, it calls the MOpt Acceptance Phase.
(d) MOpt Acceptance Phase: In this phase, the source node first evaluates fitness for all the received firefly_return packets based on Accumulated Delay, Energy, and forward count. Two different lists are generated based on this fitness value: (a) Accepted List and (b) Worst Nest List. The worst nest list will be evaluated for the final worst decision based on quality parameters, and this list is maintained in the bin. On the other hand, the fitness of the Accepted list is evaluated again after ranking. The ranking is done to reduce the computations for future transmission, which reduces the algorithm's complexity. This fitness is assessed based on the average value, and the current best will be selected for transmission of the data.
The above phases are called whenever a node wants to communicate with another node, until the data transmission is completed.
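The acceptance-phase logic described above, sketched as an added example (not the paper's NS-2 code): the fitness formula, its weights, the MIN_ENERGY floor, the forward-count check and all field names are assumptions, and only the 0.003 sec threshold comes from the page. The firefly_return records are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean

TH_DELAY = 0.003           # absorption coefficient (delay threshold), seconds, from the page
MIN_ENERGY = 10.0          # assumed quality floor in joules, not from the page
WEIGHTS = (0.5, 0.3, 0.2)  # assumed weights: delay, energy, forward count


@dataclass(frozen=True)
class Hop:
    node_id: int
    energy: float          # residual energy, joules
    forward_count: int     # packets this node has forwarded so far


@dataclass(frozen=True)
class FireflyReturn:
    hops: tuple            # intermediate-node records carried back to the source
    acc_delay: float       # accumulated delay added hop by hop, seconds


def fitness(pkt, max_energy, max_forward):
    """Assumed fitness in [0, 1]; higher is better."""
    w_d, w_e, w_f = WEIGHTS
    delay_term = TH_DELAY / (TH_DELAY + pkt.acc_delay)
    # The weakest hop limits the route, so use per-route minima.
    energy_term = min((h.energy for h in pkt.hops), default=max_energy) / max_energy
    forward_term = min((h.forward_count for h in pkt.hops), default=max_forward) / max_forward
    return w_d * delay_term + w_e * energy_term + w_f * forward_term


def acceptance_phase(packets, bin_nodes=frozenset()):
    """Split returned fireflies into accepted and worst-nest lists and pick the best route."""
    # Routes through nodes already in the bin are ignored outright.
    usable = [p for p in packets if not any(h.node_id in bin_nodes for h in p.hops)]
    max_energy = max((h.energy for p in usable for h in p.hops), default=0) or 1.0
    max_forward = max((h.forward_count for p in usable for h in p.hops), default=0) or 1
    scored = [(fitness(p, max_energy, max_forward), p) for p in usable]

    # Assumption: the delay threshold decides which list a route lands in.
    accepted = sorted((fp for fp in scored if fp[1].acc_delay <= TH_DELAY),
                      key=lambda fp: fp[0], reverse=True)
    worst = [fp for fp in scored if fp[1].acc_delay > TH_DELAY]

    # Re-evaluate the ranked accepted list against its average fitness.
    shortlist = []
    if accepted:
        average = mean(f for f, _ in accepted)
        shortlist = [p for f, p in accepted if f >= average]

    # Final worst decision: only nodes failing the assumed quality check are binned.
    new_bin = set(bin_nodes)
    for _, pkt in worst:
        new_bin.update(h.node_id for h in pkt.hops
                       if h.forward_count == 0 or h.energy < MIN_ENERGY)

    return {"best": shortlist[0] if shortlist else None,
            "accepted": [p for _, p in accepted],
            "shortlist": shortlist,
            "worst": [p for _, p in worst],
            "bin": new_bin}


def route(acc_delay, *hops):
    return FireflyReturn(tuple(Hop(*h) for h in hops), acc_delay)


# Constructed sample: four firefly_return packets for one source-destination pair.
SAMPLE = [
    route(0.0021, (4, 80.0, 40), (9, 75.0, 38)),
    route(0.0028, (6, 60.0, 25), (12, 55.0, 30), (15, 70.0, 22)),
    route(0.0045, (3, 90.0, 0), (11, 65.0, 31)),   # node 3 has forwarded nothing
    route(0.0052, (7, 70.0, 20), (18, 68.0, 19)),  # slow, but passes the quality check
]

if __name__ == "__main__":
    result = acceptance_phase(SAMPLE)
    print("best route:", [h.node_id for h in result["best"].hops])
    print("bin:", sorted(result["bin"]))
```

Passing the returned bin into the next call drops every route through a binned node before fitness is computed, which is how the bin keeps identified attackers out of future transmissions.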

Simulation Results and Analysis
The proposed protocol is implemented using the NS-2 simulator to verify its performance based on different factors. In this MOpt Shield, a threshold value is used for fitness evaluation, as mentioned in the previous sections. So, firstly, the proposed work's performance is evaluated based on different threshold values, and then the value with the best results is used for other analyses. In the other scenario, the performance is analyzed based on the number of connections. It means the performance analysis is done by increasing the traffic rate in the network, which is a crucial factor that affects the network. In both scenarios, two blackhole attackers and three DDoS attacker nodes are implemented to disturb the network. In total, 5 attackers are present in the network to scrutinize the effectiveness of the proposed protocol.

Scenario-1: Absorption Coefficient (Th(D))
In this scenario, the simulation is run with different delay thresholds to identify the best-fitted threshold value used to determine the best results. Delay is an essential factor that affects network performance. Here, the delay threshold values, which are also represented as an Absorption coefficient Th(D) in the MOpt Shield protocol, are varied. Results are evaluated along with the simulation parameters as defined in Table 1. To analyze the results, different performance parameters are used: Packet Delivery Ratio (PDR), Throughput, Packet Loss Ratio (PLR), and Delay. Here, Delay is the transmission delay, which is calculated for the whole scenario like the other parameters. Table 1 shows the performance analyzed after the simulation using the above simulation parameters.
The above results show that the proposed protocol's performance with Th2(D) is the best among the values in all the defined measures. This may be because of the following reasons:
1. Th1(D) is a relatively lower value that is impossible to achieve for every path (group of nodes) because of the attackers' presence and the nodes' dynamic behavior.
2. Attackers are always trying to cause different performance issues. With higher threshold values like Th3(D) and Th4(D), it might be possible that intruders become part of the communication and cause some delay. So, as a result, performance gets reduced. Secondly, the higher accepted delay may select an unfit path, which does not provide the desired results.
The above factors might affect the performance and become the reason for poor performance with the lower and higher threshold values. In contrast, the best performance is achieved with the threshold value of Th2(D), i.e., 0.003 sec, so, for other analyses, this value will be considered. The results for each factor are also shown in the figure below. The above results show that the performance of the proposed protocol varies with the threshold change. In PDR, the result for the Th(D) value of 0.003 sec is 8.5%, 5%, and 11% better than for the Th1(D), Th3(D), and Th4(D) values, respectively. Similarly, for throughput, the improvement percentage is 22.7% from Th1(D), 16.5% from Th3(D), and 25% from Th4(D), which is quite impressive for Th2(D). PLR is also significantly less in the case of Th2(D), and if compared with the other threshold values, it is 36.7%, 25.5%, and 43.8% better than Th1(D), Th3(D), and Th4(D), respectively. Finally, the minor transmission delay is again achieved by Th2(D). The improvement is not much in percent, at 4.7%, 2.4%, and 8.9% respectively, but still, it is the best performance. So, the proposed protocol's performance with the Th2(D) value becomes the reason for selecting this value in further analysis.

Scenario-2: Traffic Transition
Traffic is also an influential factor with which the performance transforms from high to low or vice versa. Here, in this scenario, the number of connections is varied to increase network traffic. For this analysis, the MOpt Shield performance is also compared with the other existing protocols, namely, Cu-IDS, which is a cuckoo-based intrusion detection system, and FF-IDS, a firefly-based intrusion detection system, proposed earlier for the blackhole and DDoS attacks separately. But here, these protocols are tested on the Amalgam Attacks. The simulation parameters used for this scenario are as defined in Table 3. The performance is analyzed using the same parameters as in the previous scenario, and the evaluated results are given below.
(a) Packet Delivery Ratio: The PDR defines the number of packets delivered to the destination. The results presented in the figure below forecast the performance of the proposed protocol and conclude that when traffic rate increases, the PDR reduces, but the MOpt shield's performance is better than the other protocols even in the higher traffic rate. The above results show that the performance achieved by the proposed protocol is better in all cases. With statistical analysis, it is clear that, on average, the MOpt shield's performance is improved by 4.6% and 9.2% from FF-IDS and Cu-IDS, respectively. The proposed protocol's maximum achieved delivery ratio is 90.2%, which is pretty impressive in the presence of Amalgam attacks with 5 attackers.
(b) Throughput: This is another factor that helps measure network performance, which defines the rate of data transmission in kbps (kilobits per second). The figure below exhibits the performance of the proposed protocol and the other existing protocols in terms of Throughput and provides another evidence for the effectiveness of the MOpt Shield.
Like PDR, Throughput is also reduced in the immense traffic; however, the attained performance is better than the other protocols. The MOpt Shield performance in terms of throughput is 19% better than the Cu-IDS, whereas it is 11% better than FF-IDS. So, it is clear from the results that the proposed protocol beats other existing protocols and showcases its capabilities.
(c) Delay: This performance parameter increases with the number of connections but is better than the existing protocols by 13.7% and 8.4% from FF-IDS and Cu-IDS, respectively. So, the potency of the proposed protocol can also be noticed from the delay factor.
(d) Packet Loss Ratio: PLR is also a crucial factor in transmission that defines the loss ratio of the data while transferring from one location to another. The results of this parameter are exhibited in the figure below: The packet loss increases with the increase in connections, but with the proposed protocol it is always less than with the other protocols.

Conclusion and Future Scope
The proposed protocol 'MOpt Shield' is designed to handle amalgam attacks in different scenarios. The proposed protocol uses the effectiveness of the most standard optimization techniques, namely, Cuckoo Search and Firefly, along with the generosity of the Intrusion Detection System. To simulate this protocol, an NS-2 simulator is used. In this approach, the absorption coefficient is selected from the different values based on parameter analysis. The simulation is done in the presence of five attacker nodes. We consider amalgam attacks, so two blackholes and three DDoS attackers are part of this simulation. The proposed protocol's performance is compared with the existing Cu-IDS and FF-IDS by increasing the traffic in the same scenario. The analysis shows that the average PDR of MOpt Shield is 85.9%, 82% for FF-IDS, and 77.9% for Cu-IDS. The other performance measure is throughput, and results depict the average throughput is 115.63, 102.84, and 93.61 kbps for MOpt Shield, FF-IDS, and Cu-IDS, respectively. The last and essential factor, Average Delay, is lesser in the proposed approach and is 0.085 sec. The other approaches, like FF-IDS, have a delay of 0.098 sec, whereas Cu-IDS has 0.093 sec. Overall, the performance of the proposed 'MOpt Shield' is on top in all aspects, and it is concluded that this approach is the conqueror even in the existence of amalgam attacks. The performance of the proposed protocol is quite effective; the only limitation of this protocol is its threshold parameter, which is fixed. As we know, the network is of a dynamic nature, so a fixed threshold might fail in some cases (not necessarily). In the future, attention can be paid to the network parameters in order to test the performance of the proposed protocol, and work can also be done to find a dynamic threshold value for the absorption coefficient.