Survey of Security Issues in Cognitive Radio Networks

Wassim El-Hajj (1), Haidar Safa (1), Mohsen Guizani (2)

(1) Computer Science Department, American University of Beirut, Lebanon
(2) Computer Science Department, Western Michigan University, USA
{we07, hs33}@aub.edu.lb, mguizani@ieee.org

Abstract
Cognitive Radio (CR) is a novel technology that
promises to solve the spectrum shortage problem by
allowing secondary users to coexist with primary users
without causing interference to their communication.
Although the operational aspects of CR are being explored
vigorously, its security aspects have gained little attention.
In this paper, a brief overview of the CR technology is
provided followed by a detailed analysis of the security
attacks targeting Cognitive Radio Networks (CRNs)
along with the corresponding mitigation techniques.
We categorize the attacks with respect to the layer they
target starting from the physical layer and moving up
to the transport layer. An evaluation of the suggested
countermeasures is presented along with other solutions
and augmentations to achieve a secure and trusted CRN.

Keywords:

1 Introduction
The ever-increasing demand for spectrum due to the
rapid introduction of novel wireless applications has led
the Federal Communications Commission (FCC) to approve
in September 2010 new rules that allow unlicensed users
to utilize the spectrum reserved for wireless broadband
services (300MHz and 400MHz). The technology
developed to take advantage of this unused spectrum is
Cognitive Radio Networks (CRNs), which are intelligent
networks that adapt to changes in their environments to
make better use of the radio spectrum. CRNs help solve
the problem of spectrum shortage by allowing unlicensed
users to use primary systems without interference. This
technology allows the coexistence and sharing of licensed
spectrum resources between two types of users, licensed
and unlicensed.
Cognitive Radio (CR) nodes have unique capabilities
which allow them to take advantage of available white
spaces in a spectrum. A study made at the Berkeley
Wireless Research Center (BWRC) shows that most of the
spectrum, particularly from 1 GHz to 10 GHz, is underutilized, as shown in Figure 1. The nodes can sense
their environment and spectrum, analyze the discovered
information, and adjust to the sensed environment. CR
nodes discover white spaces by performing spectrum
sensing, the ability to identify or detect holes in a spectrum.
The techniques used to make use of these holes fall under
the term Dynamic Spectrum Access (DSA). The two
most significant challenges in CRNs are transparency to
primary users and non-interference.

Figure 1 Spectrum Utilization Measurement

The successful deployment of CRNs includes the
correct construction and maintenance of security measures
to combat attacks launched against them. We categorize the
attacks on CRNs into four major classes: Physical Layer
attacks, Link Layer attacks (also known as MAC attacks),
Network Layer attacks, and Transport Layer attacks. In the
Physical Layer, we discuss Primary User Emulation (PUE),
the Objective Function Attack, and Jamming. In the Link Layer,
we discuss Spectrum Sensing Data Falsification (SSDF),
the Control Channel Saturation DoS Attack (CCSD), and
Selfish Channel Negotiation (SCN). In the Network Layer,
we mainly discuss the routing attacks that are relevant to
CRNs, for instance the HELLO Flood attack and the Sinkhole
attack. In the Transport Layer, we discuss the Lion Attack.
Some of these attacks might target different layers, such as
jamming, which can be done in either the physical or MAC
layer. After presenting each attack we discuss in detail
the techniques used to mitigate it. We then evaluate these
countermeasures, showing their strengths and weaknesses.
The rest of the paper is organized as follows. In Section
2, we give a brief overview of the CR technology. In
Section 3, we discuss spectrum sensing, which is considered
the most essential step in CRNs. In Section 4, we discuss
in detail the attacks targeting CRNs and the corresponding
countermeasures. In Section 5, we present an evaluation
study of the existing countermeasures. In Section 6, we
present general frameworks for secure and trusted CRNs.
In Section 7, we conclude the paper and present our future
work.

00-Invited Paper.indd 1

2011/3/10 13:00:58

Journal of Internet Technology Volume 12 (2011) No.2

2 Brief Overview of Cognitive Radio Technology
CRNs are intelligent networks that adapt to changes
in their environments to make better use of the radio
spectrum. Sometimes a frequency may be licensed to a
primary system, but it is not used fully. Consequently,
spectrum holes or white spaces are created. CRNs help
solve the problem of spectrum utilization by allowing
unlicensed users to use primary systems without
interference. For example, a device with CR capabilities
may locate spectrum holes in the frequency band of a TV
network in the presence of a GSM network. The device
can then decide to make calls and communicate with other
CR devices using these holes.
There are two types of CRs [1]: Policy Radios and
Learning Radios. Policy radios have predefined
policies that determine the behavior of the radio. When
a radio gathers information from the surrounding
environment, the information is turned into statistics
that determine the radio's state. Learning radios have an
extra component, a learning engine, which
allows them to configure and re-configure their states.
Radios with a learning engine are able to try out different
parameters and determine which work well in a particular
environment. It is important to point out the different types
of CRs in order to demonstrate the different
effects similar attacks have on them. For example, in a
policy radio, an attacker with knowledge of how statistics
are calculated can affect them and force a desired output.
This attack can affect learning radios as well; however, as
they have a learning engine, the attack can have a longer
lasting effect on them, as they learn or accumulate information
from this experience, which may dictate a certain behavior
in the future. The Objective Function Attack discussed in
Section 4 is an example of such an attack that has a bigger
impact on learning radios than on policy radios.
A CR node has the following capabilities [2]: cognitive
capability, by which the node can sense the environment
and the spectrum; self-organized capability, which is the
node's ability to analyze discovered information; and
reconfigurable capability, where the node is able to adapt
to the sensed environment. Cognitive capability includes
spectrum sensing, which refers to the ability to identify or
detect spectrum holes. This operation must be done with
limited to no interference to the licensed users' traffic
or communication. In addition, it includes network and
service discovery; for example, what kind of networks
are nearby (WiFi, GSM, etc.) and what services are
provided by these networks. Self-organized capability
provides management of the connections between the
different CR nodes that happen to be in the same area.
Good connection management can help CR nodes in route
selection. The ability of the radio to change its frequency
and adapt to available networks and services is one of the
reconfigurable capabilities. Figure 2 presents a generalized
snapshot of the CR architecture.
CRNs are organized in three different architectures:
Infrastructure, Ad Hoc and Mesh. An infrastructure CRN
(Figure 3) has base stations or access points. A device with
CR capabilities may communicate with other devices within
the range of the base station through the base station itself.
Communication between devices in different cells is routed
by the base stations. On the other hand, ad hoc CRNs
(Figure 4) are formed by devices without the need for base
stations; the devices can establish links between each other
using different communication protocols. For example,
they may use existing protocols such as Bluetooth, or
they may use spectrum holes. The final architecture is the
Mesh (Figure 5), which is basically a combination of the
aforementioned architectures. It allows devices to connect
to the base stations through neighboring devices, and then
the base stations work as routers and forward the packets.
A discussion of cognitive radio cannot be complete
without discussing its most important component, Spectrum
Sensing. Spectrum sensing is the task of obtaining
awareness about the spectrum usage and the existence of
primary users in a geographical area. In the next section,
we give a brief overview of how spectrum sensing is
done in CRNs.

Figure 2 General Architecture of Cognitive Radio

Figure 3 Infrastructure Architecture

Figure 4 Ad Hoc Architecture

Figure 5 Mesh Architecture

3 Spectrum Sensing
In order for a CR node (secondary user) to acquire a
service, it undergoes spectrum sensing to decide on the
band to use for transmission, i.e., it searches for spectrum
holes in a specific frequency, and then it exploits the
existence of these holes to be able to use that frequency
for communication. This technique is called Dynamic
Spectrum Access (DSA). However, making sure that this
sensing process is reliable is a challenging task for CRs
because of signal fading due to low received signal
strength, which may result in the hidden node problem. This
problem lessens in distributed spectrum sensing (DSS),
where multiple secondary users cooperate, share their
sensing measures and send them to a data collector [3].
Indeed, each sensing terminal conducts local spectrum
sensing, then reports these local sensing results to the data
collector, which in turn executes data fusion techniques
and determines the final spectrum sensing result. Sensing
can also be done in a completely ad hoc architecture where
no data collector is present, as shown in Figure 6 [4]. The
Common Control Channel (CCC) is used to facilitate the
message exchange between users and support spectrum
sensing coordination.

Figure 6 Spectrum Sensing in an Ad Hoc Architecture


Depending on the CRN architecture, many techniques
have been suggested to determine the final spectrum
sensing result. The three most popular ones are matched
filter, energy detection and cyclo-stationary feature
detection. Although other techniques have been suggested,
we include a brief description of these three
mechanisms for completeness. The energy detection
technique is the most common because of some features
it possesses that prevail over the other techniques. For
example, the matched filter utilizes the signal-to-noise ratio to
detect the presence of a primary user [5]. Its disadvantage
is that it needs prior knowledge of the primary
user signal characteristics, such as modulation type and
order, pulse shaping and packet format. When such
knowledge is unavailable, energy detection is
used as an alternative.
Cyclo-stationary feature detection can detect primary
user signals with low signal-to-noise ratio, but it is
very difficult to implement because it is computationally
complex [5-6]. In addition, it requires prior
knowledge of the primary user signal. In cyclo-stationary
feature detection the primary user signal is sampled and
the amplitude is normalized. If the amplitude is periodic
and there exists a peak value for each period, this value is
compared to a predetermined threshold. If a periodicity is
found, the band is determined to be in use by a primary
user. Otherwise, the band is determined to be free of
primary user signals.
Energy detection works according to the following
rationale: a channel with low power has a high
probability of being an unoccupied channel [5]. Therefore,
the entire detected bandwidth is scanned, and then some
channels are selected by sorting them in ascending order
based on the power of each channel. The channel with the
lowest power is then chosen for use by secondary users.
The disadvantage of energy detection is its naive way of
differentiating between primary user and secondary user
signals [7]. If a secondary user detects a signal it recognizes,
it assumes that it is another secondary user; otherwise,
it determines that it is the signal of a primary user. This
shortcoming has severe repercussions for CR security, as it
facilitates Primary User Emulation attacks.
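To make the energy-detection rule and the distributed sensing with data fusion described in this section concrete, the following Python code is an added illustration (not code from the paper or from [3-5]): each terminal thresholds the measured power of a constructed sample block, the collector fuses the reports with a k-out-of-n rule, and one terminal files a falsified report so the robustness of each fusion rule can be compared. The noise level, threshold, fusion rules and sample blocks are assumptions made here.

```python
"""Energy detection plus cooperative (distributed) spectrum sensing with
k-out-of-n data fusion at the collector, as described in Section 3.
Added illustration, not code from the paper; every sample block below is
constructed (a tone plus Gaussian noise), not a measurement."""
import math
import random
from typing import Dict, List

NOISE_STD = 0.1           # assumed receiver noise level (noise power about 0.01)
OCCUPIED_THRESHOLD = 0.1  # assumed energy threshold separating idle from occupied


def channel_power(samples: List[float]) -> float:
    """Average received power of one sample block: mean of |x|^2."""
    return sum(s * s for s in samples) / len(samples)


def rank_channels(channels: Dict[str, List[float]]) -> List[str]:
    """Energy detection: order channels by measured power, lowest first.
    The first entry is the channel a secondary user would pick."""
    return sorted(channels, key=lambda name: channel_power(channels[name]))


def local_decision(samples: List[float], threshold: float = OCCUPIED_THRESHOLD) -> bool:
    """Local sensing result of one terminal: True means 'occupied'."""
    return channel_power(samples) > threshold


def fuse_reports(reports: List[bool], k: int) -> bool:
    """Data fusion at the collector: the band is declared occupied when at
    least k of the n reports say so (k = 1 is the OR rule, k = n the AND
    rule, k = n // 2 + 1 a majority vote)."""
    return sum(reports) >= k


def make_block(rng: random.Random, amplitude: float, n: int = 256) -> List[float]:
    """Constructed block of received samples: a tone of the given amplitude
    plus noise. amplitude 0 models an idle channel, 1.0 a primary signal."""
    return [amplitude * math.sin(2 * math.pi * i / 16) + rng.gauss(0, NOISE_STD)
            for i in range(n)]


def pick_channel(seed: int = 1) -> List[str]:
    """Scan three constructed channels and rank them as energy detection does."""
    rng = random.Random(seed)
    channels = {"ch1": make_block(rng, 1.0),   # busy
                "ch2": make_block(rng, 0.0),   # idle
                "ch3": make_block(rng, 0.5)}   # weak signal
    return rank_channels(channels)


def cooperative_sensing(truly_occupied: bool, falsified_report: bool,
                        seed: int = 7) -> Dict[str, bool]:
    """Four honest terminals sense one band and a fifth files a falsified
    report. Returns the fused verdict under the three common rules so the
    effect of a single lying terminal can be compared per rule."""
    rng = random.Random(seed)
    amplitude = 1.0 if truly_occupied else 0.0
    reports = [local_decision(make_block(rng, amplitude)) for _ in range(4)]
    reports.append(falsified_report)
    return {"or": fuse_reports(reports, 1),
            "majority": fuse_reports(reports, 3),
            "and": fuse_reports(reports, 5)}
```

With these constructed inputs a single false "idle" report flips the AND rule and a single false "occupied" report flips the OR rule, while the majority vote is unaffected by either.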
Many other spectrum sensing and access techniques
have been suggested in the literature. For instance, in [8] a
sensing method which improves the efficiency of spectrum
access without causing interference to licensed bands
was formulated as a constrained parameter optimization
problem and solved using a numerical algorithm. In [9],
a distributed Medium Access Control protocol for
CR ad hoc networks is suggested. The protocol relies on
time slots for scanning primary system frequencies to allow
secondary users to use the frequency. In [10], a technique
called Sensor Network Aided Cognitive Radio is suggested
to enable licensed and unlicensed wireless users to use
available networks with minimum interference to each
other. The nodes of the CRN send queries to the sensor
network exploring the existence of spectrum holes in the
primary network. Upon receipt of the query, the sensor
network scans the primary network and responds with the
available holes back to the secondary users. Yucek et al.
present a good survey of spectrum sensing algorithms for
CRNs [11].

4 Cognitive Radio Networks: Attacks and Countermeasures
Unlike most of the surveys that address the attacks on
CRNs, we categorize the attacks according to the layers
they target: Physical, Link, Network, and Transport. Since
CRNs can be considered a special kind of Ad Hoc network,
most of the attacks targeting Ad Hoc networks can also
target CRNs. In this survey, we analyze the attacks that are
most relevant to CRNs.
It is important to note that there already exist some
surveys on CRNs [12-13], but they have many weaknesses:
they fail to address some very important
attacks, they are outdated, and, most importantly,
none presents an evaluation study of the various
countermeasures.
Any solution suggested to counter CRN attacks should
abide by the FCC requirement which states that no
modification to the incumbent system should be required
to accommodate opportunistic use of the spectrum by
secondary users [14]. With this requirement in mind,
any security solution suggested to protect against or thwart an
attack on a CRN should be introduced in the secondary user
system, not the primary one.
4.1 Physical Layer Attacks
Before discussing the physical layer attacks on CRNs
and the corresponding countermeasures, we highlight the
work done in [15], which addresses the physical-layer security
of a secondary user in a CRN from an information-theoretic
perspective, considering a secure multiple-input single-output
(MISO) cognitive radio channel. In
MISO, a multi-antenna SU transmitter sends confidential
information to a legitimate SU receiver in the presence
of an eavesdropper and on the licensed band of a primary
user (PU). The approach defines the Secrecy Capacity as
the maximum achievable rate at which data can be
reliably sent from the SU transmitter to the legitimate SU
receiver while being kept perfectly secret from the eavesdropper.
The secrecy capacity of a secure MISO CR channel has
been characterized, and two numerical approaches have been
proposed to compute the secrecy capacity and the capacity-achieving
transmit covariance matrix. By exploiting the
inherent convexity of the problem, the first approach transforms the
original quasiconvex problem into a single semidefinite
program, which can be solved efficiently. By exploiting the relationship
between the secure CRN and the conventional CRN, the
second approach transforms the original problem
into a sequence of optimization problems related to the
conventional CRN.
4.1.1 Primary User Emulation (PUE)
One of the Cognitive Radio principles is that a
secondary user is allowed to use a specific band as long
as it is not occupied by a primary user. However, once the
secondary user detects the presence of a primary user, it
must switch channels immediately to an alternative band
in order not to cause interference to the primary user. If the
secondary user detects another secondary user using the
same band, certain mechanisms should be used to share the
spectrum fairly.
The Primary User Emulation (PUE) attack [14][16] is
carried out by a malicious secondary user emulating a
primary user, or masquerading as a primary user, to obtain
the resources of a given channel without having to share
them with other secondary users (Figure 7). As a result,
the attacker is able to obtain full bands of a spectrum. The
motivation behind the attack is divided into two categories:
the Selfish PUE attack and the Malicious PUE attack. In the Selfish
PUE attack, the attacker's goal is to increase its share of
the spectrum resources. In addition, this attack can be
conducted simultaneously by two attackers to establish a
dedicated link between them. In the Malicious PUE attack,
the attacker's goal is to prevent legitimate secondary users
from using the holes found in a spectrum.

[Figure residue: labels from Figure 6 (data collector / fusion center, sensing terminals, primary user, local spectrum sensing results, data fusion, final spectrum sensing result) and Figure 7 (sensing terminals, malicious user, signals with the same characteristics as primary user signals).]

Figure 7 Primary User Emulation Attack

The PUE attack can target both types of cognitive
radio, Policy Radios and Learning Radios [1], with different
severity. When dealing with policy radios, the effect of the
attack vanishes as soon as the attacker leaves the channel.
The secondary user will then sense that the spectrum is idle
and claim it. On the other hand, when dealing with learning
radios, information about primary users' current and past
behavior can be gathered in order to predict when they will
leave the channel, i.e., make it idle. The attacker can then
perform the PUE attack during these idle times. Now the
attack will have a long-term effect on secondary users, and
they might never use the affected channel again.
As mentioned in [12], new and more sophisticated PUE
attacks can be performed when the attacker has some knowledge
about the cognitive radio network. For instance, an
attacker can utilize the CRN's quiet periods to perform
PUE attacks. A quiet period is the time during which all
secondary users refrain from transmitting to facilitate
spectrum sensing. During these periods, any user whose
received signal strength is beyond a certain threshold
is considered a primary user. This CRN feature can be
exploited by an attacker who transmits during quiet
periods, fooling the rest of the nodes into treating it as a primary
user. Another example is an attacker that performs new PUE
attacks whenever the CRN makes a frequency handoff, i.e.,
switches from one channel to another, thus degrading the
data throughput of the CRN or completely leading to DoS.
Such an attack assumes that the attacker can find the next
CRN in a limited time.
Apart from the experimental PUE attacks, an analytical
model is described in [17] to obtain the probability of
successful PUE attacks on secondary users. The authors
provided lower bounds on the probability of a successful
attack using Fenton's approximation and the Markov inequality.
We discuss next the approaches used to thwart PUE attacks.
Defending Against Primary User Emulation Attack
To defend against PUE attacks, the identity of the
transmitting source needs to be established, i.e., is the
transmitting source a primary user or a malicious user? The
usual and best approach to knowing the user identity is to
apply cryptographic authentication mechanisms, such as
digital signatures. But such an approach cannot be adopted
because of the FCC regulation that prohibits altering
primary user systems. Given this restriction, and knowing
that primary users' locations are known ahead of time,
researchers resorted to finding efficient ways of pinpointing
the location of the transmitting source. If the location of the
source matches the location of a primary user, the source is
considered to be a primary user. Otherwise it is considered
to be an attacker trying to emulate a primary user.
In [14], two approaches have been suggested to
determine the location of the transmitting source: the Distance
Ratio Test (DRT), which is based on received signal strength
measurements, and the Distance Difference Test (DDT), which
is based on signal phase difference. Both approaches are
based on a transmitter verification procedure. The procedure
uses a location verification method to distinguish between
primary signals and secondary signals masquerading
as primary signals. Some assumptions are made to create
the environment where the attack is likely to occur. The
primary users are TV broadcast towers with fixed locations,
and there are some secondary user nodes within the range of
the towers' signals. There are trusted location verifiers (LVs)
to perform DRT and DDT, and there are two types of LVs:
master and slave LVs. A master LV has a database with
the coordinates of the TV towers. LVs know their location
from a secure GPS system. Finally, there exists a control
channel between LVs used for their communication. LVs
calculate the distances between themselves and the transmitters
as they receive their signals. The signals can be from the
towers or from an attacker masquerading as a tower. Then the
LVs compare them to their database of tower locations.
If the verification fails, the transmitter of a given signal is
considered to be an attacker. For these approaches to work,
the data exchanged between the LVs must be encrypted
and authenticated to avoid eavesdropping, modification or
replay attacks executed by the attacker.
Although DDT does not suffer from the drawbacks of
DRT, DDT requires tight synchronization among the LVs
that may be expensive to implement. These transmitter
verification methods which verify the authenticity of a
given signal by estimating its location and comparing it
with the location of known incumbents are insufficient in a
full mobile network where the incumbents are mobile and
have low power [18].
Both DRT and DDT can be fooled if the attacker is
transmitting from the vicinity of the TV tower. A solution to
this problem is presented in [7] by combining localization
of transmitters with signal energy level detection. The
following scenario is used to describe the suggested
approach: The network consists of TV towers transmitters
and receivers which represent the primary users. The
secondary users are mobile devices with cognitive radio
capabilities. The TV towers have a fixed location and
energy level of hundreds of thousands of Watts while
the mobile devices have energy level of few hundred
milliwatts. This is important because an attacker may try
to deceive other secondary users by transmitting from the
vicinity of the TV tower, and here the level of the energy
of the transmitter will be used in conjunction with the
location.
The authors named their approach Localization-based
Defense (LocDef), which does transmitter verification
in three steps: verification of signal characteristics,
measurement of received signal energy level, and
localization of the signal source [7]. LocDef uses RSS-based
localization, which exploits the relationship between
signal strength and transmitter location. The strength of
a signal decreases as the distance between the transmitter
and receiver increases. If a node is able to collect enough
signal strength data from the nodes spread through a
network, it can create a signal strength model which it
can then use to estimate the location of the transmitter. To
collect the RSS measurements, an underlying Wireless
Sensor Network (WSN) is used. The WSN helps
secondary users in spectrum sensing and informs them of
opportunities in the network.
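The following Python code is an added example of a LocDef-style verifier in the spirit of [7], not the authors' implementation: RSS reports from sensor-network nodes are turned into a location fix, the fix is compared with the TV-tower database, and the transmit power implied by the fix is checked against what a broadcast tower radiates, so that an emitter standing next to a tower but radiating handheld-level power is still flagged. The path-loss model, coordinates, tolerances and the grid-search localisation are assumptions made here, and LocDef's first step (signal characteristics) is assumed to have passed already.

```python
"""LocDef-style transmitter verification for the PUE defence of Section 4.1.1:
locate the emitter from the RSS reported by sensor-network nodes, compare the
fix with the TV-tower database, and check that the implied transmit power is
consistent with a broadcast tower rather than a handheld. Added example, not
the authors' implementation; the path-loss model, coordinates, tolerances and
the grid-search localisation are assumptions. Step one of LocDef (signal
characteristics) is assumed to have passed already and is not modelled."""
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]

PATH_LOSS_EXPONENT = 2.0   # assumed log-distance model, free-space-like
PL_AT_1M_DB = 32.0         # assumed path loss at the 1 m reference distance

# Constructed database held by the verifier: tower name -> (x, y) in metres.
TOWER_DB: Dict[str, Point] = {"TV-A": (2000.0, 3000.0), "TV-B": (8500.0, 7000.0)}
# Constructed positions of the sensor-network nodes that report RSS.
VERIFIERS: List[Point] = [(0.0, 0.0), (10000.0, 0.0), (0.0, 10000.0), (10000.0, 10000.0)]

LOCATION_TOLERANCE_M = 300.0  # assumed: how close a fix must be to a known tower
MIN_TOWER_POWER_DBM = 60.0    # assumed: 1 kW; towers radiate far more, handsets ~23 dBm


def distance(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def path_loss_db(d_m: float) -> float:
    """Log-distance path loss; distances below 1 m are clamped to the reference."""
    return PL_AT_1M_DB + 10 * PATH_LOSS_EXPONENT * math.log10(max(d_m, 1.0))


def predicted_rss(tx: Point, tx_power_dbm: float, rx: Point) -> float:
    """RSS (dBm) a node at rx would report for an emitter at tx."""
    return tx_power_dbm - path_loss_db(distance(tx, rx))


def localize(rss: List[float], step: float = 50.0,
             extent: float = 10000.0) -> Tuple[Point, float]:
    """Grid search for the fix that best explains the reports. At the true
    position every report plus its path loss equals the same transmit power,
    so the spread of those implied powers is the misfit; this cancels the
    unknown transmit power. Returns (fix, implied transmit power in dBm)."""
    best_fix, best_ptx, best_err = (0.0, 0.0), 0.0, float("inf")
    steps = int(extent / step) + 1
    for i in range(steps):
        for j in range(steps):
            cand = (i * step, j * step)
            implied = [r + path_loss_db(distance(cand, v)) for r, v in zip(rss, VERIFIERS)]
            mean_ptx = sum(implied) / len(implied)
            err = sum((p - mean_ptx) ** 2 for p in implied)
            if err < best_err:
                best_fix, best_ptx, best_err = cand, mean_ptx, err
    return best_fix, best_ptx


def verify_transmitter(rss: List[float]) -> Dict[str, object]:
    """LocDef steps two and three: localisation against the tower database and
    an energy-level check. Both must pass for the source to be treated as a PU."""
    fix, ptx = localize(rss)
    nearest = min(TOWER_DB, key=lambda t: distance(TOWER_DB[t], fix))
    location_ok = distance(TOWER_DB[nearest], fix) <= LOCATION_TOLERANCE_M
    power_ok = ptx >= MIN_TOWER_POWER_DBM
    return {"fix": fix, "tx_power_dbm": round(ptx, 1), "nearest_tower": nearest,
            "location_ok": location_ok, "power_ok": power_ok,
            "verdict": "primary" if location_ok and power_ok else "suspect"}


def reports_for(tx: Point, tx_power_dbm: float) -> List[float]:
    """Constructed RSS reports the sensor nodes would file for an emitter at tx."""
    return [predicted_rss(tx, tx_power_dbm, v) for v in VERIFIERS]
```

Feeding `reports_for((2000.0, 3000.0), 80.0)` yields a "primary" verdict, while an emitter at (2100, 3050) with 23 dBm passes the location test but fails the power check, which is exactly the case location-only verification (DRT/DDT) cannot catch.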
In [19], another localization strategy was suggested
by first applying the Time Difference of Arrival (TDOA)
method and then the Frequency Difference of Arrival
(FDOA). TDOA will run first to provide certain inputs
(motion vector) to FDOA, which in turn pinpoints
the accurate location of the transmitting source. Both
approaches ([19-20]) rely on many assumptions that make
them very restrictive and not applicable to general CRN.
Apart from localization, fingerprinting has been used
to authenticate the transmission source [21]. Initially,
Radio Frequency Fingerprinting (RFF) was proposed
as a means of enhancing security in wireless networks [22].
RFF consists of using a certain unique, short-duration
distinctive behavior of the emitter, present in the waveforms
emitted by a transceiver when activated, to identify the
emitter. It has been attributed to the acquisition behavior
of frequency synthesis systems, modulator subsystems,
RF amplifiers as well as physical properties of the emitter.
The idea is that by monitoring and analyzing a network's
analog signal at the physical layer, it is possible to identify
emitters and address security-related issues. Although an
optimal solution was claimed, this approach requires heavy
computation and large samples of training data. To address
this drawback, a cross-layer signal pattern recognition
technique was proposed in [21]. This approach exploits a
unique property called Electromagnetic Signatures (EMS)
(which can be compared to a human biometric feature)
of each CR device to build a security sub-system. A PHY
attacker model that exploits the adaptability and flexibility
of CRNs was described. Then, to thwart this attack,
waveform pattern recognition is used to identify emitters
and detect camouflaging attackers by using the EMS of the
transceiver. In this approach, a malicious device is detected
based on its signal pattern with certain levels of deviation.
The two main processes involved in the execution
of this scheme are enrollment, for data collection, and
testing, in order to identify a user. This approach is a cross-layer
security module which is capable of highlighting
distinctions among cognitive radio devices. It is designed
to learn the fool-proof initial unique characteristic of CR
devices and compare it with subsequent transmissions
for validation and authentication. Although this approach
was initially suggested to mitigate DoS threats in general,
it can be perfectly tailored to defend against PUE attacks,
since it can be used to authenticate the transmission source.
However, there is a likely increase in storage requirements
and total sensing time due to the overhead of extra
signal processing operations.
Another fingerprinting approach was suggested in [20].
The suggested approach works by erasing the modulation
of all received signals to get the carrier with phase noise.
The phase noise for each transmitter is random but unique.
After applying wavelet and higher-order statistics analysis,
the authors generated what they called the fingerprint
of the signal. The fingerprint is then used as the basis of
transmitter identification to defend against PUE attacks.
In [23], Wald's sequential probability ratio test is
used to detect the PUE attack. The authors assumed that the
transmission power of the attacker is fixed. Although
detecting PUE attacks is a challenging problem, a more
challenging one is to develop effective countermeasures
once an attack is identified.
4.1.2 Objective Function Attack
One of the many definitions of cognitive radio
states that Cognitive radio is a smart radio that has the
ability to sense the external environment, learn from
the history, and make intelligent decisions to adjust its
transmission parameters according to the current state
of the environment [24]. The cognitive engine in the
adaptive radio is the one responsible for adjusting the radio
parameters in order to meet specific requirements such as
low energy consumption, high data rate, and high security.
Radio parameters include center frequency, bandwidth,
power, modulation type, coding rate, channel access
protocol, encryption type, and frame size [1]. The cognitive
engine calculates these parameters by solving one or more
objective functions, for instance find the radio parameters
that maximize data rate and minimize power.
When the cognitive engine is running to find the
radio parameters appropriate to the current environment,
the attacker can launch his attack by manipulating the
parameters he has control over (transmission rate) in order
to make the results biased and tailored to his interest. In
[1], a scenario of an Objective Function attack is presented
where the cognitive engine needs to maximize an objective
function composed of transmission rate (R) and security (S),
i.e., f = w1R + w2S, where w1 and w2 represent the weights
of R and S. Whenever the cognitive engine attempts to use
a high security level S, the attacker launches a jamming
attack on the radio, thus reducing R and hence reducing
the overall objective function. The cognitive engine will
then refrain from increasing the security level in order not
to decrease the objective function. This way, the attacker
forces the radio to use a low security level that can be
hacked. It is to be noted that this attack is effective on
on-line learning radios only and has no effect on off-line
learning radios [1][12].
Defending against Objective Function Attack
No good solution has been suggested to defend against
the Objective Function Attack. A simple suggestion has
been made in [12] to define threshold values for every
updatable radio parameter. If the parameters do not meet the
thresholds, the communication stops. They also suggested
getting help from a good Intrusion Detection System (IDS).
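The following Python code is an added simulation (not from the paper, [1] or [12]) of the objective-function scenario above, f = w1R + w2S, on a small on-line learning engine, together with the parameter-threshold defence suggested in [12]: without thresholds the engine settles on a low security level once the higher levels are jammed, whereas with a minimum security and minimum rate threshold it stops communicating rather than silently downgrading. The weights, rate figures and the effect of jamming on the measured rate are assumptions made here.

```python
"""Objective Function Attack (Section 4.1.2) and the parameter-threshold
defence suggested in [12], simulated on a tiny on-line learning engine.
Added example with constructed numbers; the weights, rate model and the
effect of jamming are assumptions, not values from the paper."""
from typing import Dict, Optional, Set

W1, W2 = 1.0, 2.0                                   # assumed weights of R and S
SECURITY_LEVELS = [0, 1, 2, 3]                      # assumed: 0 = none, 3 = strongest
NOMINAL_RATE = {0: 10.0, 1: 9.0, 2: 8.0, 3: 7.0}    # assumed Mbit/s without interference
JAMMED_RATE = 0.5                                   # assumed throughput left under jamming


def objective(rate: float, security: int) -> float:
    """f = w1*R + w2*S, the objective the cognitive engine maximises."""
    return W1 * rate + W2 * security


def measured_rate(security: int, jammed_levels: Set[int]) -> float:
    """Rate the radio observes while trying a security level. The attacker of
    Section 4.1.2 jams whenever a level in jammed_levels is in use, so the
    measured R collapses exactly for the levels the attacker dislikes."""
    return JAMMED_RATE if security in jammed_levels else NOMINAL_RATE[security]


def choose_configuration(jammed_levels: Set[int],
                         thresholds: Optional[Dict[str, float]] = None
                         ) -> Optional[Dict[str, float]]:
    """One on-line learning step: try every level, measure R, keep the best f.
    thresholds is the [12] defence: minimum acceptable 'security' and 'rate'.
    A level that violates either is not a candidate, and when no level is
    acceptable the engine returns None, i.e. communication stops instead of
    running at a degraded security level chosen for the attacker's benefit."""
    thresholds = thresholds or {}
    best = None
    for s in SECURITY_LEVELS:
        r = measured_rate(s, jammed_levels)
        if s < thresholds.get("security", 0) or r < thresholds.get("rate", 0.0):
            continue
        f = objective(r, s)
        if best is None or f > best["objective"]:
            best = {"security": s, "rate": r, "objective": f}
    return best
```

A halted radio is a visible failure that the IDS mentioned above can report, whereas the undefended engine's choice of security level 1 looks like an ordinary optimisation result.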
4.1.3 Jamming
In jamming, the attacker (jammer) maliciously sends out
packets to hinder legitimate participants in a communication
session from sending or receiving data; consequently,
creating a denial of service situation. The jammer may
send continuous packets of data making a legitimate user
to never sense a channel as idle, or he can send these
packets to the legitimate users and force them to receive
junk packets. The jammer can also disrupt communication
by blasting a radio transmission resulting in the corruption
of packets received by legitimate users. A more dangerous
attack a jammer can do is to jam the dedicated channel
that is used to exchange sensing information between CRs
(Common control data attack [25]). An attacker can still
do damage if he just eavesdropped on the control data and
knew the new channel the CRN is switching to. He can
then jam it. Jamming is an attack that can be done in the
physical and MAC layers. For this reason, we discuss it in
the end of the Physical Layer Attacks section, just before
the Link Layer Attacks section.
There exist four types of jammers: Constant Jammer,
Deceptive Jammer, Random Jammer, and Reactive Jammer
[26]. The constant jammer sends out packets of data
continuously with no regard to MAC-layer protocols. It
doesnt wait for the channel to be idle as the attacker starts
sending its packets without any regard to other users on
that channel. The deceptive jammer tricks the legitimate
users. It sends out packets continuously making the other
users switch into a receive state and remain in that state as
they detect a constant stream of incoming data packets. The
random jammer takes breaks between the jamming signals,
and during its jamming phase it may behave as a constant
or deceptive jammer. It takes some time off to conserve
energy in case the jammer doesn't have an unlimited power
supply. The reactive jammer senses the channel at all times,
and whenever it senses communication in the channel it
starts transmitting the jamming signals. This jammer is
harder to detect because it's not transmitting all the time.
Journal of Internet Technology Volume 12 (2011) No.2

To perform MAC Layer denial of service attack, an
attacker can send out packets on a specific radio channel,
making all devices within radio range assume that the
channel is occupied and postpone their transmission of data
[27]. To perform Physical Layer denial of service attack,
an attacker may use a device capable of emitting energy at
the same frequency used by other devices to communicate
and interfere with their communication. Examples of such
devices are programmable radios and waveform generators.
An attack scenario is presented in [28], where a single
cognitive radio jams multiple channels by switching
through channels quickly after sending the jamming
packets for a fixed period. There is an inter-jamming
interval between each jamming period on each channel.
After sending the jamming packets in the last channel, the
attacker revisits the previous channels at the end of the
inter-jamming interval, and repeats the jamming cycle.
• Defending against Jamming
Since DoS can be performed at the Link and Physical
layers, the detection should be addressed at both layers. In
the MAC-layer detection, devices can detect a denial of
service attack by sensing the channel they want to transmit
their packets on. A popular class of medium access control
protocols is the one based on carrier-sensing multiple-access
(CSMA). In CSMA, a device will continually sense
a channel until it detects that it's idle. Even then, it will
wait for some time before it starts transmitting (propagation
delay) in order to make sure that the channel is clear.
Suppose an attacker is sending packets on the same channel
that the legitimate device wants to use for transmission;
the legitimate device will never pass the carrier-sensing
and will be forced to back off. Therefore, the device will
know that it's a victim of a denial of service attack. In the
PHY-layer detection, legitimate devices should be able
to distinguish between the normal and abnormal level of
noise in a channel. They can do so by collecting enough
data of the level of the noise in the network and building
a statistical model to use for comparison when a denial of
service attack occurs [27].
In [26], a jamming detection technique that investigates
the relationship between Signal Strength (SS) and Packet
Delivery Ratio is suggested. Packet Delivery Ratio (PDR)
is the ratio of packets delivered to a destination compared
to the number of packets sent by a transmitter. If SS is
high but PDR is low, a legitimate user may assume that
it's being jammed unless one of its neighbors has high
SS and PDR. This technique is called Signal Strength
Consistency Checks. Another technique called Location
Consistency Checks is suggested to detect jamming where
the location of the neighbors is important and can be
acquired through GPS and then advertised by each node.
A node suspects jamming when, given the locations of its
neighbors, it should have received at least a minimal number
of packets from them. A node will check its PDR and decide
whether the PDR is consistent with what it should see given
the location of its neighboring nodes. Theoretically,
neighboring nodes that are close to a particular node should
have high PDR values, and if all nearby neighbors have low
PDR values this may lead to concluding that this user is
either being jammed or has poor link quality with its neighbors.
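As an added example (not code from [26] or from this survey), the following Python sketch implements both consistency checks for a node A and its neighbors on constructed measurements; the SS and PDR thresholds and the distance-to-PDR link model are assumptions, since the paper does not fix what counts as "high" or "low".

```python
"""Jamming detection: Signal Strength and Location Consistency Checks.

Added illustration of the two checks described in [26]; not code from that
paper or from this survey. The measurements, the "high"/"low" thresholds
and the distance-to-PDR link model are constructed assumptions.
"""
from dataclasses import dataclass
from math import hypot

# Assumed decision thresholds ([26] does not define "high" and "low").
SS_HIGH_DBM = -70.0   # signal strength at or above this counts as "high"
PDR_LOW = 0.30        # delivery ratio at or below this counts as "low"
PDR_HIGH = 0.80       # delivery ratio at or above this counts as "high"


@dataclass(frozen=True)
class Report:
    """Signal strength and packet delivery ratio reported by one node."""
    ss_dbm: float
    pdr: float


def ss_consistency_check(own: Report, neighbours: dict[str, Report]) -> bool:
    """Signal Strength Consistency Check.

    A node that hears a strong signal yet delivers almost nothing suspects
    jamming, unless some neighbour reports both high SS and high PDR, in
    which case the channel is usable and the node's own link is the problem.
    Returns True when jamming is suspected.
    """
    if own.ss_dbm < SS_HIGH_DBM or own.pdr > PDR_LOW:
        return False
    channel_usable = any(n.ss_dbm >= SS_HIGH_DBM and n.pdr >= PDR_HIGH
                         for n in neighbours.values())
    return not channel_usable


def expected_pdr(distance_m: float, good_range_m: float = 50.0,
                 max_range_m: float = 150.0) -> float:
    """Constructed link model: full delivery inside good_range_m, linear
    fall-off up to max_range_m, nothing beyond it."""
    if distance_m <= good_range_m:
        return 1.0
    if distance_m >= max_range_m:
        return 0.0
    return 1.0 - (distance_m - good_range_m) / (max_range_m - good_range_m)


def location_consistency_check(own_pos: tuple[float, float],
                               neighbour_pos: dict[str, tuple[float, float]],
                               observed_pdr: dict[str, float],
                               shortfall: float = 0.5) -> bool:
    """Location Consistency Check.

    Neighbours advertise their GPS positions. For every neighbour in radio
    range the node compares the PDR it observes with what the distance
    predicts. If all in-range neighbours deliver less than `shortfall` of
    the expected ratio, the node is either jammed or has uniformly poor
    links (the check cannot separate the two). Returns True when the
    observed PDRs are inconsistent with the neighbours' locations.
    """
    in_range = {}
    for name, (x, y) in neighbour_pos.items():
        exp = expected_pdr(hypot(x - own_pos[0], y - own_pos[1]))
        if exp > 0.0:
            in_range[name] = exp
    if not in_range:
        return False          # nothing to compare against
    return all(observed_pdr[name] < shortfall * exp
               for name, exp in in_range.items())


# Constructed sample: node A with neighbours B, C (close), D (far), E (out of range).
POSITIONS = {"A": (0.0, 0.0), "B": (20.0, 0.0), "C": (0.0, 30.0),
             "D": (100.0, 0.0), "E": (400.0, 0.0)}
NEIGHBOUR_POS = {k: v for k, v in POSITIONS.items() if k != "A"}

# Scenario 1: A hears a strong signal but nobody gets through.
JAMMED_OWN = Report(ss_dbm=-55.0, pdr=0.10)
JAMMED_NEIGHBOURS = {"B": Report(-60.0, 0.05), "C": Report(-58.0, 0.10),
                     "D": Report(-85.0, 0.00), "E": Report(-95.0, 0.00)}
JAMMED_PDR = {"B": 0.05, "C": 0.10, "D": 0.00, "E": 0.00}

# Scenario 2: same strong signal at A, but neighbour B communicates fine,
# so A's poor delivery points at its own link, not at a jammer.
HEALTHY_OWN = Report(ss_dbm=-55.0, pdr=0.10)
HEALTHY_NEIGHBOURS = {"B": Report(-60.0, 0.90), "C": Report(-58.0, 0.10),
                      "D": Report(-85.0, 0.40), "E": Report(-95.0, 0.00)}
HEALTHY_PDR = {"B": 0.90, "C": 0.10, "D": 0.40, "E": 0.00}


def run_checks(own: Report, neighbours: dict[str, Report],
               pdr: dict[str, float]) -> dict[str, bool]:
    """Run both checks from node A's point of view and return the verdicts."""
    return {
        "ss_check": ss_consistency_check(own, neighbours),
        "location_check": location_consistency_check(
            POSITIONS["A"], NEIGHBOUR_POS, pdr),
    }


if __name__ == "__main__":
    print("scenario 1 (jammed): ", run_checks(JAMMED_OWN, JAMMED_NEIGHBOURS, JAMMED_PDR))
    print("scenario 2 (healthy):", run_checks(HEALTHY_OWN, HEALTHY_NEIGHBOURS, HEALTHY_PDR))
```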
Given the Jamming detection techniques just discussed,
two strategies could be used to defend against jamming
(DoS). The first strategy to escape denial of service is
channel surfing, or frequency hopping. In this approach,
communicators agree to use a different channel once a
denial of service attack is detected through any of the
above-mentioned detection techniques. The second strategy
is spatial retreat, where legitimate users change their
location to escape the interference range imposed by the
attacker. Two things must be kept in mind in this approach:
the users must leave the region where the attacker is located,
and they must stay within range of each other to continue
communication [27].
4.2 Link Layer Attacks
4.2.1 Spectrum Sensing Data Falsification (SSDF)
Spectrum Sensing Data Falsification, also known as
the Byzantine Attack, takes place when an attacker sends
false local spectrum sensing results to its neighbors or to
the fusion center, causing the receiver to make a wrong
spectrum-sensing decision [29][30]. This attack targets
centralized as well as distributed CRNs. In a centralized
CRN, a fusion center is responsible for collecting all the
sensed data and then making a decision on which frequency
bands are occupied and which are free. Fooling the fusion
center will either deny some legitimate users from using
a free band or allow users to use a band that is already
occupied causing interference. Similar problems occur in
a distributed CRN where decisions about the frequency
bands status are made via collaboration between CRs. But
the SSDF attack could be more harmful in a distributed CRN
because the false information can propagate quickly with
no means to control it. In a centralized CRN, by contrast,
the fusion center can lessen the effect of false information
by comparing the data received from all CRs and devising
some smart techniques to know which CR might be lying.
An analytical treatment of the attack was presented
in [31] in which performance limits are established in
terms of the fraction of Byzantine attackers that will make
the fusion center blind and when no trust based approach
would work. In [32], the system performance under certain
quality of service (QoS) constraints was investigated, and
the performance of collaborative sensing under malicious
attacks and various conditions was studied.

• Defending against Spectrum Sensing Data Falsification
Several data fusion techniques were proposed to detect
the Spectrum Sensing Data Falsification (SSDF) Attack.
In [33], a Decision fusion technique is proposed where
all collected local spectrum-sensing results are summed.
If the sum is greater than or equal to a certain threshold
(which is a specified value between 1 and the number of
sensing terminals), then the final sensing result is busy,
i.e., it denotes the presence of incumbent signal. Otherwise,
the band is determined to be free, i.e., it denotes the
absence of incumbent signal. Because interference to
incumbents should be minimized, usually a conservative
strategy is favored, which takes a threshold value of one.
In this case, even if a band is free, as long as there is one
sensing terminal that erroneously reports the presence of
an incumbent signal, the final result will be busy, causing
a false alarm. If an SSDF attacker exploits this feature
and always reports the presence of an incumbent signal
as its local spectrum sensing result, then the final result
will always be busy. To prevent such a scenario, one can
increase the threshold value. However, increasing the
threshold value has the downside of increasing the miss
detection probability. Moreover, increasing the threshold is
ineffective in decreasing the false alarm probability when
there are multiple attackers.
In [18], a data fusion technique called Weighted
Sequential Ratio Test (WSRT) was proposed to counter
Byzantine attacks. In an ad hoc architecture, any node
that needs to conduct spectrum sensing becomes a data
collector and collects local sensing reports from neighboring
nodes. WSRT is composed of two major steps. The first one
is the reputation maintenance step, where every node initially
has a reputation value equal to zero and, upon each correct local
spectrum report, the reputation value is increased by 1.
The second step is the actual hypothesis test step of WSRT,
which is based on the Sequential Probability Ratio Test [34] but
with some adjustments so that the decision value takes into
consideration the terminals' reputation, unlike the ordinary
SPRT applied to the previous data fusion techniques. This
WSRT approach is similar to various trust based data fusion
schemes which are employed in wireless sensor networks
(WSNs).
A similar weight based fusion scheme was proposed in
[35] to counter malicious nodes that transmit false sensing
signals. In this approach, a trust approach and pre-filtering
techniques are used. Permanent malicious nodes are of
two types, the "Always Yes" type and the "Always No"
type. The "always yes" node advertises the presence of a primary
user nearby (i.e., increases the probability of false alarm)
and the "always no" node advertises the absence of a primary
user nearby (i.e., decreases the probability of detection).
The approach relies on pre-filtering the data to identify and
nullify the malicious users that are only sometimes faulty
(i.e., not permanently faulty), assigning a trust factor
to each user (based on statistics from many users) that
quickly identifies "Always Yes" and "Always No" nodes,
and quantizing the data.
In [36], a detection mechanism is proposed to identify
Byzantine attackers by counting mismatches between their
local decisions and the global decision at the fusion center
over a time window and then removing the Byzantines from
the data fusion process. The proposed scheme was shown
to be robust against Byzantine attacks and it successfully
removed the Byzantines in a very short time span.
In [37], another Bayesian detection mechanism was
proposed that requires the knowledge of a priori conditional
probabilities of the local spectrum sensing result (i.e.,
presence or absence of incumbent). It also requires the
knowledge of a priori probabilities of the final sensing
result. Several combination cases exist from these local
and final sensing results. These cases are either correct or
wrong. A small cost is assigned to the correct ones and a
large cost is assigned to the wrong ones. The overall cost
is the sum of all the costs weighted by the probabilities
of the corresponding cases. Bayesian detection outputs a
final spectrum sensing result that minimizes the overall
cost. When a network is under SSDF attacks, the values of
the a priori conditional probabilities of the local terminal
sensing are not trustworthy. As a result, Bayesian detection
is no longer optimal in terms of minimizing the overall
cost.
In [38], the Neyman-Pearson test was proposed, which
does not rely on knowledge of the a priori probabilities
of the final sensing or any cost associated with each
decision case. Instead, it needs to define either a maximum
acceptable probability of false alarm or a maximum
acceptable probability of miss detection. The Neyman-Pearson
test guarantees that the other probability is minimized
while the defined probability stays within the acceptable bound.
As with Bayesian detection, the Neyman-Pearson test
also requires knowledge of the a priori conditional
probabilities of the local sensing.
A malicious user detection algorithm that calculates
the suspicious level of secondary users based on their past
reports was proposed in [39]. This algorithm calculates
trust values as well as consistency values that are used to
eliminate the malicious users' influence on the primary
user detection results. The results show that even a single
malicious user can significantly degrade the performance
of collaborative sensing. The trust value indicator can
effectively differentiate honest and malicious secondary
users. Furthermore, when a good user suddenly turns bad,
the proposed scheme can quickly reduce the trust value of
this user. If this user only behaves badly a few times,
its trust value can recover after a large number of good
behaviors. If the bad behavior is consistent, the trust value
becomes almost impossible to recover.
In all the previous approaches, sensing results must
be authenticated and a robust data fusion scheme must be
deployed. This can be ensured by using a sequential
probability ratio test, which collects more results and thus
guarantees better decisions. Another solution would be
to incorporate a reputation-based scheme into the DSS
that ensures reputation maintenance and applies reputation
information to data fusion.
Although the trust based schemes presented above
have shown satisfactory performance in some settings,
an analytical study of their performance has not been
carried out. Moreover, there is a lack of references on how
severely the attacks would degrade the system performance.
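The threshold fusion rule discussed for [33] and the mismatch-counting exclusion of [36], as an added example (not code from those papers or from this survey): a constructed run with five honest terminals and one always-yes SSDF attacker shows how the OR rule is captured by a single attacker, how a majority threshold exposes and removes it, and how a unanimity threshold trades false alarms for missed detections.

```python
"""Threshold decision fusion under an SSDF attack, with mismatch-based
removal of Byzantine reporters.

Added illustration of the k-out-of-N fusion rule discussed for [33] and of
the mismatch-counting detector of [36]; not code from those papers or from
this survey. Ground truth, terminals and reporting patterns are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


def fuse(reports: dict[str, int], threshold: int) -> int:
    """k-out-of-N rule: the band is declared busy (1) when at least
    `threshold` admitted terminals report an incumbent. threshold=1 is the
    conservative OR rule; threshold=N requires unanimity."""
    return int(sum(reports.values()) >= threshold)


@dataclass
class MismatchDetector:
    """Counts, per terminal, disagreements between its local decision and
    the fused global decision over a sliding window ([36] style). A terminal
    whose count exceeds `max_mismatches` is dropped from later fusions."""
    window: int = 10
    max_mismatches: int = 4
    history: dict = field(default_factory=lambda: defaultdict(list))
    excluded: set = field(default_factory=set)

    def step(self, reports: dict[str, int], threshold: int) -> int:
        admitted = {t: r for t, r in reports.items() if t not in self.excluded}
        decision = fuse(admitted, threshold)
        for terminal, local in reports.items():
            hist = self.history[terminal]
            hist.append(int(local != decision))
            del hist[:-self.window]            # keep only the last `window` rounds
            if terminal not in self.excluded and sum(hist) > self.max_mismatches:
                self.excluded.add(terminal)
        return decision


# Constructed ground truth: the band alternates free (0) / busy (1).
TRUTH = [0, 1] * 10


def honest_report(name: str, t: int, truth: int) -> int:
    """Honest terminals sense correctly, except that h3 mis-senses once
    every seventh round (a constructed occasional sensing error)."""
    if name == "h3" and t % 7 == 6:
        return 1 - truth
    return truth


def simulate(threshold: int, n_honest: int = 5,
             attackers: tuple[str, ...] = ("a1",)):
    """Run the fusion over TRUTH with `n_honest` honest terminals and
    always-yes SSDF attackers. Returns (false alarms, missed detections,
    set of terminals excluded by the detector)."""
    detector = MismatchDetector()
    honest = [f"h{i}" for i in range(n_honest)]
    false_alarms = missed = 0
    for t, truth in enumerate(TRUTH):
        reports = {n: honest_report(n, t, truth) for n in honest}
        reports.update({a: 1 for a in attackers})   # always report "busy"
        decision = detector.step(reports, threshold)
        false_alarms += int(decision == 1 and truth == 0)
        missed += int(decision == 0 and truth == 1)
    return false_alarms, missed, detector.excluded


if __name__ == "__main__":
    # OR rule: the attacker alone forces "busy" every round, so it never
    # disagrees with the fused decision and cannot be caught; the honest
    # terminals, which do disagree, are the ones the detector excludes.
    print("threshold 1 (OR):      ", simulate(threshold=1))
    # Majority of six terminals: the attacker is outvoted on free rounds,
    # its mismatches accumulate and it is excluded after a few rounds.
    print("threshold 4 (majority):", simulate(threshold=4))
    # Unanimity: no false alarms, but once the attacker is gone the five
    # honest terminals can never reach six votes, so every later busy
    # round is missed.
    print("threshold 6 (all):     ", simulate(threshold=6))
```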
4.2.2 Control Channel Saturation DoS Attack (CCSD)
In a multi-hop CRN, CRs communicate with each
other after performing a channel negotiation process in a
distributed manner. During the negotiation phase, MAC
control frames are exchanged to reserve the channel.
When many CRs want to communicate at the same time,
the common control channel becomes a bottleneck as the
channel can only support a certain number of concurrent
data channels. An attacker can utilize this feature and
generate forged MAC control frames for the purpose of
saturating the control channel and thus decreasing the
network performance due to Link layer collisions. As
discussed in [40-41], the Control Channel Saturation DoS
Attack leaves the CRN with a near-zero throughput. It
is important to note that this attack only works on multi-hop
CRNs and does not work on centralized CRNs. This
is because in centralized CRNs, all MAC control frames
are authenticated and stamped by the base station. This
The mechanism used to defend against this attack will be
discussed in the next section.
4.2.3 Selfish Channel Negotiation (SCN)
In a multi-hop CRN, a CR host can refuse to forward
any data for other hosts. This allows it to conserve its
energy and increase its own throughput, a gain that results
from selfish channel concealment [41]. Similar objectives
can be achieved if the selfish host was able to alter the
proper MAC behavior of the CR devices. For instance, if
the host decreases its own back-off window size, it will
have a higher chance of claiming the channel at the expense
of other CR hosts. This attack can also severely degrade the
end-to-end throughput of the whole CRN [41].

• Defending against Control Channel Saturation and Selfish Channel Negotiation
Mitigating CCSD and SCN can be done by adopting
a trusted architecture where any suspicious CR host will
be monitored and evaluated by its neighbors. A neighbor
can then perform a sequential analysis on the set of
observation data and reach a final decision on whether it is
misbehaving or not. The Sequential Probability Ratio Test
can be used for that purpose as it has proven its efficiency
in terms of detection time [41].
4.3 Network Layer Attacks
Much research has focused on the development of
MAC and PHY layer protocols for CRNs; unfortunately,
the end-to-end flow of packets has received insufficient
attention. In addition, CRs introduce challenges to routing
due to the novel way they operate. Routing challenges
faced in CRNs originate from the need to keep CR activities
transparent to primary users. In addition,
CR nodes are required to leave any channel as soon as a
primary user is detected on that channel, which complicates
the routing design even more. The three architectures of
CRNs make the network vulnerable to some old-fashioned
wireless network attacks. Also, CRNs exhibit many
similarities with sensor networks in the sense that they both
use multi-hop routing protocols, and both of them have
power constraints. A good survey on sensor network attacks
can be found in [42]. In what follows, we discuss two of
the most relevant attacks on CRNs namely: sinkholes and
HELLO floods.
4.3.1 Sinkhole Attacks
In a sinkhole attack, an attacker advertises itself as
the best route to a specific destination, luring neighboring
nodes to use it to forward their packets [42]. An attacker
may use this position to perform another attack called
selective forwarding, where the attacker is able to modify
or discard packets from any node in the network. The
attack is particularly effective in the infrastructure and
mesh architectures as all traffic goes through a base station
allowing the attacker to falsely claim that it is the best route
for packet forwarding.
• Defending against Sinkhole Attacks
A sinkhole attack is hard to detect because it exploits
the very design of the routing protocol and network
architecture. However, geographic routing protocols are
fortified against the attack. Geographic routing protocols
construct a topology on demand using only local
communications and information, without initiation from
the base station. Thus, traffic will be routed to the physical
location of the base station, and it will be difficult to lure
it elsewhere to create a sinkhole [42].
4.3.2 HELLO Flood Attacks
The HELLO flood attack is accomplished when an
attacker sends a broadcast message to all the nodes in a
network with enough power to convince them that it is their
neighbor [42]. For example, an attacker sending a packet
advertising a high quality link to a specific destination will
encourage even far away nodes to use this route convincing
them that he is their neighbor. However, their packets will
be lost, and if a node discovers the attack it will be left with
no neighbors to forward its packets because all of them will
be using the same route.
• Defending against HELLO Flood Attacks
To counter HELLO flood attacks, a
symmetric key should be shared with a trusted base station
[42]. The base station will act as a Trusted Third Party,
as in Kerberos, and facilitate the establishment of session
keys between parties in the network in order to protect
their communication. Consequently, two nodes may use
the session key to verify each other's identity as well as
authenticate and encrypt the link between them. Now, to
prevent an attacker from creating a session key with every
node on the network, the number of shared keys must be
limited. In addition, a node claiming to be the neighbor
of so many nodes in the network should raise an alarm.
Symmetric key algorithms are suggested because they are
known to be faster and have lower overhead on system
resources.
• General Techniques to Defend against Network Layer Attacks
In general, one can defend against routing attacks by
using a secure routing protocol, such as Secure Efficient
Ad hoc Distance vector routing protocol (SEAD) [43].
SEAD protects against denial of service attacks as it uses
a one-way hash function instead of asymmetric encryption
to thwart attackers' attempts to cause other nodes to use
more network bandwidth or processing time. The protocol
operates as a distance-vector routing protocol, and its design is
based on the Destination-Sequenced Distance-Vector protocol
(DSDV).
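The one-way hash chain idea behind SEAD, as an added example (not SEAD's reference code or the survey's): a destination releases chain elements indexed by (sequence number, metric), forwarders can only hash forward (worsen the metric), and a receiver holding the authentic anchor verifies every update with hash evaluations alone. Chain parameters, node names and the sample advertisements are constructed, and the indexing follows the scheme of [43] in simplified form.

```python
"""One-way hash chain authentication of distance-vector updates, in the
style of SEAD [43].

Added illustration, not code from [43] or from this survey. It shows why a
hash chain lets a receiver check that an advertised sequence number and
metric are no better than what the destination actually released, with no
public-key operations. Chain parameters, names and advertisements are
constructed.
"""
import hashlib


def H(x: bytes) -> bytes:
    """The one-way function; only forward evaluation is feasible."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, length: int) -> list[bytes]:
    """chain[0] = seed and chain[i] = H(chain[i-1]); chain[length] is the
    anchor, the one value that must reach receivers authentically."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain


class Destination:
    """A node that owns a hash chain and advertises routes to itself."""

    def __init__(self, seed: bytes, max_metric: int, max_seq: int):
        self.m = max_metric + 1        # metrics 0 .. max_metric
        self.k = max_seq               # sequence numbers 1 .. max_seq
        self.chain = make_chain(seed, self.m * self.k)

    def anchor(self) -> bytes:
        return self.chain[-1]

    def element(self, seq: int, metric: int) -> bytes:
        """Chain element released with (seq, metric). The index falls as
        seq rises or metric falls, so a fresher or shorter route needs an
        element that can only be obtained by inverting H."""
        return self.chain[(self.k - seq) * self.m + metric]


def forward_element(element: bytes) -> bytes:
    """A node re-advertising the route one hop farther away hashes once,
    which yields exactly the element for metric + 1."""
    return H(element)


class Receiver:
    """A node that holds only the authentic anchor plus the last update it
    accepted, and verifies each new advertisement against them."""

    def __init__(self, anchor: bytes, m: int, k: int):
        self.m, self.k = m, k
        self.trusted_index, self.trusted_value = m * k, anchor
        self.seq, self.metric = 0, m      # nothing accepted yet

    def accept(self, seq: int, metric: int, element: bytes) -> bool:
        if not (1 <= seq <= self.k and 0 <= metric < self.m):
            return False
        # Distance-vector freshness: newer seq, or same seq with a shorter metric.
        if not (seq > self.seq or (seq == self.seq and metric < self.metric)):
            return False
        idx = (self.k - seq) * self.m + metric
        value = element
        for _ in range(self.trusted_index - idx):
            value = H(value)               # hash forward to the trusted element
        if value != self.trusted_value:
            return False                   # not released by the destination
        self.trusted_index, self.trusted_value = idx, element
        self.seq, self.metric = seq, metric
        return True


def demo() -> dict[str, bool]:
    """Destination D, honest forwarder B, and receiver R two hops away.
    Returns which advertisements R accepts."""
    dest = Destination(b"constructed seed for D", max_metric=7, max_seq=4)
    recv = Receiver(dest.anchor(), dest.m, dest.k)
    d1 = dest.element(1, 0)                 # D announces: seq 1, metric 0
    via_b = forward_element(d1)             # B forwards: seq 1, metric 1
    results = {"honest_two_hop": recv.accept(1, 1, via_b)}
    # A misbehaving node holding via_b claims a shorter route or a newer
    # sequence number; both need chain elements it never received.
    results["forged_shorter_metric"] = recv.accept(1, 0, via_b)
    results["forged_newer_seq"] = recv.accept(2, 0, via_b)
    # D later releases seq 2 and B forwards it honestly.
    results["honest_new_seq"] = recv.accept(
        2, 1, forward_element(dest.element(2, 0)))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} accepted={ok}")
```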
Another effective mechanism to defend against
routing attacks is to use a cross layer solution to make the
transmission more efficient [44]. It suggests that, instead of
the router's direct decision, the routing algorithm and spectrum
management should be considered together to make
decisions for channel scheduling.
4.4 Transport Layer Attacks
As with the other layers, the Transport layer in a CR
node is also vulnerable to many of the attacks that target
wireless Ad Hoc networks in general, for instance, the
JellyFish attack [45]. In what follows, we only consider a
transport layer attack named Lion Attack [46] because of its
close relevance to CRNs.
4.4.1 Lion Attack
The Lion attack uses the primary user emulation (PUE)
attack to disrupt the Transmission Control Protocol (TCP)
connection. The Lion attack can be considered a cross-layer
attack performed at the physical link layer and targeted at
the transport layer where emulating a licensed transmission
will force a CRN to perform frequency handoffs and
thus degrading TCP performance. When a PUE attack is
performed, all SUs have to do frequency handoff in order
to free the channel for the primary user. When this handoff
takes place, TCP will not be aware of the handoff and will
keep creating logical connections and sending packets
without receiving acknowledgments. The TCP segments
will then start to timeout and consequently TCP retransmits
them with an increased timeout value. As a result, the
retransmission timer backs off, doubling its value, resulting
in delays and packet loss. Additionally, if an attacker can
intercept the messages, it can predict the frequency band
tested in a handoff and claim it using PUE, resulting in
total network starvation.
yyDefending against Lion Attack
To mitigate the Lion attack, Hernandez-Serrano et
al. suggest a mechanism that starts by making the TCP
protocol aware of what is happening in the physical layer
by employing cross-layer data sharing between physical/
link and transport layers [47]. This way, the CRN devices
will be able to freeze TCP connection parameters during
frequency handoffs and adapt them to the new network
conditions after the handoff. To secure the control data in
order to prevent the attacker from eavesdropping current
and future actions of the CRN, a group key management
(GKM) can then be used to allow CRN members to
encrypt, decrypt and authenticate themselves. Finally,
cross-layer IDSs specifically adapted to CRNs can be used
to find the attack source if it still exists.
Finally, cognitive radios must have some common
sense [1]. Policies must be defined to cover all scenarios.
In addition, some sort of cooperation between the different
cognitive radios can be beneficial. In [1] a technique called
particle swarm optimization (PSO) is mentioned. Each
cognitive radio is a particle, and each has its own idea about
what is the best behavior in a particular situation. However,
this behavior is not dependent solely on its own idea, but a
weighted average of all the ideas in the network. Next, we
evaluate the countermeasures suggested in section 4.

5 Evaluation Study
In this section, we evaluate the suggested
countermeasures putting a grade for each one. For every
layer, we include the attack, its countermeasures, an
evaluation discussion, and a grade. Three grades are used as
follows:
- indicates that the suggested countermeasure is
good and works for almost all scenarios
- indicates that the suggested countermeasure is
very restrictive in the sense that it only applies to
very specific scenarios or it requires the addition
of extra infrastructure that does not normally exist
in CRNs, for instance WSNs or LVs.
- indicates that the suggested countermeasure
includes some minor drawbacks, but is
acceptable.
Tables 1, 2, 3, and 4 present the evaluation of the
attacks countermeasures of the Physical, Link, Network,
and Transport layers, respectively.
The conclusion that can be made from Table 1 is
that a complete solution can be formulated to defend
against Physical Layer attacks in CRNs by combining
fingerprinting, frequency hopping, and thresholding (to
thwart OFA). The conclusion extracted from Table 2 is
that by adopting a trusted CRN architecture and using a
Weighted Sequential Ratio Test one can defend against Link
Layer attacks. Tables 3 and 4 indicate that the suggested
countermeasures are well suited to defend against Network
and Transport layer attacks. Therefore, by combining
these countermeasures (the ones graded as ), one can
achieve a secure CRN. Although this combination can
potentially produce the ultimate secure CRN, it might face
performance problems. Other approaches have been suggested
to achieve a secure CRN; we discuss them next.

6 Sample Frameworks for Secure CRNs
It is obvious from section 4 that CRNs are vulnerable
to many serious attacks that hinder their usefulness. As
discussed earlier, various mitigation techniques were
suggested for each category of CRN attacks. In order to
form a secure CRN, all these mitigation techniques need
to be incorporated in the same CRN. However, such
a solution becomes a bottleneck, as most of the CR nodes'
processing power will be spent on security checks.
As an alternative, some researchers suggested building
various security frameworks for CRNs. The suggestions can
be mainly categorized into: cryptography based, reputation
based, and trust based.

In [48], a CRN security framework based on
cryptography is suggested that aims to provide
authentication, confidentiality and integrity for CR nodes'
interactions. The framework uses the 802.1X access control
mechanism, a Key Distribution Center (KDC), a new
CR terminal identification policy, and modified DHCP
servers, which work together to provide proper
resource allocation and message authentication in DHCP
transactions. The KDC is also used to authenticate the
mapping between the addresses used in the ARP protocol
(MAC and IP addresses), and to distribute session keys
to neighboring CR terminals, allowing them to share a secure
dedicated channel. This architecture achieves security in
CRNs since all services are supported by secret, shared
session keys between interacting devices. However, no
experimental evaluation was done to prove the effectiveness
of this approach.
In [49], a reputation based mechanism is suggested to
identify and mitigate the harm done by misbehaved CRs
who falsify sensed data while cooperative spectrum sensing
is taking place. The scheme starts by choosing some nodes
as trusted. It then categorizes the reputation of each CR into
three states: discarded, pending and reliable. The sensing
information of the trusted nodes is reliable by default. The
reputation of the other CRs is initially assigned a pending
state and accumulates through a consistency
check between global and local sensing decisions. Those
that exceed the trusted threshold are updated to reliable,
and their sensing results are then incorporated in CSS. The
others are changed to discarded. Simulation results show
that the scheme works well even when there is a large
number of misbehaviors.
In [50], a trusted cognitive radio networking (TCRN)
concept is suggested to facilitate network functions such
as association in dynamic spectrum access and routing.
The authors argue that two major components should
be present in CRN trust model: trusted association and
learning algorithms. Trusted association consists of the
initial decision for a node to accept or reject the trusted
association from a neighboring CR node. Moreover,
each CR node should keep track of the information it
collects and employ appropriate learning algorithms in
order to make better decisions regarding trust measures,
packet forwarding, and routing. TCRN was formulated
mathematically and a conclusion was made that TCRN
can allow more homogeneous operation of CRN as a
heterogeneous wireless network.

7 Conclusion
In this paper, we described the most recent and
important attacks targeting CRNs. We classified them
according to the layer they operate on and presented
their existing countermeasures. We then evaluated all the
countermeasures, giving each one a grade that reflects its
effectiveness. According to these evaluations, we suggested
combining the countermeasures that we think will produce
the ultimate secure CRN. Such a suggestion should
normally be supported by simulation results, but we keep this
as part of our future work. We also overviewed the works
that suggest building security frameworks for CRNs from
scratch.

Table 1 Physical layer threats, countermeasures, and evaluations

Threat | Countermeasure | Evaluation | Grade
--- | --- | --- | ---
Primary User Emulation | Cryptographic authentication of primary users | Does not work as it requires altering the primary user system, which violates FCC regulations |
Primary User Emulation | Distance Ratio Test (DRT), based on signal strength measurements [14] | Depends on trusted nodes called Location Verifiers (LVs). Major drawback is that tight synchronization among LVs is required, and it can be fooled if the attacker is close to the tower |
Primary User Emulation | Distance Difference Test (DDT), based on signal phase difference [14] | Same as DRT |
Primary User Emulation | LocDef, based on localization of the primary user [7] | Depends on a Wireless Sensor Network to collect RSS measurements. The RSS measurement of the primary user is compared to the collected ones. Major drawback is the addition of the WSN |
Primary User Emulation | Localization strategy that applies TDOA then FDOA [19][20] | Major drawback of this approach is that it relies on many assumptions that make it very restrictive and not applicable to general CRNs |
Primary User Emulation | Wald's sequential probability ratio test used to detect PUE [23] | Major drawback of this approach is that it assumes that the transmission power of the attacker is fixed |
Primary User Emulation | Fingerprinting approaches used to authenticate the transmission source [21] | Out of the suggested countermeasures, this approach is considered the best, but there is a likely increase in storage requirement and total sensing time due to possible overhead of extra signal processing operations |
Objective Function Attack | Define threshold values for every updatable radio parameter. If the parameters do not meet the thresholds, the communication stops [12] | The major drawback of this approach is that it depends on fixed thresholds. A considerable improvement would be to make these thresholds adaptive. |
Objective Function Attack | Use Intrusion Detection System (IDS) [12] | Using an IDS is a very general countermeasure that does not defend against all kinds of OFA |
Jamming | Collect enough data on the level of noise in the network and build a statistical model to use in distinguishing between normal and abnormal levels of noise [27] | Drawback lies in the definition of "enough data", i.e., what is the appropriate amount of data that should be used to build the model |
Jamming | Compare Signal Strength and Packet Delivery Ratio: if SS is high but PDR is low, a legitimate user may assume that it's being jammed unless one of its neighbors has high SS and PDR [26] | There is no rule that decides on the relation between high and low when the authors say "If SS is high, but PDR is low". This issue presents a major weakness in the suggested approach. |
Jamming | Location Consistency Checks [26] | The location of the neighbors is important and can be acquired through GPS, but the drawback is that GPS might not always exist in a CRN. |
Jamming | Frequency hopping | Good solution for jamming |
Jamming | Spatial retreat | The user should be very careful when escaping from the jamming signal of the attacker since he needs to stay in range with the other user he is communicating with. |

Table 2 Link Layer Threats, Countermeasures, and Evaluations

Threat | Countermeasure | Evaluation | Grade
Spectrum Sensing Data Falsification, SSDF (Byzantine attack) | Decision fusion technique where all collected local spectrum-sensing results are summed and compared to a threshold to detect an attack [33] | The major drawback is the use of a fixed threshold: in this countermeasure, raising or lowering the threshold has a major impact on the decision. Moreover, the method is ineffective in many scenarios that involve multiple attackers. |
SSDF | Weighted Sequential Probability Ratio Test (WSPRT) [18] | The solution is composed of two steps: a reputation maintenance step and the actual hypothesis test. No analytical study is provided, but the reported performance is good. |
SSDF | Weight based fusion scheme [35] | Uses a trust approach and pre-filtering techniques. Shows good performance. |
SSDF | Detection mechanism that runs in the fusion center [36] | The fusion center identifies the attackers and removes them from the data fusion process. Only works when a centralized fusion center exists. |
SSDF | Detection mechanism that requires a priori knowledge [37] | The major drawback is that the a priori knowledge becomes untrustworthy when the network is under SSDF attack, so the suggested detection mechanism is no longer optimal in terms of minimizing the overall cost. |
SSDF | Neyman-Pearson Test [38] | Works by fixing either a maximum acceptable probability of false alarm or a maximum acceptable probability of missed detection. It still requires the a priori conditional probabilities of the local sensing results. |
SSDF | Detection mechanism based on trust [39] | The major drawback is that the scheme cannot be applied to scenarios with multiple malicious users. |
Control Channel Saturation DoS Attack | Detection mechanism based on trust [41] | The suggested countermeasure adopts a trusted architecture in which any suspicious CR host is monitored and evaluated by its neighbors. A neighbor can then perform a Sequential Probability Ratio Test to reach a final decision on whether the host is misbehaving. Its performance is shown to be good. |
Selfish Channel Negotiation | Detection mechanism based on trust [41] | The same countermeasure suggested for the Control Channel Saturation DoS Attack works for this attack. |
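The first two SSDF rows above, as an added example (not code from the paper, from [33] or from [18]): the sum-and-threshold fusion rule of [33] is run next to a reputation-weighted likelihood-ratio fusion in the spirit of the WSPRT of [18] on a constructed trace. The trace (PU present every fourth round, a deterministic honest sensing error pattern, attackers that always report "present" so that secondary users vacate the band), the local sensor quality (Pd, Pf), the +1/-1 reputation update and the smoothing constant G are all assumptions of this example; the weighted rule here is a per-round batch decision, not the sequential stopping rule of [18].

```python
"""Cooperative spectrum sensing under Spectrum Sensing Data Falsification (SSDF).

Two fusion rules from Table 2, compared on a constructed trace:
  * sum-and-threshold fusion [33]: declare the primary user (PU) present when at
    least k of the N local binary reports say so;
  * reputation-weighted likelihood-ratio fusion in the spirit of the WSPRT of [18]:
    each report is weighted by its sender's reputation, and reputations are
    updated after every round by agreement with the fused decision.
PD/PF, the reputation update, G and the trace are assumptions of this example."""

import math
from dataclasses import dataclass
from typing import List, Tuple

PD, PF = 0.9, 0.1            # assumed local detection / false-alarm probabilities
LLR = {1: math.log(PD / PF), 0: math.log((1 - PD) / (1 - PF))}  # log-likelihood ratio per report
G = 2                        # assumed reputation smoothing constant (also the floor)


@dataclass
class Scenario:
    truth: List[int]          # PU present (1) / absent (0) per round (constructed)
    reports: List[List[int]]  # reports[t][i]: report of sensor i in round t
    n_honest: int             # sensors 0..n_honest-1 are honest, the rest attack


def make_scenario(n_honest: int, n_attackers: int, rounds: int = 12) -> Scenario:
    """Constructed trace: PU present every 4th round; honest sensor i makes a
    sensing error in round t iff (i + 3t) % 11 == 0; attackers always report 1."""
    truth = [1 if t % 4 == 1 else 0 for t in range(rounds)]
    reports = []
    for t in range(rounds):
        row = [truth[t] ^ int((i + 3 * t) % 11 == 0) for i in range(n_honest)]
        row.extend([1] * n_attackers)
        reports.append(row)
    return Scenario(truth, reports, n_honest)


def sum_threshold_errors(scn: Scenario, k: int) -> int:
    """Fusion rule of [33]: PU present iff at least k reports say 1. Returns the
    number of rounds in which the fused decision disagrees with the truth."""
    return sum((sum(r) >= k) != bool(tr) for r, tr in zip(scn.reports, scn.truth))


def weights(rep: List[int]) -> List[float]:
    """Map reputations onto [0, 1]: the best-reputed sensor gets weight 1, a sensor
    at the floor -G gets weight 0. The denominator is kept >= G to avoid 0/0."""
    den = max(max(rep), 0) + G
    return [(r + G) / den for r in rep]


def reputation_weighted_errors(scn: Scenario) -> Tuple[int, List[float]]:
    """Reputation-weighted LLR fusion: decide PU present iff the weighted sum of
    report LLRs is positive, then reward reports that agree with the decision
    and penalise those that disagree (floored at -G). Returns (errors, final weights)."""
    n = len(scn.reports[0])
    rep = [0] * n
    errors = 0
    for row, tr in zip(scn.reports, scn.truth):
        w = weights(rep)
        score = sum(wi * LLR[u] for wi, u in zip(w, row))
        decision = 1 if score > 0 else 0
        errors += decision != tr
        rep = [max(-G, r + (1 if u == decision else -1)) for r, u in zip(rep, row)]
    return errors, weights(rep)
```

With 6 honest sensors and 3 falsifiers, k = 5 is a working threshold for the rule of [33]; with 5 falsifiers the same k is wrong in every PU-absent round and only k = 7 recovers, so the "right" fixed threshold depends on an attacker count the fusion center does not know. The reputation-weighted rule drives the three falsifiers' weights to zero within a few rounds without any such tuning, but it is not magic: once the falsifiers plus one honest error outnumber the honest majority (5 of 11 here), the first wrong decision rewards the attackers and the reputations lock in the wrong way, which is the multiple-attacker limitation the evaluations of [33] and [39] point at.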

Table 3 Network Layer Threats, Countermeasures, and Evaluations

Threat | Countermeasure | Evaluation | Grade
Sinkhole Attack | Geographic routing protocols [42] | Traffic is routed toward the physical location of the base station rather than along advertised routes, so an attacker cannot attract it by advertising an attractive route. Presents a good solution for sinkhole attacks. |
HELLO Flood Attack | Symmetric key based algorithm [42] | The base station acts as a Trusted Third Party and facilitates the establishment of session keys between parties in the network, so a node accepts HELLO messages only from verified neighbors. Presents a good solution for HELLO Flood attacks. |
Other Attacks | Use a protocol called SEAD [43] | Protects routing updates against tampering by using one-way hash functions (hash chains). |
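The SEAD row above, as an added example of the one-way hash chain it relies on; this is not code from the paper or from the SEAD authors. The origin of a route builds a chain h_0, h_1 = H(h_0), ..., h_n and publishes h_n; each (sequence number, metric) pair maps to one chain element, so an intermediate node can only increase the metric (one more hash) and can neither lower it nor raise the sequence number without a preimage. Assumptions of this example: SHA-256 as H, the anchor h_n is delivered authentically out of band, and k sequence numbers with metrics 0..m-1 are laid out on a chain of k*m elements following the layout in the SEAD paper.

```python
"""One-way hash chains as used by SEAD [43] to authenticate distance-vector updates
(the countermeasure listed under "Other Attacks" in Table 3). Assumptions: SHA-256
as the one-way function, anchor distributed out of band, chain of k*m elements."""

import hashlib
import os
from dataclasses import dataclass


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


@dataclass(frozen=True)
class Update:
    seq: int      # destination sequence number, higher is fresher
    metric: int   # hop count, lower is better
    auth: bytes   # hash-chain element authenticating (seq, metric)


def chain_index(seq: int, metric: int, k: int, m: int) -> int:
    """Higher seq and lower metric map to EARLIER chain elements, which are harder
    to forge because reaching them from a later element needs a preimage."""
    return (k - seq) * m + metric


class SeadOrigin:
    """The node that owns the destination address and generated the chain."""

    def __init__(self, k_seqs: int, max_metric: int):
        self.k, self.m = k_seqs, max_metric
        chain = [os.urandom(32)]                  # h_0: secret random seed
        for _ in range(k_seqs * max_metric):
            chain.append(H(chain[-1]))            # h_i = H(h_{i-1})
        self.chain = chain
        self.anchor = chain[-1]                   # h_n, distributed authentically (assumption)

    def advertise(self, seq: int) -> Update:
        """The origin advertises itself with metric 0 for sequence number seq."""
        if not 1 <= seq <= self.k:
            raise ValueError("sequence numbers exhausted; a new chain is needed")
        return Update(seq, 0, self.chain[chain_index(seq, 0, self.k, self.m)])


def forward(u: Update) -> Update:
    """An honest intermediate node adds one hop and hashes the authenticator once."""
    return Update(u.seq, u.metric + 1, H(u.auth))


def verify(u: Update, anchor: bytes, k: int, m: int) -> bool:
    """Hash forward from u.auth the number of steps implied by (seq, metric);
    the result must equal the published anchor h_n."""
    if not (1 <= u.seq <= k and 0 <= u.metric < m):
        return False
    steps = k * m - chain_index(u.seq, u.metric, k, m)
    x = u.auth
    for _ in range(steps):
        x = H(x)
    return x == anchor


def fresher(new: Update, old: Update) -> bool:
    """DSDV/SEAD route preference: higher sequence number, then lower metric.
    A replayed (valid but stale) update is rejected here, not by verify()."""
    return new.seq > old.seq or (new.seq == old.seq and new.metric < old.metric)
```

Verification costs at most k*m hashes against the anchor; a node that already holds a verified element for the same destination can instead hash forward only to that element, which is what keeps SEAD cheap enough for resource-limited nodes. What the chain does not give is confidentiality or protection against a node simply dropping updates; those are outside this countermeasure.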

Table 4 Transport Layer Threats, Countermeasures, and Evaluations

Threat | Countermeasure | Evaluation | Grade
Lion Attack | Cross-layer detection based mechanism [47] | Good solution. |

References
[1] T. Charles Clancy and Nathan Goergen, Security in Cognitive Radio Networks: Threats and Mitigation, International Conference on Cognitive Radio Oriented Wireless Networks and Communications (CrownCom), Singapore, May, 2008, pp.1-8.
[2] Kwang Cheng Chen, Y. J. Peng, Neeli Rashmi Prasad, Y. C. Liang and Sumei Sun, Cognitive Radio Network Architecture: Part I -- General Structure, Proceedings of the 2nd International Conference on Ubiquitous Information Management and Communication, Suwon, South Korea, January, 2008, pp.114-119.
[3] Vinod Sharma and ArunKumar Jayaprakasam, An Efficient Algorithm for Cooperative Spectrum Sensing in Cognitive Radio Networks, Proceedings of National Communications Conference (NCC), Guwahati, India, January, 2009.
[4] Cognitive Radio Ad Hoc Networks, Broadband Wireless Networking Lab, School of Electrical and Computer Engineering, Georgia Inst of Tech. URL: http://www.ece.gatech.edu/research/labs/bwn/CRAHN/projectdescription.html
[5] Wenjing Yue and Baoyu Zheng, A Two-Stage Spectrum Sensing Technique in Cognitive Radio Systems Based on Combining Energy Detection and One-Order Cyclo-Stationary Feature Detection, Proceedings of the 2009 International Symposium on Web Information Systems and Applications (WISA09), Nanchang, China, May, 2009, pp.327-330.
[6] Rajesh K. Sharma and Jon W. Wallace, Improved Spectrum Sensing by Utilizing Signal Autocorrelation, Proceedings of IEEE Vehicular Technology Conference, Barcelona, Spain, April, 2009, pp.1-5.
[7] Ruiliang Chen, Jung-Min Park and Jeffrey H. Reed, Defense against Primary User Emulation Attacks in Cognitive Radio Networks, IEEE Journal on Selected Areas in Communications, Vol.26, No.1, 2008, pp.25-37.
[8] Huahui Wang, Leonard Lightfoot and Tongtong Li, On PHY-Layer Security of Cognitive Radio: Collaborative Sensing under Malicious Attacks, 44th Annual Conference on Information Sciences and Systems (CISS), Princeton, NJ, March, 2010, pp.1-6.
[9] Eric Wong and Rene Cruz, On Physical Carrier Sensing for Cognitive Radio Networks, Forty-Fifth Annual Allerton Conference on Communication, Control, and Computing, Allerton House, UIUC, IL, September, 2007.
[10] Bertrand Mercier, Viktoria Fodor, Ragnar Tobaben et al., Sensor Networks for Cognitive Radio: Theory and System Design, ICT Mobile Summit, Stockholm, Sweden, June, 2008.
[11] Tevfik Yucek and Huseyin Arslan, A Survey of Spectrum Sensing Algorithms for Cognitive Radio Applications, IEEE Communications Surveys & Tutorials, Vol.11, No.1, 2009, pp.116-130.
[12] Olga León, Juan Hernández-Serrano and Miguel Soriano, Securing Cognitive Radio Networks, International Journal of Communication Systems, Vol.23, No.5, 2010, pp.633-652.
[13] Xueying Zhang and Cheng Li, The Security in Cognitive Radio Networks: A Survey, Proceedings of the 2009 ACM International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly (IWCMC 09), New York, 2009, pp.309-313.
[14] Ruiliang Chen and Jung-Min Park, Ensuring Trustworthy Spectrum Sensing in Cognitive Radio Networks, First IEEE Workshop on Networking Technologies for Software Defined Radio Networks (SDR), Reston, VA, September, 2006, pp.110-119.
[15] Yiyang Pei, Ying-Chang Liang, Lan Zhang, Kah Chan Teh and Kwok Hung Li, Secure Communication Over MISO Cognitive Radio Channels, IEEE Transactions on Wireless Communications, Vol.9, No.4, 2010, pp.1494-1502.
[16] Ruiliang Chen, Enhancing Attack Resilience in Cognitive Radio Networks, Dissertation, Virginia Polytechnic Institute and State University, Blacksburg, VA, 2008.
[17] Santhanakrishnan Anand, Zituo Jin and Koduvayur Subbalakshmi, An Analytical Model for Primary User Emulation Attacks in Cognitive Radio Networks, 3rd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN), Chicago, IL, October, 2008.
[18] Ruiliang Chen, Jung-Min Park, Y. Thomas Hou and Jeffrey H. Reed, Toward Secure Distributed Spectrum Sensing in Cognitive Radio Networks, IEEE Communications Magazine, Vol.46, No.4, 2008, pp.50-55.
[19] Lianfen Huang, Liang Xie, Han Yu, Wumei Wang and Yan Yao, Anti-PUE Attack Based on Joint Position Verification in Cognitive Radio Networks, International Conference on Communications and Mobile Computing (CMC), Vol.2, Shenzhen, China, April, 2010, pp.169-173.
[20] Caidan Zhao, Wumei Wang, Lianfen Huang and Yan Yao, Anti-PUE Attack Based on the Transmitter Fingerprint Identification in Cognitive Radio, 5th International Conference on Wireless Communications, Networking and Mobile Computing (WiCom 09), Beijing, China, September, 2009, pp.1-5.

[21] O. Richard Afolabi, Kiseon Kim and Aftab Ahmad, On Secure Spectrum Sensing in Cognitive Radio Networks Using Emitters Electromagnetic Signature, Proceedings of 18th International Conference on Computer Communications and Networks (ICCCN 2009), San Francisco, CA, August, 2009, pp.1-5.
[22] Oktay Ureten and Nur Serinken, Wireless Security through RF Fingerprinting, Canadian Journal of Electrical and Computer Engineering, Vol.32, No.1, 2007, pp.27-33.
[23] Zituo Jin, Santhanakrishnan Anand and Koduvayur Subbalakshmi, Mitigating Primary User Emulation Attacks in Dynamic Spectrum Access Networks Using Hypothesis Testing, ACM Mobile Computing and Communications Review, Special Issue on Cognitive Radio Technologies and Systems, Vol.13, No.2, 2009, pp.74-85.
[24] Qusay Mahmoud, Cognitive Networks: Towards Self-Aware Networks, Wiley E-Book, New York, 2007.
[25] Yuan Zhang, Gaochao Xu and Xiaozhong Geng, Security Threats in Cognitive Radio Networks, 10th IEEE International Conference on High Performance Computing and Communications (HPCC 2008), Dalian, China, September, 2008, pp.1036-1041.
[26] Wenyuan Xu, Wade Trappe, Yanyong Zhang and Timothy Wood, The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks, Proceedings of ACM MobiHoc, Urbana, IL, May, 2005, pp.46-57.
[27] Wenyuan Xu, Timothy Wood, Wade Trappe and Yanyong Zhang, Channel Surfing and Spatial Retreats: Defenses Against Wireless Denial of Service, Proceedings of the 3rd ACM Workshop on Wireless Security, Philadelphia, PA, January, 2004, pp.80-89.
[28] Ashwin Sampath, Hui Dai, Haitao Zheng and Ben Y. Zhao, Multi-channel Jamming Attacks Using Cognitive Radios, Proceedings of 16th International Conference on Computer Communications and Networks (ICCCN 2007), Honolulu, HI, August, 2007, pp.352-357.
[29] Chris Karlof and David Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, Berkeley, CA, May, 2003, pp.113-127.
[30] Chetan Mathur and Koduvayur Subbalakshmi, Security Issues in Cognitive Radio Networks, Cognitive Networks: Towards Self-Aware Networks, Wiley, New York, 2007, pp.284-293.
[31] Priyank Anand, Ankit Singh Rawat, Hao Chen and Pramod K. Varshney, Collaborative Spectrum Sensing in the Presence of Byzantine Attacks in Cognitive Radio Networks, Second International Conference on Communications Systems and Networks (COMSNETS 2010), Bangalore, India, January, 2010, pp.1-9.
[32] Huahui Wang, Leonard Lightfoot and Tongtong Li, On PHY-Layer Security of Cognitive Radio: Collaborative Sensing under Malicious Attacks, 44th Annual Conference on Information Sciences and Systems (CISS), Princeton, NJ, March, 2010, pp.1-6.
[33] A. Pandharipande et al., IEEE P802.22 Wireless RANs: Technology Proposal Package for IEEE 802.22, IEEE 802.22 WG on WRANs, November, 2005.
[34] Yeelin Shei and Y. T. Su, A Sequential Test Based Cooperative Spectrum Sensing Scheme for Cognitive Radios, IEEE 19th International Symposium on Personal, Indoor and Mobile Radio Communications 2008 (PIMRC 2008), Cannes, France, September, 2008, pp.1-5.
[35] Praveen Kaligineedi, Majid Khabbazian and Vijay K. Bhargava, Secure Cooperative Sensing Techniques for Cognitive Radio Systems, IEEE International Conference on Communications 2008 (ICC 08), Beijing, China, May, 2008, pp.3406-3410.
[36] Ankit Rawat, Priyank Anand, Hao Chen and Pramod Varshney, Countering Byzantine Attacks in Cognitive Radio Networks, 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP), Dallas, TX, March, 2010, pp.3098-3101.
[37] Linjun Lu, Soo-Young Chang et al., Technology Proposal Clarifications for IEEE 802.22 WRAN Systems, IEEE 802.22 WG on WRANs, March, 2006.
[38] Joerg Hillenbrand, Timo Weiss and Friedrich K. Jondral, Calculation of Detection and False Alarm Probabilities in Spectrum Pooling Systems, IEEE Communication Letters, Vol.9, No.4, 2005, pp.349-351.
[39] Wenkai Wang, Husheng Li, Yan Sun and Zhu Han, Attack-Proof Collaborative Spectrum Sensing in Cognitive Radio Networks, 43rd Annual Conference on Information Sciences and Systems, 2009 (CISS 2009), Baltimore, MD, March, 2009, pp.130-134.
[40] Li Zhu and Huaibei Zhou, Two Types of Attacks against Cognitive Radio Network MAC Protocols, International Conference on Computer Science and Software Engineering, Vol.4, Wuhan, China, December, 2008, pp.1110-1113.
[41] Kaigui Bian and Jung-Min Park, MAC-Layer Misbehaviors in Multi-hop Cognitive Radio Networks, 2006 US-Korea Conference on Science, Technology, and Entrepreneurship (UKC2006), August, 2006.

[42] Chris Karlof and David Wagner, Secure Routing in Wireless Networks: Attacks and Countermeasures, Ad Hoc Networks, Vol.1, 2003, pp.293-315.
[43] Yih-Chun Hu, David B. Johnson and Adrian Perrig, SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks, Proceedings of the Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA02), Callicoon, NY, June, 2002.
[44] Ian F. Akyildiz, Won-Yeol Lee, Mehmet C. Vuran and Shantidev Mohanty, Next Generation/Dynamic Spectrum Access/Cognitive Radio Wireless Networks: A Survey, Elsevier Computer Networks, Vol.50, 2006, pp.2127-2159.
[45] Imad Aad, Jean-Pierre Hubaux and Edward W. Knightly, Denial of Service Resilience in Ad Hoc Networks, Proceedings of the 10th Annual International Conference on Mobile Computing and Networking (MobiCom 04), Philadelphia, PA, September, 2004.
[46] Olga León, Juan Hernández-Serrano and Miguel Soriano, A New Cross-Layer Attack to TCP in Cognitive Radio Networks, Proceedings of the 2nd International Workshop on Cross Layer Design (IWCLD 09), Palma, Spain, June, 2009, pp.1-5.
[47] Juan Hernández-Serrano, Olga León and Miguel Soriano, Modeling the Lion Attack in Cognitive Radio Networks, EURASIP Journal on Wireless Communications and Networking, Vol.2011, Article ID 242304, 10 pages, 2011.
[48] Hugo Marques, José Ribeiro, Paulo Marques, André Zúquete and Jonathan Rodriguez, A Security Framework for Cognitive Radio IP Based Cooperative Protocols, IEEE 20th International Symposium on Personal, Indoor and Mobile Radio Communications, Tokyo, Japan, September, 2009, pp.2838-2842.
[49] Kun Zeng, Przemysław Pawełczak and Danijela Cabric, Reputation-Based Cooperative Spectrum Sensing with Trusted Nodes Assistance, IEEE Communications Letters, Vol.14, No.3, 2010, pp.226-228.
[50] Kwang-Cheng Chen, Peng-Yu Chen, Neeli Prasad, Ying-Chang Liang and Sumei Sun, Trusted Cognitive Radio Networking, Wireless Communications and Mobile Computing, Vol.10, 2010, pp.467-485.

Biographies
Wassim El-Hajj received his BS degree
from the American University of Beirut
in 2000, and the MS and PhD degrees
in 2002 and 2006, respectively, from
Western Michigan University, all in
Computer Science. Immediately after
his graduation, he joined the Faculty of
Information Technology at UAE University as an Assistant
Professor in the Department of Information Security.
Later, he joined the Electrical and Computer Engineering
Department at the American University of Beirut as a
visiting assistant professor. Currently, he is a visiting
assistant professor in the Computer Science Department at
the American University of Beirut. His research interests
include Security, Network Planning, and Bioinformatics.
Some of his academic accomplishments include a book
published recently in 2010, more than 30 journal and
conference publications, and multiple research funds.
In addition to his research and teaching experience, he
has valuable industrial experience with Boeing and Ten
Strategic Consulting Co.
Haidar Safa received a BS in Computer
Science in 1991 from Lebanese
University, Lebanon, MS in Computer
Science in 1996 from University of
Quebec at Montreal (UQAM), and a PhD
in Electrical and Computer Engineering
in 2001 from Ecole Polytechnique de
Montreal. He joined ADC Telecommunications in 2000
then SS8 Networks in 2001 where he worked on designing
and developing networking and system software. In 2003,
he joined the American University of Beirut where he
is currently an associate professor at the Department of
Computer Science. Dr. Safa is also associated with the
Mobile Computing and Networking Research Laboratory
(LARIM), Ecole Polytechnique de Montreal, Montreal,
Canada. His research interests include mobile and wireless
networks, distributed computing, quality of service, routing,
and network security.


Mohsen Guizani received a BS (with
distinction), MS and PhD degrees in
Electrical Engineering from Syracuse
University in 1985, 1987 and 1990,
respectively. He worked in different
institutions and is now a full professor.
His research interests cover network
security, wireless communications and networking,
performance evaluation, and optical computing. He
received the best research award in 1995 and 1999. He
also received the best teaching award in 1999. He was a
distinguished speaker of the IEEE Computer Society and a
very active member of the IEEE Communication Society.
He is a Fellow of the IEEE and a senior member of the
ACM.
