Abstract
Cognitive Radio (CR) is a novel technology that
promises to solve the spectrum shortage problem by
allowing secondary users to coexist with primary users
without causing interference to their communication.
Although the operational aspects of CR are being explored
vigorously, its security aspects have gained little attention.
In this paper, a brief overview of the CR technology is
provided followed by a detailed analysis of the security
attacks targeting Cognitive Radio Networks (CRNs)
along with the corresponding mitigation techniques.
We categorize the attacks with respect to the layer they
target starting from the physical layer and moving up
to the transport layer. An evaluation of the suggested
countermeasures is presented along with other solutions
and augmentations to achieve a secure and trusted CRN.
Keywords:
1 Introduction
The ever-increasing demand for spectrum due to the
rapid introduction of novel wireless applications has led
the Federal Communications Commission (FCC) to approve
in September 2010 new rules to allow unlicensed users
to utilize the spectrum reserved for wireless broadband
services (300MHz and 400MHz). The technology
developed to take advantage of this unused spectrum is
Cognitive Radio Networks (CRNs) which are intelligent
networks that adapt to changes in their environments to
make a better use of the radio spectrum. CRNs help solve
the problem of spectrum shortage by allowing unlicensed
users to use primary systems without interference. This
technology allows the coexistence and sharing of licensed
spectrum resources between two types of users, licensed
and unlicensed.
Cognitive Radio (CR) nodes have unique capabilities
which allow them to take advantage of available white
spaces in a spectrum. A study made at the Berkeley
Wireless Research Center (BWRC) shows that most
spectrum, particularly from 1 GHz to 10 GHz is underutilized, as shown in Figure 1. The nodes can sense
their environment and spectrum, analyze the discovered
information, and adjust to the sensed environment. CR
*Corresponding author:
00-Invited Paper.indd 1
2011/3/10 13:00:58
3 Spectrum Sensing
In order for a CR node (secondary user) to acquire a
service, it undergoes spectrum sensing to decide on the
band to use for transmission, i.e., it searches for spectrum
holes in a specific frequency, and then it exploits the
existence of these holes to be able to use that frequency
for communication. This technique is called Dynamic
Spectrum Access (DSA). However, making sure that this
sensing process is reliable is a challenging task for CRs
because of the signal fading due to the low received signal
strength which may result in the hidden node problem. This
proposed to compute the secrecy capacity and the
capacity-achieving transmit covariance matrix. By exploring the
inherent convexity, the first approach has transformed the
original quasiconvex problem into a single semidefinite
program, which can be solved efficiently. By exploring the
relationship between the secure CRN and the conventional CRN, the
second approach has transformed the original problem
into a sequence of optimization problems related to the
conventional CRN.
4.1.1 Primary User Emulation (PUE)
One of the Cognitive Radio principles is that a
secondary user is allowed to use a specific band as long
as it is not occupied by a primary user. However, once the
secondary user detects the presence of a primary user, it
must switch channels immediately to an alternative band
in order not to cause interference to the primary user. If the
secondary user detects another secondary user using the
same band, certain mechanisms should be used to share the
spectrum fairly.
Primary User Emulation (PUE) attack [14][16] is
carried out by a malicious secondary user emulating a
primary user or masquerading as a primary user to obtain
the resources of a given channel without having to share
them with other secondary users (Figure 7). As a result,
the attacker is able to obtain full bands of a spectrum. The
motivation behind the attack is divided into two categories:
Selfish PUE attack and Malicious PUE attack. In the Selfish
PUE attack, the attacker's goal is to increase its share of
the spectrum resources. In addition, this attack can be
conducted simultaneously by two attackers to establish a
dedicated link between them. In the Malicious PUE attack,
the attacker's goal is to prevent legitimate secondary users
from using the holes found in a spectrum.
[Figure: labels Data collector (Fusion center), Sensing Terminals, Primary User, Local Spectrum Sensing Results, Data Fusion, Final spectrum sensing result, Malicious user]
The secondary user will then sense that the spectrum is idle
and claim it. On the other hand, when dealing with learning
radios, information about primary users' current and past
behavior can be gathered in order to predict when they will
leave the channel, i.e., make it idle. The attacker can then
perform the PUE attack during these idle times. Now the
attack will have a long term effect on secondary users and
they might never use the affected channel ever again.
As mentioned in [12], new and more sophisticated PUE
attacks can be performed when having some knowledge
about the cognitive radio network. For instance, an
attacker can utilize the CRN's quiet periods to perform
PUE attacks. A quiet period is the time during which all
secondary users refrain from transmitting to facilitate
spectrum sensing. During these periods, any user whose
received signal strength is beyond a certain threshold
is considered a primary user. This CRN feature can be
exploited by an attacker who transmits during quiet
periods, fooling the rest of the nodes into treating it as a
primary user. Another example is an attacker that performs new PUE
attacks whenever the CRN makes a frequency handoff, i.e.,
switches from one channel to another, thus degrading the
data throughput of the CRN or leading to a complete DoS.
Such an attack assumes that the attacker can find the next
CRN in a limited time.
Apart from the experimental PUE attacks, an analytical
model is described in [17] to obtain the probability of
successful PUE attacks on secondary users. The authors
provided lower bounds on the probability of a successful
attack using Fenton's approximation and Markov inequality.
We discuss next the approaches used to thwart PUE attacks.
Defending Against Primary User Emulation Attack
To defend against PUE attacks, the identity of the
transmitting source needs to be established, i.e., is the
transmitting source a primary user or a malicious user? The
usual and best approach to verifying a user's identity is to
apply cryptographic authentication mechanisms, such as
digital signatures. But such an approach cannot be adopted
because of the FCC regulation that prohibits altering
primary user systems. Given this restriction and knowing
that primary users' locations are known ahead of time,
researchers resorted to finding efficient ways of pinpointing
the location of the transmitting source. If the location of the
source matches the location of a primary user, the source is
considered to be a primary user. Otherwise it is considered
to be an attacker trying to emulate a primary user.
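The location check described above can be sketched as follows. This is an added example, not code from the paper or from [14]: it assumes a log-distance path-loss model without shadowing, and the tower and verifier coordinates, path-loss exponent, tolerance and quiet-period threshold are constructed values.

```python
import math

# Constructed geometry in metres; all values here are assumptions, not from the paper.
PRIMARY_TOWERS = {"tower_A": (0.0, 0.0)}            # known primary user locations
VERIFIERS = {"v1": (3000.0, 0.0), "v2": (0.0, 8000.0), "v3": (-6000.0, -2000.0)}
PATH_LOSS_EXP = 3.0     # assumed path-loss exponent
TOLERANCE_DB = 3.0      # assumed allowance for measurement error
THRESHOLD_DBM = -110.0  # assumed quiet-period detection threshold

def rss_dbm(tx_pos, rx_pos, tx_power_dbm):
    """Received power under the log-distance model (1 m reference, no shadowing)."""
    return tx_power_dbm - 10 * PATH_LOSS_EXP * math.log10(math.dist(tx_pos, rx_pos))

def expected_gap_db(tower, a, b):
    """RSS(a) - RSS(b) for a transmitter at `tower`. Transmit power cancels out,
    so only the ratio of the two distances matters."""
    d_a, d_b = math.dist(tower, VERIFIERS[a]), math.dist(tower, VERIFIERS[b])
    return 10 * PATH_LOSS_EXP * math.log10(d_b / d_a)

def classify(measured):
    """measured: {verifier name: RSS in dBm} sampled during a quiet period."""
    if max(measured.values()) < THRESHOLD_DBM:
        return "idle"
    names = sorted(measured)
    pairs = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]]
    for name, tower in PRIMARY_TOWERS.items():
        errors = [abs(measured[a] - measured[b] - expected_gap_db(tower, a, b))
                  for a, b in pairs]
        if max(errors) <= TOLERANCE_DB:
            return "primary:" + name
    return "suspected_pue"

def simulate(tx_pos, tx_power_dbm):
    """Build a constructed measurement set for a transmitter at tx_pos."""
    return {v: rss_dbm(tx_pos, pos, tx_power_dbm) for v, pos in VERIFIERS.items()}

if __name__ == "__main__":
    print(classify(simulate((0.0, 0.0), 80.0)))       # transmitter at the tower
    print(classify(simulate((2500.0, 500.0), 30.0)))  # transmitter elsewhere
    print(classify({v: -120.0 for v in VERIFIERS}))   # nothing above threshold
```

Because the check compares RSS differences between verifiers, a change in transmit power alone does not alter the verdict; real deployments with shadowing and fading would need averaging or a wider tolerance.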
In [14], two approaches have been suggested to
determine the location of the transmitting source: Distance
Ratio Test (DRT) which is based on received signal strength
measurements and Distance Difference Test (DDT) which
is based on signal phase difference. Both approaches are
5 Evaluation Study
In this section, we evaluate the suggested
countermeasures and assign a grade to each one. For every
layer, we include the attack, its countermeasures, an
evaluation discussion, and a grade. Three grades are used as
follows:
- indicates that the suggested countermeasure is
good and works for almost all scenarios
- indicates that the suggested countermeasure is
very restrictive in the sense that it only applies to
very specific scenarios or it requires the addition
of extra infrastructure that does not normally exist
in CRNs, for instance WSNs or LVs.
- indicates that the suggested countermeasure
includes some minor drawbacks, but is
acceptable.
Tables 1, 2, 3, and 4 present the evaluation of the
countermeasures for attacks on the Physical, Link, Network,
and Transport layers, respectively.
The conclusion that can be drawn from Table 1 is
that a complete solution can be formulated to defend
against Physical Layer attacks in CRN by combining
fingerprinting, frequency hopping, and thresholding (to
thwart OFA). The conclusion drawn from Table 2 is
that by adopting a trusted CRN architecture and using a
Weighted Sequential Ratio Test one can defend against Link
Layer attacks. Tables 3 and 4 indicate that the suggested
countermeasures are well suited to defend against Network
and Transport layer attacks. Therefore, by combining
these countermeasures (the ones graded as ), one can
achieve a secure CRN. Although this suggestion can
potentially produce the ultimate secure CRN, it might face
performance problems. Other approaches were suggested to
achieve a secure CRN; we discuss their approaches next.
7 Conclusion
In this paper, we described the most recent and
important attacks targeting CRNs. We classified them
[Table, columns Threat / Countermeasure / Evaluation / Grade. Surviving entries: Primary User Emulation; Jamming; Cryptographic authentication of primary users; Frequency hopping; Spatial retreat; Same as DRT]
[Table, columns Threat / Countermeasure / Evaluation / Grade. Surviving threat entry: Spectrum Sensing Data Falsification (Byzantine attack)]
[Table, columns Threat / Countermeasure / Evaluation / Grade. Surviving threat entries: Sinkhole Attack; HELLO Flood Attack; Other Attacks]
[Table, columns Threat / Countermeasure / Evaluation / Grade. Threat: Lion Attack. Countermeasure: Cross Layer detection based mechanism [47]. Evaluation: Good solution]
References
[1] T. Charles Clancy and Nathan Goergen, Security in
Cognitive Radio Networks: Threats and Mitigation,
International Conference on Cognitive Radio
Oriented Wireless Networks and Communications
(CrownCom), Singapore, May, 2008, pp.1-8.
[2] Kwang Cheng Chen, Y. J. Peng, Neeli Rashmi Prasad,
Y. C. Liang and Sumei Sun, Cognitive Radio Network
Architecture: part I -- General Structure, Proceedings
of the 2nd International Conference on Ubiquitous
Information Management and Communication,
Suwon, South Korea, January, 2008, pp.114-119.
[3] Vinod Sharma and ArunKumar Jayaprakasam,
An Efficient Algorithm for Cooperative Spectrum
Sensing in Cognitive Radio Networks, Proceedings
of National Communications Conference (NCC),
Guwahati, India, January, 2009.
[4] Cognitive Radio Ad Hoc Networks, Broadband
Wireless Networking Lab, School of Electrical
and Computer Engineering, Georgia Inst of Tech.
URL: http://www.ece.gatech.edu/research/labs/bwn/
CRAHN/projectdescription.html
[5] Wenjing Yue and Baoyu Zheng, A Two-Stage
Spectrum Sensing Technique in Cognitive Radio
Systems Based on Combining Energy Detection and
One-Order Cyclo-Stationary Feature Detection,
Proceedings of the 2009 International Symposium
on Web Information Systems and Applications
(WISA09), Nanchang, China, May, 2009, pp.327-330.
[6] Rajesh K. Sharma and Jon W. Wallace, Improved
Spectrum Sensing by Utilizing Signal Autocorrelation,
Proceedings of IEEE Vehicular Technology
Conference, Barcelona, Spain, April, 2009, pp.1-5.
[7] Ruiliang Chen, Jung-Min Park and Jeffrey H. Reed,
Defense against Primary User Emulation Attacks in
Cognitive Radio Networks, IEEE Journal on Selected
Areas in Communications, Vol.26, No.1, 2008, pp.25-37.
[8] Huahui Wang, Leonard Lightfoot and Tongtong
Li, On PHY-Layer Security of Cognitive Radio:
Collaborative Sensing under Malicious Attacks, 44th
Annual Conference on Information Sciences and
Systems (CISS), Princeton, NJ, March, 2010, pp.1-6.
[9] Eric Wong and Rene Cruz, On Physical Carrier
Sensing for Cognitive Radio Networks, Forty-Fifth
Annual Allerton Conference on Communication,
Control, and Computing, Allerton House, UIUC, IL,
September, 2007.
[10] Bertrand Mercier, Viktoria Fodor, Ragnar Tobaben
et al., Sensor Networks for Cognitive Radio: Theory
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[32]
[33]
[34]
[35]
[36]
[37]
[38]
[39]
[40]
[41]
Biographies
Wassim El-Hajj received his BS degree
from the American University of Beirut
in 2000, and the MS and PhD degrees
in 2002 and 2006, respectively, from
Western Michigan University, all in
Computer Science. Immediately after
his graduation, he joined the Faculty of
Information Technology at UAE University as an Assistant
Professor in the Department of Information Security.
Later, he joined the Electrical and Computer Engineering
Department at the American University of Beirut as a
visiting assistant professor. Currently, he is a visiting
assistant professor in the Computer Science Department at
the American University of Beirut. His research interests
include Security, Network Planning, and Bioinformatics.
Some of his academic accomplishments include a book
published recently in 2010, more than 30 journal and
conference publications, and multiple research funds.
In addition to his research and teaching experience, he
has valuable industrial experience with Boeing and Ten
Strategic Consulting Co.
Haidar Safa received a BS in Computer
Science in 1991 from Lebanese
University, Lebanon, MS in Computer
Science in 1996 from University of
Quebec at Montreal (UQAM), and a PhD
in Electrical and Computer Engineering
in 2001 from Ecole Polytechnique de
Montreal. He joined ADC Telecommunications in 2000
then SS8 Networks in 2001 where he worked on designing
and developing networking and system software. In 2003,
he joined the American University of Beirut where he
is currently an associate professor at the Department of
Computer Science. Dr. Safa is also associated with the
Mobile Computing and Networking Research Laboratory
(LARIM), Ecole Polytechnique de Montreal, Montreal,
Canada. His research interests include mobile and wireless
networks, distributed computing, quality of service, routing,
and network security.