Outline
Introduction
SSDF Attacks
Decision fusion
Bayesian detection
Neyman-Pearson test
Weighted sequential probability ratio test (WSPRT)
Incumbent coexistence
Avoid serious interference to incumbent users
Ex: spectrum sensing for detecting incumbent signals
Ex: dynamic frequency hopping to avoid interfering with
detected incumbents
Why is self-coexistence important in CR networks?
Minimize self interference between neighboring networks
Need to satisfy QoS of networks' admitted service
workloads in a DSA environment
Ex: 802.22 prescribes inter-cell dynamic resource sharing
mechanisms for better self-coexistence
CR coexistence mechanisms can be exploited by adversaries
Threats to incumbent coexistence mechanisms
Threats to self-coexistence mechanisms
[Figure: WRAN base station coverage (typical ~33 km, max. 100 km) with TV transmitters and wireless microphones]
[Figure: fast sensing and fine sensing periods of BS1, BS2 and BS3 along a time axis; legend: 802.22 transmission]
Cognitive Radio Communications and Networks: Principles
and Practice
By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
CMAC mechanisms protected by 802.22's security sublayer
DoS attacks
Insertion of forged management messages by rogue terminals
Prevented by use of mutual authentication and MACs
Replay attacks
Management messages: Prevented by use of nonces in
challenge/response protocols
Data packets: Thwarted using AES-CCM & packet numbers
Threats against WMBs
Class B CPEs possess pre-programmed keys that enable the use of
authentication mechanisms to prevent WMB forgery/modification
Spurious transmissions in QPs
Interfere w/ various coexistence-related control mechanisms
Primary user emulation
Adversarial radio transmits signals whose characteristics emulate
those of incumbent signals
Objective of BF attacks
Disrupt self-coexistence mechanisms (spectrum contention processes)
Attack method
Forge inter-cell beacons with arbitrarily large CCN value
(e.g., select CCN from [W / z, W ], where z >= 1)
Tx beacons that contain large CCN to neighboring BSs
Impact of BF attacks
Legitimate victim BSs lose the target channels.
Drop in network throughput
Objective of BF attack
Undermine efficacy of incumbent coexistence mechanism (spectrum
sensing)
Attack method
Forge inter-cell beacons with spurious Frame Offset
Impact of BF attack
Victim BS performs frame sliding according to the spurious Frame Offset,
which causes asynchrony of QPs.
Asynchrony causes self-interference that degrades accuracy of spectrum
sensing during QPs.
Impact on misdetection probability (for energy detector)
An incumbent signal is detected if $Y > r$ (the estimated Rx signal power, $Y$, is
greater than the threshold $r$).
Under BF attacks, self-interference in QPs causes the threshold to increase
to a larger value, $r^*$.
The misdetection probability increases by $\Pr(r < Y \le r^*) = \int_{r}^{r^*} f_Y(x)\,dx$.
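The misdetection increase described above, worked numerically as an added example (not from the original slides or the book). Assumptions: Y is modelled with a Gaussian approximation of the energy statistic over N real samples, the threshold is set for a constant false-alarm rate against the measured power floor, and all function names and sample powers are constructed for illustration.

```python
import math
from statistics import NormalDist


def energy_stat(n_samples, noise_pow, extra_pow=0.0):
    """Gaussian approximation of the energy-detector statistic Y (mean power
    over n_samples real samples). Assumption: the page leaves f_Y unspecified."""
    total = noise_pow + extra_pow
    return NormalDist(mu=total, sigma=total * math.sqrt(2.0 / n_samples))


def threshold(n_samples, floor_pow, pfa):
    """Detection threshold giving false-alarm rate pfa against a power floor."""
    return energy_stat(n_samples, floor_pow).inv_cdf(1.0 - pfa)


def misdetection_increase(n_samples, noise_pow, signal_pow, interf_pow, pfa):
    """Return (r, r_star, P_miss at r, Pr(r < Y <= r_star)).

    r      : threshold calibrated against noise only (synchronized QPs)
    r_star : threshold after self-interference raises the floor in the QP
    As on the slide, f_Y is held fixed (incumbent signal plus noise) and
    only the threshold moves.
    """
    r = threshold(n_samples, noise_pow, pfa)
    r_star = threshold(n_samples, noise_pow + interf_pow, pfa)
    y = energy_stat(n_samples, noise_pow, signal_pow)  # Y with incumbent present
    p_miss = y.cdf(r)                    # Pr(Y <= r)
    increase = y.cdf(r_star) - p_miss    # integral of f_Y from r to r_star
    return r, r_star, p_miss, increase


if __name__ == "__main__":
    # Constructed sample values: unit noise power, incumbent at -10 dB SNR.
    N, NOISE, SIGNAL, PFA = 1000, 1.0, 0.1, 0.1
    print("interf      r      r*   P_miss  increase")
    for interf in (0.0, 0.01, 0.02, 0.05, 0.1):
        r, r_star, p_miss, inc = misdetection_increase(N, NOISE, SIGNAL, interf, PFA)
        print(f"{interf:6.2f} {r:6.4f} {r_star:6.4f} {p_miss:8.4f} {inc:9.4f}")
```

In this model, self-interference at half the incumbent's power raises the misdetection probability from about 0.19 to about 0.58, which is why QP synchronization matters to the sensing result.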
Countermeasures
802.22 backhaul infrastructure
Chapter 15 Summary
Emergence of the opportunistic spectrum sharing (OSS)
paradigm and cognitive radio technology raises new
security implications that have not been studied
previously
One countermeasure for primary user emulation attacks is
transmitter verification; it is composed of 3 processes:
Verification of signal characteristics
Measurement of received signal energy level
Localization of the signal source
We can model the distributed spectrum sensing problem
as a parallel fusion network to deal with Byzantine failures
IEEE 802.22 is vulnerable to attacks because its inter-cell
beacons are not protected