Cognitive Radio Network Security

Chapter 15
Cognitive Radio Network Security
Cognitive Radio Communications and Networks: Principles and Practice

By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Outline
A taxonomy of CR security threats

Primary user emulation attacks
Byzantine failures in distributed spectrum sensing
Security vulnerabilities in IEEE 802.22

Introduction
Successful deployment of CR networks and the realization of

their benefits will depend on the placement of essential
security mechanisms
Emergence of the opportunistic spectrum sharing (OSS)
paradigm and cognitive radio technology raises new security
implications that have not been studied previously
Researchers have only recently started to examine the security
issues specific to CR devices and networks

Some Recent Publications on CR

Security
R. Chen, J. Park, & J. Reed, Defense against primary user

emulation attacks in cognitive radio networks, IEEE Journal on
Selected Areas in Communications, vol. 26, no. 1, Jan. 2008.
R. Chen, J. Park, T. Hou, & J. Reed, Toward secure distributed
spectrum sensing in cognitive radio networks, IEEE Comm.
Magazine, vol. 46, no. 4, 2008.
S. Xiao, J. Park, and Y. Ye, Tamper Resistance for Software
Defined Radio Software, IEEE Computer Software and
Applications Conference, July 2009.
K. Bian and J. Park, Security Vulnerabilities in IEEE 802.22,
Fourth International Wireless Internet Conference, Nov. 2008.

Some Recent Publications on CR

Security
T. Clancy, N. Goergen, Security in Cognitive Radio Networks:

Threats and Mitigation, Intl Conference on Cognitive Radio
Oriented Wireless Networks and Communications, May 2008.
T.B. Brown and A. Sethi, Potential cognitive radio denial-ofservice vulnerabilities and protection countermeasures: a
multi-dimensional analysis and assessment, Journal of Mobile
Networks and Applications, vol. 13, no. 5, Oct. 2008.
A. Brawerman et al., Towards a fraud-prevention framework
for software defined radio mobile devices, EURASIP Journal on
Wireless Comm. and Networking, vol. 2005, no. 3, 2005.
L.B. Michael et al., A framework for secure download for
software-defined radio, IEEE Comm. Magazine, July 2002.
P. Flanigan et al., Dynamic policy enforcement for software
defined radio, 38th Annual Simulation Symposium, 2005.

A Taxonomy of CR Security Threats

C
ff
:
b
(
r
&

The Importance of Distinguishing

Primary Users from Secondary Users
Spectrum usage scenario for a secondary user
Periodically search for spectrum white spaces (i.e.,
fallow bands) to transmit/receive data
When a primary user is detected in its spectrum band
Immediately vacate that band and switch to a vacant
one
vertical spectrum sharing
When another secondary user is detected in its

spectrum band
When there are no better spectrum opportunities, it
may choose to share the band with the detected
secondary user
horizontal spectrum sharing
CR MAC protocol guarantees fair resource allocation
among secondary users
Primary User Emulation Attacks

Existing Technique (1): Using Energy

Detection to Conduct Spectrum Sensing
Trust model
An energy detector measures RF energy or the RSS
to determine whether a given channel is idle or not
Secondary users can recognize each others signals
and share a common protocol, and therefore are able
to identify each other
If an unidentified user is detected, it is considered a
primary user

Existing Technique (1): Using Energy

Detection to Conduct Spectrum Sensing
Problem: If a malicious secondary user
transmits a signal that is not recognized by
other secondary users, it will be identified as a
primary user by the other secondary users
Interference to primary users
Prevents other secondary users from accessing that
band

10
Existing Technique (2): Matched Filter and

Cyclostationary Feature Detection
Trust model
Matched filter and cyclostationary feature detectors
are able to recognize the distinguishing
characteristics of primary user signals
Secondary users can identify each others signals
Problem: If a malicious secondary user

transmits signals that emulate the
characteristics of primary user signals, it will be
identified as a primary user by the other
secondary users
band
11
Existing Technique (3): Quiet Period

for Spectrum Sensing
Trust model
Define a quiet period that all secondary users stop
transmission. It is dedicated for spectrum sensing.
Any user detected in the quiet period (using energy
detector, matched filter or cyclostationary feature
detector) is a primary user
Problem: If a malicious secondary user transmits

signals in the quiet period, it will be identified as
a primary user by the other secondary users
band
12
The Disruptive Effects of Primary User

Emulation Attacks
Selfish PUE attacks
Malicious PUE attacks

13
Transmitter Verification for Spectrum

Sensing
Transmitter verification for spectrum sensing is
composed of three processes:
Verification of signal characteristics
Measurement of received signal energy level
Localization of the signal source

14
A Flowchart of transmitter verification

15
Challenges in PST Localization
Primary signal transmitter (PST) localization is more

challenging than the standard localization problem due to two
reasons
No modification should be made to primary users to
accommodate the DSA of licensed spectrum. This
requirement excludes the possibility of using a localization
protocol that involves the interaction between a primary
user and the localization device(s).
PST localization problem is a non-interactive
localization problem
When a receiver is localized, one does not need to consider
the existence of other receivers. However, the existence of
multiple transmitters may add difficulty to transmitter
localization

16
A solution to PST Localization
Magnitude of an RSS value typically decreases as the distance

between the signal transmitter and the receiver increases
If one is able to collect a sufficient number of RSS
measurements from a group of receivers spread throughout a
large network, the location with the peak RSS value is likely to
be the location of a transmitter.
Advantage of this technique is twofold,
Obviates modification of primary users and
Supports localizing multiple transmitters that transmit
signals simultaneously

17
Byzantine failures in distributed

spectrum sensing
Cause of Byzantine failures in distributed spectrum
sensing (DSS)
Malfunctioning sensing terminals
Spectrum sensing data falsification (SSDF) attacks
A malicious secondary user intentionally sends falsified local

spectrum sensing reports to the data collector in an attempt to
cause the data collector to make incorrect spectrum sensing
decisions

18
SSDF Attacks

19
Modeling of DSS as a parallel fusion

network
We can model the DSS problem as a parallel fusion

network
20
Data fusion algorithms for DSS
Decision fusion
Bayesian detection
Neyman-Pearson test
Weighted sequential probability ratio test (WSPRT)

21
The Coexistence Problem in CR

Networks
Incumbent coexistence
Avoid serious interference to incumbent users
Ex: spectrum sensing for detecting incumbent signals
Ex: dynamic frequency hopping to avoid interfering with
detected incumbents
Why is self-coexistence important in CR networks?
Minimize self interference between neighboring networks
Need to satisfy QoS of networks admitted service
workloads in a DSA environment
Ex: 802.22 prescribes inter-cell dynamic resource sharing
mechanisms for better self-coexistence
CR coexistence mechanisms can be exploited by adversaries
Threats to incumbent coexistence mechanisms
Threats to self-coexistence mechanisms

22
Operating Environment of 802.22 Networks

Incumbent services:
TV broadcast services
Part 74 devices (wireless microphones)
WRAN
Base Station
Wireless
microphones
TV transmitters
WRAN
Base Station
: WRAN Base Station
Wireless
microphones
Typical ~33km
Max. 100km
: CPE (Consumer Premise Equipment)

23
PHY-Layer Support for Coexistence
Two-stage spectrum sensing in quiet periods (QPs)

Fast sensing stage: a quick and simple detection technique,
e.g., energy detection.
Fine sensing stage: measurements from fast sensing
determine the need and duration of fine sensing stage.
Synchronization of overlapping BSs QPs
Channel Detection Time
Fast sensing

Fine sensing
Fast sensing
Fine sensing
BS1

Fast sensing

Fine sensing
Fast sensing
Fine sensing
BS2

Fast sensing

Fine sensing
Fast sensing
Fine sensing
BS3
Time
Fast sensing
Fine sensing
Cognitive Radio Communications and Networks: Principles
and Practice
802.22 Transmission
24
Cognitive MAC (CMAC) Layer

(1)
Two types control messages

Management messages: intra-cell management
Beacons: inter-cell coordination
Inter-cell synchronization
Frame offset is contained in beacon payload
The receiver BS performs frame sliding to synchronize with
the transmitter BS.

25

(2)
Inter-BS dynamic resource sharing

Needed when QoS of admitted service workload cannot be
satisfied
802.22 prescribes non-exclusive & exclusive spectrum sharing
On-demand spectrum contention (ODSC) protocol
Select a target channel to contend
Each BS selects a Channel Contention Number (CCN) from
[0,W].
BS with a greater CCN wins the pair-wise contention
procedure.
BS wins the channel if it wins all pair-wise contention
procedures with all co-channel BSs.
Inter-cell beacons used to carry out ODSC

26

(3)
Protection of Part 74 devices (wireless microphones)

Class A solution
A separate beacon device deployed
Transmit short wireless microphone beacons (WMB)
Use WMBs to notify collocated 802.22 cells about operation
of Part 74 devices
Class B solution
Wireless
A special type of CPE is deployed
MIC
Class B CPEs detect Part 74
WRAN
Base Station
Class B CPE
device operations and notify
other 802.22 systems

27
Overview of 802.22s Security Sublayer
802.22 security sublayer provides confidentiality, authentication and

integrity services for intra-cell management messages
PKM (Privacy Key Management) protocol
Encapsulation protocol
It fails to protect inter-cell beacons used in coexistence mechanisms
CMAC mechanisms
protected by
802.22s security
sublayer

28
Potential Security Threats
DoS attacks
Insertion of forged management messages by rogue terminals
Prevented by use of mutual authentication and MACs
Replay attacks
Management messages: Prevented by use of nonces in
challenge/response protocols
Data packets: Thwarted using AES-CCM & packet numbers
Threats against WMBs
Class B CPEs possess pre-programmed keys that enable the use of
authentication mechanisms to prevent WMB forgery/modification
Spurious transmissions in QPs
Interfere w/ various coexistence-related control mechanisms
Primary user emulation
Adversarial radio transmits signals whose characteristics emulate
those of incumbent signals

29
Security Vulnerabilities in Inter-Cell

Coexistence Mechanisms
Inter-cell beacons are not protected by 802.22s

security sublayer!
Beacon Falsification (BF) attack
Two types of BF attacks
Tx of false/forged inter-cell beacons to
disrupt spectrum contention processes
Network throughput drop
interfere with inter-cell synchronization
Undermine the accuracy of spectrum sensing

30
Disrupting Inter-cell Spectrum Contention
Objective of BF attacks
Disrupt self-coexistence mechanisms (spectrum contention processes)
Attack method
Forge inter-cell beacons with arbitrarily large CCN value
(e.g., select CCN from [W / z, W ], where z >= 1)
Tx beacons that contain large CCN to neighboring BSs
Impact of BF attacks
Legitimate victim BSs lose the target channels.
Drop in network throughput
Z=1
Simulation layout and results

31
Interfering with Inter-cell Synchronization
Objective of BF attack
Undermine efficacy of incumbent coexistence mechanism (spectrum
sensing)
Attack method
Forge inter-cell beacons with spurious Frame Offset
Impact of BF attack
Victim BS performs frame sliding according to the spurious Frame Offset,
which causes asynchrony of QPs.
Asynchrony causes self-interference that degrades accuracy of spectrum
sensing during QPs.
Impact on misdetection probability (for energy detector)
An incumbent signal is detected if Y > r (estimated Rx signal power, Y , is
greater than threshold r ).
Under BF attacks, self-interference in QPs causes the threshold to increase
to a larger value, r*.
r*
*
Miss detection probability increases by Pr(r Y r )
fY ( x)dx

32
Countermeasures
To thwart the forgery of inter-cell beacons, an inter-cell key

management scheme is needed
Utilize the backhaul infrastructure that connects multiple cells
Employ a distributed key management scheme
802.22 backhaul
infrastructure

33
Chapter 15 Summary
Emergence of the opportunistic spectrum sharing (OSS)
paradigm and cognitive radio technology raises new
security implications that have not been studied
previously
One countermeasure for primary user emulation attacks is
transmitter verification; it is composed of 3 processes:
Verification of signal characteristics
Measurement of received signal energy level
Localization of the signal source
We can model the distributed spectrum sensing problem
as a parallel fusion network to deal with Byzantine failures
IEEE 802.22 is vulnerable to attacks because its inter-cell
beacons are not protected
34

Cognitive Radio Network Security

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Cognitive Radio Network Security

Diunggah oleh

Hak Cipta:

Format Tersedia

Chapter 15

Cognitive Radio Network Security

Cognitive Radio Communications and Networks: Principles and Practice

A taxonomy of CR security threats

Cognitive Radio Communications and Networks: Principles and Practice

Successful deployment of CR networks and the realization of

Cognitive Radio Communications and Networks: Principles and Practice

Some Recent Publications on CR

R. Chen, J. Park, & J. Reed, Defense against primary user

Cognitive Radio Communications and Networks: Principles and Practice

Some Recent Publications on CR

T. Clancy, N. Goergen, Security in Cognitive Radio Networks:

Cognitive Radio Communications and Networks: Principles and Practice

A Taxonomy of CR Security Threats

Cognitive Radio Communications and Networks: Principles and Practice

The Importance of Distinguishing

When another secondary user is detected in its

Primary User Emulation Attacks

Cognitive Radio Communications and Networks: Principles and Practice

Existing Technique (1): Using Energy

Cognitive Radio Communications and Networks: Principles and Practice

Existing Technique (1): Using Energy

Cognitive Radio Communications and Networks: Principles and Practice

Existing Technique (2): Matched Filter and

Problem: If a malicious secondary user

Existing Technique (3): Quiet Period

Problem: If a malicious secondary user transmits

The Disruptive Effects of Primary User

Selfish PUE attacks

Malicious PUE attacks

Cognitive Radio Communications and Networks: Principles and Practice

Transmitter Verification for Spectrum

Cognitive Radio Communications and Networks: Principles and Practice

A Flowchart of transmitter verification

Cognitive Radio Communications and Networks: Principles and Practice

Challenges in PST Localization

Primary signal transmitter (PST) localization is more

Cognitive Radio Communications and Networks: Principles and Practice

A solution to PST Localization

Magnitude of an RSS value typically decreases as the distance

Cognitive Radio Communications and Networks: Principles and Practice

Byzantine failures in distributed

A malicious secondary user intentionally sends falsified local

Cognitive Radio Communications and Networks: Principles and Practice

Cognitive Radio Communications and Networks: Principles and Practice

Modeling of DSS as a parallel fusion

We can model the DSS problem as a parallel fusion

Data fusion algorithms for DSS

Cognitive Radio Communications and Networks: Principles and Practice

The Coexistence Problem in CR

Cognitive Radio Communications and Networks: Principles and Practice

Operating Environment of 802.22 Networks

: WRAN Base Station

: CPE (Consumer Premise Equipment)

Cognitive Radio Communications and Networks: Principles and Practice

PHY-Layer Support for Coexistence

Two-stage spectrum sensing in quiet periods (QPs)

Channel Detection Time

Channel Detection Time

Channel Detection Time

Channel Detection Time

Channel Detection Time

Cognitive MAC (CMAC) Layer

Two types control messages