security in cognitive radio networks

Upload: mohamed-abdelbaset

Post on 13-Oct-2015


FACULTY OF ENGINEERING
CAIRO UNIVERSITY
Electronics and Electrical Communications Department

Cognitive Radio Networks
Security in Cognitive Radio Networks

Presented to Dr. Ahmed Khattab

Prepared by Amal Samir Abd El-hameed, Mohamed AbdelBasset Mustafa AbdelAziz and Mohamed Sayed Mohamed Sayed AbuZeid

Cairo, 2014

1. Abstract

This report presents the security concept in cognitive radio networks. A suitable cognitive radio model is introduced to explain the effects of different security attacks on cognitive radio network behavior. Attacks on the different layers of the model are discussed, with a special focus on physical layer attacks. Finally, mitigation techniques against the addressed attacks are discussed.

2. Introduction

Cognitive radios have the ability to learn from the environment and adapt their output to it. Learning from the environment and adapting to it requires an artificial intelligence (AI) that controls the radio's decisions based on the provided sensory inputs. If an enemy manages to feed a cognitive radio a false sensory input, it can alter the radio's beliefs and behaviors and drive radio operation into sub-optimal or even malicious performance.

This report focuses mainly on physical layer security attacks and provides an analysis of the different threats that affect the optimality of cognitive radio performance. Attacks on higher layers are also discussed, in less detail. Mitigation schemes for the discussed threats are presented in some detail as well.

3. Cognitive Radio Architecture

A cognitive radio consists of two basic parts: a software-defined radio (SDR) and a controlling entity. An SDR typically consists of an adjustable front-end, modem components, sensors and a programming interface to the controlling entity. The front-end is adjustable in order to tune over different frequency ranges, and it includes an amplifier that allows communication at many different power levels. The modem components can implement many different modulation types with different symbol rates. Similar flexibility is possible for additional layers such as the data link layer; for example, the data link layer can include forward error correction, data framing, multiplexing, and scheduling. An SDR has a wide variety of sensors. One example is an energy detector that measures the received power at the tuned frequency in order to determine whether or not that channel is occupied. Other sensors may be used to determine the signal-to-noise ratio, bit error rate, frame error rate, or the type of communication system that occupies the channel at a certain instant of time.

The controlling entity consists of a knowledge base, a learning engine and a reasoning engine. It needs to select the set of inputs that results in optimal outputs, where optimality is often defined by an objective or fitness function. Selecting the radio inputs is then simply a multi-dimensional, discrete optimization problem. The knowledge base represents the state of the radio through read-write configurations and read-only statistics. The reasoning engine has a list of actions to be carried out when certain conditions are met; those actions have a direct effect on the state of the knowledge base. The learning engine is capable of starting with no preprogrammed policy and trying out various radio configurations to see how the system performs. For example, a radio can try out different modulation types to see which works best in a particular RF environment.

According to the existence of the learning engine, cognitive radios can be categorized into policy radios and learning radios: policy radios do not have a learning engine, while learning radios do.

Fig. 1. Cognitive radio components.

4. Physical Layer Attacks

The physical layer in cognitive radio networks (CRN) is responsible for RF observation, sensing coordination, and spectrum switching. The importance of this layer comes from its responsibility for three parts of the Mitola cognition cycle [1] of Sense -> Analyze -> Decide -> Adapt, namely sensing, analyzing, and adapting. Thus, attacking this layer makes the CRN vulnerable to different types of attacks such as:

Sensory manipulation, where the attacker manipulates the RF environment that the radio is sensing. The attacker can thereby cause faulty statistics to appear in the knowledge base, causing the radio to select a suboptimal configuration while the attacker gets the use of all available resources. This technique affects policy radios.

Belief manipulation, where the attacker manipulates how the CR behaves and reacts to different situations, so that a CR node can act as a malicious node towards other nodes. This technique affects learning radios.

These attacks may cause a cognitive radio system to act sub-optimally, maliciously, or even as a cognitive radio virus, depending on the cooperation between the different cognitive radio nodes.

4.1. Primary User Emulation Attack (PUE)

This attack is effective in dynamic spectrum access (DSA) environments. In such environments, a primary user (PU) owns a license to a particular frequency band and can use it whenever it wishes. When the PU is idle, secondary users (SU) can opportunistically use the available spectrum. Such SUs need spectrum sensing algorithms to detect when the PU is active.

If an attacker targets the sensing function of the SU by creating a waveform similar to the PU signal, the SU sees the attacker's signal and believes that the PU is active. This causes the system to lose this channel and lowers the system utilization [2].

There are two types of PUE attack, namely the selfish attack and the malicious attack. A selfish attack is carried out by another secondary user: a greedy SU that aims at having all the spectrum resources all the time without sharing them with other SUs, as shown in Fig. 2a. In the malicious attack, the attack is carried out by an outside attacker whose goal is to prevent the secondary users from using the free spectrum, as shown in Fig. 2b [3].

PUE effects are transient, as it is only a sensory-manipulation attack: once the attacker leaves the frequency, the SU notices that the spectrum has become idle again and can resume using it. On the other hand, the attacker can increase the effect of its attack by predicting the times at which the PU uses the channel, so that when the PU does not use the channel, the attacker sends the PU waveform; this can prevent SU transmission altogether. The attacker can also make the PU signal appear as noise to the SU, so that the SU cannot identify which bands are available to transmit in without interfering with the PU.

Fig. 2a. Primary User Emulation attack by a greedy secondary user.

Fig. 2b. Primary User Emulation attack by a malicious user.

4.2. Objective Function Attacks

Referring back to the structure of the cognitive radio, we focus here on the learning engine. This engine is responsible for adjusting the radio parameters, which include center frequency, bandwidth, power, modulation type, coding rate, channel access protocol, and encryption type, in order to meet environment requirements such as low energy consumption, high data rate, and high security. The cognitive engine calculates these parameters by solving one or more objective functions. We can represent this function as a weighted sum, such as

where , and represent the weights power ( ), data rate ( ) and security ( ).

In this case, we can see that power and security are defined by the system inputs, while data rate is a system output. For example, when the cognitive engine tries to use a high security level S, the attacker launches a jamming attack on the radio, thus reducing R and hence reducing the overall objective function. As a result, the cognitive engine reduces the security level to increase the data rate, so as not to decrease the objective function. This way, the attacker forces the radio to use a low security level that can be broken easily. That is why this kind of attack is called a belief-manipulation attack [3].

4.3. Malicious Behavior Attacks

This can be seen as another type of objective function attack, where the attacker changes the SU's objective function by changing its weights, so that the SU becomes a jamming signal to the PU.

Jamming is an attack that can be carried out at the physical and MAC layers. In jamming, the attacker (jammer) maliciously sends out packets to prevent the two users in a communication session from sending or receiving data, consequently creating a denial of service situation. The jammer may send a continuous stream of packets so that an SU is never able to sense a channel as idle. A more dangerous attack a jammer can carry out is to jam the dedicated channel that is used to exchange sensing information between CRs (common control data attack) [3].

As mentioned, affecting the behavior of a CRN may turn it into a cognitive radio virus. This attack works on the idea of self-propagating behavior: a series of state transitions in one cognitive radio node propagates through all nodes in a particular area, inducing the same pattern of state transitions in the neighboring radios. As an example, the attacker may cause all CRN nodes to transmit in the same period, which causes collisions between all nodes and degrades the network efficiency [2].

5. Security Attacks Mitigation and Defense

In this section, we explore possible mitigation and defense techniques for the different CR security threats described in the previous two sections.

5.1. Primary User Emulation Attack Mitigation

In order to defend against PUE attacks, the identity of the transmitting source should be analyzed to confirm whether it is a primary user or a malicious user.

The best approach to recognize the PU identity would be to apply cryptographic authentication mechanisms, such as digital signatures. However, such an approach cannot be adopted because of the FCC regulation stating that no modification to the primary user should be required to accommodate opportunistic use of the spectrum by secondary users. Many researchers have therefore proposed alternative techniques that determine the location of the transmitting source: if this location matches the location of a primary user, the source is considered to be a primary user; otherwise, it is a PUE attacker. Fig. 3 presents the different proposed procedures and techniques for PUE attack mitigation.

Fig. 3. Primary User Emulation attack mitigation techniques.

5.1.1. PU Transmitter Verification

In this section, we discuss PU transmitter verification procedures and methods. Two main approaches are introduced: the Distance Ratio Test (DRT), which is based on received signal strength (RSS) measurements, and the Distance Difference Test (DDT), which is based on signal phase difference. These approaches are considered non-interactive localization techniques for PU transmitter verification, as the location verifiers used cannot interact with the signal transmitter to estimate or verify its location [3].

Before elaborating on each technique, the following environment assumptions are made:
PUs are TV broadcast towers with fixed locations, and SUs are within the range of the towers' signals.
Two types of trusted Location Verifiers (LVs) are considered, master and slave LVs, to perform DRT and DDT.
A master LV has a database with the TV towers' coordinates (it could be one of the LVs or a centralized node).
LVs know their location from a secure GPS system.
There is a control channel between the LVs used for their communication.
LVs calculate the distances between each other and the transmitters as they receive their signals.
The signals can come from the towers or from an attacker; the LVs then compare them to their database of tower locations.
If the location verification fails, the transmitter of a given signal is considered to be an attacker.

A. Distance Ratio Test (DRT)

Fig. 4 presents the DRT measurements and calculations, which are carried out using RSS-based localization. Assuming the same operating conditions at both LVs, the measured distance ratio is compared with a weighted range around the reference distance ratio. If this verification fails, the transmitted signal is due to a PUE attack [5].

a. Assume the same operating conditions for both LVs (transmitted signal power, TX and RX antenna gains, antenna heights and system path loss).
b. The master LV calculates the reference distance ratio between the LVs and the signal transmitter using the coordinates DB.
c. The master LV calculates the measured distance ratio from the different RSS levels at the two LVs.
d. Considering the expected maximum error factor, the master LV checks whether the measured distance ratio is within the acceptable range or not. If this verification fails, it is a PUE attack.

Fig. 4. DRT measurements.

However, the DRT technique has two main drawbacks. Firstly, DRT does not consider that the radio propagation model is affected by environment variables, so different propagation environments may require the use of different parameters. Secondly, DRT relies on a large-scale propagation model; possible fluctuations in RSS due to small-scale fading are not considered, and these may vary the RSS by three or four orders of magnitude when a receiver position changes by only a fraction of a wavelength.
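The DRT procedure of steps a to d, worked through as an added Python example (not code from the report). It assumes a log-distance path-loss model with exponent n (the environment-dependent parameter of the first drawback), a 20 % error factor, and constructed LV and tower coordinates; the third case shows the limitation noted under LocDef below, namely that a source beside the tower passes the ratio test.

```python
"""Distance Ratio Test (DRT) for PU transmitter verification, as an added example
(not code from the report). Assumptions not stated in the report: a log-distance
path-loss model, RSS = P_ref - 10*n*log10(d) in dBm, so that for two LVs under the
same operating conditions  d1/d2 = 10**((RSS2 - RSS1) / (10*n)).
All coordinates (km) and RSS values are constructed."""
import math

PATH_LOSS_EXPONENT = 3.0   # assumed n; differs per environment (first DRT drawback)
MAX_ERROR = 0.20           # assumed expected max error factor for step d: +/-20 %

def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def simulated_rss_dbm(lv, source, p_ref_dbm=-30.0):
    """Constructed RSS at an LV from a source: large-scale path loss only, no fading."""
    return p_ref_dbm - 10 * PATH_LOSS_EXPONENT * math.log10(distance(lv, source))

def reference_ratio(lv1, lv2, tower):
    """Step b: distance ratio (LV1-tower) / (LV2-tower) from the coordinates DB."""
    return distance(lv1, tower) / distance(lv2, tower)

def measured_ratio(rss1_dbm, rss2_dbm):
    """Step c: distance ratio implied by the RSS levels observed at the two LVs."""
    return 10 ** ((rss2_dbm - rss1_dbm) / (10 * PATH_LOSS_EXPONENT))

def drt_passes(lv1, lv2, tower, rss1_dbm, rss2_dbm):
    """Step d: accept only if the measured ratio is within (1 +/- MAX_ERROR) of reference."""
    ref = reference_ratio(lv1, lv2, tower)
    meas = measured_ratio(rss1_dbm, rss2_dbm)
    return (1 - MAX_ERROR) * ref <= meas <= (1 + MAX_ERROR) * ref

def verify_transmitter(lv1, lv2, tower_db, rss1_dbm, rss2_dbm):
    """Master LV decision: 'primary user' if the RSS pair is consistent with any tower
    in the database, otherwise 'PUE attacker'."""
    for tower in tower_db.values():
        if drt_passes(lv1, lv2, tower, rss1_dbm, rss2_dbm):
            return "primary user"
    return "PUE attacker"

# Constructed scenario (km): two LVs and one TV tower in the master LV's database.
LV1, LV2 = (0.0, 0.0), (10.0, 0.0)
TOWER_DB = {"tv-tower-1": (0.0, 20.0)}

def classify_source(source):
    """Simulate both LVs receiving `source`, then run the master LV's DRT on the pair."""
    return verify_transmitter(LV1, LV2, TOWER_DB,
                              simulated_rss_dbm(LV1, source),
                              simulated_rss_dbm(LV2, source))

if __name__ == "__main__":
    print(classify_source(TOWER_DB["tv-tower-1"]))  # primary user
    print(classify_source((2.0, 2.0)))              # PUE attacker near LV1
    print(classify_source((1.0, 20.0)))             # primary user: beside the tower, undetected
```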

B. Distance Difference Test (DDT)

The Distance Difference Test (DDT) is an alternative to DRT that verifies the difference between the two distances from a primary user to a pair of LVs. The difference in distance can be obtained by measuring the phase shift of the signal at the two LVs. Although DDT does not suffer from the drawbacks of DRT, it requires tight synchronization among the LVs, which may be expensive to implement. Also, the data exchanged between the LVs must be encrypted and authenticated to avoid eavesdropping, modification or replay attacks executed by the attacker [5].

C. Localization Based Defense (LocDef)

The transmitter verification methods discussed above are insufficient in a fully mobile network where the users are mobile and have low power. Both DRT and DDT cannot detect the attacker if it is transmitting from the area surrounding the TV tower. To resolve these problems, the localization based defense (LocDef) technique combines localization of the transmitters with signal energy level detection in order to detect PUE attacks. Fig. 5 illustrates LocDef transmitter verification in three steps: verification of signal characteristics, measurement of the received signal energy level, and localization of the signal source [4].

Fig. 5. PU transmitter verification flowchart (LocDef).

5.1.2. Conventional Localization of PU Transmitter

A conventional localization strategy suggests applying the Time Difference of Arrival (TDOA) method and then the Frequency Difference of Arrival (FDOA) method as a joint scheme. TDOA runs first to provide a motion vector to FDOA, which then determines the accurate location of the transmitting source. Both approaches rely on many assumptions that make them very restrictive and not applicable to general CRNs [3].

5.1.3. Fingerprinting

Radio Frequency Fingerprinting (RFF) has been proposed as a means of enhancing security in wireless networks by authenticating the transmission source. RFF identifies an emitter using a unique, short-duration distinctive behavior present in the waveforms emitted by a transceiver when it is activated. This behavior has been attributed to the acquisition behavior of frequency synthesis systems, modulator subsystems and RF amplifiers, as well as to physical properties of the emitter. The idea is that by monitoring and analyzing a network's analog signal at the physical layer, it is possible to identify emitters and address security related issues.

Out of the suggested approaches, this one is considered optimal, but it requires heavy computation and large training data sets. There is a likely increase in storage requirements and total sensing time due to the overhead of the extra signal processing operations. To address this drawback, a cross-layer signal pattern recognition technique was proposed. This approach exploits a unique property of each CR device called its Electromagnetic Signature (EMS), which can be compared to a human biometric feature, to build a security sub-system. A physical layer attacker model that exploits the adaptability and flexibility of CRNs was described; then, to thwart this attack, waveform pattern recognition is used to identify emitters and detect camouflaging attackers by means of the EMS of the transceiver [3].

5.2. Objective Function Attacks Mitigation

There is no good proposed mitigation technique to defend against the Objective Function Attack. A suggested proposal is to define a threshold for every updatable radio parameter. If the parameters do not meet the thresholds, then communication stops.
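The objective function attack of section 4.2 and the threshold mitigation just described, as an added Python example (not code from the report). The weights, the data-rate curve R(S), the attacker's jamming policy and the minimum security threshold are all constructed assumptions chosen to reproduce the behavior the text describes.

```python
"""Objective function attack and the section 5.2 threshold mitigation, as an added
example (not code from the report). The weighted-sum objective is modelled with
constructed weights and a constructed data-rate curve; every number is an assumption."""

SECURITY_LEVELS = [0, 1, 2, 3]      # constructed: 0 = no encryption ... 3 = strongest
W_P, W_R, W_S = 0.2, 1.0, 1.5       # constructed weights for power, data rate, security
TX_POWER = 1.0                      # constructed: fixed, normalised power input

def data_rate(security_level, jammed):
    """Constructed R(S): stronger security costs throughput; jamming cuts R to 20 %."""
    clean_rate = 10.0 - 1.0 * security_level
    return clean_rate * (0.2 if jammed else 1.0)

def objective(security_level, jammed):
    """Weighted sum the engine maximises: reward data rate and security, penalise power."""
    return W_R * data_rate(security_level, jammed) - W_P * TX_POWER + W_S * security_level

def no_attacker(security_level):
    return False

def objective_function_attacker(security_level):
    """Attacker policy (belief manipulation): jam only while the radio runs at
    security level 2 or above, so high security is always observed with low R."""
    return security_level >= 2

def choose_security(jammer):
    """Learning engine: observe f for every configuration and keep the best one.
    Returns (chosen level, {level: observed objective})."""
    scores = {lvl: objective(lvl, jammer(lvl)) for lvl in SECURITY_LEVELS}
    return max(scores, key=scores.get), scores

MIN_SECURITY = 2   # constructed threshold (section 5.2) on the security parameter

def choose_security_with_threshold(jammer):
    """Mitigated engine: accept the learned configuration only if it meets the
    threshold; otherwise return None, i.e. communication stops instead of the
    radio silently downgrading to a weak security level."""
    best, _ = choose_security(jammer)
    return best if best >= MIN_SECURITY else None

if __name__ == "__main__":
    print(choose_security(no_attacker)[0])                     # 3: strongest wins unjammed
    print(choose_security(objective_function_attacker)[0])     # 1: attacker drives S down
    print(choose_security_with_threshold(objective_function_attacker))  # None: stop
```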

5.3. Malicious Behavior Attacks Mitigation

A frequency hopping technique can be used to defend against malicious attacks: users agree to utilize a different channel once a denial of service attack is detected through signal strength consistency or location consistency checks.

The Signal Strength Consistency Check compares the Signal Strength (SS) with the Packet Delivery Ratio (PDR). If SS is high and PDR is low, a legitimate user may assume that it is being jammed, unless one of its neighbors has both high SS and high PDR.

In the Location Consistency Check, a node is considered jammed when its neighbors receive at least a minimal amount of packets. A node checks its PDR and decides whether the PDR is consistent with what it should see, given the location of its neighboring nodes obtained via GPS. Neighboring nodes that are close to a particular node should have high PDR values, and if all nearby neighbors have low PDR values this may lead to the conclusion that this user is either being jammed or has poor link quality with its neighbors.
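The two consistency checks and the agreed channel hop, as an added Python example (not code from the report). The SS and PDR thresholds, the "nearby" radius, the GPS neighbour table and the hopping sequence are constructed assumptions.

```python
"""Signal-strength and location consistency checks for jamming detection, followed by
the agreed frequency hop (section 5.3), as an added example (not code from the report).
Thresholds, neighbour table and all measurements are constructed assumptions."""
import math

SS_HIGH_DBM = -70.0    # assumed: received signal strength above this is "high"
PDR_LOW = 0.3          # assumed: packet delivery ratio below this is "low"
PDR_HIGH = 0.8         # assumed: PDR above this is "high"
NEAR_RANGE_M = 100.0   # assumed: neighbours within this distance should deliver well

def signal_strength_check(own_ss_dbm, own_pdr, neighbour_stats):
    """High SS with low PDR suggests jamming, unless some neighbour sees both high SS
    and high PDR. neighbour_stats: {name: (ss_dbm, pdr)}. Returns True if jammed."""
    if not (own_ss_dbm > SS_HIGH_DBM and own_pdr < PDR_LOW):
        return False
    return not any(ss > SS_HIGH_DBM and pdr > PDR_HIGH
                   for ss, pdr in neighbour_stats.values())

def location_check(own_pos, neighbour_pos, neighbour_pdr):
    """Neighbours that GPS places nearby should show high PDR; if every nearby
    neighbour is low, this node is jammed or has poor links. Returns True if so."""
    near = [n for n, pos in neighbour_pos.items()
            if math.dist(own_pos, pos) <= NEAR_RANGE_M]
    if not near:
        return False   # nothing close enough to judge against
    return all(neighbour_pdr[n] < PDR_LOW for n in near)

HOP_SEQUENCE = [1, 6, 11, 3, 8]   # constructed pre-agreed channel list shared by users

def next_channel(current):
    """Frequency hopping: move to the next agreed channel after a detected DoS."""
    return HOP_SEQUENCE[(HOP_SEQUENCE.index(current) + 1) % len(HOP_SEQUENCE)]

def react(current_channel, own_ss_dbm, own_pdr, own_pos, neighbours):
    """neighbours: {name: {"ss": dBm, "pdr": ratio, "pos": (x, y) metres}}.
    Returns the channel to use next: hop if either check flags jamming, else stay."""
    stats = {n: (d["ss"], d["pdr"]) for n, d in neighbours.items()}
    positions = {n: d["pos"] for n, d in neighbours.items()}
    pdrs = {n: d["pdr"] for n, d in neighbours.items()}
    jammed = (signal_strength_check(own_ss_dbm, own_pdr, stats)
              or location_check(own_pos, positions, pdrs))
    return next_channel(current_channel) if jammed else current_channel

# Constructed neighbour tables: a jammed area and a healthy one.
JAMMED_AREA = {"n1": {"ss": -62.0, "pdr": 0.10, "pos": (40.0, 0.0)},
               "n2": {"ss": -65.0, "pdr": 0.20, "pos": (0.0, 60.0)},
               "n3": {"ss": -90.0, "pdr": 0.90, "pos": (800.0, 0.0)}}
HEALTHY_AREA = {"n1": {"ss": -62.0, "pdr": 0.95, "pos": (40.0, 0.0)},
                "n3": {"ss": -90.0, "pdr": 0.90, "pos": (800.0, 0.0)}}

if __name__ == "__main__":
    print(react(1, -60.0, 0.1, (0.0, 0.0), JAMMED_AREA))   # 6: hop
    print(react(1, -60.0, 0.1, (0.0, 0.0), HEALTHY_AREA))  # 1: own link problem, stay
```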

Another defense technique is spatial retreat, where legitimate users change their location to escape the interference range of the attacker. However, the users must leave the region where the attacker is located while staying within communication range of each other [3].

6. Higher Layers Attacks and Mitigation Techniques

6.1. Link Layer Attacks and Mitigation

The link layer is responsible for MAC reconfiguration, and it also handles spectrum sensing and sharing. Thus, an attacker will attack these two functions to affect the CRN. There are different types of attacks on the link layer; Spectrum Sensing Data Falsification (SSDF) is an example.

SSDF is also known as the Byzantine Attack and takes place when an attacker sends false local spectrum sensing results to its neighbors or to the fusion center, causing the receiver to make a wrong spectrum-sensing decision. This attack targets centralized as well as distributed CRNs. In a centralized CRN, a fusion center is responsible for collecting all the sensed data and then deciding which frequency bands are occupied and which are free. Fooling the fusion center will either deny some users the use of a free band or allow users to use a band that is already in use, causing interference. Similar problems occur in a distributed CRN, where decisions about the status of the frequency bands are made through collaboration between the CRs: they exchange their sensing results with each other and then decide together who will take the available frequency bands. An SSDF attack can be more harmful in a distributed CRN because the false information can propagate quickly with no way to control it [3].

The Weighted Sequential Ratio Test (WSRT) has been proposed as a defense against SSDF. First, every spectrum sensing node initially has a reputation value equal to zero; after each correct local spectrum sensing report, its reputation value is increased by 1. The second step is the actual hypothesis test, which is based on the Sequential Probability Ratio Test, so that the decision value takes the terminals' reputations into consideration [3].
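The reputation-weighted sequential test described above, as an added Python example (not code from the report). It assumes per-node detection and false-alarm probabilities, SPRT thresholds derived from target error rates, a linear weight function, and reputation credited to reports that agree with the fusion decision; all sensing reports are constructed.

```python
"""Reputation-weighted sequential fusion against SSDF, as an added example (not code
from the report). Model assumptions: each node sends a binary local report (1 = band
busy, 0 = idle) to a fusion center; honest nodes have detection probability P_D and
false-alarm probability P_F; the center sums reputation-weighted log-likelihood ratios
and decides once the sum crosses the SPRT thresholds. Reputation starts at 0 and grows
by 1 per report that agrees with the final decision, as the text describes; the linear
weight function is an assumption. All reports are constructed."""
import math

P_D, P_F = 0.9, 0.1          # assumed honest-node detection / false-alarm probabilities
ALPHA, BETA = 0.05, 0.05     # target fusion false-alarm / missed-detection rates
LOG_ETA_1 = math.log((1 - BETA) / ALPHA)   # decide busy at or above (+2.94)
LOG_ETA_0 = math.log(BETA / (1 - ALPHA))   # decide idle at or below (-2.94)

def log_likelihood_ratio(report):
    """ln P(u | busy) / P(u | idle) for one binary local report u."""
    return math.log(P_D / P_F) if report == 1 else math.log((1 - P_D) / (1 - P_F))

def weight(reputation, max_reputation):
    """Assumed weight: linear in reputation; a reputation-0 node keeps a small weight so
    the scheme can bootstrap when every node is new."""
    return (reputation + 1) / (max_reputation + 1)

def wsrt_decide(reports, reputations):
    """Return 1 (busy), 0 (idle) or None (undecided: wait for more reports)."""
    max_rep = max(reputations[n] for n in reports)
    total = sum(weight(reputations[n], max_rep) * log_likelihood_ratio(u)
                for n, u in reports.items())
    if total >= LOG_ETA_1:
        return 1
    if total <= LOG_ETA_0:
        return 0
    return None

def update_reputations(reports, reputations, decision):
    """Credit every node whose report agrees with the fusion decision."""
    if decision is not None:
        for n, u in reports.items():
            if u == decision:
                reputations[n] += 1

def build_reputations(rounds, nodes):
    reputations = {n: 0 for n in nodes}
    for reports in rounds:
        update_reputations(reports, reputations, wsrt_decide(reports, reputations))
    return reputations

HONEST = ["A", "B", "C", "D"]
LIARS = ["L1", "L2"]   # SSDF nodes: always claim the band is busy to keep SUs off it
NODES = HONEST + LIARS

# Constructed history: five sensing rounds in which the band was really idle.
TRAINING_ROUNDS = [{**{n: 0 for n in HONEST}, **{n: 1 for n in LIARS}} for _ in range(5)]
# Constructed test rounds, band really idle, with one or two honest false alarms.
ONE_FALSE_ALARM = {"A": 1, "B": 0, "C": 0, "D": 0, "L1": 1, "L2": 1}
TWO_FALSE_ALARMS = {"A": 1, "B": 1, "C": 0, "D": 0, "L1": 1, "L2": 1}

def compare(reports):
    """Decision with fresh (all-zero) reputations versus after the training rounds."""
    fresh = {n: 0 for n in NODES}
    trained = build_reputations(TRAINING_ROUNDS, NODES)
    return wsrt_decide(reports, fresh), wsrt_decide(reports, trained)

if __name__ == "__main__":
    print(build_reputations(TRAINING_ROUNDS, NODES))  # honest nodes 5, liars 0
    print(compare(ONE_FALSE_ALARM))    # (None, 0): equal weights stall, weighted says idle
    print(compare(TWO_FALSE_ALARMS))   # (1, None): equal weights wrongly declare busy
```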

6.2. Network Layer Attacks and Mitigation

This layer contains the spectrum decision and spectrum mobility functions; thus, it is responsible for routing and handoff in the CRN. Attacks on this layer relate to routing and to the information transfer between CRN nodes. The sinkhole attack is an example of a network layer attack. In a sinkhole attack, an attacker broadcasts to all nodes that it is the best route to a specific destination and asks its neighboring nodes to use it to forward their packets. The attacker may use this position to perform another attack called selective forwarding, in which the attacker is able to modify or discard packets from any node in the network [3].

Geographic routing protocols are used to mitigate sinkhole attacks. They construct an on-demand topology, so traffic is routed to the physical location of the base station and is difficult to trap elsewhere [3].

6.3. Transport Layer Attacks and Mitigation

The Lion attack is an example of a transport layer attack. It can be considered a cross-layer attack performed at the physical/link layer and targeted at the transport layer. An attacker generates a signal similar to the primary user signal, which forces the CRN to perform frequency handoffs and thus degrades TCP performance. When such a handoff takes place, TCP is unaware of it and keeps the connections open and sends packets without receiving any acknowledgment. The timeout then expires and TCP retransmits the lost packets with an increased timeout value; as a result, the retransmission timer backs off, doubling its value each time, resulting in delays and packet loss [3].

A cross-layer detection based mechanism is used to mitigate the Lion attack, so that the TCP layer is aware of what is happening in the physical/link layer [3].

7. Conclusion

In this paper we presented the concept of security in cognitive radio networks. We focused mainly on physical layer attacks, in which attackers try to manipulate the inputs of the cognitive radio's sensors in order to cause the cognitive radio to behave sub-optimally or maliciously.

In Primary User Emulation (PUE) attacks, the attacker targets the SU's sensors by creating a signal similar to the PU signal; the SU sees the attacker's signal and believes that the PU is occupying the channel. This causes the system to lose this channel and lowers the system utilization. In Objective Function Attacks, the adversary aims at minimizing the objective function that is created by the CR device and that indicates the optimum communication metrics. In Malicious Behavior Attacks, the enemy tries to jam the communication in the CR network and causes denial of service.

Possible mitigation techniques for the addressed security issues were also discussed. We discussed PUE mitigation through PU transmitter verification, conventional localization of the PU transmitter, or fingerprinting. Frequency hopping was introduced as an effective solution for Malicious Behavior Attacks.

A broad overview of higher layer attacks and mitigation techniques was also presented. Link layer, network layer and transport layer attacks were discussed briefly, along with some ideas for their mitigation.

8. References

[1] J. Mitola, Cognitive Radio: An Integrated Agent Architecture for Software Defined Radio, Ph.D. dissertation, KTH, 2000.
[2] T. C. Clancy and N. Goergen, Security in Cognitive Radio Networks: Threats and Mitigation, Cognitive Radio Oriented Wireless Networks and Communications conference, 2008.
[3] W. El-Hajj, H. Safa and M. Guizani, Survey of Security Issues in Cognitive Radio Networks, Journal of Internet Technology, vol. 12, no. 2, 2011.
[4] R. Chen, J.-M. Park and J. H. Reed, Defense against Primary User Emulation Attacks in Cognitive Radio Networks, IEEE Journal on Selected Areas in Communications, vol. 26, no. 1.
[5] R. Chen and J.-M. Park, Ensuring Trustworthy Spectrum Sensing in Cognitive Radio Networks, 1st IEEE Workshop on Networking Technologies for Software Defined Radio Networks, 2006.