Overview on Security in Cognitive Radio Networks
FACULTY OF ENGINEERING
CAIRO UNIVERSITY
Electronics and Electrical Communications Department
Cognitive Radio Networks
Security in Cognitive Radio Networks
Presented to
Dr. Ahmed Khattab
Prepared by
Amal Samir Abd El-hameed
Mohamed AbdelBasset Mustafa AbdelAziz
Mohamed Sayed Mohamed Sayed AbuZeid
Cairo, 2014
1. Abstract
This report presents the security concepts of cognitive radio networks. A suitable cognitive radio
model is introduced to explain the effects of different security attacks on cognitive radio network
behavior. Attacks on the different layers of the model are discussed, with a special focus on physical
layer attacks. Finally, mitigation techniques against the addressed attacks are discussed.
2. Introduction
Cognitive radios have the ability to learn from their environment and adapt their output to it.
Learning and adaptation require an artificial intelligence (AI) component that controls the radio's
decisions based on the sensory inputs it is given. If an adversary manages to feed a cognitive radio
false sensory input, it can affect the radio's beliefs and behavior and drive its operation into
sub-optimal or even malicious performance.
This report focuses mainly on physical layer security attacks and analyzes the different threats
that affect the optimality of cognitive radio performance. Attacks on higher layers are also discussed
in less detail. Mitigation schemes for the discussed threats are presented in some detail as well.
3. Cognitive Radio Architecture
A cognitive radio consists of two basic parts: a software-defined radio (SDR) and a controlling
entity. An SDR typically consists of an adjustable front-end, modem components, sensors and a
programming interface to the controlling entity. The front-end can be tuned over different frequency
ranges and includes an amplifier that allows communication at many different power levels. The modem
components can implement many different modulation types with different symbol rates. Similar
flexibility is possible for higher layers such as the data link layer, which can include forward error
correction, data framing, multiplexing, and scheduling. An SDR has a wide variety of sensors. One
example is an energy detector that measures the received power at the tuned frequency in order to
determine whether or not that channel is occupied. Other sensors may determine the signal-to-noise
ratio, bit error rate, frame error rate, or the type of communication system that occupies the channel
at a given instant.
The controlling entity consists of a knowledge base, a learning engine and a reasoning engine.
It needs to select the set of inputs that results in optimal outputs, where optimality is often defined with
an objective or fitness function. Selecting the radio inputs is then simply a multi-dimensional, discrete
optimization problem. The knowledge base represents the state of the radio through read-write
configurations and read-only statistics. The reasoning engine has a list of actions to be implemented
when certain conditions are met. Those actions have a direct effect on the state of the knowledge base.
The learning engine is capable of starting with no preprogrammed policy and trying out various radio
configurations to see how the system performs. For example, a radio can try out different modulation
types to see which works optimally in a particular RF environment.
Depending on whether a learning engine is present, cognitive radios can be categorized into
policy radios and learning radios: policy radios have no learning engine, learning radios do.
Fig. 1. Cognitive radio components
4. Physical Layer Attacks
The physical layer in cognitive radio networks (CRNs) is responsible for RF observation, sensing
coordination, and spectrum switching. Its importance comes from its responsibility for three of the
four stages of the Mitola cognition cycle [1] (Sense -> Analyze -> Decide -> Adapt): sensing,
analyzing, and adapting. Attacking this layer therefore exposes the CRN to attacks such as:
Sensory manipulation, where the attacker manipulates the RF environment that the radio senses. The
attacker can thereby cause faulty statistics to appear in the knowledge base, causing the radio to
select a suboptimal configuration and leaving the attacker free to use the available resources. This
technique affects policy radios.
Belief manipulation, where the attacker manipulates how the CR behaves and reacts to different
situations, so that the CR may act as a malicious node toward other nodes. This technique affects
learning radios.
These attacks may cause a cognitive radio system to act sub-optimally, maliciously, or even as
a cognitive radio virus, depending on the degree of cooperation between the cognitive radio nodes.
4.1. Primary User Emulation Attack (PUE)
PUE attacks are effective in dynamic spectrum access (DSA) environments. In such environments a
primary user (PU) owns a license to a particular frequency band and may use it whenever it wishes.
When the PU is idle, secondary users (SUs) may opportunistically use the vacant spectrum, so each SU
needs a spectrum sensing algorithm to detect when the PU is active.
If an attacker targets the sensing function of the SU by creating a waveform similar to the PU
signal, the SU sees the attacker's signal and believes that the PU is active. The SUs thereby lose
the channel, lowering the system utilization [2].
There are two types of PUE attack: the selfish attack and the malicious attack. A selfish attack
is carried out by another secondary user, a greedy SU that aims to have all the spectrum resources
all the time without sharing them with other SUs, as shown in Fig. 2a.
In a malicious attack, the attack is carried out by an outside attacker whose goal is to prevent
the secondary users from using the free spectrum, as shown in Fig. 2b [3].
PUE effects are transient, since PUE is only a sensory-manipulation attack: once the attacker
leaves the frequency, the SU notices that the spectrum is idle again and can resume using it. However,
the attacker can increase the effect of its attack by predicting when the PU uses the channel and
sending the PU waveform exactly while the PU is idle, which prevents SU transmission in every idle
period. The attacker can also make the PU signal appear as noise to the SU, so that the SU cannot
identify which bands are available for transmission without interfering with the PU.
Fig. 2a. Primary User Emulation attack by a greedy secondary user.
Fig. 2b. Primary User Emulation attack by a malicious user.
4.2. Objective Function Attacks
Referring back to the structure of the cognitive radio, we focus here on the learning engine.
This engine is responsible for adjusting radio parameters that include center frequency,
bandwidth, power, modulation type, coding rate, channel access protocol, and encryption type in
order to meet environment requirements such as low energy consumption, high data rate, and high
security. The cognitive engine calculates these parameters by solving one or more objective
functions. Such a function can be represented as a weighted sum, such as
where , and represent the weights power ( ), data rate ( ) and security ( ).
In this case, power and security are defined by the system inputs, while the data rate is a
system output. For example, when the cognitive engine tries to use a high security level S, the
attacker launches a jamming attack on the radio, reducing R and hence the overall objective function.
As a result, the cognitive engine reduces the security level in order to recover the data rate and
keep the objective function from decreasing. In this way the attacker forces the radio to use a low
security level that is easier to break. This is why this kind of attack is called a belief-
manipulation attack [3].
4.3. Malicious Behavior Attacks
Malicious behavior can be seen as another form of objective function attack, in which the
attacker alters the SU's objective function by changing its weights, so that the SU itself becomes a
jamming signal to the PU.
Jamming is an attack that can be carried out at the physical and MAC layers. The attacker
(jammer) maliciously sends out packets to prevent the two parties of a communication session from
sending or receiving data, creating a denial of service. The jammer may send packets continuously so
that an SU is never able to sense a channel as idle. A more dangerous variant is to jam the dedicated
channel used to exchange sensing information between CRs (common control data attack) [3].
As mentioned above, affecting the behavior of a CRN may turn it into a cognitive radio virus.
This attack relies on self-propagating behavior: a series of state transitions in one cognitive radio
node propagates to all nodes in a particular area by inducing the same pattern of state transitions
in the neighboring radios. For example, the attacker may cause all CRs to transmit in the same
period, which causes collisions between all nodes and degrades network efficiency [2].
5. Security Attacks Mitigation and Defense
In this section we explore possible mitigation and defense techniques for the CR security
threats described above.
5.1. Primary User Emulation Attack Mitigation
In order to defend against PUE attacks, the identity of the transmitting source should be
analyzed to confirm whether it is a primary user or a malicious user.
The best approach to recognizing the PU identity would be to apply cryptographic authentication
mechanisms, such as digital signatures. Such an approach cannot be adopted, however, because of the
FCC rule stating that no modification to the primary user may be required to accommodate
opportunistic use of the spectrum by secondary users. Much research has therefore proposed
alternative techniques that determine the location of the transmitting source: if this location
matches the location of a primary user, the source is considered to be a primary user; otherwise, it
is a PUE attacker. Fig. 3 presents the proposed procedures and techniques for PUE attack mitigation.
Fig. 3. Primary User Emulation attacks mitigation techniques.
5.1.1. PU Transmitter Verification
In this section we discuss PU transmitter verification procedures and methods. Two main
approaches are introduced: the Distance Ratio Test (DRT), based on received signal strength (RSS)
measurements, and the Distance Difference Test (DDT), based on signal phase difference. Both are
non-interactive localization techniques for PU transmitter verification, since the location verifiers
cannot interact with the signal transmitter to estimate or verify its location [3].
Before elaborating on each technique, the following environment assumptions are made:
PUs are TV broadcast towers with fixed locations, and SUs are within range of the tower signals.
Two types of trusted Location Verifiers (LVs), master and slave LVs, perform DRT and DDT.
A master LV has a database with the TV tower coordinates (it may be one of the LVs or a
centralized node).
LVs know their own location from a secure GPS system.
There is a control channel between LVs for their communication.
LVs calculate the distances between each other and the transmitters as they receive their
signals. The signals can come from the towers or from an attacker; the LVs compare them with their
database of tower locations.
If the location verification fails, the transmitter of a given signal is considered to be an attacker.
A. Distance Ratio Test (DRT)
Fig. 4 presents the DRT measurements and calculations, which are carried out using RSS-based
localization. Assuming the same operating conditions at both LVs, the measured distance ratio is
compared with a tolerance range around the reference distance ratio. If this verification fails, the
transmitted signal is attributed to a PUE attack [5].
a. Assume the same operating conditions for both LVs
(transmitted signal power, TX and RX antenna gains,
antenna heights and system path loss).
b. The master LV calculates the reference distance ratio between the LVs and the
signal transmitter using the coordinate database.
c. The master LV calculates the measured distance ratio from the
different RSS levels at the two LVs.
d. Taking the expected maximum error factor into account, the master LV checks
whether the measured distance ratio is within the acceptable range.
If this verification fails, it is a PUE attack.
Fig. 4. DRT measurements.
However, DRT has two main drawbacks. First, DRT does not account for the fact that the radio
propagation model depends on environment variables, so different propagation environments may
require different parameters. Second, DRT relies on a large-scale propagation model and ignores
fluctuations in RSS due to small-scale fading, which may change the RSS by three or four orders of
magnitude when the receiver position changes by only a fraction of a wavelength.
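The DRT procedure above, carried through as an added example (illustrative code written for this page, not from [5] or the report). It assumes a log-distance path-loss model with exponent 2, a 15 % tolerance on the ratio, and constructed coordinates in km. The transmit power cancels out of the RSS ratio, which is why the attacker's unknown power does not help it; the last scenario reproduces the second drawback, a fading dip at one LV alone breaking the test.

```python
"""Distance Ratio Test (DRT) for PU transmitter verification, worked example.

Two location verifiers (LVs) with known coordinates receive the same signal.
Under a common large-scale path-loss model the ratio of their RSS values
fixes the ratio of their distances to the transmitter, independent of the
(unknown) transmit power. The master LV compares that measured ratio with
the reference ratio computed from the TV-tower coordinate database.
"""
import math

PATH_LOSS_EXPONENT = 2.0     # assumed: free-space-like large-scale model
MAX_ERROR_FACTOR = 0.15      # assumed: tolerated relative error in the ratio


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def rss_dbm(tx_pos, rx_pos, tx_power_dbm, n=PATH_LOSS_EXPONENT, fading_db=0.0):
    """Log-distance path-loss model; fading_db adds a small-scale fading term."""
    d = max(distance(tx_pos, rx_pos), 1.0)
    return tx_power_dbm - 10.0 * n * math.log10(d) + fading_db


def measured_distance_ratio(rss1_dbm, rss2_dbm, n=PATH_LOSS_EXPONENT):
    # d1/d2 = 10^((RSS2 - RSS1) / (10 n)); the transmit power cancels out.
    return 10.0 ** ((rss2_dbm - rss1_dbm) / (10.0 * n))


def reference_distance_ratio(tower_pos, lv1_pos, lv2_pos):
    return distance(tower_pos, lv1_pos) / distance(tower_pos, lv2_pos)


def drt_verify(claimed_tower, lv1, lv2, rss1_dbm, rss2_dbm, max_error=MAX_ERROR_FACTOR):
    """True if the RSS-derived ratio matches the database ratio within tolerance."""
    ref = reference_distance_ratio(claimed_tower, lv1, lv2)
    meas = measured_distance_ratio(rss1_dbm, rss2_dbm)
    return abs(meas - ref) <= max_error * ref


# Constructed scenario: coordinates in km.
TOWER_DB = {"tower-A": (0.0, 0.0)}
LV1, LV2 = (3.0, 4.0), (8.0, 6.0)   # d1 = 5, d2 = 10 -> reference ratio 0.5


def scenario_legit():
    """The real tower transmits: the test passes."""
    r1 = rss_dbm(TOWER_DB["tower-A"], LV1, tx_power_dbm=60.0)
    r2 = rss_dbm(TOWER_DB["tower-A"], LV2, tx_power_dbm=60.0)
    return drt_verify(TOWER_DB["tower-A"], LV1, LV2, r1, r2)


def scenario_pue_attacker():
    """An emulator 5 km from LV1 (same as the tower) but 2.8 km from LV2 fails."""
    attacker = (6.0, 8.0)
    r1 = rss_dbm(attacker, LV1, tx_power_dbm=20.0)   # attacker power is unknown to the LVs
    r2 = rss_dbm(attacker, LV2, tx_power_dbm=20.0)
    return drt_verify(TOWER_DB["tower-A"], LV1, LV2, r1, r2)


def scenario_fading(fading_db):
    """Drawback: a small-scale fading dip at LV1 only shifts the measured ratio."""
    r1 = rss_dbm(TOWER_DB["tower-A"], LV1, 60.0, fading_db=fading_db)
    r2 = rss_dbm(TOWER_DB["tower-A"], LV2, 60.0)
    return drt_verify(TOWER_DB["tower-A"], LV1, LV2, r1, r2)


if __name__ == "__main__":
    print("legit tower      :", scenario_legit())
    print("PUE attacker     :", scenario_pue_attacker())
    print("fading -10 dB    :", scenario_fading(-10.0))
```

With these numbers a 10 dB fade at a single verifier already fails a genuine tower, which is the false-alarm side of the second drawback; widening the tolerance to absorb it would let a nearby emulator through, so the trade-off has to be set per environment.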
B. Distance Difference Test (DDT)
The Distance Difference Test (DDT) is an alternative to DRT that verifies the difference between
the two distances from a primary user to a pair of LVs. The difference in distance is obtained by
measuring the phase shift of the signal at the two LVs. Although DDT does not suffer from the
drawbacks of DRT, it requires tight synchronization among the LVs, which may be expensive to
implement. The data exchanged between the LVs must also be encrypted and authenticated to prevent
eavesdropping, modification or replay attacks by the attacker [5].
C. Localization Based Defense (LocDef)
The transmitter verification methods discussed so far are insufficient in a fully mobile network
where the users are mobile and low-powered. Neither DRT nor DDT can detect an attacker that transmits
from the immediate surroundings of the TV tower. To address these problems, the localization-based
defense (LocDef) technique combines localization of the transmitter with detection of the received
signal energy level in order to detect PUE attacks. Fig. 5 illustrates LocDef transmitter verification
in three steps: verification of signal characteristics, measurement of the received signal energy
level, and localization of the signal source [4].
Fig. 5. PU Transmitter verification Flowchart LocDef.
5.1.2. Conventional Localization of PU Transmitter
A conventional localization strategy applies the Time Difference of Arrival (TDOA) method
followed by the Frequency Difference of Arrival (FDOA) method as a joint scheme. TDOA runs first and
provides a motion vector to FDOA, which then determines the accurate location of the transmitting
source. Both approaches rely on many assumptions that make them very restrictive and not applicable
to general CRNs [3].
5.1.3. Fingerprinting
Radio Frequency Fingerprinting (RFF) has been proposed as a means of enhancing security in
wireless networks by authenticating the transmission source. RFF identifies an emitter by a unique,
short-duration distinctive behavior present in the waveforms emitted by a transceiver when it is
activated. This behavior has been attributed to the acquisition behavior of frequency synthesis
systems, modulator subsystems and RF amplifiers, as well as to physical properties of the emitter.
The idea is that by monitoring and analyzing the network's analog signal at the physical layer, it is
possible to identify emitters and address security-related issues.
Of the suggested approaches, this one is considered the most accurate, but it requires heavy
computation and large training samples. Storage requirements and total sensing time are likely to
increase because of the overhead of the extra signal-processing operations.
To address this drawback, a cross-layer signal pattern recognition technique was proposed. It
exploits a unique property of each CR device, its Electromagnetic Signature (EMS), which can be
compared to a human biometric feature, to build a security sub-system. A physical-layer attacker
model that exploits the adaptability and flexibility of CRNs was described, and waveform pattern
recognition using the EMS of the transceiver is then used to identify emitters and detect
camouflaging attackers [3].
5.2. Objective Function Attacks Mitigation
No good mitigation technique has been proposed to defend against the Objective Function
Attack. One suggestion is to define a threshold for every updatable radio parameter; if a parameter
does not meet its threshold, communication stops.
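The following is an added example (not from the report or [3]) that puts the weighted-sum objective of Section 4.2 and the threshold mitigation of Section 5.2 into runnable form. The weights, the configuration space, the rate overhead per security level and the jammer's 10 % residual rate are all assumptions made for illustration; the section's own symbols P, R and S are used as the power, rate and security terms.

```python
"""Objective function attack and the threshold mitigation, worked example.

A cognitive engine picks the (power, security) configuration maximising a
weighted sum of power saving, measured data rate and security level. The
attacker jams the link only while the radio uses strong security, which
lowers the measured rate R for that choice; the engine then drifts to a
weaker security level. A floor on the security parameter blocks that drift.
"""
from itertools import product

# Assumed weights; the report gives the weighted-sum form but no values.
W_POWER, W_RATE, W_SECURITY = 1.0, 1.0, 1.0

# Assumed discrete configuration space (normalised units).
POWER_COST = {"low": 0.2, "high": 1.0}                          # energy consumption P
SECURITY_LEVEL = {"none": 0.0, "weak": 0.3, "strong": 0.6}      # security S
SECURITY_OVERHEAD = {"none": 0.0, "weak": 0.1, "strong": 0.25}  # rate lost to crypto


def nominal_rate(power, security):
    """Data rate R the link would achieve without interference."""
    base = 0.5 + 0.5 * POWER_COST[power]
    return base * (1.0 - SECURITY_OVERHEAD[security])


def objective(power, rate, security):
    # P enters negatively: the engine wants low consumption, high R and high S.
    return (-W_POWER * POWER_COST[power]
            + W_RATE * rate
            + W_SECURITY * SECURITY_LEVEL[security])


def jam_strong_security(power, security):
    """Attacker strategy: jam only while the radio runs strong security,
    leaving 10 % of the nominal rate (assumed jamming effectiveness)."""
    return 0.1 if security == "strong" else 1.0


def choose_config(attacker=None, min_security=None):
    """Return ((power, security), objective value), or None when the
    threshold rule leaves no admissible configuration (communication stops)."""
    best, best_val = None, float("-inf")
    for power, security in product(POWER_COST, SECURITY_LEVEL):
        if min_security is not None and SECURITY_LEVEL[security] < min_security:
            continue                       # parameter below its threshold: not allowed
        rate = nominal_rate(power, security)
        if attacker is not None:
            rate *= attacker(power, security)   # the engine only sees the measured R
        val = objective(power, rate, security)
        if val > best_val:
            best, best_val = (power, security), val
    return None if best is None else (best, best_val)


if __name__ == "__main__":
    print("no attacker       :", choose_config())
    print("jammer, no floor  :", choose_config(jam_strong_security))
    print("jammer, S >= 0.6  :", choose_config(jam_strong_security, min_security=0.6))
    print("floor above range :", choose_config(jam_strong_security, min_security=0.9))
```

Without the attacker the engine settles on low power with strong security; with the jammer present the same engine, maximising the same function on the rates it measures, moves to weak security because the rate term now dominates. The security floor keeps it on strong security at a lower objective value, and a floor no configuration can meet returns None, which is the "communication stops" outcome of the suggested mitigation.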
5.3. Malicious Behavior Attacks Mitigation
Frequency hopping can be used as a defense against malicious behavior attacks: users agree to
move to a different channel once a denial of service attack is detected through signal strength
consistency or location consistency checks.
The signal strength consistency check compares signal strength (SS) and packet delivery ratio
(PDR). If SS is high but PDR is low, a legitimate user may assume that it is being jammed, unless one
of its neighbors sees both high SS and high PDR.
In the location consistency check, a node checks its PDR and decides whether it is consistent
with what it should see given the locations of its neighboring nodes, known via GPS. Neighboring
nodes that are close to a particular node should have high PDR values; if all nearby neighbors have
low PDR values, the node may conclude that it is either being jammed or has poor link quality with
its neighbors.
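The two consistency checks above, run over constructed per-node observations, as an added example (not from [3] or the report). The SS and PDR thresholds, the neighbour range and the node positions are assumptions; jammed() is the trigger on which the users would agree to hop.

```python
"""Signal strength and location consistency checks for jamming detection,
worked example over constructed observations.

Each node knows its received signal strength (dBm), its packet counters
(from which the PDR follows) and, via GPS, the positions of its neighbours.
"""
import math

SS_HIGH_DBM = -70.0             # assumed: the channel counts as "loud" above this
PDR_LOW, PDR_HIGH = 0.3, 0.8    # assumed PDR thresholds
NEIGHBOUR_RANGE_M = 150.0       # assumed: closer nodes should see a similar PDR


def pdr(node):
    return node["acked"] / node["sent"] if node["sent"] else 0.0


def close_neighbours(node_id, nodes):
    x, y = nodes[node_id]["pos"]
    return [n for n, v in nodes.items()
            if n != node_id
            and math.hypot(v["pos"][0] - x, v["pos"][1] - y) <= NEIGHBOUR_RANGE_M]


def signal_strength_check(node_id, nodes):
    """High SS with low PDR suggests jamming, unless a neighbour copes with the
    same loud channel (high SS and high PDR), in which case the problem is local."""
    me = nodes[node_id]
    if me["ss"] < SS_HIGH_DBM or pdr(me) > PDR_LOW:
        return False
    for n in close_neighbours(node_id, nodes):
        if nodes[n]["ss"] >= SS_HIGH_DBM and pdr(nodes[n]) >= PDR_HIGH:
            return False
    return True


def location_consistency_check(node_id, nodes):
    """Low own PDR while every close neighbour also has low PDR: jammed or poor
    links all round. Returns None when no neighbour is in range to compare with."""
    if pdr(nodes[node_id]) > PDR_LOW:
        return False
    nbrs = close_neighbours(node_id, nodes)
    if not nbrs:
        return None
    return all(pdr(nodes[n]) <= PDR_LOW for n in nbrs)


def jammed(node_id, nodes):
    """Hop to another channel when either check fires."""
    return signal_strength_check(node_id, nodes) or bool(location_consistency_check(node_id, nodes))


# Constructed observations (positions in metres): A, B, C sit inside a jammer's
# range, D is far away and healthy, E has a weak link to its only neighbour F.
NODES = {
    "A": {"pos": (0, 0),     "ss": -55.0, "sent": 100, "acked": 12},
    "B": {"pos": (80, 30),   "ss": -58.0, "sent": 100, "acked": 9},
    "C": {"pos": (40, 120),  "ss": -60.0, "sent": 100, "acked": 20},
    "D": {"pos": (900, 700), "ss": -85.0, "sent": 100, "acked": 91},
    "E": {"pos": (500, 0),   "ss": -95.0, "sent": 100, "acked": 20},
    "F": {"pos": (520, 20),  "ss": -72.0, "sent": 100, "acked": 90},
}

if __name__ == "__main__":
    for node in NODES:
        print(node, "jammed" if jammed(node, NODES) else "ok")
```

Node E shows why the two checks are combined: its PDR is as poor as A's, but it hears a weak signal and its neighbour delivers fine, so neither check fires and it is treated as a bad link rather than a jamming victim.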
Another defense technique is spatial retreat, where legitimate users change their location to
move out of the interference range of the attacker. Users must leave the region where the attacker
is located while staying within communication range of each other [3].
6. Higher Layers Attacks and Mitigation Techniques
6.1. Link Layer Attacks and Mitigation
The link layer is responsible for MAC reconfiguration and also hosts spectrum sensing and
sharing, so an attacker targets these two functions to affect the CRN. There are different types of
attacks on the link layer; Spectrum Sensing Data Falsification (SSDF) is an example.
SSDF, also known as the Byzantine attack, takes place when an attacker sends false local
spectrum sensing results to its neighbors or to the fusion center, causing the receiver to make a
wrong spectrum-sensing decision. This attack targets centralized as well as distributed CRNs. In a
centralized CRN, a fusion center collects all the sensed data and then decides which frequency bands
are occupied and which are free. Fooling the fusion center either denies some users a free band or
allows users to use a band that is already in use, causing interference. Similar problems occur in a
distributed CRN, where decisions about the status of the frequency bands are made collaboratively
between CRs: they exchange their sensing results and then decide together who takes the available
bands. SSDF can be more harmful in a distributed CRN because the false information propagates
quickly with no way to contain it [3].
The Weighted Sequential Ratio Test (WSRT) has been proposed as a defense against SSDF. First,
every spectrum sensing node starts with a reputation value of zero, and after each correct local
spectrum sensing report its reputation is increased by 1. The second step is the actual hypothesis
test, which is based on the Sequential Probability Ratio Test, so that the decision takes the
terminals' reputations into account [3].
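A simplified reputation-weighted sequential probability ratio test of the kind described above, as an added example (illustrative code, not the WSRT implementation of [3]). The per-node detection and false-alarm probabilities, the fusion targets α = β = 0.01, the mapping from reputation to weight, the sign-based fallback and the node scenario are all assumed; honest nodes are modelled as sensing perfectly so that the run is deterministic.

```python
"""Reputation-weighted SPRT fusion against SSDF, worked example.

Reports u_i in {0, 1} (1 = "primary user present") arrive at a fusion
centre. Each report contributes its log-likelihood ratio scaled by the
reporter's reputation-derived weight; the running sum is checked against
the SPRT thresholds after every report and a decision is made as soon as
one is crossed. Reputation of every node whose report matched the decision
is then incremented by one, as the text describes.
"""
import math

P_D, P_F = 0.9, 0.1          # assumed per-node detection / false-alarm probabilities
ALPHA, BETA = 0.01, 0.01     # assumed target false-alarm / miss rates of the fusion
ETA_1 = math.log((1 - BETA) / ALPHA)   # decide H1 (busy) at or above this
ETA_0 = math.log(BETA / (1 - ALPHA))   # decide H0 (idle) at or below this


def llr(report):
    """Log-likelihood ratio of one binary sensing report, H1 versus H0."""
    if report == 1:
        return math.log(P_D / P_F)
    return math.log((1 - P_D) / (1 - P_F))


def weight(reputation, max_reputation):
    # Assumed mapping: a fresh node weighs 1/(r_max+1), the best node weighs 1.
    return (reputation + 1) / (max_reputation + 1)


def wsprt_fuse(reports, reputations):
    """Return (decision, reports_consumed); reports is a list of (node_id, u)."""
    r_max = max(reputations.values())
    running = 0.0
    for n, (node, u) in enumerate(reports, start=1):
        running += weight(reputations[node], r_max) * llr(u)
        if running >= ETA_1:
            return 1, n
        if running <= ETA_0:
            return 0, n
    # Assumed fallback when no threshold is crossed: decide by the sign of the sum.
    return (1 if running > 0 else 0), len(reports)


def update_reputations(reports, decision, reputations):
    for node, u in reports:
        if u == decision:
            reputations[node] += 1


def or_rule(reports):
    """Naive OR fusion for contrast: one 'busy' report marks the channel busy."""
    return int(any(u == 1 for _, u in reports))


def run_rounds(truth_per_round, honest, byzantine):
    """Constructed scenario: honest nodes sense perfectly; Byzantine nodes
    always report 'busy' to deny the channel to the other secondary users."""
    nodes = byzantine + honest          # attackers' reports are processed first (worst case)
    reputations = {n: 0 for n in nodes}
    decisions = []
    for truth in truth_per_round:
        reports = [(n, 1 if n in byzantine else truth) for n in nodes]
        decision, _ = wsprt_fuse(reports, reputations)
        update_reputations(reports, decision, reputations)
        decisions.append(decision)
    return decisions, reputations


if __name__ == "__main__":
    d, r = run_rounds([0, 1, 0, 0, 0], honest=[2, 3, 4, 5, 6], byzantine=[0, 1])
    print("decisions  :", d)
    print("reputations:", r)
```

With five honest and two always-busy nodes the OR rule is wrong in every idle round, while the sequential test survives the attackers' reports being processed first because two of them cannot reach the H1 threshold alone. Their reputation only grows in the round where the channel really is busy, so their weight shrinks relative to the honest nodes and the fusion decides in fewer reports as rounds go on.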
6.2. Network Layer Attacks and Mitigation
This layer handles spectrum decision and spectrum mobility, and is therefore responsible for
routing and handoff in the CRN. Attacks on this layer are related to routing and to information
transfer between CRs. The sinkhole attack is an example of a network layer attack: an attacker
broadcasts to all nodes that it offers the best route to a specific destination and asks its
neighboring nodes to forward their packets through it. The attacker can then use this position for
another attack, selective forwarding, in which it modifies or discards packets from any node in the
network [3].
Geographic routing protocols are used to mitigate sinkhole attacks. They construct an on-demand
topology in which traffic is routed toward the physical location of the base station, making it
difficult to lure the traffic elsewhere [3].
6.3. Transport Layer Attacks and Mitigation
The Lion attack is an example of a transport layer attack. It is a cross-layer attack performed
at the physical/link layer and targeted at the transport layer. An attacker generates a signal similar
to the primary user signal, which forces the CRN to perform frequency handoffs and thus degrades TCP
performance. TCP is unaware of the handoff and keeps sending packets without receiving any
acknowledgment; its timeout then expires and TCP retransmits the lost packets with an increased
timeout value. The retransmission timer backs off, doubling its value each time, resulting in delays
and packet loss [3].
A cross-layer detection mechanism is used to mitigate the Lion attack, making the TCP layer
aware of what is happening at the physical/link layer [3].
7. Conclusion
In this report we presented the concept of security in cognitive radio networks. We focused
mainly on physical layer attacks, in which attackers try to manipulate the inputs of the cognitive
radio's sensors in order to make the radio behave sub-optimally or maliciously.
In Primary User Emulation (PUE) attacks, the attacker targets the SU sensors by creating a
signal similar to the PU signal; the SU sees the attacker's signal and believes that the PU is
occupying the channel, so the system loses the channel and its utilization drops. In Objective
Function Attacks, the adversary aims at minimizing the objective function that the CR device computes
to determine its optimum communication parameters. In Malicious Behavior Attacks, the adversary tries
to jam communication in the CR network and cause denial of service.
Possible mitigation techniques for the addressed security issues were also discussed: PUE
mitigation through PU transmitter verification, conventional localization of the PU transmitter or
fingerprinting, and frequency hopping as a solution for Malicious Behavior Attacks.
A broad overview of higher layer attacks and mitigation techniques was also presented: link
layer, network layer and transport layer attacks were discussed briefly along with some ideas for
their mitigation.
8. References
[1] J. Mitola, Cognitive Radio: An Integrated Agent Architecture for Software Defined Radio. Ph.D. Dissertation, KTH, 2000.
[2] T. C. Clancy and N. Goergen, Security in Cognitive Radio Networks: Threats and Mitigation, Cognitive Radio Oriented Wireless Networks and Communications (CrownCom) conference, 2008.
[3] Wassim El-Hajj, Haidar Safa and Mohsen Guizani, Survey of Security Issues in Cognitive Radio Networks, Journal of Internet Technology, Volume 12 (2011), No. 2.
[4] Ruiliang Chen, Jung-Min Park and J. H. Reed, Defense against Primary User Emulation Attacks in Cognitive Radio Networks, IEEE Journal on Selected Areas in Communications, Volume 26, Issue 1.
[5] Ruiliang Chen and Jung-Min Park, Ensuring Trustworthy Spectrum Sensing in Cognitive Radio Networks, 1st IEEE Workshop on Networking Technologies for Software Defined Radio Networks, 2006.