Security Issues in Cognitive Radio Networks (CRN)

Peng ZangApr. 13, 2012

1

Outlines• Why Using CRN and its goal• Elements of CRN• Specific security issues of CRN• Selected attack models• Several potential solutions and models• Conclusion

2

Why CRN• Spectrum crisis

– Most spectrum are occupied by licensed users– Exploit idle portion of the licensed spectrum

• Goals– Coexistence with Primary Users (PU)– Coexistence with other Secondary Users (SU)– Using spectrum effectively and fairly

– Maximum throughput– Fairly allocated spectrum to each SUs

3

Elements of CRN• Spectrum sensing• Spectrum analysis and decision making• Dynamic Spectrum Access and Allocation (DSA)• Software defined Radio (SDR)

– Cognitive capability– Reconfigurability

4

Attack against CRN• Primary User Emulation Attack (PUE)• Spectrum Sensing Data Falsification Attack (SSDF)• Common Control Channel Attack (CCC)• Beacon Falsification Attack (BF)• Cross layer attacks• Software Defined Radio Attacks (SDR)• etc..No modification to the incumbent signal should be required to

accommodate opportunistic use of the spectrum by SUs. – FCC

5

PUE attack• An attacker emulates PU to

force SUs leave the vacant channel

• High probability of success• Could lead to DoS attack

• 3 models will be presented: Signal feature based;Localization based;Lion attack;

Figure 1. A simplified PUEA scheme [1]

6

Background knowledges

• Received signal• Path loss :• Log-normal Shadowing:

• Received energy:

Path loss : constantShadowing

7

Variance of shadowing parameter

PUE attack 1.1: Signal feature based – Assumptions

• SU & Attacker know r1, attacker know r2 & r3.• SU & PU : stationary• Energy detection is adopted• Attack knows and waveform of PU signal

• When signal transmitter is:– PU:

– Attacker:

8

Different and unique

PUE defense Model 1.1 – naive defense

• Received signal energy:• they are i.i.d. And follow the same distribution as • Use unbiased estimator:

• Determination:

Keys for determination

Threshold

Step1:

Step2:

9

PUE attack 1.2: advanced attack

• Goal: Make SU receive emulation signals has same power level as PU signal:

• Need two parameter first:• Attacker received signal from PU:

where:

10

PUE attack 1.2: advanced attack cont'd

• From MLE, parameters are found:

• Design of emulation signal:

• Leads to:

The emulation signal transmitted with power:

11

Advanced Defense 1.2: Variance detection

• Basic idea: Detect PU channel parameter –• Using unbiased estimation:

• Detection:

12

Advanced Defense 1.2: Variance detection

• Decision making:

• However, there are always trade-offs

13

Naïve detection simulation[1]

14

Advanced variance detection[1]

15

m sensing attempts[1]

16

PUE attack defense model 2: localization based[2]

• Basic idea: Transmitter's location verification• Methods:

– Received Signal Strength (RSS); – Need help from Wireless Sensor Network (WSN)

• Assumptions:– WSN distributed uniformly– Attacker not in the same position as PU

• RSS Model:• Variance: mean:

17

18

RSS smoothing procedure

Pivot point 1

Pivot point 2

Transmitter

RSS Smoothing Procedure• Step 1: Calculate Median value of RSS in each pivot point.

– For Pivot point 1 (R0):

– Find minimum value of

19

RSS Smoothing Procedure– For Pivot point 2 (R1):

– Find maximum value of

• Step 2: Get a loose lower bound:

20

RSS Smoothing procedure• Step3: Obtain

– P: confidence level– New R.V. X0:

• Then r and d must satisfy:

21

Results

22

Results

23

PUE attack 3: Lion Attack Model [4]• Intelligent algorithm: attack TCP transmission utilizing

retransmission timer back off.• Analytical Model:

•

24

25

Assumptions and definitions• Each attack lead to a handoff• Fixed handoff time: Fixed detection time: • R.V.: Another R.V.:• Round Trip Time(RTT) < Minimum Retransmittion Time

Out(RTO)• At least one handoff take place• Probability of k handoffs in an interval (x',x'+τ) is • Then:

26

RTO and Retransmission time• Retransmission Time Out (RTO):

• Retransmission Time instant:

27

Analytical model of lion attack [4]

28

Find Inactivity Time• Probability that inactive time is a given value:

• Expected average time of inactivity:

29

Pr(every t’ before this one happened in a handoff)

Find Inactivity Ratio• Find TCP inactivity percentage:

• Average activity time:

30

Performance

31

PUE attack Conclusion• Model 1.1 &1.2

– Goal: Authentication– Channel parameters Map vs. Public/Private Key

• Model 2– WSN vs. KDC

• Model 3– RTO vs. Secrete Key

32

SSDF : Model

• Assumptions: – In distributed sensing; – Fixed graph for the network; – Duplex wireless connections;– Attackers are in the graph and send falsified

information to SU;– Energy detection model is used.

33

Basic idea• Step1: Get mean value of sensing result from neighbor nodes

• Step2: Exclude most deviate neighbor node

• Step3: Consensus algorithm

34

Basic idea con't• Step 4: Compare with threshold:

• Vector form of algorithm:

• P: double Stochastic Matrix – ensure convergence of x* in whole network

35

Conclusion• Consensus

vs. Trust model

• To trust, or not to trust…

36

References[1] Ruiliang Chen; Jung-Min Park; Reed, J.H.; , "Defense against Primary User Emulation Attacks in Cognitive Radio Networks," Selected Areas in Communications, IEEE Journal on , vol.26, no.1, pp.25-37, Jan. 2008

[2] Zesheng Chen; Cooklev, T.; Chao Chen; Pomalaza-Raez, C.; , "Modeling primary user emulation attacks and defenses in cognitive radio networks," Performance Computing and Communications Conference (IPCCC), 2009 IEEE 28th International , vol., no., pp.208-215, 14-16 Dec. 2009

[3] Yu, F.R.; Tang, H.; Minyi Huang; Zhiqiang Li; Mason, P.C.; , "Defense against spectrum sensing data falsification attacks in mobile ad hoc networks with cognitive radios," Military Communications Conference, 2009. MILCOM 2009. IEEE , vol., no., pp.1-7, 18-21 Oct. 2009

[4] Hernández, J.; León, O.; Soriano, M. “Modeling the lion attack in cognitive radio networks. Eurasip journal on wireless communication and networking, 2011, vol. 2011, p. 1-10.

[5] Nansai Hu; Yu-Dong Yao; Mitola, J.; , "Most Active Band (MAB) Attack and Countermeasures in a Cognitive Radio Network," Wireless Communications, IEEE Transactions on , vol.11, no.3, pp.898-902, March 2012

37

Thank you !• Questions?

38