
    Survey of Security Issues in Cognitive Radio Networks

    Wassim El-Hajj (1), Haidar Safa (1), Mohsen Guizani (2)

    (1) Computer Science Department, American University of Beirut, Lebanon

    (2) Computer Science Department, Western Michigan University, USA

    {we07, hs33}@aub.edu.lb, [email protected]

    Abstract

    Cognitive Radio (CR) is a novel technology that

    promises to solve the spectrum shortage problem by

    allowing secondary users to coexist with primary users

    without causing interference to their communication.

    Although the operational aspects of CR are being explored

    vigorously, its security aspects have gained little attention.

    In this paper, a brief overview of the CR technology is provided followed by a detailed analysis of the security

    attacks targeting Cognitive Radio Networks (CRNs)

    along with the corresponding mitigation techniques.

    We categorize the attacks with respect to the layer they

    target starting from the physical layer and moving up

    to the transport layer. An evaluation of the suggested

    countermeasures is presented along with other solutions

    and augmentations to achieve a secure and trusted CRN.

    Keywords: 

    1 Introduction

    The ever increasing demand of spectrum due to the

    rapid introduction of novel wireless applications has led

    the Federal Communication Commission (FCC) to approve

    in September 2010 new rules to allow unlicensed users

    to utilize the spectrum reserved for wireless broadband

    services (300MHz and 400MHz). The technology

    developed to take advantage of this unused spectrum is

    Cognitive Radio Networks (CRNs) which are intelligent

    networks that adapt to changes in their environments to

    make a better use of the radio spectrum. CRNs help solve

    the problem of spectrum shortage by allowing unlicensed

    users to use primary systems without interference. This

    technology allows the coexistence and sharing of licensed

    spectrum resources between two types of users, licensed

    and unlicensed.

    Cognitive Radio (CR) nodes have unique capabilities

    which allow them to take advantage of available white

    spaces in a spectrum. A study made at the Berkeley

    Wireless Research Center (BWRC) shows that most

    spectrum, particularly from 1 GHz to 10 GHz is under-

    utilized, as shown in Figure 1. The nodes can sense

    their environment and spectrum, analyze the discovered

    information, and adjust to the sensed environment. CR

    nodes discover white spaces by performing spectrum

    sensing, the ability to identify or detect holes in a spectrum.

    The techniques used to make use of these holes fall under

    the term Dynamic Spectrum Access (DSA). The two

    most significant challenges in CRNs are transparency to

    primary users and non-interference.

    Figure 1 Spectrum Utilization Measurement

    The successful deployment of CRNs includes the

    correct construction and maintenance of security measures

    to combat attacks launched against them. We categorize the

    attacks on CRNs into four major classes: Physical Layer

    attacks, Link Layer attacks (also known as MAC attacks),

    Network Layer attacks, and Transport Layer attacks. In

    Physical Layer, we discuss Primary User Emulation (PUE),

    Objective Function Attack, and Jamming. In Link Layer,

    we discuss Spectrum Sensing Data Falsification (SSDF),

    Control Channel Saturation DoS Attack (CCSD), and

    Selfish Channel Negotiation (SCN). In Network Layer,

    we mainly discuss the routing attacks that are relevant to

    CRNs, for instance, HELLO Flood attack and Sinkhole

    attack. In Transport Layer, we discuss the Lion Attack.

    Some of these attacks might target different layers such as

    jamming which can be done in either the physical or MAC

    Layers. After presenting each attack we discuss in detail

    the techniques used to mitigate it. We then evaluate these

    countermeasures showing their strengths and weaknesses.

    The rest of the paper is organized as follows. In Section

    2, we give a brief overview of the CR technology. In

    Section 3, we discuss spectrum sensing which is considered

    the most essential step in CRNs. In Section 4, we discuss

    Journal of Internet Technology Volume 12 (2011) No.2

    in detail the attacks targeting CRNs and the corresponding

    countermeasures. In Section 5, we present an evaluation

    study of the existing countermeasures. In Section 6, we

    present general frameworks for secure and trusted CRNs.

    In Section 7, we conclude the paper and present our future

    work.

    2 Brief Overview of Cognitive Radio Technology

    CRNs are intelligent networks that adapt to changes

    in their environments to make a better use of the radio

    spectrum. Sometimes a frequency may be licensed to a

    primary system, but it is not used fully. Consequently,

    spectrum holes or white spaces are created. CRNs help

    solve the problem of spectrum utilization by allowing

    unlicensed users to use primary systems without

    interference. For example, a device with CR capabilities

    may locate spectrum holes in the frequency band of a TV

    network with the existence of a GSM network. The device

    can then decide to make calls and communicate with other

    CR devices using these holes.

    There are two types of CRs [1]: Policy Radios and

    Learning Radios. Policy radios have some predefined

    policies that determine the behavior of a radio. When

    a radio gathers information from the surrounding

    environment, the information is then turned into statistics

    that determine the radio’s state. Learning radios have an

    extra component which is a learning engine; this engine

    allows them to configure and re-configure their states.

    Radios with a learning engine are able to try out different

    parameters and determine which works well in a particular

    environment. It is important to point out the different types

    of CRs in order to be able to demonstrate the different

    effects similar attacks have on them. For example, in a

    policy radio, an attacker with knowledge of how statistics

    are calculated can affect them and force a desired output.

    This attack can affect learning radios as well; however, as

    they have a learning engine the attack can have a longer

    effect on them as they learn or accumulate information

    from this experience which may dictate a certain behavior

    in the future. The Objective Function Attack discussed in

    section 4 is an example of such an attack that has a bigger

    impact on learning radios than policy radios.

    A CR node has the following capabilities [2]: Cognitive

    capability by which the node can sense the environment

    and the spectrum, Self-organized capability which is the

    node’s ability to analyze discovered information, and

    Reconfigurable capability where the node is able to adapt

    to the sensed environment. Cognitive capability includes

    spectrum sensing which refers to the ability to identify or

    detect spectrum holes. This operation must be done with

    little to no interference with the licensed users' traffic

    or communication. In addition, it includes network and

    service discoveries; for example, what kind of networks

    are nearby (WiFi, GSM, etc.) and what services are

    provided by these networks. A self-organized capability

    provides management of the connection between the

    different CR nodes that happen to be in the same area. A

    good connection management can help CR nodes in route

    selections. The ability of the radio to change its frequency

    and adapt to available networks and services is one of the

    reconfigurable capabilities. Figure 2 presents a generalized

    snapshot of CR architecture.

    CRNs are organized in three different architectures:

    Infrastructure, Ad-Hoc and Mesh. An infrastructure CRN

    (Figure 3) has base stations or access points. A device with

    CR capabilities may communicate with other devices within

    the range of the base station through the base station itself.

    Communication between devices in different cells is routed

    by the base stations. On the other hand, ad-hoc CRNs

    (Figure 4) are formed by devices without the need for base

    stations; the devices can establish links between each other

    using different communication protocols. For example,

    they may use existing protocols such as Bluetooth, or

    they may use spectrum holes. The final architecture is the

    Mesh (Figure 5) which is basically a combination of the

    aforementioned architectures. It allows devices to connect

    to the base stations through neighboring devices, and then

    the base stations work as routers and forward the packets.

    Discussion about cognitive radio cannot be complete

    without discussing its most important component, Spectrum

    Sensing. Spectrum sensing is the task of obtaining

    awareness about the spectrum usage and existence of

    primary users in a geographical area. In the next section,

    we give a brief overview about how spectrum sensing is

    done in CRNs.

    Figure 2 General Architecture of Cognitive Radio


    3 Spectrum Sensing

    In order for a CR node (secondary user) to acquire a

    service, it undergoes spectrum sensing to decide on the

    band to use for transmission, i.e., it searches for spectrum

    holes in a specific frequency, and then it exploits the

    existence of these holes to be able to use that frequency

    for communication. This technique is called Dynamic

    Spectrum Access (DSA). However, making sure that this

    sensing process is reliable is a challenging task for CRs

    because of the signal fading due to the low received signal

    strength which may result in the hidden node problem. This

    problem lessens in distributed spectrum sensing (DSS)

    where multiple secondary users cooperate and share their

    sensing measures and send them to a data collector [3].

    Indeed, each sensing terminal conducts the local spectrum

    sensing then reports these local sensing results to the data

    collector which in turn executes data fusion techniques

    and determines the final spectrum sensing result. Sensing

    can also be done in a completely ad hoc architecture where

    no data collector is present as shown in Figure 6 [4]. The

    Common Control Channel (CCC) is used to facilitate the

    message exchange between users and support spectrum

    sensing coordination.

    Figure 3 Infrastructure Architecture

    Figure 4 Ad Hoc Architecture

    Figure 5 Mesh Architecture

    Figure 6 Spectrum Sensing in an Ad Hoc Architecture


    Depending on the CRN architecture, many techniques

    have been suggested to determine the final spectrum

    sensing result. The three most popular ones are matched

    filter, energy detection and cyclo-stationary feature

    detection. Although other techniques have been suggested,

    we decided to include a brief description of these three

    mechanisms for completeness. The energy detection

    technique is the most common because of some features

    it possesses that prevail over the other techniques. For

    example, matched filter utilizes the signal-to-noise ratio to

    detect the presence of a primary user [5]. The disadvantage

    is that it needs to have prior knowledge of the primary

    user signal characteristics, such as modulation type and

    order, pulse shaping and packet format. On the other hand,

    when such knowledge is unavailable, energy detection is

    used as an alternative.

    Cyclo-stationary feature detection can detect primary

    users’ signals with low signal-to-noise ratio, but it is

    very difficult to implement because it is computationally

    complex [5-6]. In addition, it requires having prior

    knowledge of the primary user signal. In cyclo-stationary

    feature detection the primary user signal is sampled and

    the amplitude is normalized. If the amplitude is periodic

    and there exists a peak value for each period, this value is

    compared to a predetermined threshold. If a periodicity is

    found, the band is then determined to be used by a primary

    user. Otherwise, the band is determined to be free of

    primary users’ signals.

    Energy detection works according to the following

    rationale: “The channel with low power has high

    probability to be an unoccupied channel” [5]. Therefore,

    the entire detected bandwidth is scanned, and then some

    channels are selected by sorting them in an ascending order

    based on the power of each channel. The channel with the

    lowest power is then chosen for use by secondary users.

    The disadvantage of energy detection is its naïve way of

    differentiating between primary user and secondary user

    signals [7]. If a secondary user detects a signal it recognizes

    then it assumes that it is another secondary user; otherwise,

    it determines that it is the signal of a primary user. This

    shortcoming has severe repercussions in CR security as it

    facilitates Primary User Emulation attacks.

    Many other spectrum sensing and access techniques

    have been suggested in the literature. For instance, in [8] a

    sensing method which improves the efficiency of spectrum

    access without causing interference to licensed bands

    was formulated as a constrained parameter optimization

    problem, and solved using a numerical algorithm. In [9],

    a Distributed Medium Access Control access protocol for

    CR ad-hoc networks is suggested. The protocol relies on

    time slots for scanning primary system frequencies to allow

    secondary users to use the frequency. In [10], a technique

    called Sensor Network Aided Cognitive Radio is suggested

    to enable licensed and unlicensed wireless users to use

    available networks with minimum interference to each

    other. The nodes of the CRN send queries to the sensor

    network exploring the existence of spectrum holes in the

    primary network. Upon receipt of the query, the sensor

    network scans the primary network, and responds with the

    available holes back to the secondary users. Yucek et al.

    present a good survey of spectrum sensing algorithms for

    CRNs [11].

    4 Cognitive Radio Networks: Attacks and Countermeasures

    Unlike most of the surveys that address the attacks on

    CRNs, we categorize the attacks according to the layers

    they target: Physical, Link, Network, and Transport. Since

    CRNs can be considered a special kind of Ad Hoc network,

    most of the attacks targeting Ad Hoc networks can also

    target CRNs. In this survey, we analyze the attacks that are

    most relevant to CRNs.

    It is important to note that there already exist some

    surveys on CRNs [12-13], but they have many weaknesses

    in the sense that they fail to address some very important

    attacks, they are outdated, and most importantly

    none presents an evaluation study of the various

    countermeasures.

    Any solution suggested to counter CRN attacks should

    abide by the FCC requirement which states that “no

    modification to the incumbent system should be required

    to accommodate opportunistic use of the spectrum by

    secondary users” [14]. Having this requirement in mind,

    any security solution suggested to protect or thwart an

    attack on CRN should be introduced to the secondary user

    system, not the primary one.

    4.1 Physical Layer Attacks

    Before discussing the physical layer attacks on CRN

    and the corresponding countermeasures, we highlight the

    work done in [15] that addresses the physical-layer security

    issue of a secondary user in CRN from an information-

    theoretic perspective where a secure multiple-input single-

    output (MISO) cognitive radio channel was considered. In

    MISO, a multi-antenna SU transmitter sends confidential

    information to a legitimate SU receiver in the presence

    of an eavesdropper and on the licensed band of a primary

    user (PU). The approach defines the Secrecy Capacity as

    the maximum achievable rate at which the data can be

    reliably sent from the SU transmitter to the legitimate SU

    receiver but is kept perfectly secret from Eavesdropper.

    The secrecy capacity of a secure MISO CR channel has

    been characterized. Two numerical approaches have been


    proposed to compute the secrecy capacity and the capacity-

    achieving transmit covariance matrix. By exploring the

    inherent convexity, the first approach has transformed the

    original quasiconvex problem into a single semidefinite

    program, which can be solved efficiently. By exploring the

    relationship between the secure CRN and the conventional CRN, the

    second approach has transformed the original problem

    into a sequence of optimization problems related to the

    conventional CRN.

    4.1.1 Primary User Emulation (PUE)

    One of the Cognitive Radio principles is that a

    secondary user is allowed to use a specific band as long

    as it’s not occupied by a primary user. However, once the

    secondary user detects the presence of a primary user, it

    must switch channels immediately to an alternative band

    in order not to cause interference to the primary user. If the

    secondary user detects another secondary user using the

    same band, certain mechanisms should be used to share the

    spectrum fairly.

    Primary User Emulation (PUE) attack [14][16] is

    carried out by a malicious secondary user emulating a

    primary user or masquerading as a primary user to obtain

    the resources of a given channel without having to share

    them with other secondary users (Figure 7). As a result,

    the attacker is able to obtain full bands of a spectrum. The

    motivation behind the attack is divided into two categories:

    Selfish PUE attack and Malicious PUE attack. In the Selfish

    PUE attack, the attacker’s goal is to increase its share of

    the spectrum resources. In addition, this attack can be

    conducted simultaneously by two attackers to establish a

    dedicated link between them. In the Malicious PUE attack,

    the attacker’s goal is to prevent legitimate secondary users

    from using the holes found in a spectrum.

    [Figure 7 diagram labels: Primary User; Malicious user; Signals with the same characteristics as Primary User signals; Sensing Terminals; Local Spectrum Sensing Results; Data collector (Fusion center); Data Fusion; Final spectrum sensing result]

    Figure 7 Primary User Emulation Attack

    The PUE attack can target both types of cognitive

    radio, Policy Radios and Learning Radios [1], with different

    severity. When dealing with policy radios, the effect of the

    attack vanishes as soon as the attacker leaves the channel.

    The secondary user will then sense that the spectrum is idle

    and claim it. On the other hand, when dealing with learning

    radios, information about primary users’ current and past

    behavior can be gathered in order to predict when they will

    leave the channel, i.e., make it idle. The attacker can then

    perform the PUE attack during these idle times. Now the

    attack will have a long term effect on secondary users and

    they might never use the affected channel ever again.

    As mentioned in [12], new and more sophisticated PUE

    attacks can be performed when having some knowledge

    about the cognitive radio network. For instance, an

    attacker can utilize the CRN’s “quiet periods” to perform

    PUE attacks. A quiet period is the time during which all

    secondary users refrain from transmitting to facilitate

    spectrum sensing. During these periods, any user whose

    received signal strength is beyond a certain threshold

    is considered a primary user. This CRN feature can be

    exploited by an attacker who transmits during “quiet

    periods” to fool the rest of the nodes into treating it as a primary

    user. Another example is an attacker that performs new PUE

    attacks whenever the CRN makes a frequency handoff, i.e.,

    switches from one channel to another, thus degrading the

    data throughput of the CRN or completely leading to DoS.

    Such an attack assumes that the attacker can find the next

    CRN in a limited time.

    Apart from the experimental PUE attacks, an analytical

    model is described in [17] to obtain the probability of

    successful PUE attacks on secondary users. The authors

    provided lower bounds on the probability of a successful

    attack using Fenton’s approximation and Markov inequality.

    We discuss next the approaches used to thwart PUE attacks.

    • Defending Against Primary User Emulation Attack

    To defend against PUE attacks, the identity of the

    transmitting source needs to be identified, i.e., is the

    transmitting source a primary user or a malicious user? The

    usual and best approach of knowing the user identity is to

    apply cryptographic authentication mechanisms, such as

    digital signatures. But such an approach cannot be adapted

    because of the FCC regulation that prohibits altering

    primary user systems. Given this restriction and knowing

    that primary users’ locations are known ahead of time,

    researchers resorted to finding efficient ways of pinpointing

    the location of the transmitting source. If the location of the

    source matches the location of a primary user, the source is

    considered to be a primary user. Otherwise it is considered

    to be an attacker trying to emulate a primary user.

    In [14], two approaches have been suggested to

    determine the location of the transmitting source: Distance

    Ratio Test (DRT) which is based on received signal strength

    measurements and Distance Difference Test (DDT) which

    is based on signal phase difference. Both approaches are


    based on a transmitter verification procedure. The procedure

    uses a location verification method to distinguish between

    primary signals and secondary signals masquerading

    as primary signals. Some assumptions are set to create

    the environment where the attack is likely to occur. The

    primary users are TV broadcast towers with fixed locations,

    and there are some secondary user nodes within the range of

    the towers’ signals. There are trusted location verifiers (LVs)

    to perform DRT and DDT, and there are two types of LVs:

    master and slave LVs. A master LV has a database with

    the coordinates of the TV towers. LVs know their location

    from a secure GPS system. Finally, there exists a control

    channel between LVs used for their communication. LVs

    calculate the distances between them and the transmitters

    as they receive their signals. The signals can be from the

    towers or an attacker masquerading as a tower. Then the

    LVs compare them to their database of towers’ locations.

    If the verification fails, the transmitter of a given signal is

    considered to be an attacker. For these approaches to work,

    the data exchanged between the LVs must be encrypted

    and authenticated to avoid eavesdropping, modification or

    replay attacks executed by the attacker.

    Although DDT does not suffer from the drawbacks of

    DRT, DDT requires tight synchronization among the LVs

    that may be expensive to implement. These transmitter

    verification methods which verify the authenticity of a

    given signal by estimating its location and comparing it

    with the location of known incumbents are insufficient in a

    full mobile network where the incumbents are mobile and

    have low power [18].

    Both DRT and DDT can be fooled if the attacker is

    transmitting from the vicinity of the TV tower. A solution to

    this problem is presented in [7] by combining localization

    of transmitters with signal energy level detection. The

    following scenario is used to describe the suggested

    approach: The network consists of TV towers transmitters

    and receivers which represent the primary users. The

    secondary users are mobile devices with cognitive radio

    capabilities. The TV towers have a fixed location and

    energy level of hundreds of thousands of Watts while

    the mobile devices have energy level of few hundred

    milliwatts. This is important because an attacker may try

    to deceive other secondary users by transmitting from the

    vicinity of the TV tower, and here the level of the energy

    of the transmitter will be used in conjunction with the

    location.

    The authors named their approach Localization-based

    Defense (LocDef) which does transmitter verification

    in three steps: verification of signal characteristics,

    measurement of received signal energy level, and

    localization of the signal source [7]. LocDef uses RSS-

    based localization that exploits the relationship between

    signal strength and a transmitter location. The strength of

    a signal decreases as the distance between the transmitter

    and receiver increases. If a node was able to collect enough

    signal strength data from the nodes spread through a

    network, it can create a signal strength model which it

    can use then to estimate the location of the transmitter. To

    collect the RSS measurements, an underlying Wireless

    Sensor Network (WSN) will be used. WSN helps

    secondary users in spectrum-sensing and informing them of

    opportunities in the network.
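
The combination of localization and energy-level checking described above can be sketched as follows. This is an added example, not code from the paper or from [7]: it assumes a log-distance path-loss model, and the tower database, sensor positions, tolerances and function names are constructed for illustration.

```python
import math

# Assumed propagation model (not from the paper): log-distance path loss,
# rss_dbm = tx_dbm - 10 * n * log10(distance_in_metres), exponent n below.
PATH_LOSS_EXPONENT = 3.0

# Constructed incumbent database: one fixed TV tower, 100 kW (80 dBm).
TOWER_DB = {"tower-A": {"pos": (0, 0), "tx_dbm": 80.0}}

# Constructed positions (metres) of trusted RSS sensors.
SENSORS = [(2000, 1000), (-1500, 2500), (1000, -3000),
           (-2500, -1500), (3000, 3000)]


def path_loss_db(a, b):
    """Loss between two points; distance is clamped to 1 m to avoid log(0)."""
    return 10.0 * PATH_LOSS_EXPONENT * math.log10(max(math.dist(a, b), 1.0))


def simulate_rss(tx_pos, tx_dbm):
    """Constructed, noise-free readings [(sensor_pos, rss_dbm), ...]."""
    return [(s, tx_dbm - path_loss_db(tx_pos, s)) for s in SENSORS]


def localize(readings, span=4000, step=250):
    """Grid search for the position that best explains the readings.

    For a candidate position, each sensor implies a transmit power
    (rss + path loss). At the true position these agree, so the score is
    the spread of the implied powers and their mean is the power estimate.
    """
    if len(readings) < 4:
        raise ValueError("need at least 4 sensors to fit x, y and power")
    best = None
    for x in range(-span, span + 1, step):
        for y in range(-span, span + 1, step):
            implied = [rss + path_loss_db((x, y), s) for s, rss in readings]
            mean = sum(implied) / len(implied)
            score = sum((p - mean) ** 2 for p in implied)
            if best is None or score < best[0]:
                best = (score, (x, y), mean)
    return best[1], best[2]


def verify(readings, loc_tol_m=500.0, power_tol_db=6.0):
    """Classify a transmitter using location first, then energy level."""
    pos, est_dbm = localize(readings)
    for name, tower in TOWER_DB.items():
        if math.dist(pos, tower["pos"]) <= loc_tol_m:
            if abs(est_dbm - tower["tx_dbm"]) <= power_tol_db:
                return "primary", name
            # Right place, wrong power: a low-power emitter near the tower.
            return "suspect-power", name
    return "suspect-location", None


if __name__ == "__main__":
    cases = {
        "real tower": ((0, 0), 80.0),
        "emitter far from tower": ((2500, -2000), 27.0),
        "emitter next to tower": ((250, 0), 27.0),
    }
    for label, (pos, dbm) in cases.items():
        print(label, "->", verify(simulate_rss(pos, dbm)))
```

Real RSS readings are noisy, so a deployment would average many samples per sensor and widen the tolerances accordingly.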

    In [19], another localization strategy was suggested

    by first applying the Time Difference of Arrival (TDOA)

    method and then the Frequency Difference of Arrival

    (FDOA). TDOA will run first to provide certain inputs

    (motion vector) to FDOA, which in turn pinpoints

    the accurate location of the transmitting source. Both

    approaches ([19-20]) rely on many assumptions that make

    them very restrictive and not applicable to general CRN.

    Apart from localization, fingerprinting has been used

    to authenticate the transmission source [21]. Initially,

    Radio Frequency Fingerprinting (RFF) has been proposed

    as means of enhancing security in wireless networks [22].

    RFF consists of using a certain unique, short duration

    distinctive behavior of emitter present in the waveforms

    emitted by a transceiver when activated to identify an

    emitter. It has been attributed to the acquisition behavior

    of frequency synthesis systems, modulator subsystems,

    RF amplifiers as well as physical properties of the emitter.

    The idea is that by monitoring and analyzing a network’s

    analog signal at the physical layer, it is possible to identify

    emitters and address security related issues. Although an

    optimal solution was claimed, this approach requires heavy

    computation and large samples for training data. To address

    this drawback, a cross layer signal pattern recognition

    technique was proposed in [21]. This approach exploits a

    unique property called Electromagnetic Signatures (EMS)

    (which can be compared to the human biometric feature)

    of each CR device to build a security sub-system. A PHY

    attacker model that exploits the adaptability and flexibility

    of CRN was described. Then to thwart this attack,

    waveform pattern recognition is used to identify emitters

    and detect camouflaging attackers by using the EMS of the

    transceiver. In this approach, a malicious device is detected

    based on its signal pattern with certain levels of deviation.

    The main two processes that are involved in the execution

    of this scheme are the enrollment for data collection and the

    testing in order to identify a user. This approach is a cross-

    layer security module which is capable of highlighting

    distinctions among cognitive radio devices. It is designed

    to learn the foolproof initial unique characteristic of CR

    devices and compares it with subsequent transmissions

    for validation and authentication. Although this approach


    was initially suggested to mitigate DoS threats in general,

    it can be perfectly tailored to defend against PUE attacks

    since it can be used to authenticate the transmission source.

    However, there is a likely increase in storage requirement

    and total sensing time due to possible overhead of extra

    signal processing operations.

    Another fingerprinting approach was suggested in [20].

    The suggested approach works by erasing the modulation

    of all received signals to get the carrier with phase noise.

    The phase noise for each transmitter is random but unique.

    After applying wavelet and higher-order statistics analysis,

    the authors generated what they called the fingerprint

    of the signal. The fingerprint is then used as the basis of

    transmitter identification to defend against PUE attacks.

    In [23], Wald’s sequential probability ratio test is

    used to detect PUE attack. The authors assumed that the

    transmission power of the attacker is fixed. Although

    detecting PUE attacks is a challenging problem, a more

    challenging one is to develop effective countermeasures

    once an attack is identified.

    4.1.2 Objective Function Attack 

    One of the many definitions of cognitive radio

    states that “Cognitive radio is a smart radio that has the

    ability to sense the external environment, learn from

    the history, and make intelligent decisions to adjust its

    transmission parameters according to the current state

    of the environment” [24]. The cognitive engine in the

    adaptive radio is the one responsible for adjusting the radio

    parameters in order to meet specific requirements such as

    low energy consumption, high data rate, and high security.

    Radio parameters include center frequency, bandwidth,

    power, modulation type, coding rate, channel access

    protocol, encryption type, and frame size [1]. The cognitive

    engine calculates these parameters by solving one or more

    objective functions, for instance find the radio parameters

    that maximize data rate and minimize power.

    When the cognitive engine is running to find the

    radio parameters appropriate to the current environment,

    the attacker can launch his attack by manipulating the

     parameters he has control on (transmission rate) in order

    to make the results biased and tailored to his interest. In

    [1], a scenario of an Objective Function attack is presented where the cognitive engine needs to maximize an objective

    function composed of transmission rate (R) and security (S),

    i.e., f = w1R + w2S, where w1 and w2 represent the weights

    of R and S. Whenever the cognitive engine attempts to use

    a high security level S, the attacker launches a jamming

    attack on the radio, thus reducing R and hence reducing

    the overall objective function. The cognitive engine will

    then refrain from increasing the security level in order not

    to decrease the objective function. This way, the attacker

    forces the radio to use a low security level that can be

    hacked. It is to be noted that this attack is effective on

    on-line learning radios only and has no effect on off-line

    learning radios [1][12].

    • Defending against Objective Function Attack

     No good solution has been suggested to defend against

    the Objective Function Attack. A simple suggestion has

     been made in [12] to define threshold values for every

    updatable radio parameter. If the parameters do not meet the

    thresholds, the communication stops. They also suggested

    getting help from a good Intrusion Detection System (IDS).

    4.1.3 Jamming

    In jamming, the attacker (jammer) maliciously sends out

     packets to hinder legitimate participants in a communication

    session from sending or receiving data; consequently,

    creating a denial of service situation. The jammer may

    send continuous packets of data so that a legitimate user

    never senses a channel as idle, or he can send these

     packets to the legitimate users and force them to receive

     junk packets. The jammer can also disrupt communication

     by blasting a radio transmission resulting in the corruption

    of packets received by legitimate users. A more dangerous

    attack a jammer can do is to jam the dedicated channel

    that is used to exchange sensing information between CRs

    (Common control data attack [25]). An attacker can still

    do damage if he just eavesdropped on the control data and

    knew the new channel the CRN is switching to. He can

    then jam it. Jamming is an attack that can be done in the

    physical and MAC layers. For this reason, we discuss it in the end of the Physical Layer Attacks section, just before

    the Link Layer Attacks section.

    There exist four types of jammers: Constant Jammer,

    Deceptive Jammer, Random Jammer, and Reactive Jammer

    [26]. The constant jammer sends out packets of data

    continuously with no regard to MAC-layer protocols. It

    doesn’t wait for the channel to be idle as the attacker starts

    sending its packets without any regard to other users on

    that channel. The deceptive jammer tricks the legitimate

    users. It sends out packets continuously making the other

    users switch into a receive state and remain in that state as

    they detect a constant stream of incoming data packets. The

    random jammer takes breaks between the jamming signals, and during its jamming phase it may behave as a constant

    or deceptive jammer. It takes some time off to reserve

    energy in case the jammer doesn’t have unlimited power

    supply. The reactive jammer senses the channel at all times,

    and whenever it senses communication in the channel it

    starts transmitting the jamming signals. This jammer is

    harder to detect because it’s not transmitting all the time.

    To perform MAC Layer denial of service attack, an

    attacker can send out packets on a specific radio channel

    making all devices within radio range assume that the


    channel is occupied and postpone their transmission of data

    [27]. To perform Physical Layer denial of service attack,

    an attacker may use a device capable of emitting energy at

    the same frequency used by other devices to communicate and interfere with their communication. Examples of such

    devices are programmable radios and waveform generators.

    An attack scenario is presented in [28], where a single

    cognitive radio jams multiple channels by switching

    through channels quickly after sending the jamming

    packets for a fixed period. There is an inter-jamming

    interval between each jamming period on each channel.

    After sending the jamming packets in the last channel, the

    attacker revisits the previous channels at the end of the

    inter-jamming interval, and repeats the jamming cycle.

    • Defending against Jamming

    Since DoS can be performed at the Link and Physical

    layers, the detection should be addressed at both layers. In

    the MAC-layer detection, devices can detect a denial of

    service attack by sensing the channel they want to transmit

    their packets on. A popular class for medium access control

    protocols is the one based on carrier-sensing multiple-access (CSMA). In CSMA, a device will continually sense

    a channel until it detects that it’s idle. Even then, it will

    wait for some time before starting transmitting (propagation

    delay) in order to make sure that the channel is clear.

    Suppose an attacker is sending packets on the same channel

    that the legitimate device wants to use for transmission,

    the legitimate device will never pass the carrier-sensing and will be forced to back off. Therefore, the device will

    know that it’s a victim of a denial of service attack. In the

    PHY-layer detection, legitimate devices should be able

    to distinguish between the normal and abnormal level of

    noise in a channel. They can do so by collecting enough

    data of the level of the noise in the network and building

    a statistical model to use for comparison when a denial of

    service attack occurs [27].

    In [26], a jamming detection technique that investigates

    the relationship between Signal Strength (SS) and Packet

    Delivery Ratio is suggested. Packet Delivery Ratio (PDR)

    is the ratio of packets delivered to a destination compared

    to the number of packets sent by a transmitter. If SS is high but PDR is low, a legitimate user may assume that

    it’s being jammed unless one of its neighbors has high

    SS and PDR. This technique is called Signal Strength

    Consistency Checks. Another technique called Location

    Consistency Checks is suggested to detect jamming where

    the location of the neighbors is important and can be

    acquired through GPS and then advertised by each node.

    A node is jammed when its neighbors should have been

    delivered at least a minimal amount of packets. A node will

    check its PDR and decide whether the PDR is consistent

    with what it should see given the location of its neighboring

    nodes. Theoretically, neighboring nodes that are close to

    a particular node should have high PDR values, and if all

    nearby neighbors have low PDR values this may lead to concluding that this user is either being jammed or has

    poor link quality with its neighbors.
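The signal-strength consistency check described above can be written as a small decision procedure. This is an added example, not code from the paper or from [26]; the two thresholds, the `LinkSample` record and the measurement windows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LinkSample:
    neighbor: str
    sent: int        # packets the neighbor transmitted to this node in the window
    delivered: int   # packets this node received intact in the window
    ss_dbm: float    # average signal strength measured during the window

PDR_LOW = 0.65        # assumed threshold: below this a link has "low PDR"
SS_HIGH_DBM = -75.0   # assumed threshold: at or above this the signal is "high SS"

def pdr(sample):
    """Packet Delivery Ratio: delivered packets over sent packets."""
    return sample.delivered / sample.sent if sample.sent else 0.0

def classify_node(samples):
    """Classify one node's measurement window as 'not-jammed', 'jammed' or 'poor-link'."""
    if not samples:
        return "poor-link"        # no neighbor heard at all, nothing to compare
    # A single neighbor that still delivers normally rules out jamming at this node.
    if any(pdr(s) >= PDR_LOW for s in samples):
        return "not-jammed"
    # Every link has low PDR. A strong signal together with low PDR is the
    # inconsistent combination: energy is arriving, but not as decodable packets.
    if any(s.ss_dbm >= SS_HIGH_DBM for s in samples):
        return "jammed"
    # Weak signal and low PDR are consistent with distance or fading.
    return "poor-link"

# Constructed measurement windows (not real captures).
HEALTHY  = [LinkSample("n1", 100, 96, -62.0), LinkSample("n2", 100, 91, -70.0)]
JAMMED   = [LinkSample("n1", 100, 4, -58.0),  LinkSample("n2", 100, 0, -60.0)]
WEAK     = [LinkSample("n1", 100, 12, -93.0), LinkSample("n2", 100, 20, -90.0)]
ONE_GOOD = [LinkSample("n1", 100, 5, -60.0),  LinkSample("n2", 100, 88, -66.0)]

if __name__ == "__main__":
    for name, window in [("healthy", HEALTHY), ("jammed", JAMMED),
                         ("weak", WEAK), ("one good neighbor", ONE_GOOD)]:
        print(f"{name:18s} -> {classify_node(window)}")
```

In a deployment the thresholds would come from measurements taken while the network is known to be free of interference, as with the statistical noise model mentioned for PHY-layer detection.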

    Given the Jamming detection techniques just discussed,

    two strategies could be used to defend against jamming

    (DoS). The first strategy to escape denial of service is

    channel surfing, or frequency hopping. In this approach,

    communicators agree to use a different channel once a

    denial of service attack is detected through any of the

    abovementioned detection techniques. The second strategy

    is spatial retreat where legitimate users change their

    location to escape the interference range imposed by the

    attacker. Two things must be kept in mind in this approach,

    the users must leave the region where the attacker is located

    and they must stay within range of each other to continue

    communication [27].

    4.2 Link Layer Attacks

    4.2.1 Spectrum Sensing Data Falsification (SSDF)

    Spectrum Sensing Data Falsification, also known as

    the Byzantine Attack, takes place when an attacker sends

    false local spectrum sensing results to its neighbors or to

    the fusion center, causing the receiver to make a wrong

    spectrum-sensing decision [29][30]. This attack targets

    centralized as well as distributed CRNs. In a centralized

    CRN, a fusion center is responsible for collecting all the sensed data and then making a decision on which frequency

     bands are occupied and which are free. Fooling the fusion

    center will either deny some legitimate users from using

    a free band or allow users to use a band that is already

    occupied causing interference. Similar problems occur in

    a distributed CRN where decisions about the frequency

     bands’ status are made via collaboration between CR’s. But

    SSDF attack could be more harmful in a distributed CRN

     because the false information can propagate quickly with

    no means to control them. While in the centralized CRN,

    the fusion center can lessen the effect of false information

     by comparing the data received from all CRs and devising

    some smart techniques to know which CR might be lying.

    An analytical treatment of the attack was presented

    in [31] in which performance limits are established in

    terms of the fraction of Byzantine attackers that will make

    the fusion center blind and when no trust based approach

    would work. In [32], the system performance under certain

    quality of service (QoS) constraints was investigated, and

    the performance of collaborative sensing under malicious

    attacks and various conditions was studied.


    • Defending against Spectrum Sensing Data Falsification

    Several data fusion techniques were proposed to detect

    the Spectrum Sensing Data Falsification (SSDF) Attack.

    In [33], a Decision fusion technique is proposed where all collected local spectrum-sensing results are summed.

    If the sum is greater than or equal to a certain threshold

    (which is a specified value between 1 and the number of

    sensing terminals), then the final sensing result is “busy,”

    i.e., it denotes the presence of incumbent signal. Otherwise,

    the band is determined to be “free,” i.e., it denotes the

    absence of incumbent signal. Because interference to

    incumbents should be minimized, usually a conservative

    strategy is favored, which takes a threshold value of one.

    In this case, even if a band is free, as long as there is one

    sensing terminal that erroneously reports the presence of

    an incumbent signal, the final result will be busy, causing

    a false alarm. If an SSDF attacker exploits this feature

    and always reports the presence of an incumbent signal

    as its local spectrum sensing result, then the final result

    will always be busy. To prevent such a scenario, one can

    increase the threshold value. However, increasing the

    threshold value has the downside of increasing the miss

    detection probability. Moreover increasing the threshold is

    ineffective in decreasing the false alarm probability when

    there are multiple attackers.

    In [18], a data fusion technique called Weighted

    Sequential Ratio Test (WSRT) was proposed to counter

    Byzantine attacks. In an ad hoc architecture, any node

    that needs to conduct spectrum sensing becomes a data collector and collects local sensing reports from neighboring

    nodes. WSRT is composed of two major steps. The first one

    is reputation maintenance step where every node initially

    has a reputation value equal to zero, upon each correct local

    spectrum report the reputation value will be increased by 1.

    The second step is the actual hypothesis test step of WSPRT

    which is based on Sequential Probability Ratio Test [34] but

    with some adjustments so that the decision value takes into

    consideration the terminal’s reputation unlike the ordinary

    SPRT applied to the previous data fusion techniques. This

    WSRT approach is similar to various trust based data fusion

    schemes which are employed in wireless sensor networks

    (WSNs).

    A similar weight based fusion scheme was proposed in

    [35] to counter malicious nodes that transmit false sensing

    signals. In this approach, a trust approach and “pre-filtering

    techniques” are used. Permanent Malicious nodes are of

    two types, the “Always Yes” type and the “Always No”

    type. The “always yes” advertises the presence of a primary

    user nearby (i.e., increases the probability of false alarm)

    and the “always no” advertises the absence of a primary

    user nearby (i.e., decrease the probability of detection).

    The approach relies on pre-filtering the data to identify and

    nullify the malicious users that are sometimes “Faulty” and

    sometimes not permanently faulty, assigning a trust factor

    to each user (based on statistics from many users) that

    quickly identifies “Always Yes” and “Always No” nodes, and quantizing the data.

    In [36], a detection mechanism is proposed to identify

    Byzantine attackers by counting mismatches between their

    local decisions and the global decision at the fusion center

    over a time window and then removing the Byzantines from

    the data fusion process. The proposed scheme was shown

    to be robust against Byzantine attacks and it successfully

    removed the Byzantines in a very short time span.
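The threshold trade-off of the summed decision fusion in [33] and the mismatch counting of [36] can both be worked through in a few lines. This is an added example, not code from the paper or the cited works; the sensor error rates, the majority rule used as the global decision, the mismatch limit and the report window are assumptions constructed for illustration.

```python
from math import comb

def tail_at_least(n, p, k):
    """P(X >= k) for X ~ Binomial(n, p)."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def fusion_error_rates(n_honest, p_fa, p_d, n_always_yes, threshold):
    """False-alarm and miss-detection probability of the summed fusion rule.

    The band is declared busy when at least `threshold` terminals report busy.
    Each honest terminal has false-alarm probability p_fa and detection
    probability p_d; each always-yes attacker reports busy in every round.
    """
    need = threshold - n_always_yes      # busy reports still needed from honest CRs
    q_fa = tail_at_least(n_honest, p_fa, need)
    q_md = 1.0 - tail_at_least(n_honest, p_d, need)
    return q_fa, q_md

def fuse(reports, threshold):
    """Summed decision fusion over one round of {terminal: 0/1} reports."""
    return 1 if sum(reports.values()) >= threshold else 0

def flag_byzantines(window, max_mismatch):
    """Count each terminal's mismatches with the global decision over a window.

    Assumption: the global decision is a simple majority of all reports.
    Terminals with more than max_mismatch mismatches are flagged.
    """
    counts = {node: 0 for node in window[0]}
    for reports in window:
        decision = fuse(reports, len(reports) // 2 + 1)
        for node, bit in reports.items():
            if bit != decision:
                counts[node] += 1
    flagged = {node for node, c in counts.items() if c > max_mismatch}
    return counts, flagged

def trusted_decisions(window, flagged, threshold):
    """Re-run the fusion with the flagged terminals removed."""
    return [fuse({n: b for n, b in r.items() if n not in flagged}, threshold)
            for r in window]

# Constructed window of 8 sensing rounds; columns are terminals a..e and
# terminal e reports "busy" in every round.
NODES = "abcde"
WINDOW_BITS = ["00001", "01001", "11101", "00001",
               "00001", "11111", "00001", "00101"]
WINDOW = [dict(zip(NODES, map(int, bits))) for bits in WINDOW_BITS]

if __name__ == "__main__":
    for k in (1, 3, 5):
        for attackers in (0, 1, 3):
            q_fa, q_md = fusion_error_rates(10, 0.1, 0.9, attackers, k)
            print(f"threshold={k} attackers={attackers} Q_fa={q_fa:.4f} Q_md={q_md:.2e}")
    counts, flagged = flag_byzantines(WINDOW, max_mismatch=3)
    print("mismatches:", counts, "flagged:", sorted(flagged))
    print("threshold 1, all reports:     ", trusted_decisions(WINDOW, set(), 1))
    print("threshold 1, flagged removed: ", trusted_decisions(WINDOW, flagged, 1))
```

The mismatch count only isolates the attacker here because the majority decision it is compared against is still driven by honest terminals.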

    In [37], another Bayesian detection mechanism was

     proposed that requires the knowledge of a priori conditional

     probabili ties of the local spectrum sensing result (i.e.,

     presence or absence of incumbent). It also requires the

    knowledge of a priori probabilities of the final sensing

    result. Several combination cases exist from these local

    and final sensing results. These cases are either correct or

    wrong. A small cost is assigned to the correct ones and a

    large cost is assigned to the wrong ones. The overall cost

    is the sum of all the costs weighted by the probabilities

    of the corresponding cases. Bayesian detection outputs a

    final spectrum sensing result that minimizes the overall

    cost. When a network is under SSDF attacks, the values of

    the a-priori conditional probabilities of the local terminal

    sensing are not trustworthy. As a result, Bayesian detection

    is no longer optimal in terms of minimizing the overall

    cost.

    In [38], the Neyman-Pearson test was proposed which

    does not rely on the knowledge of a-priori probabilities

    of the final sensing or any cost associated with each

    decision case. Instead, it needs to define either a maximum

    acceptable probability of false alarm or a maximum

    acceptable probability of miss detection. The Neyman-

    Pearson test guarantees that the other probability is

    minimized, whereas the defined probability is acceptable.

    As with Bayesian detection, the Neyman-Pearson test

    also requires the knowledge of the a priori conditional

     probabilities of the local sensing.

    A malicious user detection algorithm that calculates

    the suspicious level of secondary users based on their past reports was proposed in [39]. This algorithm calculates

    trust values as well as consistency values that are used to

    eliminate the malicious users' influence on the primary

    user detection results. The results show that even a single

    malicious user can significantly degrade the performance

    of collaborative sensing. The trust value indicator can

    effectively differentiate honest and malicious secondary

    users. Furthermore, when a good user suddenly turns bad,

    the proposed scheme can quickly reduce the trust value of

    this user. If this user only behaves badly for a few times,


    its trust value can recover after a large number of good

     behaviors. If the bad behavior is consistent, the trust value

     becomes almost impossible to recover.

    In all the previous approaches, sensing results must be authenticated and a robust data fusion scheme must be

    deployed. This can be ensured through utilizing a sequential

     probability ratio test which collects more results and thus

    guarantees better decisions. Another solution would be

    to incorporate a “reputation-based scheme” into the DSS

    that ensures reputation maintenance and apply reputation

    information to data fusion.

    Although the trust based schemes, presented above,

    have shown satisfactory performance in some settings,

    an analytical study of their performance has not been

    carried out. Moreover, there is a lack of references on how

    severely the attacks would degrade the system performance.

    4.2.2 Control Channel Saturation DoS Attack (CCSD)

    In a multi-hop CRN, CRs communicate with each

    other after performing a channel negotiation process in a

    distributed manner. During the negotiation phase, MAC

    control frames are exchanged to reserve the channel.

    When many CRs want to communicate at the same time,

    the common control channel becomes a bottleneck as the

    channel can only support a certain number of concurrent

    data channels. An attacker can utilize this feature and

    generate forged MAC control frames for the purpose of

    saturating the control channel and thus decreasing the

    network performance due to Link layer collisions. As

    discussed in [40-41], the Control Channel Saturation DoS Attack leaves the CRN with a near-zero throughput. It

    is important to note that this attack only works on multi-

    hop CRNs and does not work on centralized CRN. This

    is because in centralized CRNs, all MAC control frames

    are authenticated and stamped by the base station. This

    fact makes forging MAC control frames an infeasible task.

    The mechanism used to defend against this attack will be

    discussed in the next section.

    4.2.3 Selfish Channel Negotiation (SCN)

    In a multi-hop CRN, a CR host can refuse to forward

    any data for other hosts. This will allow it to conserve its

    energy and increase its own throughput which resulted

    from selfish channel concealment [41]. Similar objectives can be achieved if the selfish host was able to alter the

     proper MAC behavior of the CR devices. For instance, if

    the host decreases its own back-off window size, it will

    have a higher chance of claiming the channel at the expense

    of other CR hosts. This attack can also severely degrade the

    end-to-end throughput of the whole CRN [41].

    • Defending against Control Channel Saturation and selfish channel negotiation

    Mitigating CCSD and SCN can be done by adopting

    a trusted architecture where any suspicious CR host will be monitored and evaluated by its neighbors. A neighbor

    can then perform a sequential analysis on the set of

    observation data, and conclude a final decision whether it is

    misbehaving or not. The Sequential Probability Ratio Test

    can be used for that purpose as it has proven its efficiency

    in terms of detection time [41].
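One way a neighbor could run the Sequential Probability Ratio Test over its observations is sketched here as an added example, not code from the paper or from [41]. The encoding of each observation as 1 (suspicious negotiation event) or 0, the rates p0 and p1, the error targets and the event log are all assumptions constructed for illustration.

```python
from math import log

def sprt_bounds(alpha, beta):
    """Wald's decision bounds on the log-likelihood ratio.

    alpha: tolerated probability of flagging a well-behaved neighbor
    beta:  tolerated probability of clearing a misbehaving neighbor
    """
    lower = log(beta / (1 - alpha))      # at or below: accept "well-behaved"
    upper = log((1 - beta) / alpha)      # at or above: accept "misbehaving"
    return lower, upper

def monitor(events, p0=0.1, p1=0.6, alpha=0.01, beta=0.01):
    """Run one SPRT per neighbor over a stream of (neighbor, suspicious) events.

    p0: assumed probability that a well-behaved host produces a suspicious event
    p1: assumed probability that a misbehaving host produces one
    Returns {neighbor: (verdict, observations_used)}.
    """
    lower, upper = sprt_bounds(alpha, beta)
    step_suspicious = log(p1 / p0)
    step_normal = log((1 - p1) / (1 - p0))
    llr, seen, verdicts = {}, {}, {}
    for neighbor, suspicious in events:
        if neighbor in verdicts:
            continue                     # test already terminated for this host
        step = step_suspicious if suspicious else step_normal
        llr[neighbor] = llr.get(neighbor, 0.0) + step
        seen[neighbor] = seen.get(neighbor, 0) + 1
        if llr[neighbor] >= upper:
            verdicts[neighbor] = ("misbehaving", seen[neighbor])
        elif llr[neighbor] <= lower:
            verdicts[neighbor] = ("well-behaved", seen[neighbor])
    for neighbor in llr:                 # hosts whose test has not terminated yet
        verdicts.setdefault(neighbor, ("undecided", seen[neighbor]))
    return verdicts

# Constructed observation log, interleaved as a monitoring node would see it.
EVENTS = [
    ("cr1", 0), ("cr2", 1), ("cr1", 0), ("cr2", 1), ("cr3", 1),
    ("cr1", 0), ("cr2", 0), ("cr1", 1), ("cr2", 1), ("cr3", 0),
    ("cr1", 0), ("cr2", 1), ("cr1", 0), ("cr1", 0), ("cr1", 0), ("cr1", 0),
]

if __name__ == "__main__":
    for host, (verdict, n) in sorted(monitor(EVENTS).items()):
        print(f"{host}: {verdict} after {n} observations")
```

The number of observations needed before a verdict is the detection time the text refers to; it shrinks as p0 and p1 move further apart and grows as alpha and beta are tightened.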

    4.3 Network Layer Attacks

    Much research has focused on the development of

    MAC and PHY layer protocols for CRNs, unfortunately

    end-to-end flow of the packets received insufficient

    attention. In addition, CR introduces challenges to routing

    due to the novel way they operate. Routing challenges

    faced in CRNs originate from the need for transparency in

    the existence of CR activities to primary users. In addition,

    CR nodes are required to leave any channel as soon as a

     primary user is detected on that channel which complicates

    the routing design even more. The three architectures of

    CRNs make the network vulnerable to some old fashion

    wireless network attacks. Also CRNs exhibit many

    similarities with sensor networks in the sense that they both

    use multi-hop routing protocols, and both of them have

     power constraints. A good survey on sensor network attacks

    can be found in [42]. In what follows, we discuss two of

    the most relevant attacks on CRNs namely: sinkholes and HELLO floods.

    4.3.1 Sinkhole Attacks

    In a sinkhole attack, an attacker advertises itself as

    the best route to a specific destination, luring neighboring

    nodes to use it to forward their packets [42]. An attacker

    may use this way to perform another attack called

    selective forwarding where an attacker is able to modify

    or discard packets from any node in the network. The

    attack is particularly effective in the infrastructure and

    mesh architectures as all traffic goes through a base station

    allowing the attacker to falsely claim that it is the best route

    for packet forwarding.

    • Defending against Sinkhole Attacks

    A sinkhole attack is hard to detect because it exploits

    the very design of the routing protocol and network

    architecture. However, there are protocols that are fortified

    against the attack which are geographic routing protocols.

    Geographic routing protocols construct a topology on

    demand using only local communications and information

    without initiation from the base station. Thus, traffic will be

    routed to the physical location of the base station and it will

    be difficult to lure it elsewhere to create a sinkhole [42].


    4.3.2 HELLO Flood Attacks

    The HELLO flood attack is accomplished when an

    attacker sends a broadcast message to all the nodes in a

    network with enough power to convince them that it is their neighbor [42]. For example, an attacker sending a packet

    advertising a high quality link to a specific destination will

    encourage even far away nodes to use this route convincing

    them that he is their neighbor. However, their packets will

     be lost, and if a node discovers the attack it will be left with

    no neighbors to forward its packets because all of them will

     be using the same route.

    • Defending against HELLO Flood Attacks

    To counter the HELLO flood attacks, a

    symmetric key should be shared with a trusted base station

    [42]. The base station will act as a Trusted Third Party

    as in Kerberos and facilitate the establishment of session

    keys between parties in the network in order to protect

    their communication. Consequently, two nodes may use

    the session key to verify each other’s identity, as well as

    authenticate and encrypt the link between them. Now, to

     prevent an attacker from creating a session key with every

    node on the network, the number of shared keys must be

    limited. In addition, a node claiming to be the neighbor

    of so many nodes in the network should raise an alarm.

    Symmetric key algorithms are suggested because they are

    known to be faster and have lower overhead on system

    resources.

    • General Techniques to Defend against Network Layer Attacks

    In general, one can defend against routing attacks by

    using a secure routing protocol, such as Secure Efficient

    Ad hoc Distance vector routing protocol (SEAD) [43].

    SEAD protects against denial of service attacks as it uses

    a one way hash function instead of asymmetric encryption

    to prevent attackers' attempts to cause other nodes to use

    more network bandwidth or processing time. The protocol

    operates as the vector routing protocol, and the design is

    based on Destination-Sequenced Distance-Vector protocol

    (DSDV).

    Another effective mechanism to defend against routing attacks is to use a cross layer solution to make the

    transmission more efficient [44]. It suggests that, instead of

    router’s direct decision, the routing algorithm and spectrum

    management should be considered together to make

    decisions for the channel scheduling.

    4.4 Transport Layer Attacks

    As with the other layers, the Transport layer in a CR

    node is also vulnerable to many of the attacks that target

    wireless Ad Hoc networks in general, for instance, the

    JellyFish attack [45]. In what follows, we only consider a

    transport layer attack named Lion Attack [46] because of its

    close relevance to CRNs.

    4.4.1 Lion Attack

    The Lion attack uses the primary user emulation (PUE)

    attack to disrupt the Transmission Control Protocol (TCP)

    connection. The Lion attack can be considered a cross-layer

    attack performed at the physical link layer and targeted at

    the transport layer where emulating a licensed transmission

    will force a CRN to perform frequency handoffs and

    thus degrading TCP performance. When a PUE attack is

     performed, all SUs have to do frequency handoff in order

    to free the channel for the primary user. When this handoff

    takes place, TCP will not be aware of the handoff and will

    keep creating logical connections and sending packets

    without receiving acknowledgments. The TCP segments

    will then start to timeout and consequently TCP retransmits

    them with an increased timeout value. As a result, the

    retransmission timer backs off doubling the value, resulting

    in delays and packet loss. Additionally if an attacker can

    intercept the messages, it can predict the frequency band

    tested in a handoff, and claim it using PUE resulting in a

    total network starvation.

    • Defending against Lion Attack

    To mitigate the Lion attack, Hernandez-Serrano et

    al. suggest a mechanism that starts by making the TCP

     protocol aware of what is happening in the physical layer

    by employing cross-layer data sharing between physical/link and transport layers [47]. This way, the CRN devices

    will be able to freeze TCP connection parameters during

    frequency handoffs and adapt them to the new network

    conditions after the handoff. To secure the control data in

    order to prevent the attacker from eavesdropping current

    and future actions of the CRN, a group key management

    (GKM) can then be used to allow CRN members to

    encrypt, decrypt and authenticate themselves. Finally,

    cross-layer IDSs specifically adapted to CRNs can be used

    as a technique to find the attack source if it still exists.

    Finally, cognitive radios must have some common

    sense [1]. Policies must be defined to cover all scenarios.

    In addition, some sort of cooperation between the different cognitive radios can be beneficial. In [1] a technique called

    particle swarm optimization (PSO) is mentioned. Each

    cognitive radio is a particle, and each has its own idea about

    what is the best behavior in a particular situation. However,

    this behavior is not dependent solely on its own idea, but a

    weighted average of all the ideas in the network. Next, we

    evaluate the countermeasures suggested in section 4.


    5 Evaluation Study

    In this section, we evaluate the suggested

    countermeasures putting a grade for each one. For every layer, we include the attack, its countermeasures, an

    evaluation discussion, and a grade. Three grades are used as

    follows:

    -  √  indicates that the suggested countermeasure is

    good and works for almost all scenarios

    -    indicates that the suggested countermeasure is

    very restrictive in the sense that it only applies to

    very specific scenarios or it requires the addition

    of extra infrastructure that does not normally exist

    in CRNs, for instance WSNs or LVs.

    -    indicates that the suggested countermeasure

    includes some minor drawbacks, but is

    acceptable.

    Tables 1, 2, 3, and 4 present the evaluation of the

    attacks countermeasures of the Physical, Link, Network,

    and Transport layers, respectively.

    The conclusion that can be made from table 1 is

    that a complete solution can be formulated to defend

    against Physical Layer attacks in CRN by combining

    fingerprinting, frequency hopping, and thresholding (to

    thwart OFA). The conclusion extracted from Table 2 is

    that by adopting a trusted CRN architecture and using a

    Weighted Sequential Ratio Test one can defend against Link

    Layer attacks. Tables 3 and 4 indicate that the suggested

    countermeasures are well suited to defend against Network and Transport layer attacks. Therefore, by combining

    these countermeasures (the ones graded as √), one can

    achieve a secure CRN. Although this suggestion can

     potentially produce the ultimate secure CRN, it might face

     performance problems. Other approaches were suggested to

    achieve a secure CRN; we discuss their approaches next.

    6 Sample Frameworks for Secure CRNs

    It is obvious from section 4 that CRNs are vulnerable

    to many serious attacks that hinder their usefulness. As

    discussed earlier, various mitigation techniques were

    suggested to each category of CRN attacks. In order to

    form a secure CRN, all these mitigation techniques need

    to be incorporated in the same CRN. However, such

    a solution becomes a bottleneck as most of the CR nodes’

     processing power will be spent on doing security checks.

    As an alternative, some researchers suggested building

    various security frameworks for CRN. The suggestions can

     be mainly categorized into: cryptography based, reputation

     based, and trust based.

    In [48], a CRN security framework based on

    cryptography is suggested that aims to provide

    authentication, confidentiality and integrity on CR nodes

    interactions. The framework uses 802.1X access control mechanism, a Key Distribution Center (KDC), a new

    CR terminal identification policy, and modified DHCP

    servers, which in turn work together to provide proper

    resource allocation and message authentication in DHCP

    transactions. The KDC is also used to authenticate the

    mapping between the addresses used in the ARP protocol

    (MAC and IP addresses), and to distribute session keys

    to neighbor CR terminals allowing them to share a secure

    dedicated channel. This architecture achieves security in

    CRNs since all services are supported by secret, shared

    session keys between interacting devices. However, no

    experimental evaluation was done to prove the effectiveness

    of this approach.

    In [49], a reputation based mechanism is suggested to identify and mitigate the harm done by misbehaving CRs that falsify sensed data while cooperative spectrum sensing is taking place. The scheme starts by choosing some nodes as trusted. It then categorizes the reputation of each CR into three states: discarded, pending and reliable. The sensing information of the trusted nodes is reliable by default. The reputation of the other CRs is initially assigned a pending state and is accumulated through a consistency check between global and local sensing decisions. Those that exceed the trusted threshold are updated to reliable, and their sensing results are then incorporated in CSS. The others are changed to discarded. Simulation results show that the scheme works well even when there is a large number of misbehaviors.
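    The reputation scheme summarized above, sketched as an added example; this is not code from the survey or from [49]. The +1/-1 reputation step, the promote and discard thresholds, majority-vote fusion, the node names and the constructed reports are all assumptions made for illustration.

```python
"""Reputation-based cooperative spectrum sensing (CSS) with trusted nodes.

Assumptions (not taken from [49]): +1/-1 reputation steps, the two
thresholds, majority-vote fusion, and every node report below.
"""
from dataclasses import dataclass

PENDING, RELIABLE, DISCARDED = "pending", "reliable", "discarded"
PROMOTE_AT, DISCARD_AT = 3, -3      # assumed reputation thresholds
TRUTH = [1, 0, 1, 1, 0, 1, 0, 0]    # constructed: 1 = primary user present


@dataclass
class Node:
    name: str
    trusted: bool = False
    reputation: int = 0
    state: str = PENDING


def majority(votes):
    """Fuse binary decisions; a tie resolves to 'present' (conservative)."""
    return 1 if 2 * sum(votes) >= len(votes) else 0


def run_round(nodes, reports):
    """Fuse the reliable nodes' reports, then run the consistency check."""
    decision = majority([reports[n.name] for n in nodes if n.state == RELIABLE])
    for n in nodes:
        if n.trusted or n.state == DISCARDED:
            continue                # trusted nodes are not scored; discards are final
        n.reputation += 1 if reports[n.name] == decision else -1
        if n.reputation >= PROMOTE_AT:
            n.state = RELIABLE      # sensing results now enter the fusion
        elif n.reputation <= DISCARD_AT:
            n.state = DISCARDED
        else:
            n.state = PENDING
    return decision


def build_reports(rnd):
    """Constructed local decisions for one round (not measured data)."""
    truth = TRUTH[rnd]
    reports = {name: truth for name in ("T1", "T2", "T3", "H1", "H2")}
    if rnd == 2:
        reports["T3"] = 1 - truth   # a trusted node makes one sensing error
    if rnd == 1:
        reports["H2"] = 1 - truth   # an honest node makes one sensing error
    for i in range(1, 7):
        reports[f"A{i}"] = 1 - truth  # six nodes always falsify their report
    return reports


def simulate():
    """Run all rounds; return nodes, scheme decisions, and naive all-node majority."""
    nodes = [Node(n, trusted=True, state=RELIABLE) for n in ("T1", "T2", "T3")]
    nodes += [Node("H1"), Node("H2")] + [Node(f"A{i}") for i in range(1, 7)]
    scheme, naive = [], []
    for rnd in range(len(TRUTH)):
        reports = build_reports(rnd)
        scheme.append(run_round(nodes, reports))
        naive.append(majority(list(reports.values())))
    return nodes, scheme, naive


if __name__ == "__main__":
    nodes, scheme, naive = simulate()
    print("truth :", TRUTH)
    print("scheme:", scheme)
    print("naive :", naive)
    for n in nodes:
        print(f"{n.name:3} rep={n.reputation:3} state={n.state}")
```

    With falsifying nodes in the majority (six of eleven), plain majority voting over all reports is wrong in every round, while the fusion restricted to reliable nodes follows the constructed ground truth.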

    In [50], a trusted cognitive radio networking (TCRN) concept is suggested to facilitate network functions such as association in dynamic spectrum access and routing. The authors argue that two major components should be present in a CRN trust model: trusted association and learning algorithms. Trusted association consists of the initial decision for a node to accept or reject the trusted association from a neighboring CR node. Moreover, each CR node should keep track of the information it collects and employ appropriate learning algorithms in order to make better decisions regarding trust measures, packet forwarding, and routing. TCRN was formulated mathematically and a conclusion was made that TCRN can allow more homogeneous operation of CRN as a heterogeneous wireless network.

    7 Conclusion

    In this paper, we described the most recent and important attacks targeting CRNs. We classified them according to the layer they operate on and presented their existing countermeasures. We then evaluated all the countermeasures, giving each one a grade that presents its effectiveness. According to these evaluations, we suggested combining the countermeasures that we think will produce the ultimate secure CRN. Such a suggestion should normally be supported by simulation results, but we keep this as part of our future work. We also overviewed the works that suggest building security frameworks for CRN from scratch.

    Table 1 Physical layer threats, countermeasures, and evaluations

    | Threat | Countermeasure | Evaluation | Grade |
    |---|---|---|---|
    | Primary User Emulation | Cryptographic authentication of primary users | Does not work as it requires altering the primary user system, which violates FCC regulations | |
    | | Distance Ratio Test (DRT) -- based on signal strength measurements [14] | Depends on trusted nodes called Location Verifiers (LVs). Major drawback is that tight synchronization among LVs is required and it can be fooled if the attacker is close to the tower | |
    | | Distance Difference Test (DDT) -- based on signal phase difference [14] | Same as DRT | |
    | | LocDef -- based on localization of the primary user [7] | Depends on a Wireless Sensor Network to collect RSS measurements. The RSS measurement of the primary user is compared to the collected ones. Major drawback is the addition of the WSN | |
    | | Localization strategy that applies TDOA then FDOA [19][20] | Major drawback of this approach is that it relies on many assumptions that make it very restrictive and not applicable to general CRN | |
    | | Wald’s sequential probability ratio test is used to detect PUE [23] | Major drawback of this approach is that it assumes that the transmission power of the attacker is fixed | |
    | | Fingerprinting approaches that are used to authenticate the transmission source [21] | Out of the suggested countermeasures, this approach is considered the best, but there is a likely increase in storage requirement and total sensing time due to possible overhead of extra signal processing operations | |
    | Objective Function Attack | Define threshold values for every updatable radio parameter. If the parameters do not meet the thresholds, the communication stops [12] | The major drawback of this approach is that it depends on fixed thresholds. A considerable improvement will be to make these thresholds adaptive. | |
    | | Use Intrusion Detection System (IDS) [12] | Using an IDS is a very general countermeasure that does not defend against all kinds of OFA | |
    | Jamming | Collect enough data of the level of the noise in the network and build a statistical model to use in distinguishing between normal and abnormal level of noise [27] | Drawback lies in the definition of “enough data”, i.e., what is the appropriate amount of data that should be used to build the model | |
    | | Compare Signal Strength and Packet Delivery Ratio - If SS is high, but PDR is low, a legitimate user may assume that it’s being jammed unless one of its neighbors has high SS and PDR [26] | There is no rule that decides on the relation between “high” and “low” when the authors say “If SS is high, but PDR is low.” This issue presents a major weakness in the suggested approach. | |
    | | Location Consistency Checks [26] | The location of the neighbors is important and can be acquired through GPS, but the drawback is that GPS might not always exist in a CRN. | |
    | | Frequency hopping | Good solution for jamming | √ |
    | | Spatial retreat | The user should be very careful when escaping from the jamming signal of the attacker since he needs to stay in range with the other user he is communicating with. | |


    Journal of Internet Technology Volume 12 (2011) No.2

    Table 2 Link Layer Threats, Countermeasures, and Evaluations

    | Threat | Countermeasure | Evaluation | Grade |
    |---|---|---|---|
    | Spectrum Sensing Data Falsification (Byzantine attack) | Decision fusion technique where all collected local spectrum-sensing results are summed and compared to a threshold to detect an attack [33] | The major drawback is in using fixed thresholds. In this particular countermeasure increasing and decreasing the threshold has major impact on the decision. Moreover, the method is ineffective in many scenarios that include multiple attackers. | |
    | | Weighted Sequential Ratio Test [18] | Solution is composed of 2 steps: a reputation maintenance step and the actual hypothesis test. No analytical studies have been conducted, but performance is good. | |
    | | Weight based fusion scheme [35] | Uses trust approach and pre-filtering techniques. Shows good performance. | √ |
    | | Detection mechanism that runs in the fusion center [36] | The fusion center identifies the attackers and removes them from the data fusion process. Only works when a centralized fusion center exists. | |
    | | Detection mechanism that requires a priori knowledge [37] | The major drawback is that the a priori knowledge becomes not trustworthy when a network is under SSDF attack, and thus the suggested detection mechanism becomes no longer optimal in terms of minimizing the overall cost | |
    | | Neyman-Pearson Test [38] | Works by defining either a maximum acceptable probability of false alarm or a maximum acceptable probability of miss detection. It still requires a priori conditional probabilities of the local sensing | |
    | | Detection mechanism based on trust [39] | The major drawback is that the scheme cannot be applied to multiple malicious users scenario. | |
    | Control Channel Saturation DoS Attack | Detection mechanism based on trust [41] | The suggested countermeasure adapts a trusted architecture where any suspicious CR host will be monitored and evaluated by its neighbors. A neighbor can then perform Sequential Probability Ratio Test to reach a final decision whether it is misbehaving or not. Its performance is proven to be good. | |
    | Selfish Channel Negotiation | Detection mechanism based on trust [41] | Same countermeasure suggested for Control Channel Saturation DoS Attack works for this attack. | √ |

    Table 3 Network Layer Threats, Countermeasures, and Evaluations

    | Threat | Countermeasure | Evaluation | Grade |
    |---|---|---|---|
    | Sinkhole Attack | Geographic routing protocols [42] | Traffic will be routed to the physical location of the base station. Presents a good solution for sinkhole attacks | |
    | HELLO Flood Attack | Symmetric Key based algorithm [42] | The base station will act as a Trusted Third Party and facilitate the establishment of session keys between parties in the network. Presents a good solution for HELLO Flood attacks | |
    | Other Attacks | Use a protocol called SEAD [43] | Protects against attacks by using one-way hash function. | √ |

    Table 4 Transport Layer Threats, Countermeasures, and Evaluations

    | Threat | Countermeasure | Evaluation | Grade |
    |---|---|---|---|
    | Lion Attack | Cross Layer detection based mechanism [47] | Good solution | √ |


    References

    [1] T. Charles Clancy and Nathan Goergen, Security in Cognitive Radio Networks: Threats and Mitigation, International Conference on Cognitive Radio Oriented Wireless Networks and Communications (CrownCom), Singapore, May, 2008, pp.1-8.

    [2] Kwang Cheng Chen, Y. J. Peng, Neeli Rashmi Prasad, Y. C. Liang and Sumei Sun, Cognitive Radio Network Architecture: part I -- General Structure, Proceedings of the 2nd International Conference on Ubiquitous Information Management and Communication, Suwon, South Korea, January, 2008, pp.114-119.

    [3] Vinod Sharma and ArunKumar Jayaprakasam, An Efficient Algorithm for Cooperative Spectrum Sensing in Cognitive Radio Networks, Proceedings of National Communications Conference (NCC), Guwahati, India, January, 2009.

    [4] Cognitive Radio Ad Hoc Networks, Broadband Wireless Networking Lab, School of Electrical and Computer Engineering, Georgia Inst of Tech. URL: http://www.ece.gatech.edu/research/labs/bwn/CRAHN/projectdescription.html

    [5] Wenjing Yue and Baoyu Zheng, A Two-Stage Spectrum Sensing Technique in Cognitive Radio Systems Based on Combining Energy Detection and One-Order Cyclo-Stationary Feature Detection, Proceedings of the 2009 International Symposium on Web Information Systems and Applications (WISA’09), Nanchang, China, May, 2009, pp.327-330.

    [6] Rajesh K. Sharma and Jon W. Wallace, Improved Spectrum Sensing by Utilizing Signal Autocorrelation, Proceedings of IEEE Vehicular Technology Conference, Barcelona, Spain, April, 2009, pp.1-5.

    [7] Ruiliang Chen, Jung-Min Park and Jeffrey H. Reed, Defense against Primary User Emulation Attacks in Cognitive Radio Networks, IEEE Journal on Selected Areas in Communications, Vol.26, No.1, 2008, pp.25-37.

    [8] Huahui Wang, Leonard Lightfoot and Tongtong Li, On PHY-Layer Security of Cognitive Radio: Collaborative Sensing under Malicious Attacks, 44th Annual Conference on Information Sciences and Systems (CISS), Princeton, NJ, March, 2010, pp.1-6.

    [9] Eric Wong and Rene Cruz, On Physical Carrier Sensing for Cognitive Radio Networks, Forty-Fifth Annual Allerton Conference on Communication, Control, and Computing, Allerton House, UIUC, IL, September, 2007.

    [10] Bertrand Mercier, Viktoria Fodor, Ragnar Tobaben et al., Sensor Networks for Cognitive Radio: Theory and System Design, ICT Mobile Summit, Stockholm, Sweden, June, 2008.

    [11] Tevfik Yucek and Huseyin Arslan, A Survey of Spectrum Sensing Algorithms for Cognitive Radio Applications, IEEE Communications Surveys & Tutorials, Vol.11, No.1, 2009, pp.116-130.

    [12] Olga León, Juan Hernández-Serrano and Miguel Soriano, Securing Cognitive Radio Networks, International Journal of Communication Systems, Vol.23, No.5, 2010, pp.633-652.

    [13] Xueying Zhang and Cheng Li, The Security in Cognitive Radio Networks: A Survey, Proceedings of the 2009 ACM International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly (IWCMC ‘09), New York, 2009, pp.309-313.

    [14] Ruiliang Chen and Jung-Min Park, Ensuring Trustworthy Spectrum Sensing in Cognitive Radio Networks, First IEEE Workshop on Networking Technologies for Software Defined Radio Networks (SDR), Reston, VA, September, 2006, pp.110-119.

    [15] Yiyang Pei, Ying-Chang Liang, Lan Zhang, Kah Chan Teh and Kwok Hung Li, Secure Communication Over MISO Cognitive Radio Channels, IEEE Transactions on Wireless Communications, Vol.9, No.4, 2010, pp.1494-1502.

    [16] Ruiliang Chen, Enhancing Attack Resilience in Cognitive Radio Networks, Dissertation, Virginia Polytechnic Institute and State University, Blacksburg, VA, 2008.

    [17] Santhanakrishnan Anand, Zituo Jin and Koduvayur Subbalakshmi, An Analytical Model for Primary User Emulation Attacks in Cognitive Radio Networks, 3rd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN), Chicago, IL, October, 2008.

    [18] Ruiliang Chen, Jung-Min Park, Y. Thomas Hou and Jeffrey H. Reed, Toward Secure Distributed Spectrum Sensing in Cognitive Radio Networks, IEEE Communications Magazine, Vol.46, No.4, 2008, pp.50-55.

    [19] Lianfen Huang, Liang Xie, Han Yu, Wumei Wang and Yan Yao, Anti-PUE Attack Based on Joint Position Verification in Cognitive Radio Networks, International Conference on Communications and Mobile Computing (CMC), Vol.2, Shenzhen, China, April, 2010, pp.169-173.

    [20] Caidan Zhao, Wumei Wang, Lianfen Huang and Yan Yao, Anti-PUE Attack Base on the Transmitter Fingerprint Identification in Cognitive Radio, 5th International Conference on Wireless Communications, Networking and Mobile Computing (WiCom ‘09), Beijing, China, September, 2009, pp.1-5.


    [21] O. Richard Afolabi, Kiseon Kim and Aftab Ahmad, On Secure Spectrum Sensing in Cognitive Radio Networks Using Emitters Electromagnetic Signature, Proceedings of 18th International Conference on Computer Communications and Networks (ICCCN 2009), San Francisco, CA, August, 2009, pp.1-5.

    [22] Oktay Ureten and Nur Serinken, Wireless Security through RF Fingerprinting, Canadian Journal of Electrical and Computer Engineering, Vol.32, No.1, 2007, pp.27-33.

    [23] Zituo Jin, Santhanakrishnan Anand and Koduvayur Subbalakshmi, Mitigating Primary User Emulation Attacks in Dynamic Spectrum Access Networks Using Hypothesis Testing, ACM Mobile Computing and Communications Review, Special Issue on Cognitive Radio Technologies and Systems, Vol.13, No.2, 2009, pp.74-85.

    [24] Qusay Mahmoud, Cognitive Networks: Towards Self-Aware Networks, Wiley E-Book, New York, 2007.

    [25] Yuan Zhang, Gaochao Xu and Xiaozhong Geng, Security Threats in Cognitive Radio Networks, 10th IEEE International Conference on High Performance Computing and Communications (HPCC 2008), Dalian, China, September, 2008, pp.1036-1041.

    [26] Wenyuan Xu, Wade Trappe, Yanyong Zhang and Timothy Wood, The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks, Proceedings of ACM MobiHoc, Urbana, IL, May, 2005, pp.46-57.

    [27] Wenyuan Xu, Timothy Wood, Wade Trappe, Yanyong Zhang, Channel Surfing and Spatial Retreats: Defenses Against Wireless Denial of Service, Proceedings of the 3rd ACM Workshop on Wireless Security, Philadelphia, PA, January, 2004, pp.80-89.

    [28] Ashwin Sampath, Hui Dai, Haitao Zheng and Ben Y. Zhao, Multi-channel Jamming Attacks Using Cognitive Radios, Proceedings of 16th International Conference on Computer Communications and Networks (ICCCN 2007), Honolulu, HI, August, 2007, pp.352-357.

    [29] Chris Karlof and David Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, Berkeley, CA, May, 2003, pp.113-127.

    [30] Chetan Mathur and Koduvayur Subbalakshmi, Security Issues in Cognitive Radio Networks, Cognitive Networks: Towards Self-Aware Networks, Wiley, New York, 2007, pp.284-293.

    [31] Priyank Anand, Ankit Singh Rawat, Hao Chen and Pramod K. Varshney, Collaborative Spectrum Sensing in the Presence of Byzantine Attacks in Cognitive Radio Networks, Second International Conference on Communications Systems and Networks (COMSNETS 2010), Bangalore, India, January, 2010, pp.1-9.

    [32] Huahui Wang, Leonard Lightfoot and Tongtong Li, On PHY-Layer Security of Cognitive Radio: Collaborative Sensing under Malicious Attacks, 44th Annual Conference on Information Sciences and Systems (CISS), Princeton, NJ, March, 2010, pp.1-6.

    [33] A. Pandharipande et al., IEEE P802.22 Wireless RANs: Technology Proposal Package for IEEE 802.22, IEEE 802.22 WG on WRANs, November, 2005.

    [34] Yeelin Shei and Y. T. Su, A Sequential Test Based Cooperative Spectrum Sensing Scheme for Cognitive Radios, IEEE 19th International Symposium on Personal, Indoor and Mobile Radio Communications 2008 (PIMRC 2008), Cannes, France, September, 2008, pp.1-5.

    [35] Praveen Kaligineedi, Majid Khabbazian and Vijay K. Bhargava, Secure Cooperative Sensing Techniques for Cognitive Radio Systems, IEEE International Conference on Communications 2008 (ICC ‘08), Beijing, China, May, 2008, pp.3406-3410.

    [36] Ankit Rawat, Priyank Anand, Hao Chen and Pramod Varshney, Countering Byzantine Attacks in Cognitive Radio Networks, 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP), Dallas, TX, March, 2010, pp.3098-3101.

    [37] Linjun Lu, Soo-Young Chang et al., Technology Proposal Clarifications for IEEE 802.22 WRAN Systems, IEEE 802.22 WG on WRANs, March, 2006.

    [38] Joerg Hillenbrand, Timo Weiss and Friedrich K. Jondral, Calculation of Detection and False Alarm Probabilities in Spectrum Pooling Systems, IEEE Communication Letters, Vol.9, No.4, 2005, pp.349-351.

    [39] Wenkai Wang, Husheng Li, Yan Sun and Zhu Han, Attack-Proof Collaborative Spectrum Sensing in Cognitive Radio Networks, 43rd Annual Conference on Information Sciences and Systems, 2009 (CISS 2009), Baltimore, MD, March, 2009, pp.130-134.

    [40] Li Zhu and Huaibei Zhou, Two Types of Attacks against Cognitive Radio Network MAC Protocols, International Conference on Computer Science and Software Engineering, Vol.4, Wuhan, China, December, 2008, pp.1110-1113.

    [41] Kaigui Bian and Jung-Min Park, MAC-Layer Misbehaviors in Multi-hop Cognitive Radio Networks, 2006 US-Korea Conference on Science, Technology, and Entrepreneurship (UKC2006), August, 2006


    [42] Chris Karlof and David Wagner, Secure Routing in Wireless Networks: Attacks and Countermeasures, Ad Hoc Networks, Vol.1, 2003, pp.293-315.

    [43] Yih-Chun Hu, David B. Johnson and Adrian Perrig, SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks, Proceedings of the Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA’02), Callicoon, NY, June, 2002.

    [44] Ian F. Akyildiz, Won-Yeol Lee, Mehmet C. Vuran and Shantidev Mohanty, Next Generation/Dynamic Spectrum Access/Cognitive Radio Wireless Networks: A Survey, Elsevier Computer Networks, Vol.50, 2006, pp.2127-2159.

    [45] Imad Aad, Jean-Pierre Hubaux and Edward W. Knightly, Denial of Service Resilience in Ad Hoc Networks, Proceedings of the 10th Annual International Conference on Mobile Computing and Networking (MobiCom ’04), Philadelphia, PA, September, 2004.

    [46] Olga León, Juan Hernandez-Serrano and Miguel Soriano, A New Cross-Layer Attack to TCP in Cognitive Radio Networks, Proceedings of the 2nd International Workshop on Cross Layer Design (IWCLD ’09), Palma, Spain, June, 2009, pp.1-5.

    [47] Juan Hernandez-Serrano, Olga León and Miguel Soriano, Modeling the Lion Attack in Cognitive Radio Networks, EURASIP Journal on Wireless Communications and Networking, Vol.2011, Article ID 242304, 10 pages, 2011.

    [48] Hugo Marques, José Ribeiro, Paulo Marques, André Zúquete and Jonathan Rodriguez, A Security Framework for Cognitive Radio IP Based Cooperative Protocols, IEEE 20th International Symposium on Personal, Indoor and Mobile Radio Communications, Tokyo, Japan, September, 2009, pp.2838-2842.

    [49] Kun Zeng, Przemysław Pawełczak and Danijela Cabric, Reputation-Based Cooperative Spectrum Sensing with Trusted Nodes Assistance, IEEE Communications Letters, Vol.14, No.3, 2010, pp.226-228.

    [50] Kwang-Cheng Chen, Peng-Yu Chen, Neeli Prasad and Ying-Chang Liang and Sumei Sun, Trusted Cognitive Radio Networking, Wireless Communications and Mobile Computing, Vol.10, 2010, pp.467-485.

    Biographies

    Wassim El-Hajj received his BS degree from the American University of Beirut in 2000, and the MS and PhD degrees in 2002 and 2006, respectively, from Western Michigan University, all in Computer Science. Immediately after his graduation, he joined the Faculty of Information Technology at UAE University as an Assistant Professor in the Department of Information Security. Later, he joined the Electrical and Computer Engineering Department at the American University of Beirut as a visiting assistant professor. Currently, he is a visiting assistant professor in the Computer Science Department at the American University of Beirut. His research interests include Security, Network Planning, and Bioinformatics. Some of his academic accomplishments include a book published recently in 2010, more than 30 journal and conference publications, and multiple research funds. In addition to his research and teaching experience, he has valuable industrial experience with Boeing and Ten Strategic Consulting Co.

    Haidar Safa received a BS in Computer Science in 1991 from Lebanese University, Lebanon, MS in Computer Science in 1996 from University of Quebec at Montreal (UQAM), and a PhD in Electrical and Computer Engineering in 2001 from Ecole Polytechnique de Montreal. He joined ADC Telecommunications in 2000 then SS8 Networks in 2001 where he worked on designing and developing networking and system software. In 2003, he joined the American University of Beirut where he