SecuringCRNs PDF

Universitat Politècnica de Catalunya
Departament d’Enginyeria Telemàtica
Security in Cognitive Radio Networks

Multihop Networks
Juan Hernández Serrano

Agenda
1 An overview of Cognitive Radio Networks
2 Security in CRNs
3 Roadmap
4 Smart PUE: The Lion attack
5 Cooperative detection of PUE attacks
6 Securing localization for PUE attacks detection
7 Future work
An overview of Cognitive Radio Networks
Security in CRNs
Roadmap Why Cognitive Radio Networks
Smart PUE: The Lion attack Cognitive Radio
Cooperative detection of PUE attacks Cognitive Radio Networks (CRNs)
Securing localization for PUE attacks detection
Future work
Why Cognitive Radio Networks?
Spectrum is a scarce resource

New wireless applications demand more bandwidth
High inefficiency in spectrum usage
Regulatory bodies have followed static spectrum allocation
Most spectrum not in use at any location and time
Cognitive Radio Networks (CRNs)

Opportunistically access licensed spectrum
May also used unlicensed spectrum
Improve spectrum usage
Security in Cognitive Radio Networks Multihop Networks 3 / 46

Security in CRNs
Future work
Cognitive Radios (CRs)
Term coined by Mitola [Mitola,2000]

Smart devices that:
Sense the medium
Identify best transmission parameters
Reconfigure themselves
Learn from the past
RECONFIGURATOR
SPECTRUM SENSING
DATA EXCHANGE
RADIO 2
RADIO 1
COGNITIVE

Security in CRNs
Future work
Cognitive Radio Networks (CRNs)
Act as secondary users of licensed

spectrum CRNi CRNi+1
UNLICENSED BAND
Primary users must not be CRNi User
interfered CRNi+1 User
Perform spectrum sensing CRNi User
CRNi Base
Station
Spectrum handoff if primary user
LICENSED BAND
is detected Primary User
CRNi+1 Base
Station
(Secondary User)
CRNi+1 User
Classification Primary Base

Station
CRNi User
(Secondary User)
(Secondary User)
Primary User
Centralized or distributed Primary Net Secondary Net Secondary Net
Cooperative or non cooperative

Security in CRNs
Future work
IEEE 802.22 Wireless Regional Area Networks (WRANs)
First worldwide standard on CRNs (approved in July 2011)

Centralized networks (a Base Station and several CPEs)
Coverage range 33km (up to 100km)
Operate in TV channel bands
54-862Mhz
6-7-8 Mhz channels
OFDMA access
Protection to incumbents (primary users) is mandatory
TV transmitters
Wireless microphones

Security in CRNs
Roadmap
Threats to CRNs
Smart PUE: The Lion attack
Countermeasures
Cooperative detection of PUE attacks
Future work
Threats to CRNs
OUTSIDE INSIDE
PUE ATTACKS FALSE FEEDBACK

ATTACKS
LINK-LAYER
JAMMING LEARNING ENGINE ATTACKS
ATTACKS
COMMON CONTROL CHANNEL SELFISH NODES

ATTACKS
SELECTIVE FORWARDING
ATTACKS
SPOOFING
NETWORK-LAYER
SINK-HOLE ATTACKS
ATTACKS
WORM-HOLE ATTACKS
CROSS-LAYER ATTACKS PACKET INJECTION ATTACKS

(KEY DEPLETION ATTACKS) TRANSPORT-LAYER
ATTACKS
CROSS-LAYER ATTACKS
(JELLYFISH ATTACKS)

Security in CRNs
Roadmap
Threats to CRNs
Countermeasures
Future work
Primary User Emulation (PUE) Attack
Coined by Chan and Park [Chan and Park,

2006]
Primary users transmission
The attacker emulates a primary White spaces (spectrum opportunity)
Time
transmission Primary User Emulation
May force a frequency handoff in the CRN

Degrades CRN communications
A PUE attack can lead to a DoS
If the attacker can known/predict the next
channel of operation Frequency

Security in CRNs
Roadmap
Threats to CRNs
Countermeasures
Future work
Other attacks
Learning engine attacks 10
Objective function
Alter the sensed medium 6
Disrupt the learning process of CRs 2
Common control channel attacks 0
Lin 4
)
8
10
6 l (S
k
R ve
ate 6 4 Le
Prevent CRs from communicating (i.e., by

ty
(R ri
) 8 2 cu
Se
10 0
jamming)
Attacks to cooperative sensing
mechanisms 6
May lead to miss-detection or false
function
5
detection of primary users
Hacked objective
3
Selfish users (do not cooperate) 1
False Feedback (FF) attacks 0
0 10
2 8
)
Lin 4 6 l (S
k ve
R
ate 6 4 Le
ty
(R ri
) u
8 2 ec
S
10 0

Security in CRNs
Roadmap
Threats to CRNs
Countermeasures
Future work
PUE countermeasures
Based on energy measures [Chen et al., 2008],[Chen et al., 2009], [Jin et al., 2009]
Energy level is used to distinguished between a primary user and an attacker
Generally assume attackers with limited capabilities
Can be overcome by controlling transmit power
Radio Frequency Fingerprinting (RFF)[Afolai et al., 2008]
Uniquely identify a radio transmitter
Signal properties may change due to device degradation or environment
variations
Random Frequency Hopping [Li and Han, 2010][Wang et al.,2011]
Randomly select channel of operation
Communications may be interrupted due to channel unavailability

Security in CRNs
Roadmap
Threats to CRNs
Countermeasures
Future work
Other countermeasures
False feedback countermeasures [Chen et al.,2009], [Qin et al.,2009], [Min et al., 2010]
[Kaligineedi et al., 2008]
Identify deviated measures
Hypothesis testing, outliers detection techniques
Deviated measures are excluded or assigned a lower weight
Reputation mechanisms
Selfish behavior countermeasures
Cooperation enforcement [Song and Zhang,2009]
Game theory-based strategies
Learning engine attacks countermeasures [Burbank, 2008]
Perform learning in a controlled environment
Ability to authenticate observations and self-analyze its behavior

Security in CRNs
Roadmap
The need for a blueprint
Blueprint for securing CRNs
Future work
Roadmap for the security of CRNs
Security is usually split into two lines of defense

A first line to avoid attacks: related to cryptographic primitives
A second line to detect and identify attacks
Assumption: existing cryptographic solutions can be easily implemented in

CRNs without changes
Challenge
Define a blueprint for securing CRNs

Security in CRNs
Roadmap
The need for a blueprint
Future work
MEMORY MODULE
Position track
Historic of env. Historic of probs.
Reliability Indicators conds & agrmnt. of PUE/jamming Other data
intervals. attack
Other
parameters Other attacks > γ?
Type of signal, PUE/ >  PUE ? Attack

RF fingerprint Jamming alert
detection >  jam ? Attack
type,
Emitter
position,
Cognitive Malicious
Agreement params, engine >  OF ? CR id
Environ. conditions attack
detection
Reliability
System /
CRs’ False
measurements feedback
> γ FF ?
Cooperative
detection
Location
Opt. method OUTPUT

params MODULE
INPUT MODULE DETECTION MODULE

Security in CRNs
Roadmap
Impact of the attack
Countermeasures
Future work
The Lion attack
Cross-layer attack targeted to disrupt TCP connections

By forcing frequency handoffs in the CRN which lead to the expiration of
retransmission timers
TCP retransmission timer (RTO)

Backs off (doubles) with each unsuccessful attempt
RTOi+1 = 2RTOi
Detection time Inactivity time after Detection time

(0.5s) Handoff (1.5s) the handoff (1.6s) (0.5s) Handoff (1.5s)
PUE attack
PUE attack
2nd Retx
2nd Retx
1st Retx
3rd Retx
3rd Retx
4th Retx
1st Retx
DATA
DATA
DATA
DATA
Time
RTO 2 RTO 4 RTO 8 RTO

Security in CRNs
Roadmap
Countermeasures
Future work
The Lion attack
Cross-layer attack targeted to disrupt TCP connections

By forcing frequency handoffs in the CRN which lead to the expiration of
retransmission timers
TCP retransmission timer (RTO)

Backs off (doubles) with each unsuccessful attempt
RTOi+1 = 2RTOi
Detection time Inactivity time after Detection time

(0.5s) Handoff (1.5s) the handoff (1.6s) (0.5s) Handoff (1.5s)
PUE attack
PUE attack
2nd Retx
2nd Retx
1st Retx
3rd Retx
3rd Retx
4th Retx
1st Retx
DATA
DATA
DATA
DATA
TCP sender remains inactive after the handoff ends

Time
RTO 2 RTO 4 RTO 8 RTO

Security in CRNs
Roadmap
Countermeasures
Future work
Even smarter: The smart Lion attack
TCP retransmission timer

Computed according to Round Trip Time (RTT)
Most implementations use a minimum value RTOmin
Retransmission instants ti can be predicted
i
ti = (2 − 1) · RTOmin
Detection time Detection time Detection time

(0.5s) Handoff (1.5s) (0.5s) Handoff (1.5s) (0.5s) Handoff (1.5s)
PUE attack
PUE attack
PUE attack
2nd Retx
3rd Retx
1st Retx
4th Retx
5th Retx
DATA
DATA
Time
RTO 2 RTO 4 RTO 8 RTO 16 RTO

Security in CRNs
Roadmap
Countermeasures
Future work
Even smarter: The smart Lion attack
TCP retransmission timer

Computed according to Round Trip Time (RTT)
Most implementations use a minimum value RTOmin
Retransmission instants ti can be predicted
i
ti = (2 − 1) · RTOmin
Detection time Detection time Detection time

(0.5s) Handoff (1.5s) (0.5s) Handoff (1.5s) (0.5s) Handoff (1.5s)
PUE attack
PUE attack
PUE attack
2nd Retx
3rd Retx
1st Retx
4th Retx
5th Retx
DATA
DATA
Time
RTO 2 RTO 4 RTO 8 RTO 16 RTO
TCP sender starves

Security in CRNs
Roadmap
Countermeasures
Future work
Simulation scenario
IEEE 802.22 network

Channel capacity= 18
802.22
Mbps Base
Station
Detection time
tD = 500ms 15
K
m
m
K
Handoff duration
15
User 1 User 2
tH = 1.5s
33 Km
BER is neglected
TCP RTOmin = 200ms
Xi exponentially distributed TCP connection
with mean λ1 = 0.1, 0.3, ..., 5s

Security in CRNs
Roadmap
Countermeasures
Future work
TCP throughput under the Lion attack
18000
16000
14000
TCP throughtput (kbps)
12000
10000
8000
6000
4000
2000 TCP instantaneous throughput
TCP average throughput
00 2 4 6 8 10 12 14 16 18 20
time (s)
1
Average and instantaneous throughput λ = 0.3s

Security in CRNs
Roadmap
Countermeasures
Future work
TCP throughput under the Lion attack

Average throughput reduced to 500kbps
TCP sender remains inactive for 6.2s
18000
16000
14000
12000
10000
8000
6000
4000
2000 TCP instantaneous throughput
TCP average throughput
00 2 4 6 8 10 12 14 16 18 20
time (s)
1

Security in CRNs
Roadmap
Countermeasures
Future work
TCP throughput under the smart Lion attack
20000
18000
16000
14000
12000
10000
8000
6000
4000
2000 Std TCP inst. throughput
Std TCP avg throughput
00 2 4 6 8 10 12 14 16 18 20
time (s)
1

Security in CRNs
Roadmap
Countermeasures
Future work
TCP throughput under the smart Lion attack

TCP sender completely starves
20000
18000
16000
14000
12000
10000
8000
6000
4000
2000 Std TCP inst. throughput
00 2 4 6 8 10 12 14 16 18 20
time (s)
1

Security in CRNs
Roadmap
Countermeasures
Future work
Activity and inactivity time
1
Simulation Analytical model
λ (s)
A(s) T (s) Uinactivity (%) A(s) T (s) Uinactivity (%)
0.1 0.296 30.06 99.02 ≤0.6 30.63 ≥98.07
0.305 0.55 16.83 96.83 ≤0.805 16.64 ≥95.38
0.5 0.72 17.15 95.97 ≤1 17.46 ≥94.58
1 1.15 11.89 91.18 ≤1.5 11.63 ≥88.57
1.5 1.62 8.6 84.14 ≤2 8.37 ≥80.71
2 2.09 6.69 76.19 ≤2.5 6.48 ≥72.16
5 5.06 3.93 43.71 ≤5.5 3.76 ≥40.60
Percentage of inactivity, average activity and inactivity time

Security in CRNs
Roadmap
Countermeasures
Future work
Countermeasures
TCP-oriented
Cross-layer schemes PUE-related
Freeze TCP parameters Based on energy measures
during handoff intervals RFF
Correlation between handoff Frequency hopping
intervals and TCP
retransmissions instants

Security in CRNs
Roadmap
Countermeasures
Future work
Freezing TCP parameters: standard attack
18000
16000
14000
12000
10000
8000
6000
TCP frz inst. throughput
4000
Std TCP inst. throughput
2000 TCP frz avg. throughput
0
0 2 4 6 8 10 12 14 16 18 20
time (s)
1
Average and instantaneous throughput freezing TCP parameters λ = 0.3s

Security in CRNs
Roadmap
Countermeasures
Future work
Freezing TCP parameters: standard attack

TCP transmits data whenever the channel is available
18000
16000
14000
12000
10000
8000
6000
4000
0
0 2 4 6 8 10 12 14 16 18 20
time (s)
1
Average and instantaneous throughput freezing TCP parameters λ = 0.3s

Security in CRNs
Roadmap
Countermeasures
Future work
Freezing TCP parameters: smart attack
20000
18000
16000
14000
12000
10000
8000
6000
4000
0
0 2 4 6 8 10 12 14 16 18 20
time (s)
1
Average and instaneous throughput freezing TCP parameters λ = 0.3s

Security in CRNs
Roadmap
Countermeasures
Future work
Freezing TCP parameters: smart attack

Higher throughput than with the standard attack
since handoffs are less frequent
20000
18000
16000
14000
12000
10000
8000
6000
4000
0
0 2 4 6 8 10 12 14 16 18 20
time (s)
1
Average and instaneous throughput freezing TCP parameters λ = 0.3s

Security in CRNs Introduction
Roadmap Location techniques
Smart PUE: The Lion attack Proposed method to detect PUE attacks
Cooperative detection of PUE attacks Performance evaluation
Securing localization for PUE attacks detection Conclusions
Future work
Introduction
The PUE attack is one of the main threats to CRNs

Existing PUE countermeasures are not efficient enough
Energy-based approaches can be easily overcome
Radio Frequency Fingerprinting may not work in dynamic environments
Frequency hopping efficiency depends on the available channels
PUE attacks can be detected by means of location
If primary users have known positions, e.g., TV systems in 802.22 networks
Location also allows to react against the attack
Proposal
Cooperative localization may counteract PUE attacks

Future work
Location techniques
Techniques
GPS Requirements for CRNs
Angle of Arrival (AoA)
Received Strength Signal
(RSS)
RSS difference
Time of Arrival (ToA)
Time Difference of Arrival
(TDoA)

Future work
Location techniques
Techniques
GPS Requirements for CRNs
Angle of Arrival (AoA) Node to be located do not
Received Strength Signal collaborate
(RSS)
No synchronization with the
RSS difference
emitter
Unknown transmit power
(TDoA)

Future work
Location techniques
Techniques
Requirements for CRNs
GPS
Angle of Arrival (AoA) Node to be located do not
Received Strength Signal collaborate
(RSS) No synchronization with the
RSS difference emitter
Time of Arrival (ToA) Unknown transmit power
Time Difference of Arrival No extra hardware
(TDoA)

Future work
Location techniques
Techniques Requirements for CRNs

GPS Node to be located do not
Angle of Arrival (AoA) collaborate
Received Strength Signal No synchronization with the
(RSS)
emitter
RSS difference
Unknown transmit power
No extra hardware
(TDoA) High accuracy

Future work
Localization based on TDoA
Given a pair of anchor nodes i and j:

di −dj
ti,j = ti − tj = vp
Tight synchronization between anchor Anchor node 1

(x1,y1)
nodes is required Hyperbola 1
Usually obtained by means of
correlation techniques d1
Anchor node 0
(0,0)
d0
A TDoA equation (hyperbola) is
obtained for each pair. Considering
d2
node j positioned at (0,0):
Hyperbola 2
p p
(x − xi )2 + (y − yi )2 − x 2 + y 2 Anchor node 2
ti,0 = (x2,y2)
vp
2 TDoA measures (3 nodes) provide

the position

Future work
Localization based on TDoA
In real
Given life...
a pair of anchor nodes i and j:
Measures are subjected
d −d to errors
ti,j = ti − tj = i v j
p
p p
(x − xi )2 + (y − yi )2 − x 2 + y 2
Tight synchronization
t̂i,0 =between anchor + ∆i Anchor node 1
(x1,y1)
nodes is required vp Hyperbola 1
Usually obtained by means of
An optimization
correlation techniques method is applied d1
Anchor node 0
More than 2 measures are required to get(0,0)higher accuracy
d 0
A TDoA equation (hyperbola) is

obtained for each pair. Considering
d
node j positioned at (0,0): 2
Hyperbola 2
p p
(x − xi )2 + (y − yi )2 − x 2 + y 2 Anchor node 2
ti,0 = (x2,y2)
vp
2 TDoA measures (3 nodes) provide

the position

Future work
Dealing with measure errors
Taylor-series advantages
Higher accuracy than non-iterative
Dealing with measure errors methods
Lower complexity than filtering methods
Non-iterative methods: Least Squares
(LS) method
Iterative methods: Taylor-series Taylor-series disadvantages
estimation
Requires an initial estimation
Filtering methods: Kalman-Bucy filter
It may not converge
Higher computational load than
non-iterative methods

Future work
Taylor-series estimation
Measured distance
d̂i,0 = t̂i,0 vp = di,0 + εi = fi (x, y ) + εi

p p
fi (x, y ) = (x − xi )2 + (y − yi )2 − x 2 + y 2

Future work
Measured distance

p p
fi (x, y ) = (x − xi )2 + (y − yi )2 − x 2 + y 2
For each iteration:

Let (xv , yv ) be a guess of the emitter’s position

Future work
Measured distance

p p
fi (x, y ) = (x − xi )2 + (y − yi )2 − x 2 + y 2
For each iteration:

Equations are linearized applying Taylor’s expansion around (xv , yv )
fi (xv , yv ) + aix δx + aiy δy = d̂i,0 − ei

Future work
Measured distance

p p
fi (x, y ) = (x − xi )2 + (y − yi )2 − x 2 + y 2
For each iteration:

Expressed in matrix form:

Aδ = z − e
     
a1x a1y d̂1,0 − f1 (xv , yv ) e1
       
 a2x a2y d̂2,0 − f2 (xv , yv )  e2
     
 δx   
A= . δ =  z =  ε =  .
    
 . .  . 
 . .  δy  .   . 
 . 


 . 

 .



anx any d̂n,0 − fn (xv , yv ) en
Future work
Measured distance

p p
fi (x, y ) = (x − xi )2 + (y − yi )2 − x 2 + y 2
For each iteration:


Aδ = z − e
The solution which minimize the sum of squares errors kAδ − zk2 = (Aδ − z)T (Aδ − z) is
T −1 T
δ = [A A] A z

Future work
Measured distance

p p
fi (x, y ) = (x − xi )2 + (y − yi )2 − x 2 + y 2
For each iteration:


Aδ = z − e
The Weighted Least Squares solution which minimizes (Aδ − z)T W(Aδ − z) is:
T −1 T
δ = [A WA] A Wz

Future work
Measured distance

p p
fi (x, y ) = (x − xi )2 + (y − yi )2 − x 2 + y 2
For each iteration:


Aδ = z − e
The Weighted Least Squares solution which minimizes (Aδ − z)T W(Aδ − z) is:
T −1 T
δ = [A WA] A Wz
Update the guess and iterate until a threshold is reached
0 0
xv = xv + δx yv = yv + δ y
Future work
Proposed method to detect PUE attacks
Cooperative localization of PUE attackers in

IEEE 802.22 networks
Primary
BS and a set of CRs act as anchor nodes Primary
emitter
emitter
A TDoA measure for pair node i and BS is derived

SU SU
BS acts as fusion center
Position derived by applying
Series-Taylor-estimation SU
SU BS (0,0)
Assumptions SU
SU SU
Static PUE attacker
Static PUs with known positions Primary
emitter
TDoA measure errors are statistically
independent and normally distributed Primary
emitter

Future work
Obtaining TDoA measures
τ2
marker τ1
The BS:
1 Asks the anchor nodes to record a

fragment of the received signal Δt 1
A marker signal is sent by the BS
Anchor nodes send to the BS both the
marker and the signal fragment
2 Synchronizes recordings and derives
marker
the set of n TDoA measurements
Δt 2
The BS can predict the arrival time of
the marker signal at each node

Future work
Applying Taylor-series estimation
Primary
Emitter
Primary
Initial guess (xv , yv ) Emitter
A database with m vectorsVm with n TDoA measures is

stored SU
Each vector Vm corresponds to a different position SU
BS SU
Compute Euclidean distance between a vector
SU
containing the current measures and vectors Vm SU SU
Select as initial guess (xv , yv ) the position with smallest

Euclidean distance Primary
Emitter
Primary
Emitter

Future work
Applying Taylor-series estimation
Matrix of weights
A Weighted Least Squares (WLS) method is applied
Measures weighted according to W
T −1 T
δ = [A WA] A Wz
W diagonal matrix with coefficients wii (inverse of the error variance)
1
wii =
(σi2 + σ02 )

Measure error N 0, σi2 + σ02
Variance of measures given by Cramer-Rao Lower Bound (CRLB)
2 1
σi ≥
8π 2 · B 2 · SNRi

Future work
Performance evaluation
Simulation scenario
802.22 network: 60km x 60 km area
From 10 to 100 number of anchor nodes 60Km
Primary
Primary emitter
randomly positioned emitter
BS located at the origin (0,0) SU SU
Primary users locate far away from the

network SU BS (0,0)
SU 60Km
Location of the attacker

SU
Inside and outside the network
SU SU
Average SNR at the BS Primary

emitter
-10dB,...,10dB
SNR at anchor nodes derived by means of Primary
emitter
the Okumura-Hata model

Future work
Location accuracy
30 99%
95%
50%
20
10
meters
−10
−20
−30
−40 −30 −20 −10 0 10 20 30 40

meters
Confidence interval error (1000 experiments), (x,y)=(8000m,1000m), SNR=-10dB, n=100

Future work
PUE attacker inside the CRN
n=10 n=10
40
n=20 n=20
400 n=30 n=30
n=40 n=40
n=50 30 n=50
300 n=60
n=60
n=70 n=70
n=80 20 n=80
200
n=90 n=90
n=100 n=100
100 10
meters
meters
0 0
−100 −10
−200
−20
−300
−30
−400
−40
−600 −400 −200 0 200 400 600 −50 −40 −30 −20 −10 0 10 20 30 40 50
meters meters
SNR=-10dB SNR=10dB
99% confidence interval error, (x,y)=(8000m,1000m),10000experiments

Future work
PUE attacker inside the CRN
n=10 n=10
40
n=20 n=20
400 n=30 n=30
n=40 n=40
n=50 30 n=50
300 n=60
n=60
n=70 n=70
n=80 20 n=80
200
n=90 n=90
n=100 n=100
100 10
meters
meters
0 0
−100 −10
−200
−20
−300
−30
−400
−40
−600 −400 −200 0 200 400 600 −50 −40 −30 −20 −10 0 10 20 30 40 50
meters meters
Distance SNR=-10dB
error in major axis Distance errorSNR=10dB
in major axis
491m (n=10) 40m (n=10)
30m (n=100)
99% 3.3m (n=100)
confidence interval error, (x,y)=(8000m,1000m),10000experiments

Future work
PUE attacker outside the CRN
1500 n=10 n=10

n=20 n=20
n=30 6000 n=30
n=40 n=40
n=50 n=50
1000
n=60 n=60
n=70 4000 n=70
n=80 n=80
n=90 n=90
500 n=100 n=100
2000
meters
meters
0 0
−2000
−500
−4000
−1000
−6000
−1500
−2000 −1500 −1000 −500 0 500 1000 1500 2000 −8000 −6000 −4000 −2000 0 2000 4000 6000 8000
meters meters
(x,y)=(-75000,50000) (x,y)=(0,140000)
99% confidence interval error, -10dB, 10000 experiments

Future work
1500 n=10 n=10

n=20 n=20
n=30 6000 n=30
n=40 n=40
n=50 n=50
1000
n=60 n=60
n=70 4000 n=70
n=80 n=80
n=90 n=90
500 n=100 n=100
2000
meters
meters
0 0
−2000
−500
Distance error in major axis −4000 Distance error in major axis

−1000
1.39km (n=10) −6000 9.97km (n=10)

−1500
137m (n=100) 841m (n=100)
−2000 −1500 −1000 −500 0 500 1000 1500 2000 −8000 −6000 −4000 −2000 0 2000 4000 6000 8000
meters meters
(x,y)=(-75000,50000) (x,y)=(0,140000)

Future work
In order to perform a successful PUE attack...

1500 n=10 n=10
n=20 n=20
The attacker should
n=30 be closer
6000than 1km to n=30
n=40 n=40
1000 the TV primary emitter
n=50
n=60
n=50
n=60
n=70 4000 n=70
It represents a bigger
n=80
n=90
threat to the primary n=80
n=90
500
network! n=100
2000
n=100
meters
meters
0 0
−2000
−500
Distance error in major axis −4000 Distance error in major axis

−1000
1.39km (n=10) −6000 9.97km (n=10)

−1500
137m (n=100) 841m (n=100)
−2000 −1500 −1000 −500 0 500 1000 1500 2000 −8000 −6000 −4000 −2000 0 2000 4000 6000 8000
meters meters
(x,y)=(-75000,50000) (x,y)=(0,140000)

Future work
Localization process time
Sul defines the number of slots in the OFDMA frame assigned for upstream
(CR −→ BS)
Mod. (CR) Sul Fl (time)

n = 10 n = 100
1
QPSK 2 10 3 (30ms) 25 (250ms)
20 2 (20ms) 13 (130ms)
2
16-QAM 3 10 1 (10ms) 10 (100ms)
20 1 (10ms) 3 (30ms)
5
64-QAM 6 10 1 (10ms) 5 (50ms)
20 1 (10ms) 3 (30ms)
Frames/time for the localization process

Future work
Localization process time
Sul defines theLocation

numbertakes place
of slots in tens
in the of milliseconds
OFDMA frame assigned for upstream
(CR −→ BS) It conforms to the specifications of the 802.22 standard
Mod. (CR) Sul Fl (time)

n = 10 n = 100
1
QPSK 2 10 3 (30ms) 25 (250ms)
20 2 (20ms) 13 (130ms)
2
16-QAM 3 10 1 (10ms) 10 (100ms)
20 1 (10ms) 3 (30ms)
5
64-QAM 6 10 1 (10ms) 5 (50ms)
20 1 (10ms) 3 (30ms)
Frames/time for the localization process

Future work
Conclusions
A cooperative location method to detect PUE attacks has been proposed.

Based on TDoA measures and Taylor-series estimation.
Reliable measures have a higher impact on the estimation.
The goodness of the method has been proved via simulation.
It provides enough accuracy to distinguish between legitimate primary users
and attackers if the number of anchor nodes is above 40 nodes.
The worst case: an attacker near a real primary user and low SNR.
It can only be applied when primary user positions are known and PUE
attacker is static.

Security in CRNs
Roadmap Introduction
Smart PUE: The Lion attack FF attacks to the localization method
Cooperative detection of PUE attacks Cooperative localization robust to liars
Future work
Introduction
Cooperative mechanisms can be disrupted by:

False feedback
Selfish behaviors
Cooperative localization for PUE detection in IEEE 802.22 networks
Undesired behaviors can lead to false positives or false negatives regarding
PUE detection
Goals
Analyze the effect of false feedback on cooperative localization
Design a mechanism to identify false feedback

Security in CRNs
Future work
False Feedback attacks to the localization method

Attacker model
True measure d1i

PUE Attacker
di2 − d02 d10 d2i

τi0t = + εi
vp Malicious
node i
di0
d20
Fake measure
The maximum TDoA value for BS
pair node i and BS
di1 − d01 di0
τi0f = + εi = + εi
vp vp
CRN

Security in CRNs
Future work
Simulation scenario
Simulation scenario
802.22 network: 60km x 60 km area
n anchor nodes randomly positioned 60Km
Primary
Primary emitter
1,2 or 3 liars out of n randomly selected emitter
BS located at the origin (0,0) SU SU
Obtains TDoA measures

Apply Taylor-series estimation SU 60Km
SU BS (0,0)
Primary users locate far away from the

SU
CRN SU SU
Average SNR at the BS -10dB
Primary
emitter
SNR at anchor nodes derived by means of
the Okumura-Hata model Primary
emitter
10000 simulations

Security in CRNs
Future work
Effect of false measures on the position estimation

Impact of the number of liars
150 60
100 40
50 20
kilometers
meters
0 0
-50 -20
-100 -40
-150 -60
-150 -100 -50 0 50 100 150 -60 -40 -20 0 20 40 60 80 100 120
meters kilometers
Prediction error with no liars, n=30, (x,y)=(30000,0) Prediction error with 1 liar, n=30, (x,y)=(30000,0)

Security in CRNs
Future work

Error with one liar
Increases from order of meters to kilometers
Could lead to false positives or false negatives
150 60
100 40
50 20
kilometers
meters
0 0
-50 -20
-100 -40
-150 -60
-150 -100 -50 0 50 100 150 -60 -40 -20 0 20 40 60 80 100 120
meters kilometers
Prediction error with no liars, n=30, (x,y)=(30000,0) Prediction error with 1 liar, n=30, (x,y)=(30000,0)

Security in CRNs
Future work

n no liars 1 liar 2 liars 3 liars

10 358.9 112000 117960 120240
20 75.04 66779 98175 100580
30 46.64 34105 53794 70607 n No liars 1 liar 2 liars 3 liars
40 35.28 20948 34933 45971 10 0 7.20 16.59 23.86
50 30.06 12642 22165 30316 20 0 0.74 3.54 7.58
60 26.12 9626 15359 19942 30 0 0.02 0.47 0.68
70 23.4 8087 11094 14452 40 0 0 0.03 0.3
80 21.24 6562 9038.6 11699 50 0 0 0 1
90 19.85 5078 7631 9900 Percentage of location failures, (x,y)=(30000,0)

100 18.82 4442 6066 7509
99% confidence interval error of the position

estimation (meters), (x,y)=(30000,0)
Security in CRNs
Future work
Cooperative localization robust to c-1 liars
1 Divide the set of n anchor nodes into c several clusters

2 Apply the localization method separately in every cluster and obtain
(xv 1 , yv 1 )...(xvj , yvj )...(xvc , yvc )
3 Compute the median of squares residues for each cluster j as
2
rclusterj
= median(r12 ...ri2 ...rs2 )
with q q
ri = d̂i,0 − (xvc − xi )2 − (yvc − yi )2 − 2 − y2
xvc vc
4 Select as tentative estimation (xv , yv ) the one given by the cluster with the lowest
median of square residues.
5 Compute the square residue for all the n nodes considering the tentative estimation
(xv , yv ).
6 Apply again the localization method assigning a different weight to each node’s
measurement according to its square residue.

Security in CRNs
Future work
WLS method
Measure i is assigned a weight wi according to its residue ri
pdf(E = ri )
wi =
max (pdf(E))
Measure error i is modeled by a normally distributed random variable E with

zero mean and variance σi
1
σi2 ≥
8π 2 · B 2 · SNRi
Weights are normalized so that wi ∈ [0, 1]

Security in CRNs
Future work
No liars 1 liar
n
no clusters 2 clusters no clusters 2 clusters
10 358.9 744.29 112000 1593.8
20 75.04 246.78 66779 307.98
30 46.64 132.94 34105 139.23
40 35.28 80.28 20948 87.56
50 30.06 53.96 12642 64.68
60 26.12 42.8 9626 46.58
70 23.4 37.51 8087 37.54
80 21.24 32.2 6562 32.17
90 19.85 28.42 5078 29.92
100 18.82 27.05 4442 25.9
99% confidence interval error of the position estimation (meters), (x,y)=(30000,0)

Security in CRNs
Future work
No liars 1 liar
n
no clusters 2 clusters no clusters 2 clusters
10 358.9 744.29 112000 1593.8
20 75.04 246.78 66779 307.98
30 46.64 132.94 34105 139.23
40 35.28 80.28 20948 87.56
50 30.06 53.96 12642 64.68
60 26.12 42.8 9626 46.58
70 23.4 37.51 8087 37.54
80 21.24 32.2 6562 32.17
90 19.85 28.42 5078 29.92
Percentage of convergence failures
100 18.82 27.05 4442 25.9
Similar to the case with no liars and no clusters
99% confidence interval error of the position estimation (meters), (x,y)=(30000,0)

Security in CRNs
Roadmap
Future work
Future work
PUE attack countermeasures

Attacks based on wireless microphones emulation
Mobile attackers
Simultaneous PUE attackers
Cooperative location
Model of the effect of multipath
Secure cooperative location

Trust mechanisms
Trust values could be used to determine the number of clusters c
Security in spectrum management and spectrum sharing mechanisms
Cognitive Radio Networks...

... are still evolving and new threats will be identified

SecuringCRNs PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SecuringCRNs PDF

Uploaded by

Copyright:

Available Formats

Universitat Politècnica de Catalunya

Departament d’Enginyeria Telemàtica

Security in Cognitive Radio Networks

Juan Hernández Serrano

1 An overview of Cognitive Radio Networks

4 Smart PUE: The Lion attack

5 Cooperative detection of PUE attacks

6 Securing localization for PUE attacks detection

Why Cognitive Radio Networks?

Spectrum is a scarce resource

Cognitive Radio Networks (CRNs)

Improve spectrum usage

Security in Cognitive Radio Networks Multihop Networks 3 / 46

Cognitive Radios (CRs)

Term coined by Mitola [Mitola,2000]

Security in Cognitive Radio Networks Multihop Networks 4 / 46

Cognitive Radio Networks (CRNs)

Act as secondary users of licensed

interfered CRNi+1 User

Perform spectrum sensing CRNi User

Classification Primary Base

Centralized or distributed Primary Net Secondary Net Secondary Net

Cooperative or non cooperative

Security in Cognitive Radio Networks Multihop Networks 5 / 46

IEEE 802.22 Wireless Regional Area Networks (WRANs)

First worldwide standard on CRNs (approved in July 2011)

Security in Cognitive Radio Networks Multihop Networks 6 / 46

PUE ATTACKS FALSE FEEDBACK

COMMON CONTROL CHANNEL SELFISH NODES

CROSS-LAYER ATTACKS PACKET INJECTION ATTACKS

Security in Cognitive Radio Networks Multihop Networks 7 / 46

Primary User Emulation (PUE) Attack

Coined by Chan and Park [Chan and Park,

The attacker emulates a primary White spaces (spectrum opportunity)

May force a frequency handoff in the CRN

Security in Cognitive Radio Networks Multihop Networks 8 / 46

Learning engine attacks 10

Disrupt the learning process of CRs 2

Common control channel attacks 0

Prevent CRs from communicating (i.e., by

May lead to miss-detection or false

detection of primary users

Selfish users (do not cooperate) 1

False Feedback (FF) attacks 0

Security in Cognitive Radio Networks Multihop Networks 9 / 46

Security in Cognitive Radio Networks Multihop Networks 10 / 46

Security in Cognitive Radio Networks Multihop Networks 11 / 46

Roadmap for the security of CRNs

Security is usually split into two lines of defense

Assumption: existing cryptographic solutions can be easily implemented in

Security in Cognitive Radio Networks Multihop Networks 12 / 46

Blueprint for securing CRNs

Type of signal, PUE/ >  PUE ? Attack

Opt. method OUTPUT

INPUT MODULE DETECTION MODULE

Security in Cognitive Radio Networks Multihop Networks 13 / 46

The Lion attack

Cross-layer attack targeted to disrupt TCP connections

TCP retransmission timer (RTO)

Detection time Inactivity time after Detection time

RTO 2 RTO 4 RTO 8 RTO

Security in Cognitive Radio Networks Multihop Networks 14 / 46