Globecom 2013 - Communication and Information System Security Symposium

A Density Based Scheme to Countermeasure

Spectrum Sensing Data Falsification Attacks in
Cognitive Radio Networks
Changlong Chen

Min Song

ChunSheng Xin

EECS Dept.
University of Toledo
Toledo, OH 43606
changlong.chen@rockets.utoledo.edu

EECS Dept.
University of Toledo
Toledo, OH 43606
min.song@utoledo.edu

ECE Dept.
Old Dominion University
Norfolk, VA 23529
cxin@odu.edu

AbstractCognitive radio networks are a promising

solution to the spectrum scarcity issue. In cognitive radio
networks, because of the low reliability of individual
spectrum sensing by a single secondary user, cooperative spectrum sensing is critical to accurately detect the
existence of a primary user signal. However, cooperative
spectrum sensing is vulnerable to the spectrum sensing
data falsification (SSDF) attack. Specifically, a malicious
user can send a falsified sensing report to mislead other
(benign) secondary users to make an incorrect decision
on the PU activity. Therefore, detecting the SSDF attack
or identifying the malicious sensing reports is extremely
important for robust cooperative spectrum sensing. This
paper proposes a distributed density based SSDF detection
(DBSD) scheme to countermeasure the SSDF attack. DBSD
can effectively exclude the malicious sensing reports from
SSDF attackers, so that a benign secondary user can
effectively detect the PU activity in distributed cooperative
spectrum sensing. Furthermore, DBSD can also exclude
abnormal sensing reports from ill-functioned secondary
users. Simulation results show that DBSD achieves very
good performance in cooperative spectrum sensing.
Index Termscognitive radio networks; SSDF attack;
probability density based SSDF detection.

I. I NTRODUCTION
With wireless devices and applications booming, the
problem of inefficient utilization of the precious radio spectrum has arisen. Recent studies showed that
a considerable amount of licensed spectrum is rarely
occupied [1]. Cognitive radio is a key technology to
improve spectrum utilization [2]. A major challenge in
cognitive radio networks is spectrum sensing, which
detects if a spectrum band is being used by primary
users (PU) or not. The local spectrum sensing by a
single secondary user (SU) is often inaccurate as the

978-1-4799-1353-4/13/$31.00 2013 IEEE

channel often experiences fading and shadowing effects.

Therefore, cooperative spectrum sensing, which exploits
the cooperation among multiple SUs, has been proposed
to achieve reliable spectrum sensing.
Based on how cooperating SUs share the sensing
reports in the network, cooperative spectrum sensing can
be conducted in two modes: centralized or distributed
[3]. In centralized cooperative spectrum sensing, a fusion
center collects sensing reports from all the SUs, makes
a final decision on the PU activity, and disseminates the
decision to all SUs. In contrast, distributed cooperative
spectrum sensing does not rely on a fusion center for
making decision. Each SU shares its own sensing report
with other SUs, combines its report with the received
ones, and decides whether the PU is active or not by
using a local criterion. Since only local sensing reports
are exchanged, distributed cooperative spectrum sensing
is energy-efficient and scalable. Therefore, distributed
cooperative spectrum sensing is more suitable for cognitive radio networks.
However, distributed cooperative spectrum sensing is
vulnerable to security attacks from malicious users. For
example, to achieve unfair usage of a spectrum band, a
greedy user can generate a false PU signal to launch the
primary user emulation (PUE) attack [4]. On the other
hand, malicious users can manipulate sensing reports in
order to disrupt other SUs decision on the PU activity.
This type of attack is commonly known as the spectrum
sensing data falsification (SSDF) attack. In [5], we
proposed a distributed SSDF detection scheme, which
uses only local information. In [6], a novel attack called
covert adaptive data injection attack was analyzed. The
authors proposed a distributed outlier detection scheme
with an adaptive local threshold to countermeasure this

623

Globecom 2013 - Communication and Information System Security Symposium

Recently, the design of distributed SSDF countermeasure schemes for cognitive radio networks has received
considerable attention. In [5], we proposed a decentralized scheme to detect malicious users which launch
the SSDF attack in cooperative spectrum sensing. The
scheme utilizes spatial correlation of received signal
strengths among SUs in close proximity and is based
on robust outlier-detection technique. A neighborhood
majority voting approach is used for SUs to decide
if a specific user is malicious. A more sophisticated
attack called covert adaptive data injection attack was
considered in [6], where the attackers can adjust attack strategies via learning. The authors proposed a
distributed outlier detection scheme and used a majority
voting approach to detect malicious users.

attack, and further proposed a hash-based computation

verification scheme to detect colluding attacks. However,
both [5] and [6] used the majority voting to detect the
malicious user(s). This approach is not effective when
the number of users is small in the network.
In this paper, we propose a distributed scheme to
countermeasure the SSDF attack in cooperative spectrum
sensing, called density based SSDF detection (DBSD).
To achieve robust spectrum sensing, we focus on excluding abnormal sensing reports rather than detecting
malicious users. The scheme treats the sensing reports
as samples of a random variable, and then estimates
the probability density of the random variable using
a technique known as kernel density estimator. Each
sensing report is then tested for the normality. Once
a sensing report is deemed as abnormal, this sensing
report would be excluded from decision making on the
PU activity. Our main contributions are summarized as
follows:

III. S YSTEM M ODEL

We consider a time-slotted cognitive radio network
where PUs, benign SUs, and attackers (malicious users)
coexist. There are total N SUs which collaborate for
distributed spectrum sensing. Without loss of generality,
a single PU is considered in this study. Nevertheless, our
scheme can be extended to address multiple PUs.
All SUs use energy detection for local spectrum
sensing, and the sensing reports at different SUs are
assumed independent. In spectrum sensing, although the
hard decision, i.e., one bit decision on PUs existence,
can decrease the communication overhead, [12] claimed
that soft decision, i.e., raw sensing results, combining
sensing reports achieves better sensing performance than
hard decision. Therefore, the raw results from local
spectrum sensing are exchanged among all SUs. The
received signal strength, Pi , at SU i can be expressed
as follows [6]:

DBSD excludes all abnormal sensing reports, including the sensing reports from both malicious
users and ill-functioned SUs, which improves the
success probability to detect the PU activity.
We have developed an approach to effectively test
the normality of sensing reports.

The remainder of the paper is organized as follows.

Section II discusses the related work. Section III describes the system model. Section IV describes DBSD.
Section V presents simulation results. At last, Section VI
concludes the paper.
II. R ELATED W ORK
Many centralized approaches have been proposed to
achieve robust spectrum sensing in the literature. In [7],
the authors used shadow-fading correlation-based filters
to minimize the effect of abnormal sensing reports in
detecting digital TV PUs. The authors in [8] proposed
three schemes to detect malicious users based on outlier detection techniques. These schemes require some
knowledge of the malicious user, e.g., the maximum
number of malicious users. The authors in [9] proposed
a scheme for secure cooperative spectrum sensing. This
scheme assumes a somehow simplified attack strategy,
i.e., attackers launch only always yes or always no
attacks. In [10], an onion-peeling approach was proposed
to defend against multiple compromised SUs, using a
maliciousness suspicious level for each user. In [11],
the authors proposed a double-side abnormality detection
scheme for collaborative spectrum sensing.

Pi = Pt (10log10 (di /d0 ) + Gi + Mi )(dB)

(1)

where Pt is the transmission power of PU, is the

path loss exponent, di is the distance from PU to SU
i, d0 is the reference distance, Gi is the power loss due
to the log-normal shadowing, and Mi is the multipath
fading from the PU to SU i. We assume d0 = 1
meter in this paper. Also, the location of PU is assumed
known to all SUs. Each SU also knows its own location
information. As a general practice, the power loss due
to the log-normal shadowing, Gi , is usually modeled as
a Gaussian random variable with mean 0, and standard
deviation , which has an empirical value depending
on the surroundings. It is reasonable to assume that
the channel bandwidth is much larger than the coherent
2

624

Globecom 2013 - Communication and Information System Security Symposium

bandwidth. Therefore, the effect of multipath fading Mi

is negligible.
To make a decision on the PU activity, each SU
collects sensing reports from its neighbor SUs, uses the
proposed DBSD scheme to exclude abnormal reports,
calculates the average value based on the remaining
sensing reports, and compares this value to a PU detection threshold. We assume that there is a reliable
and secure end-to-end connection between SUs, i.e., the
communication is error-free and would not be tampered
by attackers. This process repeats for each time slot at
each node. It is important to note that a benign SUs
objective is to exclude abnormal sensing reports rather
than identifying specific attackers.
In this paper, we assume that there are M inside
attackers, i.e., malicious SUs, in the network, since
outside attackers can be effectively excluded from the
network by authentication mechanism. We assume that
M is relatively small compared with N so that the
sensing reports from attackers would not dominate the
sensing reports of benign SUs. The objective of the
SSDF attackers is to mislead benign SUs to make an incorrect decision on the PU activity. To achieve this goal,
the attackers manipulate their sensing reports to mislead
benign SUs. Specifically, when the PU is active, attackers
send out sensing reports with small PU signal energy; in
contrast, when the PU is inactive, the attackers send out
sensing reports with high PU signal energy. To avoid
being detected by the network, the attackers can adapt
their attack strategies based on the updated information
of benign SUs sensing reports and collude with other
attackers. It is worthy to note that ill-functioned SUs
may generate incorrect sensing reports due to software
or hardware failure. These sensing reports are harmful
to spectrum sensing, and hence should also be excluded.
Therefore, we do not differentiate the sensing reports of
attackers from the sensing reports of ill-functioned SUs.

the random samples (sensing reports). Then we test the

abnormality of each sensing report using a confidence
interval derived from the probability density function. If
the test result is abnormal, this sensing report is seen
from an attacker or an ill-functioned SU, and discarded.
Next we discuss how to estimate a probability density
based on sensing reports, and how to construct the
confidence interval.
We use a technique called kernel density estimator
[13], to estimate the probability density. We consider
an SU that has n neighbors in its direct communication
range, and has received n sensing reports from them.
Given n different sensing samples x1 , . . . , xn , the kernel
density estimator, denoted as q(x), is given as follows
n

1X 1
x xi
q(x) =
K(
)
m
n
h
h

(2)

i=1

where K() is a kernel function, and h(xi ) is the

bandwidth used for sample xi . In this paper, we consider
a cognitive radio network in a 2-dimensional plane.
Therefore, we have m = 2.
We use the PU signal energy detected by an SU as the
kernel function, i.e., we let K() = Pi . As described in
Section III, the power loss due to shadowing fading can
be modeled as a Gaussian random variable, i.e., Gi
N (0, 2 ). Therefore, the PU signal energy detected by
an SU can be modeled by a Gaussian distribution, i.e.,
Pi N (i , 2 ). Hence we have
(yi )2
1
K(y) = Pi (y) = e 22
2

(3)

where i = Pt 10log10 (di ).

For the ease of description, we let
x xi
.
h
Then Eq. (2) can be rewritten to
yi =

IV. D ENSITY BASED SSDF D ETECTION (DBSD)

In this section, we describe our SSDF countermeasure

scheme DBSD. With DBSD, after an SU has received the
sensing reports from other SUs. These received sensing
reports are treated as random samples of the PU signal
received at those SUs, which can be seen as a random
variable, i.e., Pi , as indicated in Eq. (1). To develop a
general and robust approach to countermeasure SSDF
attacks, we do not assume any knowledge of the probability density of this random variable. Instead, we use a
technique called kernel density estimation to estimate the
probability density of the received PU signal, based on

q(x) =

(yi i )2
1X
1
e 22 .
n
h2 2

(4)

i=1

Since we have used the Gaussian density function as

the kernel function as in Eq. (3), the optimal choice of
the bandwidth h() is given as follows [14, p.48],

h=

4
5
3n

 51
,

(5)

where n is the number of samples and

is the standard
deviation of the sensing samples x1 , . . . , xn .
3

625

Globecom 2013 - Communication and Information System Security Symposium

Algorithm 1 Density Based SSDF Detection at an SU

1: Input:
2: Output: A list of normal sensing reports in set X
3: Collect neighbor SUs sensing reports, x1 , . . . , xn
4: Compute the standard deviation
of samples
x1 , . . . , x n
5: Calculate the bandwidth h using Eq. (5)
6: Calculate using Eq. (7)
7: Let X = {x1 , . . . , xn }
8: for j = 1 to n do
9:
Test sensing report xj using Eq. (8)
10:
if test result is abnormal then
11:
X = X\{xj } {sensing report xj (from SU j )
is excluded}
12:
end if
13: end for

The PU signal energy detected at an SU is dependent

on the distance from the SU to the PU. The mean of the
PU signal energy detected at SU i is
i = Pt 10log10 (di ).

(6)

Therefore, the mean of the probability distribution represented by the kernel density estimator in (4), denoted
as , can be calculated as
=

n
1 X
i .
nh2

(7)

i=1

As discussed earlier, the power loss due to shadowing

fading can be modeled as a Gaussian random variable.
Therefore, the PU signal energy detected by an SU
follows the Gaussian distribution. In other words, the
underlying probability density we are trying to estimate
in Eq. (4) follows the Gaussian distribution with mean
and standard deviation . As such, from and ,
we
h can construct ai 100(1 )% confidence
 interval


z , + z , where z is the 1 2 quantile

2
2
2
of the standard Gaussian distribution, i.e., Pr(Z z ) =
2

1 2 , where Z is a standard Gaussian random variable.

With this confidence interval, we can test the abnormality
of a sensing report as follows.

(
T (xi ) =

normal,

h
i
if xi z , + z
2

abnormal, otherwise

(8)
At last, we describe our density based SSDF detection
scheme in Algorithm 1.

Fig. 1.
PU detection success probability versus , with 15%
malicious users

V. P ERFORMANCE E VALUATION
noted. In the simulation, we assume that the PU is active.
The results of detecting that PU is not active are similar
and omitted due to space limit. The simulation results
are obtained from 10000 rounds of simulations using
different seeds. We use the success probability to detect
the PUs activity as the performance metrics.
Fig. 1 illustrates the success probability of DBSD
to detect the PUs activity versus (the corresponding
confidence interval is 100(1 )%), with total 40, 60,
and 80 number of SUs, respectively. In this experiment,
15% of the SUs are simulated as malicious users to
launch the SSDF attack. We can see that when
increases, i.e., when the confidence interval decreases,
the PU detection success probability increases. This is
because a narrower confidence interval excludes more
sensing reports as abnormal data and hence the abnormal

We evaluate the performance of DBSD through simulations. The cognitive radio network is assumed as a
circular area with a radius = 1000 meters. One PU is
located at the center and N SUs are deployed at random
locations. In the simulations, the pass loss exponent
is assumed 2, and the PU transmission power Pt is
assumed 20. The standard deviation of the power loss
due to shadowing fading, , is assumed 1. The results
for using different values for have similar trends and
are omitted due to space limit. If SU i is a benign
SU, then the sensing report is generated as a Gaussian
random variable with mean i from Eq. (6) and standard
deviation . If SU i is a malicious user, then the sensing
reports is generated using an enlarged mean i , where
> 1 is called abnormality factor. The abnormality
factor is set as 1.1 in the simulation if not otherwise
4

626

Globecom 2013 - Communication and Information System Security Symposium

Fig. 2.

PU detection success probability versus , with N = 80

Fig. 4. PU detection success probability versus the percentage of

malicious users, with = 0.1

Fig. 3. PU detection success probability versus the percentage of

malicious users, with N = 40

Fig. 5. PU detection success probability versus the number of SUs

(N ), with = 0.1

sensing reports are more likely excluded. Therefore the

decision making on the PU activity is less impacted by
the sensing reports from malicious users. In particular
when 0.075, or when we use a 92.5% or narrower
confidence interval, the PU detection success probability
is close to 1.
Next we examine the PU detection success probability
with a fixed number of SUs (N = 80) but different
percentages of malicious users. The results are plotted
in Fig. 2. We can see that the PU detection success
probability has a similar trend as in Fig. 1.
Figs. 3 and 4 illustrate the PU detection success
probability as a function of the percentage of malicious
users, with N = 40, and = 0.1, respectively. The
PU detection success probability decreases only slowly
when the percentage of malicious users increases. This
indicates that DBSD is a robust scheme that is resilient

to increasing number of malicious users.

The PU detection success probability versus the number of SUs (N ) is plotted in Fig. 5. We can see that
with more number of SUs, the PU detection success
probability moderately improves. On the other hand,
DBSD still has a good performance even when the
number of SUs is small.
At last, we examine the PU detection success probability versus the abnormality factor that is used
to generate abnormal sensing reports. The results are
plotted in Figs. 6 and 7. We can see that DBSD is very
effective to countermeasure the SSDF attack, as indicated
by the high PU detection success probability when the
abnormality factor increases. For instance, when = 2,
the PU detection success probability is very close to 1.
As a matter of fact, even when is smaller, the PU
5

627

Globecom 2013 - Communication and Information System Security Symposium

dependent Research and Development (IR/D) Program.

However, any opinion, finding, and conclusions or recommendations expressed in this material; are those of
the author and do not necessarily reflect the views
of the National Science Foundation. The research of
ChunSheng Xin is supported in part by NSF under grants
CNS-1217668, ECCS-1247853, and CNS-1017172.
R EFERENCES
[1] M. McHenry, NSF spectrum occupancy measurements project
summary, Shared spectrum company report, 2005.
[2] M. Song, C. Xin, Y. Zhao, and X. Cheng, Dynamic spectrum
access: from cognitive radio to network radio, IEEE Wireless
Communications, vol. 19, no. 1, pp. 2329, 2012.
[3] I. Akyildiz, B. Lo, and R. Balakrishnan, Cooperative spectrum sensing in cognitive radio networks: A survey, Physical
Communication, vol. 4, no. 1, pp. 4062, 2011.
[4] R. Chen, J. Park, and J. Reed, Defense against primary user
emulation attacks in cognitive radio networks, IEEE Journal
on Selected Areas in Communications, vol. 26, no. 1, pp. 2537,
2008.
[5] C. Chen, M. Song, C. Xin, and M. Alam, A robust malicious
user detection scheme in cooperative spectrum sensing, in
Proc. IEEE Global Telecommunications Conference (GLOBECOM), 2012.
[6] Q. Yan, M. Li, T. Jiang, W. Lou, and Y. Hou, Vulnerability
and protection for distributed consensus-based spectrum sensing
in cognitive radio networks, in Proc. 31st IEEE International Conference on Computer Communications (INFOCOM),
pp. 900908, 2012.
[7] A. Min, K. Shin, and X. Hu, Secure cooperative sensing
in ieee 802.22 wrans using shadow fading correlation, IEEE
Transactions on Mobile Computing, vol. 10, no. 10, pp. 1434
1447, 2011.
[8] P. Kaligineedi, M. Khabbazian, and V. Bhargava, Malicious
user detection in a cognitive radio cooperative sensing system,
IEEE Transactions on Wireless Communications, vol. 9, no. 8,
pp. 24882497, 2010.
[9] P. Kaligineedi, M. Khabbazian, and V. Bhargava, Secure
cooperative sensing techniques for cognitive radio systems,
in Proc. IEEE International Conference on Communications
(ICC), pp. 34063410, 2008.
[10] W. Wang, H. Li, Y. Sun, and Z. Han, CatchIt: detect malicious
nodes in collaborative spectrum sensing, in Proc. IEEE Global
Telecommunications Conference (GLOBECOM), 2009.
[11] H. Li and Z. Han, Catching Attacker (s) for Collaborative
Spectrum Sensing in Cognitive Radio Systems: An Abnormality
Detection Approach, in Proc. 4th IEEE Symposium on New
Frontiers in Dynamic Spectrum Access Networks (DySPAN),
pp. 112, 2009.
[12] E. Visotsky, S. Kuffner, and R. Peterson, On collaborative
detection of TV transmissions in support of dynamic spectrum
sharing, in Proc. 1st IEEE International Symposium on New
Frontiers in Dynamic Spectrum Access Networks (DySPAN),
pp. 338345, 2005.
[13] L. Latecki, A. Lazarevic, and D. Pokrajac, Outlier detection
with kernel density functions, Machine Learning and Data
Mining in Pattern Recognition, pp. 6175, 2007.
[14] B. W. Silverman, Density estimation for statistics and data
analysis, vol. 26. Chapman & Hall/CRC, 1986.

Fig. 6. PU detection success probability versus the abnormality

factor , with = 0.1

Fig. 7. PU detection success probability versus the abnormality

factor , with N = 60

detection success probability is also very high.

VI. C ONCLUSION AND F UTURE D IRECTIONS
In this paper, we have proposed a density based
SSDF detection (DBSD) scheme to countermeasure the
SSDF security attack to cooperative spectrum sensing in
cognitive radio networks. Specifically, DBSD excludes
abnormal sensing reports in cooperative spectrum sensing, to prevent malicious users to mislead other secondary users in detection of the PU activity. Simulation
results indicate that using the proposed DBSD scheme,
secondary users can achieve a very good performance in
cooperative spectrum sensing.
ACKNOWLEDGMENT
The research of Min Song is supported in part by
NSF CAREER Award CNS-0644247 and NSF IPA In6

628