“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
1
Chapter 15
Cognitive Radio Network Security
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009) 2
Outline
A taxonomy of CR security threats Primary user emulation attacks Byzantine failures in distributed spectrum sensing Security vulnerabilities in IEEE 802.22
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009) 3
Introduction
Successful deployment of CR networks and the realization of their benefits will depend on the placement of essential security mechanisms
Emergence of the opportunistic spectrum sharing (OSS) paradigm and cognitive radio technology raises new security implications that have not been studied previously
Researchers have only recently started to examine the security issues specific to CR devices and networks
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Some Recent Publications on CR Security
4
• R. Chen, J. Park, & J. Reed, “Defense against primary user emulation attacks in cognitive radio networks,” IEEE Journal on Selected Areas in Communications, vol. 26, no. 1, Jan. 2008.
• R. Chen, J. Park, T. Hou, & J. Reed, “Toward secure distributed spectrum sensing in cognitive radio networks,” IEEE Comm. Magazine, vol. 46, no. 4, 2008.
• S. Xiao, J. Park, and Y. Ye, “Tamper Resistance for Software Defined Radio Software,” IEEE Computer Software and Applications Conference, July 2009.
• K. Bian and J. Park, “Security Vulnerabilities in IEEE 802.22,” Fourth International Wireless Internet Conference, Nov. 2008.
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Some Recent Publications on CR Security
• T. Clancy, N. Goergen, “Security in Cognitive Radio Networks: Threats and Mitigation,” Int’l Conference on Cognitive Radio Oriented Wireless Networks and Communications, May 2008.
• T.B. Brown and A. Sethi, “Potential cognitive radio denial-of-service vulnerabilities and protection countermeasures: a multi-dimensional analysis and assessment,” Journal of Mobile Networks and Applications, vol. 13, no. 5, Oct. 2008.
• A. Brawerman et al., “Towards a fraud-prevention framework for software defined radio mobile devices,” EURASIP Journal on Wireless Comm. and Networking, vol. 2005, no. 3, 2005.
• L.B. Michael et al., “A framework for secure download for software-defined radio,” IEEE Comm. Magazine, July 2002.
• P. Flanigan et al., “Dynamic policy enforcement for software defined radio,” 38th Annual Simulation Symposium, 2005.
5
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
A Taxonomy of CR Security Threats
6
CR networksecurity threats
Radio softwaresecurity threats
Spectrum access-related security threats
Threats to incumbent coexistence mechanisms
Threats to self-coexistence mechanisms
· Security threats to thesoftware download process
· Spectral “honeypots”· Sensory manipulation:
-Primary user emulation-Geospatial manipulation-Chaff point attack-Spam point bias attack
· Obstruct synchronization of QPs
· Tx false/spurious inter-cell beacons (control messages)
· Exploit/obstruct inter-cell spectrum sharing processes
· Unauthorized policy changes· Tampering w/ CR reasoners
(e.g., System Strategy Reasoner & Policy Reasoner)
· Software IP theft· Software tampering
· Injection of false/forged policies
· Injection of false/forged SW updates
· Injection of malicious SW (viruses)
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
The Importance of Distinguishing Primary Users from Secondary Users
Spectrum usage scenario for a secondary user Periodically search for spectrum “white spaces” (i.e.,
fallow bands) to transmit/receive data When a primary user is detected in its spectrum band
Immediately vacate that band and switch to a vacant one “vertical spectrum sharing”
When another secondary user is detected in its spectrum band When there are no better spectrum opportunities, it
may choose to share the band with the detected secondary user “horizontal spectrum sharing”
CR MAC protocol guarantees fair resource allocation among secondary users
7
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Primary User Emulation Attacks
8
Sensor
Primarysignal
transmitter...
Sensor
Sensor
Sensing datacollector
Data fusion Final spectrumsensing result
Distributed Spectrum Sensing
Adversaries
Primary-User Emulation attack: Anattacker emulates the characteristicsof a primary signal transmitter
Localspectrumsensingresults
Signals with thesame characteristicsas primary signals
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Existing Technique (1): Using Energy Detection to Conduct Spectrum Sensing
Trust model An energy detector measures RF energy or the RSS
to determine whether a given channel is idle or not Secondary users can recognize each other’s signals
and share a common protocol, and therefore are able to identify each other
If an unidentified user is detected, it is considered a primary user
9
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Existing Technique (1): Using Energy Detection to Conduct Spectrum Sensing
Problem: If a malicious secondary user transmits a signal that is not recognized by other secondary users, it will be identified as a primary user by the other secondary users Interference to primary users Prevents other secondary users from accessing that
band
10
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Existing Technique (2): Matched Filter and Cyclostationary Feature Detection
Trust model Matched filter and cyclostationary feature detectors
are able to recognize the distinguishing characteristics of primary user signals
Secondary users can identify each other’s signals Problem: If a malicious secondary user
transmits signals that emulate the characteristics of primary user signals, it will be identified as a primary user by the other secondary users Interference to primary users Prevents other secondary users from accessing that
band
11
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Existing Technique (3): Quiet Period for Spectrum Sensing
Trust model Define a “quiet period” that all secondary users stop
transmission. It is dedicated for spectrum sensing. Any user detected in the quiet period (using energy
detector, matched filter or cyclostationary feature detector) is a primary user
Problem: If a malicious secondary user transmits signals in the quiet period, it will be identified as a primary user by the other secondary users Interference to primary users Prevents other secondary users from accessing that
band
12
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
The Disruptive Effects of Primary User Emulation Attacks
13
0 5 10 15 20 25 300
1
2
3
4
5
6
7
Number of pairs of selfish attackers
Ava
ilab
le li
nk
ba
nd
wid
th (
MH
z)
Selfish attackersLegitimate users
Malicious PUE attacksSelfish PUE attacks
0 5 10 15 20 25 300
1
2
3
4
5
Number of malicious attackersA
vaila
ble
lin
k b
an
dw
idth
(M
Hz)
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Transmitter Verification for Spectrum Sensing
Transmitter verification for spectrum sensing is composed of three processes: Verification of signal characteristics Measurement of received signal energy level Localization of the signal source
14
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
A Flowchart of transmitter verification
15
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Challenges in PST Localization
Primary signal transmitter (PST) localization is more challenging than the standard localization problem due to two reasons No modification should be made to primary users to
accommodate the DSA of licensed spectrum. This requirement excludes the possibility of using a localization protocol that involves the interaction between a primary user and the localization device(s). PST localization problem is a non-interactive
localization problem When a receiver is localized, one does not need to consider
the existence of other receivers. However, the existence of multiple transmitters may add difficulty to transmitter localization
16
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
A solution to PST Localization
Magnitude of an RSS value typically decreases as the distance between the signal transmitter and the receiver increases
If one is able to collect a sufficient number of RSS measurements from a group of receivers spread throughout a large network, the location with the peak RSS value is likely to be the location of a transmitter.
Advantage of this technique is twofold, Obviates modification of primary users and Supports localizing multiple transmitters that transmit
signals simultaneously
17
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Byzantine failures in distributed spectrum sensing
Cause of Byzantine failures in distributed spectrum sensing (DSS) Malfunctioning sensing terminals Spectrum sensing data falsification (SSDF) attacks
A malicious secondary user intentionally sends falsified local spectrum sensing reports to the data collector in an attempt to cause the data collector to make incorrect spectrum sensing decisions
18
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
SSDF Attacks
19
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Modeling of DSS as a parallel fusion network
We can model the DSS problem as a parallel fusion network
20
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Data fusion algorithms for DSS
Decision fusion Bayesian detection Neyman-Pearson test Weighted sequential probability ratio test (WSPRT)
21
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
The Coexistence Problem in CR Networks
Incumbent coexistence Avoid serious interference to incumbent users Ex: spectrum sensing for detecting incumbent signals Ex: dynamic frequency hopping to avoid interfering with
detected incumbents Why is self-coexistence important in CR networks?
Minimize self interference between neighboring networks Need to satisfy QoS of networks’ admitted service
workloads in a DSA environment Ex: 802.22 prescribes inter-cell dynamic resource sharing
mechanisms for better self-coexistence CR coexistence mechanisms can be exploited by adversaries
Threats to incumbent coexistence mechanisms Threats to self-coexistence mechanisms
22
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Operating Environment of 802.22 Networks
23
집
집
집
집
집
집
집
집 집
집
집
TV transmitters
WRANBase Station
Wirelessmicrophones
집
Wirelessmicrophones
집
WRANBase Station
집
집
: CPE (Consumer Premise Equipment)집
집
집
집
집
: WRAN Base Station
집
집
집
Typical ~33kmMax. 100km
Incumbent services:• TV broadcast services• Part 74 devices (wireless microphones)
집
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
PHY-Layer Support for Coexistence
Two-stage spectrum sensing in quiet periods (QPs) Fast sensing stage: a quick and simple detection technique,
e.g., energy detection. Fine sensing stage: measurements from fast sensing
determine the need and duration of fine sensing stage. Synchronization of overlapping BSs’ QPs
24
BS1
BS2
Time
BS3
Fast sensing 802.22 TransmissionFine sensing
Channel Detection TimeFast sensing Fine sensing
Channel Detection TimeFast sensing Fine sensing
Channel Detection TimeFast sensing Fine sensing
Channel Detection TimeFast sensing Fine sensing
Channel Detection TimeFast sensing Fine sensing
Channel Detection TimeFast sensing Fine sensing
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Cognitive MAC (CMAC) Layer (1)
Two types control messages Management messages: intra-cell management Beacons: inter-cell coordination
Inter-cell synchronization Frame offset is contained in beacon payload The receiver BS performs frame sliding to synchronize with
the transmitter BS.
25
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Cognitive MAC (CMAC) Layer (2)
Inter-BS dynamic resource sharing Needed when QoS of admitted service workload cannot be
satisfied 802.22 prescribes non-exclusive & exclusive spectrum
sharing On-demand spectrum contention (ODSC) protocol
Select a target channel to contend Each BS selects a Channel Contention Number (CCN) from
[0,W]. BS with a greater CCN wins the pair-wise contention
procedure. BS wins the channel if it wins all pair-wise contention
procedures with all co-channel BSs. Inter-cell beacons used to carry out ODSC
26
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Cognitive MAC (CMAC) Layer (3)
Protection of Part 74 devices (wireless microphones) Class A solution
A separate beacon device deployed Transmit short wireless microphone beacons (WMB) Use WMBs to notify collocated 802.22 cells about operation
of Part 74 devices Class B solution
A special type of CPE is deployed Class B CPEs detect Part 74
device operations and notify other 802.22 systems
27
집
집
집
집
WRANBase Station
집 WirelessMIC
집
Class B CPE
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Overview of 802.22’s Security Sublayer
802.22 security sublayer provides confidentiality, authentication and integrity services for intra-cell management messages PKM (Privacy Key Management) protocol Encapsulation protocol
It fails to protect inter-cell beacons used in coexistence mechanisms
28
CMAC mechanisms protected by 802.22’s security sublayer
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Potential Security Threats
DoS attacks Insertion of forged management messages by rogue terminals Prevented by use of mutual authentication and MACs
Replay attacks Management messages: Prevented by use of nonces in
challenge/response protocols Data packets: Thwarted using AES-CCM & packet numbers
Threats against WMBs Class B CPEs possess pre-programmed keys that enable the use of
authentication mechanisms to prevent WMB forgery/modification Spurious transmissions in QPs
Interfere w/ various coexistence-related control mechanisms Primary user emulation
Adversarial radio transmits signals whose characteristics emulate those of incumbent signals
29
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Security Vulnerabilities in Inter-Cell Coexistence Mechanisms
Inter-cell beacons are not protected by 802.22’ssecurity sublayer!
Beacon Falsification (BF) attack Two types of BF attacks Tx of false/forged inter-cell beacons to
disrupt spectrum contention processes Network throughput drop
interfere with inter-cell synchronization Undermine the accuracy of spectrum sensing
30
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Disrupting Inter-cell Spectrum Contention
Objective of BF attacks Disrupt self-coexistence mechanisms (spectrum contention processes)
Attack method Forge inter-cell beacons with arbitrarily large CCN value
(e.g., select CCN from [W / z, W ], where z >= 1) Tx beacons that contain large CCN to neighboring BSs
Impact of BF attacks Legitimate victim BSs lose the target channels. Drop in network throughput
31
Z = 1
Simulation layout and results
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Interfering with Inter-cell Synchronization
Objective of BF attack Undermine efficacy of incumbent coexistence mechanism (spectrum
sensing) Attack method
Forge inter-cell beacons with spurious Frame Offset Impact of BF attack
Victim BS performs frame sliding according to the spurious Frame Offset, which causes asynchrony of QPs.
Asynchrony causes self-interference that degrades accuracy of spectrum sensing during QPs.
Impact on misdetection probability (for energy detector) An incumbent signal is detected if Y > r (estimated Rx signal power, Y , is
greater than threshold r ). Under BF attacks, self-interference in QPs causes the threshold to increase
to a larger value, r*. Miss detection probability increases by
32
**Pr( ) ( )
r
Yrr Y r f x dx
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Countermeasures
To thwart the forgery of inter-cell beacons, an inter-cell key management scheme is needed Utilize the backhaul infrastructure that connects multiple cells Employ a distributed key management scheme
33
802.22 backhaul infrastructure
“Cognitive Radio Communications and Networks: Principles and Practice”By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009) 34
Chapter 15 Summary
Emergence of the opportunistic spectrum sharing (OSS) paradigm and cognitive radio technology raises new security implications that have not been studied previously
One countermeasure for primary user emulation attacks is transmitter verification; it is composed of 3 processes: Verification of signal characteristics Measurement of received signal energy level Localization of the signal source
We can model the distributed spectrum sensing problem as a parallel fusion network to deal with Byzantine failures
IEEE 802.22 is vulnerable to attacks because its inter-cell beacons are not protected