Chapter 15
Cognitive Radio Network Security
“Cognitive Radio Communications and Networks: Principles and Practice”
By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)
Outline
• A taxonomy of CR security threats
• Primary user emulation attacks
• Byzantine failures in distributed spectrum sensing
• Security vulnerabilities in IEEE 802.22

Introduction
• Successful deployment of CR networks and the realization of their benefits will depend on the placement of essential security mechanisms
• Emergence of the opportunistic spectrum sharing (OSS) paradigm and cognitive radio technology raises new security implications that have not been studied previously
• Researchers have only recently started to examine the security issues specific to CR devices and networks

Some Recent Publications on CR Security
• R. Chen, J. Park, & J. Reed, “Defense against primary user emulation attacks in cognitive radio networks,” IEEE Journal on Selected Areas in Communications, vol. 26, no. 1, Jan. 2008.
• R. Chen, J. Park, T. Hou, & J. Reed, “Toward secure distributed spectrum sensing in cognitive radio networks,” IEEE Comm. Magazine, vol. 46, no. 4, 2008.
• S. Xiao, J. Park, & Y. Ye, “Tamper Resistance for Software Defined Radio Software,” IEEE Computer Software and Applications Conference, July 2009.
• K. Bian & J. Park, “Security Vulnerabilities in IEEE 802.22,” Fourth International Wireless Internet Conference, Nov. 2008.

Some Recent Publications on CR Security
• T. Clancy & N. Goergen, “Security in Cognitive Radio Networks: Threats and Mitigation,” Int’l Conference on Cognitive Radio Oriented Wireless Networks and Communications, May 2008.
• T.B. Brown & A. Sethi, “Potential cognitive radio denial-of-service vulnerabilities and protection countermeasures: a multi-dimensional analysis and assessment,” Journal of Mobile Networks and Applications, vol. 13, no. 5, Oct. 2008.
• A. Brawerman et al., “Towards a fraud-prevention framework for software defined radio mobile devices,” EURASIP Journal on Wireless Comm. and Networking, vol. 2005, no. 3, 2005.
• L.B. Michael et al., “A framework for secure download for software-defined radio,” IEEE Comm. Magazine, July 2002.
• P. Flanigan et al., “Dynamic policy enforcement for software defined radio,” 38th Annual Simulation Symposium, 2005.

A Taxonomy of CR Security Threats
• CR network security threats
  - Spectrum access related security threats
    - Threats to incumbent coexistence mechanisms
      · Spectral “honeypots”
      · Sensory manipulation: primary user emulation, geospatial manipulation, chaff point attack, spam point bias attack
      · Obstruct synchronization of QPs
    - Threats to self-coexistence mechanisms
      · Tx false/spurious inter-cell beacons (control messages)
      · Exploit/obstruct inter-cell spectrum sharing processes
  - Radio software security threats
    - Security threats to the software download process
      · Injection of false/forged policies
      · Injection of false/forged SW updates
      · Injection of malicious SW (viruses)
    - Software IP theft
    - Software tampering
      · Unauthorized policy changes
      · Tampering w/ CR reasoners (e.g., System Strategy Reasoner & Policy Reasoner)

The Importance of Distinguishing Primary Users from Secondary Users
• Spectrum usage scenario for a secondary user
  - Periodically search for spectrum “white spaces” (i.e., fallow bands) to transmit/receive data
  - When a primary user is detected in its spectrum band
    · Immediately vacate that band and switch to a vacant one
    · “vertical spectrum sharing”
  - When another secondary user is detected in its spectrum band
    · When there are no better spectrum opportunities, it may choose to share the band with the detected secondary user
    · “horizontal spectrum sharing”
    · CR MAC protocol guarantees fair resource allocation among secondary users

Primary User Emulation Attacks
[Figure: Distributed spectrum sensing. Labels: primary signal transmitter; sensors; sensing data; local spectrum sensing results; data collector; data fusion; final spectrum sensing result; adversaries (signals with the same characteristics as primary signals).]
• Primary-User Emulation attack: An attacker emulates the characteristics of a primary signal transmitter

Existing Technique (1): Using Energy Detection to Conduct Spectrum Sensing
• Trust model
  - An energy detector measures RF energy or the RSS to determine whether a given channel is idle or not
  - Secondary users can recognize each other’s signals and share a common protocol, and therefore are able to identify each other
  - If an unidentified user is detected, it is considered a primary user

Existing Technique (1): Using Energy Detection to Conduct Spectrum Sensing
• Problem: If a malicious secondary user transmits a signal that is not recognized by other secondary users, it will be identified as a primary user by the other secondary users
  - Interference to primary users
  - Prevents other secondary users from accessing that band

Existing Technique (2): Matched Filter and Cyclostationary Feature Detection
• Trust model
  - Matched filter and cyclostationary feature detectors are able to recognize the distinguishing characteristics of primary user signals
  - Secondary users can identify each other’s signals
• Problem: If a malicious secondary user transmits signals that emulate the characteristics of primary user signals, it will be identified as a primary user by the other secondary users
  - Interference to primary users
  - Prevents other secondary users from accessing that band

Existing Technique (3): Quiet Period for Spectrum Sensing
• Trust model
  - Define a “quiet period” during which all secondary users stop transmitting. It is dedicated to spectrum sensing.
  - Any user detected in the quiet period (using energy detector, matched filter or cyclostationary feature detector) is a primary user
• Problem: If a malicious secondary user transmits signals in the quiet period, it will be identified as a primary user by the other secondary users
  - Interference to primary users
  - Prevents other secondary users from accessing that band

The Disruptive Effects of Primary User Emulation Attacks
[Figure: two plots of available link bandwidth (MHz). “Selfish PUE attacks”: bandwidth versus number of pairs of selfish attackers, with curves for selfish attackers and legitimate users. “Malicious PUE attacks”: bandwidth versus number of malicious attackers.]

Transmitter Verification for Spectrum Sensing
• Transmitter verification for spectrum sensing is composed of three processes:
  - Verification of signal characteristics
  - Measurement of received signal energy level
  - Localization of the signal source

A Flowchart of transmitter verification
Challenges in PST Localization
• Primary signal transmitter (PST) localization is more challenging than the standard localization problem for two reasons
  - No modification should be made to primary users to accommodate the DSA of licensed spectrum. This requirement excludes the possibility of using a localization protocol that involves interaction between a primary user and the localization device(s).
    → The PST localization problem is a non-interactive localization problem
  - When a receiver is localized, one does not need to consider the existence of other receivers. However, the existence of multiple transmitters may add difficulty to transmitter localization

A Solution to PST Localization
• The magnitude of an RSS value typically decreases as the distance between the signal transmitter and the receiver increases
• If one is able to collect a sufficient number of RSS measurements from a group of receivers spread throughout a large network, the location with the peak RSS value is likely to be the location of a transmitter.
• The advantage of this technique is twofold:
  - It obviates modification of primary users
  - It supports localizing multiple transmitters that transmit signals simultaneously

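A sketch of the peak-RSS idea above, added here as an illustration and not taken from the book or the slides: receivers on a grid report RSS, and grid points that exceed all their neighbours are taken as transmitter locations, which also separates two simultaneous emitters. The log-distance path-loss model, the grid, the emitter positions, the -35 dBm floor and the comparison against a list of known primary sites are all assumptions made for the example.

```python
import math
import random

def rss_dbm(rx, emitters, exponent=3.0):
    """Total received power in dBm at rx; log-distance path loss is an assumed model."""
    total_mw = 0.0
    for x, y, tx_dbm in emitters:
        d = max(math.hypot(rx[0] - x, rx[1] - y), 1.0)  # 1 m reference distance
        total_mw += 10 ** ((tx_dbm - 10 * exponent * math.log10(d)) / 10)
    return 10 * math.log10(total_mw)

def collect(emitters, size=2000, step=100, noise_db=1.0, seed=7):
    """One noisy RSS reading per receiver on a square grid (constructed data)."""
    rng = random.Random(seed)
    return {(x, y): rss_dbm((x, y), emitters) + rng.gauss(0, noise_db)
            for x in range(0, size + 1, step)
            for y in range(0, size + 1, step)}

def find_peaks(readings, step, floor_dbm):
    """Receivers above floor_dbm whose reading exceeds all of their grid neighbours."""
    peaks = []
    for (x, y), value in readings.items():
        if value < floor_dbm:
            continue  # too weak to be next to a transmitter
        neighbours = [readings[(x + dx, y + dy)]
                      for dx in (-step, 0, step) for dy in (-step, 0, step)
                      if (dx, dy) != (0, 0) and (x + dx, y + dy) in readings]
        if all(value > n for n in neighbours):
            peaks.append((x, y))
    return sorted(peaks)

def classify(peaks, known_sites, tolerance):
    """Map each peak to True if it lies within tolerance of a known primary site."""
    return {p: any(math.hypot(p[0] - kx, p[1] - ky) <= tolerance
                   for kx, ky in known_sites)
            for p in peaks}

# Constructed scenario: two emitters active at the same time, 30 dBm each.
EMITTERS = [(520, 480, 30.0), (1490, 1310, 30.0)]
KNOWN_PRIMARY_SITES = [(520, 480)]   # assumed registry of primary transmitter sites
READINGS = collect(EMITTERS)
PEAKS = find_peaks(READINGS, step=100, floor_dbm=-35.0)
VERDICT = classify(PEAKS, KNOWN_PRIMARY_SITES, tolerance=100.0)

if __name__ == "__main__":
    for peak, known in VERDICT.items():
        print(peak, "matches a known primary site" if known else "unknown emitter")
```

The location estimate is only as fine as the receiver spacing: each emitter is reported at the nearest grid point, not at its exact coordinates.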
Byzantine failures in distributed spectrum sensing
• Cause of Byzantine failures in distributed spectrum sensing (DSS)
  - Malfunctioning sensing terminals
  - Spectrum sensing data falsification (SSDF) attacks
    · A malicious secondary user intentionally sends falsified local spectrum sensing reports to the data collector in an attempt to cause the data collector to make incorrect spectrum sensing decisions

SSDF Attacks
Modeling of DSS as a parallel fusion network
• We can model the DSS problem as a parallel fusion network

Data fusion algorithms for DSS
• Decision fusion
• Bayesian detection
• Neyman-Pearson test
• Weighted sequential probability ratio test (WSPRT)

The Coexistence Problem in CR Networks
• Incumbent coexistence
  - Avoid serious interference to incumbent users
  - Ex: spectrum sensing for detecting incumbent signals
  - Ex: dynamic frequency hopping to avoid interfering with detected incumbents
• Why is self-coexistence important in CR networks?
  - Minimize self interference between neighboring networks
  - Need to satisfy QoS of networks’ admitted service workloads in a DSA environment
  - Ex: 802.22 prescribes inter-cell dynamic resource sharing mechanisms for better self-coexistence
• CR coexistence mechanisms can be exploited by adversaries
  - Threats to incumbent coexistence mechanisms
  - Threats to self-coexistence mechanisms

Operating Environment of 802.22 Networks
Incumbent services:
• TV broadcast services
• Part 74 devices (wireless microphones)
[Figure: 802.22 operating environment showing WRAN base stations, CPEs (Consumer Premise Equipment), TV transmitters and wireless microphones. Distance labels: typical ~33 km, max. 100 km.]

PHY-Layer Support for Coexistence
• Two-stage spectrum sensing in quiet periods (QPs)
  - Fast sensing stage: a quick and simple detection technique, e.g., energy detection.
  - Fine sensing stage: measurements from fast sensing determine the need and duration of fine sensing stage.
• Synchronization of overlapping BSs’ QPs
[Figure: timelines for BS1, BS2 and BS3 against time, each divided into Channel Detection Times containing fast sensing and fine sensing periods. Legend: fast sensing, fine sensing, 802.22 transmission.]

Cognitive MAC (CMAC) Layer (1)
• Two types of control messages
  - Management messages: intra-cell management
  - Beacons: inter-cell coordination
• Inter-cell synchronization
  - Frame offset is contained in beacon payload
  - The receiver BS performs frame sliding to synchronize with the transmitter BS.

Cognitive MAC (CMAC) Layer (2)
• Inter-BS dynamic resource sharing
  - Needed when QoS of admitted service workload cannot be satisfied
  - 802.22 prescribes non-exclusive & exclusive spectrum sharing
• On-demand spectrum contention (ODSC) protocol
  - Select a target channel to contend
  - Each BS selects a Channel Contention Number (CCN) from [0, W].
  - BS with a greater CCN wins the pair-wise contention procedure.
  - BS wins the channel if it wins all pair-wise contention procedures with all co-channel BSs.
  - Inter-cell beacons used to carry out ODSC

Cognitive MAC (CMAC) Layer (3)
• Protection of Part 74 devices (wireless microphones)
• Class A solution
  - A separate beacon device deployed
  - Transmit short wireless microphone beacons (WMB)
  - Use WMBs to notify collocated 802.22 cells about operation of Part 74 devices
• Class B solution
  - A special type of CPE is deployed
  - Class B CPEs detect Part 74 device operations and notify other 802.22 systems
[Figure: wireless MIC, Class B CPE and WRAN base station.]

Overview of 802.22’s Security Sublayer
• 802.22 security sublayer provides confidentiality, authentication and integrity services for intra-cell management messages
  - PKM (Privacy Key Management) protocol
  - Encapsulation protocol
• It fails to protect inter-cell beacons used in coexistence mechanisms
[Figure: CMAC mechanisms protected by 802.22’s security sublayer.]

Potential Security Threats
• DoS attacks
  - Insertion of forged management messages by rogue terminals
  - Prevented by use of mutual authentication and MACs
• Replay attacks
  - Management messages: Prevented by use of nonces in challenge/response protocols
  - Data packets: Thwarted using AES-CCM & packet numbers
• Threats against WMBs
  - Class B CPEs possess pre-programmed keys that enable the use of authentication mechanisms to prevent WMB forgery/modification
• Spurious transmissions in QPs
  - Interfere w/ various coexistence-related control mechanisms
• Primary user emulation
  - Adversarial radio transmits signals whose characteristics emulate those of incumbent signals

Security Vulnerabilities in Inter-Cell Coexistence Mechanisms
• Inter-cell beacons are not protected by 802.22’s security sublayer!
• Beacon Falsification (BF) attack
  - Two types of BF attacks
  - Tx of false/forged inter-cell beacons to
    · disrupt spectrum contention processes
      → Network throughput drop
    · interfere with inter-cell synchronization
      → Undermine the accuracy of spectrum sensing

Disrupting Inter-cell Spectrum Contention
• Objective of BF attacks
  - Disrupt self-coexistence mechanisms (spectrum contention processes)
• Attack method
  - Forge inter-cell beacons with arbitrarily large CCN value (e.g., select CCN from [W/z, W], where z ≥ 1)
  - Tx beacons that contain large CCN to neighboring BSs
• Impact of BF attacks
  - Legitimate victim BSs lose the target channels.
  - Drop in network throughput
[Figure: simulation layout and results (z = 1).]

Interfering with Inter-cell Synchronization
• Objective of BF attack
  - Undermine efficacy of incumbent coexistence mechanism (spectrum sensing)
• Attack method
  - Forge inter-cell beacons with spurious Frame Offset
• Impact of BF attack
  - Victim BS performs frame sliding according to the spurious Frame Offset, which causes asynchrony of QPs.
  - Asynchrony causes self-interference that degrades accuracy of spectrum sensing during QPs.
• Impact on misdetection probability (for energy detector)
  - An incumbent signal is detected if $Y > r$ (estimated Rx signal power, $Y$, is greater than threshold $r$).
  - Under BF attacks, self-interference in QPs causes the threshold to increase to a larger value, $r^*$.
  - Misdetection probability increases by $\Pr(r < Y \le r^*) = \int_{r}^{r^*} f_Y(x)\,dx$

Countermeasures
• To thwart the forgery of inter-cell beacons, an inter-cell key management scheme is needed
  - Utilize the backhaul infrastructure that connects multiple cells
  - Employ a distributed key management scheme
[Figure: 802.22 backhaul infrastructure.]
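
One way the countermeasure above could look in code, as an added example that is not from the book, the slides or the 802.22 standard: each BS appends a MAC computed with a per-BS inter-cell key (assumed to be distributed over the backhaul) to its beacons, and a receiver drops beacons that fail verification before running the ODSC comparison. The beacon layout, the key, the sequence-number replay check and the value of W are hypothetical.

```python
import hashlib
import hmac
import struct

FMT = ">HIHH"    # bs_id, sequence number, CCN, frame offset (hypothetical layout)
TAG_LEN = 16     # truncated HMAC-SHA256 tag
W = 1023         # upper bound of the CCN window [0, W] (constructed value)

def make_beacon(key, bs_id, seq, ccn, frame_offset):
    """Serialize a beacon and append a MAC computed with the sender's inter-cell key."""
    payload = struct.pack(FMT, bs_id, seq, ccn, frame_offset)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]

def verify_beacon(keys, last_seq, beacon):
    """Return (bs_id, seq, ccn, frame_offset), or None for a forged or replayed beacon."""
    if len(beacon) != struct.calcsize(FMT) + TAG_LEN:
        return None
    payload, tag = beacon[:-TAG_LEN], beacon[-TAG_LEN:]
    bs_id, seq, ccn, frame_offset = struct.unpack(FMT, payload)
    key = keys.get(bs_id)
    if key is None or ccn > W:
        return None                           # unknown sender or CCN out of range
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                           # CCN or frame offset not vouched for
    if seq <= last_seq.get(bs_id, -1):
        return None                           # stale sequence number: replay
    last_seq[bs_id] = seq
    return bs_id, seq, ccn, frame_offset

def wins_channel(own_ccn, beacons, keys=None):
    """ODSC outcome for one BS: it must beat the CCN of every co-channel BS.
    With keys=None beacons are taken at face value, as when they are unprotected."""
    last_seq = {}
    for beacon in beacons:
        if keys is None:
            fields = struct.unpack(FMT, beacon[:struct.calcsize(FMT)])
        else:
            fields = verify_beacon(keys, last_seq, beacon)
            if fields is None:
                continue                      # drop unauthenticated beacon
        if fields[2] >= own_ccn:              # treating a tie as a loss is an assumption
            return False
    return True

# Constructed scenario: BS 2 is a real neighbour; the other two beacons were built
# without any key and carry the largest possible CCN.
KEYS = {2: b"inter-cell-key-for-bs2-demo-only"}
LEGIT = make_beacon(KEYS[2], bs_id=2, seq=41, ccn=300, frame_offset=12)
FORGED = struct.pack(FMT, 3, 1, W, 0) + bytes(TAG_LEN)     # unknown sender id
SPOOFED = struct.pack(FMT, 2, 42, W, 0) + bytes(TAG_LEN)   # claims to be BS 2

if __name__ == "__main__":
    print("unprotected beacons:", wins_channel(700, [LEGIT, FORGED, SPOOFED]))
    print("authenticated beacons:", wins_channel(700, [LEGIT, FORGED, SPOOFED], KEYS))
```

Because the MAC covers the whole payload, the same check rejects a beacon whose Frame Offset was altered, which is the field used in the synchronization attack.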
Chapter 15 Summary
• Emergence of the opportunistic spectrum sharing (OSS) paradigm and cognitive radio technology raises new security implications that have not been studied previously
• One countermeasure for primary user emulation attacks is transmitter verification; it is composed of 3 processes:
  - Verification of signal characteristics
  - Measurement of received signal energy level
  - Localization of the signal source
• We can model the distributed spectrum sensing problem as a parallel fusion network to deal with Byzantine failures
• IEEE 802.22 is vulnerable to attacks because its inter-cell beacons are not protected