
10/25/19

Cognitive Radio Network Security

Yao Zheng

Outline

  • A taxonomy of CR security threats
  • Primary user emulation attacks
  • Byzantine failures in distributed spectrum sensing
  • Security vulnerabilities in IEEE 802.22

Introduction

  • Successful deployment of CR networks and the realization of their benefits will depend on the placement of essential security mechanisms
  • Emergence of the opportunistic spectrum sharing (OSS) paradigm and cognitive radio technology raises new security implications that have not been studied previously
  • Researchers have only recently started to examine the security issues specific to CR devices and networks

COGNITIVE RADIO TECHNOLOGY

[Figure: cognitive radios, with spectrum sensing, spectrum sharing, spectrum mobility and spectrum management]

Some Recent Publications on CR Security

  • R. Chen, J. Park, & J. Reed, “Defense against primary user emulation attacks in cognitive radio networks,” IEEE Journal on Selected Areas in Communications, vol. 26, no. 1, Jan. 2008.
  • R. Chen, J. Park, T. Hou, & J. Reed, “Toward secure distributed spectrum sensing in cognitive radio networks,” IEEE Comm. Magazine, vol. 46, no. 4, 2008.
  • S. Xiao, J. Park, and Y. Ye, “Tamper Resistance for Software Defined Radio Software,” IEEE Computer Software and Applications Conference, July 2009.
  • K. Bian and J. Park, “Security Vulnerabilities in IEEE 802.22,” Fourth International Wireless Internet Conference, Nov. 2008.
  • T. Clancy, N. Goergen, “Security in Cognitive Radio Networks: Threats and Mitigation,” Int’l Conference on Cognitive Radio Oriented Wireless Networks and Communications, May 2008.
  • T.B. Brown and A. Sethi, “Potential cognitive radio denial-of-service vulnerabilities and protection countermeasures: a multi-dimensional analysis and assessment,” Journal of Mobile Networks and Applications, vol. 13, no. 5, Oct. 2008.
  • A. Brawerman et al., “Towards a fraud-prevention framework for software defined radio mobile devices,” EURASIP Journal on Wireless Comm. and Networking, vol. 2005, no. 3, 2005.
  • L.B. Michael et al., “A framework for secure download for software-defined radio,” IEEE Comm. Magazine, July 2002.
  • P. Flanigan et al., “Dynamic policy enforcement for software defined radio,” 38th Annual Simulation Symposium, 2005.


A Taxonomy of CR Security Threats

Threat categories:

  • CR network security threats
  • Radio software security threats
  • Spectrum access-related security threats
  • Threats to incumbent coexistence mechanisms
  • Threats to self-coexistence mechanisms

Threats named in the tree:

  • Security threats to the software download process
  • Spectral “honeypots”
  • Sensory manipulation: primary user emulation, geospatial manipulation, chaff point attack, spam point bias attack
  • Obstruct synchronization of QPs
  • Tx false/spurious inter-cell beacons (control messages)
  • Exploit/obstruct inter-cell spectrum sharing processes
  • Unauthorized policy changes
  • Tampering w/ CR reasoners (e.g., System Strategy Reasoner & Policy Reasoner)
  • Software IP theft
  • Software tampering
  • Injection of false/forged policies
  • Injection of false/forged SW updates
  • Injection of malicious SW (viruses)

The Importance of Distinguishing Primary Users from Secondary Users

  • Spectrum usage scenario for a secondary user
    • Periodically search for spectrum “white spaces” (i.e., fallow bands) to transmit/receive data
    • When a primary user is detected in its spectrum band
      • Immediately vacate that band and switch to a vacant one → “vertical spectrum sharing”
    • When another secondary user is detected in its spectrum band
      • When there are no better spectrum opportunities, it may choose to share the band with the detected secondary user → “horizontal spectrum sharing”
      • CR MAC protocol guarantees fair resource allocation among secondary users

Primary User Emulation Attacks

  • Primary-User Emulation attack: An attacker emulates the characteristics of a primary signal transmitter

[Figure: distributed spectrum sensing. Sensors observe the primary signal transmitter and send local spectrum sensing results to a sensing data collector, where data fusion produces the final spectrum sensing result. Adversaries transmit signals with the same characteristics as primary signals.]

Existing Technique (1): Using Energy Detection to Conduct Spectrum Sensing

  • Trust model
    • An energy detector measures RF energy or the RSS to determine whether a given channel is idle or not
    • Secondary users can recognize each other’s signals and share a common protocol, and therefore are able to identify each other
    • If an unidentified user is detected, it is considered a primary user
  • Transmitter detection: 2) Energy detection
    • Decision statistic Y follows Chi-square distribution

$$
Y \sim \begin{cases} \chi^2_{2M}, & H_0 \\ \chi^2_{2M}(\gamma), & H_1 \end{cases}
$$

  • Problem: If a malicious secondary user transmits a signal that is not recognized by other secondary users, it will be identified as a primary user by the other secondary users
    • Interference to primary users
    • Prevents other secondary users from accessing that band


Existing Technique (2): Matched Filter and Cyclostationary Feature Detection

  • Trust model
    • Matched filter and cyclostationary feature detectors are able to recognize the distinguishing characteristics of primary user signals
    • Secondary users can identify each other’s signals
  • Problem: If a malicious secondary user transmits signals that emulate the characteristics of primary user signals, it will be identified as a primary user by the other secondary users
    • Interference to primary users
    • Prevents other secondary users from accessing that band
  • Transmitter detection: 1) Matched filter detection
    • Advantages: Better detection performance and less time to achieve processing gain
    • Disadvantages: Prior knowledge of the primary signal is required (such as pilots, preambles or synchronized messages).

Existing Technique (3): Quiet Period for Spectrum Sensing

  • Trust model
    • Define a “quiet period” in which all secondary users stop transmission. It is dedicated to spectrum sensing.
    • Any user detected in the quiet period (using energy detector, matched filter or cyclostationary feature detector) is a primary user
  • Problem: If a malicious secondary user transmits signals in the quiet period, it will be identified as a primary user by the other secondary users
    • Interference to primary users
    • Prevents other secondary users from accessing that band

The Disruptive Effects of Primary User Emulation Attacks

[Figure: two plots of available link bandwidth (MHz). Selfish PUE attacks: bandwidth versus number of pairs of selfish attackers, with curves for selfish attackers and legitimate users. Malicious PUE attacks: bandwidth versus number of malicious attackers.]

Transmitter Verification for Spectrum Sensing

  • Transmitter verification for spectrum sensing is composed of three processes:
    • Verification of signal characteristics
    • Measurement of received signal energy level
    • Localization of the signal source

A Flowchart of transmitter verification


Challenges in PST Localization

  • Primary signal transmitter (PST) localization is more challenging than the standard localization problem due to two reasons
    • No modification should be made to primary users to accommodate the DSA of licensed spectrum. This requirement excludes the possibility of using a localization protocol that involves the interaction between a primary user and the localization device(s).
      • → PST localization problem is a non-interactive localization problem
    • When a receiver is localized, one does not need to consider the existence of other receivers. However, the existence of multiple transmitters may add difficulty to transmitter localization

A solution to PST Localization

  • Magnitude of an RSS value typically decreases as the distance between the signal transmitter and the receiver increases
  • If one is able to collect a sufficient number of RSS measurements from a group of receivers spread throughout a large network, the location with the peak RSS value is likely to be the location of a transmitter.
  • Advantage of this technique is twofold,
    • Obviates modification of primary users and
    • Supports localizing multiple transmitters that transmit signals simultaneously
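The peak-RSS idea on this slide, combined with the localization step of transmitter verification, as an added example that is not code from the slides. The log-distance path-loss model, the sensor grid, the noise level, the -101 dBm floor and the list of known incumbent locations are assumptions, and all function names are hypothetical.

```python
import math
import random

def rss_dbm(tx, rx, p0=-30.0, n=3.0):
    """Log-distance path loss (assumed model): RSS falls as distance grows."""
    return p0 - 10.0 * n * math.log10(max(math.dist(tx, rx), 1.0))

def survey(transmitters, size=20, step=500.0, sigma=1.0, seed=7):
    """Constructed data: one noisy RSS report per sensor on a size x size grid."""
    rng = random.Random(seed)
    grid = {}
    for i in range(size):
        for j in range(size):
            pos = (i * step, j * step)
            # Simultaneous transmitters add in the linear (mW) domain.
            mw = sum(10 ** (rss_dbm(t, pos) / 10) for t in transmitters)
            grid[(i, j)] = 10 * math.log10(mw) + rng.gauss(0.0, sigma)
    return grid

def rss_peaks(grid, floor_dbm=-101.0):
    """Cells above the floor that are the strongest in their 3x3 neighbourhood."""
    peaks = []
    for (i, j), v in grid.items():
        if v < floor_dbm:
            continue
        near = [grid[(a, b)] for a in range(i - 1, i + 2)
                for b in range(j - 1, j + 2) if (a, b) in grid]
        if v >= max(near):
            peaks.append((i, j))
    return peaks

def verify_sources(peaks, known_primary, step=500.0, tol=500.0):
    """Label each estimated source by whether a known incumbent lies within tol metres."""
    result = {}
    for (i, j) in peaks:
        pos = (i * step, j * step)
        ok = any(math.dist(pos, k) <= tol for k in known_primary)
        result[pos] = "primary" if ok else "suspect"
    return result

TV_TOWER = (2600.0, 2400.0)   # constructed incumbent location
EMULATOR = (7100.0, 6900.0)   # constructed second emitter, absent from the incumbent list

def demo():
    grid = survey([TV_TOWER, EMULATOR])
    return verify_sources(rss_peaks(grid), [TV_TOWER])

if __name__ == "__main__":
    print(demo())
```

No sensor interacts with either transmitter, and both emitters are located from the same set of reports, which are the two advantages the slide lists.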

Byzantine failures in distributed spectrum sensing

  • Cause of Byzantine failures in distributed spectrum sensing (DSS)
    • Malfunctioning sensing terminals
    • Spectrum sensing data falsification (SSDF) attacks
      • A malicious secondary user intentionally sends falsified local spectrum sensing reports to the data collector in an attempt to cause the data collector to make incorrect spectrum sensing decisions

SSDF Attacks

Modeling of DSS as a parallel fusion network

  • We can model the DSS problem as a parallel fusion network

Data fusion algorithms for DSS

  • Decision fusion
  • Bayesian detection
  • Neyman-Pearson test
  • Weighted sequential probability ratio test (WSPRT)

The Coexistence Problem in CR Networks

  • Incumbent coexistence
    • Avoid serious interference to incumbent users
    • Ex: spectrum sensing for detecting incumbent signals
    • Ex: dynamic frequency hopping to avoid interfering with detected incumbents
  • Why is self-coexistence important in CR networks?
    • Minimize self interference between neighboring networks
    • Need to satisfy QoS of networks’ admitted service workloads in a DSA environment
    • Ex: 802.22 prescribes inter-cell dynamic resource sharing mechanisms for better self-coexistence
  • CR coexistence mechanisms can be exploited by adversaries
    • Threats to incumbent coexistence mechanisms
    • Threats to self-coexistence mechanisms

Operating Environment of 802.22 Networks

[Figure: 802.22 operating environment with TV transmitters, WRAN base stations, CPEs (Consumer Premise Equipment) and wireless microphones. Cell radius: typical ~33 km, max. 100 km.]

Incumbent services:

  • TV broadcast services
  • Part 74 devices (wireless microphones)

PHY-Layer Support for Coexistence

  • Two-stage spectrum sensing in quiet periods (QPs)
    • Fast sensing stage: a quick and simple detection technique, e.g., energy detection.
    • Fine sensing stage: measurements from fast sensing determine the need and duration of fine sensing stage.
  • Synchronization of overlapping BSs’ QPs

[Figure: timelines for BS1, BS2 and BS3 showing 802.22 transmission, fast sensing and fine sensing within the channel detection time]

Cognitive MAC (CMAC) Layer (1)

  • Two types of control messages
    • Management messages: intra-cell management
    • Beacons: inter-cell coordination
  • Inter-cell synchronization
    • Frame offset is contained in beacon payload
    • The receiver BS performs frame sliding to synchronize with the transmitter BS.

Cognitive MAC (CMAC) Layer (2)

  • Inter-BS dynamic resource sharing
    • Needed when QoS of admitted service workload cannot be satisfied
    • 802.22 prescribes non-exclusive & exclusive spectrum sharing
  • On-demand spectrum contention (ODSC) protocol
    • Select a target channel to contend
    • Each BS selects a Channel Contention Number (CCN) from [0,W].
    • BS with a greater CCN wins the pair-wise contention procedure.
    • BS wins the channel if it wins all pair-wise contention procedures with all co-channel BSs.
  • Inter-cell beacons used to carry out ODSC

Cognitive MAC (CMAC) Layer (3)

  • Protection of Part 74 devices (wireless microphones)
  • Class A solution
    • A separate beacon device deployed
    • Transmit short wireless microphone beacons (WMB)
    • Use WMBs to notify collocated 802.22 cells about operation of Part 74 devices
  • Class B solution
    • A special type of CPE is deployed
    • Class B CPEs detect Part 74 device operations and notify other 802.22 systems

[Figure: WRAN base station, wireless MIC, Class B CPE]

Overview of 802.22’s Security Sublayer

  • 802.22 security sublayer provides confidentiality, authentication and integrity services for intra-cell management messages
    • PKM (Privacy Key Management) protocol
    • Encapsulation protocol
  • It fails to protect inter-cell beacons used in coexistence mechanisms

[Figure: CMAC mechanisms protected by 802.22’s security sublayer]

Potential Security Threats

  • DoS attacks
    • Insertion of forged management messages by rogue terminals
    • Prevented by use of mutual authentication and MACs
  • Replay attacks
    • Management messages: Prevented by use of nonces in challenge/response protocols
    • Data packets: Thwarted using AES-CCM & packet numbers
  • Threats against WMBs
    • Class B CPEs possess pre-programmed keys that enable the use of authentication mechanisms to prevent WMB forgery/modification
  • Spurious transmissions in QPs
    • Interfere w/ various coexistence-related control mechanisms
  • Primary user emulation
    • Adversarial radio transmits signals whose characteristics emulate those of incumbent signals

Security Vulnerabilities in Inter-Cell Coexistence Mechanisms

  • Inter-cell beacons are not protected by 802.22’s security sublayer!
  • Beacon Falsification (BF) attack
  • Two types of BF attacks
    • Tx of false/forged inter-cell beacons to
      • disrupt spectrum contention processes → Network throughput drop
      • interfere with inter-cell synchronization → Undermine the accuracy of spectrum sensing

Disrupting Inter-cell Spectrum Contention

  • Objective of BF attacks
    • Disrupt self-coexistence mechanisms (spectrum contention processes)
  • Attack method
    • Forge inter-cell beacons with arbitrarily large CCN value (e.g., select CCN from [W / z, W ], where z >= 1)
    • Tx beacons that contain large CCN to neighboring BSs
  • Impact of BF attacks
    • Legitimate victim BSs lose the target channels.
    • Drop in network throughput

[Figure: simulation layout and results, Z = 1]

Interfering with Inter-cell Synchronization

  • Objective of BF attack
    • Undermine efficacy of incumbent coexistence mechanism (spectrum sensing)
  • Attack method
    • Forge inter-cell beacons with spurious Frame Offset
  • Impact of BF attack
    • Victim BS performs frame sliding according to the spurious Frame Offset, which causes asynchrony of QPs.
    • Asynchrony causes self-interference that degrades accuracy of spectrum sensing during QPs.
  • Impact on misdetection probability (for energy detector)
    • An incumbent signal is detected if Y > r (estimated Rx signal power, Y, is greater than threshold r).
    • Under BF attacks, self-interference in QPs causes the threshold to increase to a larger value, r*.
    • Miss detection probability increases by

$$
\Pr(r < Y < r^*) = \int_{r}^{r^*} f_Y(x)\,dx
$$
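The increase in miss-detection probability can be evaluated in closed form once the distribution of Y is fixed. This is an added example, not code from the slides, and it serves both this slide and the energy detection slide: it assumes Y is chi-square with 2M degrees of freedom under H0 and noncentral chi-square under H1 with noncentrality `lam`, and the numeric values and the factor by which the threshold rises are assumptions.

```python
import math

def chi2_cdf_even(x, dof):
    """CDF of a central chi-square with even dof = 2k (closed form)."""
    term, total = 1.0, 0.0
    for i in range(dof // 2):
        total += term
        term *= (x / 2.0) / (i + 1)
    return 1.0 - math.exp(-x / 2.0) * total

def ncx2_cdf(x, dof, lam, terms=200):
    """Noncentral chi-square CDF: Poisson(lam/2) mixture of central CDFs."""
    weight, total = math.exp(-lam / 2.0), 0.0
    for j in range(terms):
        total += weight * chi2_cdf_even(x, dof + 2 * j)
        weight *= (lam / 2.0) / (j + 1)
    return total

def threshold_for_pfa(dof, pfa):
    """Bisect for the threshold r with Pr(Y > r | H0) = pfa."""
    lo, hi = 0.0, 10.0 * dof + 100.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if 1.0 - chi2_cdf_even(mid, dof) > pfa:
            lo = mid
        else:
            hi = mid
    return hi

def miss_probability(M, lam, r):
    """Pr(Y < r | H1): the incumbent is present but Y stays below the threshold."""
    return ncx2_cdf(r, 2 * M, lam)

def miss_increase(M, lam, r, r_star):
    """Pr(r < Y < r*) under H1, i.e. the integral of f_Y from r to r*."""
    return ncx2_cdf(r_star, 2 * M, lam) - ncx2_cdf(r, 2 * M, lam)

def demo(M=10, lam=20.0, pfa=0.1, raise_factor=1.5):
    # Assumed numbers: M samples, noncentrality lam, and a threshold raised by
    # raise_factor once desynchronised QPs add self-interference.
    r = threshold_for_pfa(2 * M, pfa)
    r_star = raise_factor * r
    return (miss_probability(M, lam, r),
            miss_probability(M, lam, r_star),
            miss_increase(M, lam, r, r_star))

if __name__ == "__main__":
    print(demo())
```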

Countermeasures

  • To thwart the forgery of inter-cell beacons, an inter-cell key management scheme is needed
    • Utilize the backhaul infrastructure that connects multiple cells
    • Employ a distributed key management scheme

[Figure: 802.22 backhaul infrastructure]
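What authenticated inter-cell beacons buy the receiving BS, as an added example that is not part of the slides or of IEEE 802.22. It assumes each neighbouring BS's beacon key has already been distributed over the backhaul; the beacon layout, the HMAC-SHA256 tag, the sequence number used for replay protection and all names are hypothetical.

```python
import hashlib
import hmac
import struct

BEACON_FMT = ">HHHI"   # bs_id, CCN, frame offset, sequence number (hypothetical layout)
TAG_LEN = 16

def sign_beacon(key, bs_id, ccn, frame_offset, seq):
    body = struct.pack(BEACON_FMT, bs_id, ccn, frame_offset, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def verify_beacon(neighbour_keys, last_seq, beacon):
    """Return (bs_id, ccn, frame_offset) for an authentic, fresh beacon, else None."""
    if len(beacon) != struct.calcsize(BEACON_FMT) + TAG_LEN:
        return None
    body, tag = beacon[:-TAG_LEN], beacon[-TAG_LEN:]
    bs_id, ccn, frame_offset, seq = struct.unpack(BEACON_FMT, body)
    key = neighbour_keys.get(bs_id)
    if key is None:
        return None                      # sender is not a keyed neighbour
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or modified CCN / Frame Offset
    if seq <= last_seq.get(bs_id, -1):
        return None                      # replayed beacon
    last_seq[bs_id] = seq
    return bs_id, ccn, frame_offset

def wins_contention(my_ccn, beacons, neighbour_keys, last_seq):
    """ODSC rule from the slides: win only by beating every co-channel BS.
    Only verified beacons count; a tie is treated as a loss (assumption)."""
    for beacon in beacons:
        verified = verify_beacon(neighbour_keys, last_seq, beacon)
        if verified is not None and verified[1] >= my_ccn:
            return False
    return True

W = 0xFFFF  # assumed upper end of the CCN range [0, W]
KEYS = {2: bytes(range(32)), 3: bytes(range(32, 64))}  # constructed keys

def demo():
    genuine = sign_beacon(KEYS[2], 2, 100, 7, seq=1)
    forged = struct.pack(BEACON_FMT, 3, W, 999, 1) + bytes(TAG_LEN)  # no valid tag
    return wins_contention(500, [genuine, forged], KEYS, {})

if __name__ == "__main__":
    print(demo())
```

The same check covers the Frame Offset field, so a BS that verifies before frame sliding does not desynchronise its QPs on an unauthenticated beacon.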


Summary

  • Emergence of the opportunistic spectrum sharing (OSS) paradigm and cognitive radio technology raises new security implications that have not been studied previously
  • One countermeasure for primary user emulation attacks is transmitter verification; it is composed of 3 processes:
    • Verification of signal characteristics
    • Measurement of received signal energy level
    • Localization of the signal source
  • We can model the distributed spectrum sensing problem as a parallel fusion network to deal with Byzantine failures
  • IEEE 802.22 is vulnerable to attacks because its inter-cell beacons are not protected