Security Issues in Cognitive Radio Networks (CRN)

advertisement
Security Issues in Cognitive
Radio Networks (CRN)
Peng Zang
Apr. 13, 2012
1
Outlines
• Why Using CRN and its goal
• Elements of CRN
• Specific security issues of CRN
• Selected attack models
• Several potential solutions and models
• Conclusion
2
Why CRN
• Spectrum crisis
– Most spectrum are occupied by licensed users
– Exploit idle portion of the licensed spectrum
• Goals
– Coexistence with Primary Users (PU)
– Coexistence with other Secondary Users (SU)
– Using spectrum effectively and fairly
– Maximum throughput
– Fairly allocated spectrum to each SUs
3
Elements of CRN
• Spectrum sensing
• Spectrum analysis and decision making
• Dynamic Spectrum Access and Allocation (DSA)
• Software defined Radio (SDR)
– Cognitive capability
– Reconfigurability
4
Attack against CRN
• Primary User Emulation Attack (PUE)
• Spectrum Sensing Data Falsification Attack (SSDF)
• Common Control Channel Attack (CCC)
• Beacon Falsification Attack (BF)
• Cross layer attacks
• Software Defined Radio Attacks (SDR)
• etc..
No modification to the incumbent signal should be required to
accommodate opportunistic use of the spectrum by SUs. – FCC
5
PUE attack
• An attacker emulates PU to
force SUs leave the vacant
channel
• High probability of success
• Could lead to DoS attack
• 3 models will be
presented:
Signal feature based;
Localization based;
Lion attack;
6
Figure 1. A simplified PUEA scheme [1]
Background knowledges
• Received signal
• Path loss :
• Log-normal Shadowing:
Variance of shadowing parameter
• Received energy:
Shadowing
Path loss : constant
7
PUE attack 1.1: Signal feature based –
Assumptions
• SU & Attacker know r1, attacker know r2 & r3.
• SU & PU : stationary
• Energy detection is adopted
• Attack knows
and waveform of PU signal
Different and unique
• When signal transmitter is:
– PU:
– Attacker:
8
PUE defense Model 1.1 – naive defense
Step1:
• Received signal energy:
• they are i.i.d. And follow the same distribution as
• Use unbiased estimator:
• Determination:
Step2:
Threshold
9
Keys for determination
PUE attack 1.2: advanced attack
• Goal: Make SU receive emulation signals has same power level as
PU signal:
• Need two parameter first:
• Attacker received signal from PU:
where:
10
PUE attack 1.2: advanced attack cont'd
• From MLE, parameters are found:
• Design of emulation signal:
• Leads to:
The emulation signal transmitted
with power:
11
Advanced Defense 1.2: Variance detection
• Basic idea: Detect PU channel parameter –
• Using unbiased estimation:
• Detection:
12
Advanced Defense 1.2: Variance detection
• Decision making:
• However, there are always trade-offs
13
Naïve detection simulation[1]
14
Advanced variance detection[1]
15
m sensing attempts[1]
16
PUE attack defense model 2: localization based[2]
• Basic idea: Transmitter's location verification
• Methods:
– Received Signal Strength (RSS);
– Need help from Wireless Sensor Network (WSN)
• Assumptions:
– WSN distributed uniformly
– Attacker not in the same position as PU
• RSS Model:
• Variance:
17
mean:
RSS smoothing procedure
Pivot point 1
Transmitter
Pivot point 2
18
RSS Smoothing Procedure
• Step 1: Calculate Median value of RSS in each pivot point.
– For Pivot point 1 (R0):
– Find minimum value of
19
RSS Smoothing Procedure
– For Pivot point 2 (R1):
– Find maximum value of
• Step 2: Get a loose lower bound:
20
RSS Smoothing procedure
• Step3: Obtain
– P: confidence level
– New R.V. X0:
• Then r and d must satisfy:
21
Results
22
Results
23
PUE attack 3: Lion Attack Model [4]
• Intelligent algorithm: attack TCP transmission utilizing
retransmission timer back off.
• Analytical Model:
•
24
25
Assumptions and definitions
• Each attack lead to a handoff
• Fixed handoff time:
• R.V.:
Fixed detection time:
Another R.V.:
• Round Trip Time(RTT) < Minimum Retransmittion Time
Out(RTO)
• At least one handoff take place
• Probability of k handoffs in an interval (x',x'+τ) is
• Then:
26
RTO and Retransmission time
• Retransmission Time Out (RTO):
• Retransmission Time instant:
27
Analytical model of lion attack [4]
28
Find Inactivity Time
• Probability that inactive time is a given value:
• Expected average time of inactivity:
29
Pr(every t’ before this one
happened in a handoff)
Find Inactivity Ratio
• Find TCP inactivity percentage:
• Average activity time:
30
Performance
31
PUE attack Conclusion
• Model 1.1 &1.2
– Goal: Authentication
– Channel parameters Map vs. Public/Private Key
• Model 2
– WSN vs. KDC
• Model 3
– RTO vs. Secrete Key
32
SSDF : Model
• Assumptions:
–
–
–
–
In distributed sensing;
Fixed graph for the network;
Duplex wireless connections;
Attackers are in the graph and send falsified
information to SU;
– Energy detection model is used.
33
Basic idea
• Step1: Get mean value of sensing result from neighbor nodes
• Step2: Exclude most deviate neighbor node
• Step3: Consensus algorithm
34
Basic idea con't
• Step 4: Compare with threshold:
• Vector form of algorithm:
• P: double Stochastic Matrix – ensure convergence of
x* in whole network
35
Conclusion
• Consensus
vs. Trust
model
• To trust, or
not to trust…
36
References
[1] Ruiliang Chen; Jung-Min Park; Reed, J.H.; , "Defense against Primary User Emulation
Attacks in Cognitive Radio Networks," Selected Areas in Communications, IEEE Journal on ,
vol.26, no.1, pp.25-37, Jan. 2008
[2] Zesheng Chen; Cooklev, T.; Chao Chen; Pomalaza-Raez, C.; , "Modeling primary user
emulation attacks and defenses in cognitive radio networks," Performance Computing and
Communications Conference (IPCCC), 2009 IEEE 28th International , vol., no., pp.208-215, 1416 Dec. 2009
[3] Yu, F.R.; Tang, H.; Minyi Huang; Zhiqiang Li; Mason, P.C.; , "Defense against spectrum
sensing data falsification attacks in mobile ad hoc networks with cognitive radios," Military
Communications Conference, 2009. MILCOM 2009. IEEE , vol., no., pp.1-7, 18-21 Oct. 2009
[4] Hernández, J.; León, O.; Soriano, M. “Modeling the lion attack in cognitive radio networks.
Eurasip journal on wireless communication and networking, 2011, vol. 2011, p. 1-10.
[5] Nansai Hu; Yu-Dong Yao; Mitola, J.; , "Most Active Band (MAB) Attack and
Countermeasures in a Cognitive Radio Network," Wireless Communications, IEEE Transactions
on , vol.11, no.3, pp.898-902, March 2012
37
Thank you !
• Questions?
38
Download