Mitigating Primary User Emulation Attacks via Time


Mitigation of Primary User Emulation Attack using Time of Emission Estimation

Natraj Jaganmohan (njaganm)

Sandeep A Rao (sarao)

CSC774 - NCSU ADVANCED NETWORK SECURITY 1

Agenda of the presentation:

 Background about Cognitive Radio Networks

Primary User Emulation Attack (PUEA)

Existing approaches to solve PUEA.

 PUEA attack model with Directional antennas.

 Attack mitigation using TOE estimation.

 Simulation results.

Limitations of the approach.

Future directions of research.


It all started here:

“All consumers . . . deserve a new spectrum policy paradigm that is rooted in modern-day technologies and markets. We are living in a world where demand for spectrum is driven by an explosion of wireless technology and the ever-increasing popularity of wireless services.

Nevertheless, we are still living under a spectrum 'management' regime that is 90 years old. It needs a hard look, and in my opinion, a new direction.”

Michael K. Powell (Chairman FCC Spectrum Policy Task Force)


Spectrum Scarcity:

Cognitive Networks help us solve the problem.


Background: Cognitive Radio Networks.

Wireless spectrum is very scarce, leading to a spectrum crisis.

FCC recommends use of opportunistic or cognitive networks to increase spectrum utilization.

This technology would put unused and under-used spectrum assets to work – without impacting primary users within those bands. It is a bold, yet workable solution.


Background: Cognitive Radio Networks.

“A Cognitive Radio is a radio frequency transmitter/receiver that is designed to intelligently detect whether a particular segment of the radio spectrum is currently in use, and to jump into (and out of, as necessary) the temporarily-unused spectrum very rapidly, without interfering with the transmissions of other authorized users.”

http://www.ieeeusa.org/forum/POSITIONS/cognitiveradio.html


Cognitive Radio networks operation:

[Figure: network diagram showing PU-Tx, PU-RX and SU nodes]

What makes Cognitive Networks possible?

Key enablers of CRNs:

 Radio manufacturers have started to create flexible software-defined radios.

 Research funding and support for spectrum reuse.

 Support for Dynamic Channel selection, channel scanning and adjustable transmission power.


Some terminologies used in this presentation:

 CRN: Cognitive Radio Network

 PU: Primary User (licensed user)

 SU: Secondary user (CRN node)

 PUEA: Primary User Emulation Attack

 FC: Fusion Center

 TOE: Time of Emission

 TOA: Time of Arrival.


Most important attacks on CRNs

Spectrum data falsification attacks: In this case, one or more SUs are compromised and hence report wrong sensing values to the FC. This causes the FC to make an incorrect decision about the presence of the PU.

The most preferred way to mitigate the attack is to collect sensing values from a group of SUs and remove the outlier values.


Primary User Emulation Attack:

[Figure: Primary Transmitter with PU1, PU2, PU3 and SU1, SU2]

Primary User Emulation Attack:

[Figure: Primary Transmitter, PU1, PU2, PU3, Attacker, SU1, SU2]

SUs cannot access the channel because they think the PU is transmitting.

Why are we facing this attack:

Secondary users cannot authenticate the PU transmission.

FCC states that PU cannot be modified to support security. Hence regular authentication schemes don’t work.


General approaches to defeat this attack:

Solution 1

RSSI based PU localization:

RSSI values are measured at all SUs and used to calculate the location (x,y) of the PU.

The FC makes its decision based on all received sensing reports.

In the ideal case of a PU transmitting, all RSSI values will be correct w.r.t. distance.


Solution 1 proposed by:

Zhou Yuan et al. suggested the use of localization schemes to estimate and authenticate the location of the PU.

Scheme based on received signal power.

Pr = Pt + a 10 log(d0/d) + w

It can be defeated by an attacker using antenna arrays with different power levels.


General approaches to defeat this attack: Solution 2

Dr. Peng Ning et al proposed integrating cryptographic signatures and wireless link signatures to enable primary user detection. Essential to the approach is a helper node placed physically close to a primary user.


General approaches to defeat this attack: Solution 2

Working with helper nodes.

[Figure: diagram labelled (x,y) and Helper Node]

Helper node transmits signals identical to PU

SUs can try to verify the PU authenticity by verifying the wireless link signature of the helper node

General approaches to defeat this attack: Solution 2

This technique is very effective in terms of authenticating the primary user. We exploit the proximity of the helper node to the PU.

The problem is the authentication of the wireless link signature of the helper node. Also, if attackers are placed near helper nodes, it causes problems.


General approaches to defeat this attack: Solution 3

The IRIS model proposed by Alexander et al. provides secure attack detection by verifying the consistency of the system state (transmit power and path loss).

This technique is very effective and defeats both data falsification attacks and PUEA. But it fails in the case of an attacker with antenna arrays and directional antennas.


Attack model: Assumptions :

All nodes are loosely time synchronized.

Location of PU is fixed and known to all SUs.

Fusion Center is used to make decision about presence of PU.

All SUs are connected to FC using a secure link.

There is a LOS path between every SU and PU.


Attack model : Motivation

This attack model defeats all the localization-based solutions for PUEA that have been proposed previously.

The attacker uses a multi-antenna array or MIMO technology with directional antennas to send PU-TX-like signals to different SUs at various power levels, faking the presence of the PU.


Attack model: Representation

The power levels at the different nodes are as expected with respect to their distance from the PU-TX.


Attack model:

Antenna array – multiple antenna transmitter


Attack model:

This attack is possible because:

1. Antenna arrays are low cost and easy to setup

2. Attacker can manipulate the power levels in each directional beam from every antenna element to make sure every SU calculates the RSSI equal to the RSSI when PU transmits.


Attack model: Validation

We have simulated the attack model to verify whether such an attack is really possible.

Modeler: Opnet Network modeler 16


Attack model: Directional Antenna pattern formation in Opnet


Attack model: A sample scenario proving the possibility of attack


Attack model: Throughput graphs.

[Figure: throughput graphs for PU-TX (antenna 1), SU-1 and SU-2]

Attack model: Multiple antenna array simulation.

Ref: http://fens.sabanciuniv.edu/telecom/eng/comnet/cisco/smart.htm


Attack model: Validation

Hence, if the attacker can configure each antenna element with the appropriate power level to produce the required RSSI value at each SU, the attack is achieved.

Regular localization based methods cannot defeat this attack. This forms the motivation for our solution.


Time of Emission Estimation Based Approach: Our solution to PUEA


Model

[Figure: system model with SUs, Fusion Center, PU and PUE]

Assumptions

Secondary Users and Fusion Center

◦ are loosely Synchronized

◦ have secure communication

Fusion Center

◦ cannot be compromised

◦ knows locations of all users (secondary as well as primary)

◦ has good computational power and storage


Attacker Capabilities

Can use antenna array

◦ But transmitting with a beam formation at different locations at different times is restricted.

Multiple Attackers can coordinate

◦ They can be synchronized among themselves

Attacker knows location of all nodes

SU may be compromised


Proposed Approach

Sensors measure Time of Arrival

Fusion Center estimates Time of Emission

Robust against,

◦ Multiple, coordinated attackers

◦ Multiple compromised secondary users

◦ Node with Antenna Array!


Design

[Figure: design diagram with labels PU, SU (Estimate TOA!), TOA, Fusion Center (Estimate TOE!), PUEA result]

The TOE estimated for every sensor must be almost the same in an ideal scenario.

In the presence of an attack, there will be deviations in some TOE estimations.

Intuition

[Figure: timeline (axis: Time)]

Procedure

[Figure: nodes report TOA to the FC]

FOR EACH NODE MEASURE TOE!

TOEi = TOAi – Dist/c + ξ

COMPUTE MEAN -> TOEmean

Procedure

FOR EACH NODE, MEASURE DEVIATION!

δi = TOEAVG ~ TOEi

If δi > μ, increment C

μ -> Maximum allowable deviation!

C -> number of deviated values

If C > k then PUEA!

k -> Maximum no. of allowable deviated reports


Parameters!

Determining μ

◦ The maximum deviation in the measurement by a node under a non-attack scenario!

Determining k

◦ Too small? Increase in false negative!

◦ Too large? Increase in false alarm!

◦ Tradeoff needed!
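
The Fusion Center check from the Procedure and Parameters slides, as an added example (not the authors' simulation code). Node positions, timing errors, μ, k and the emulator location are constructed values chosen for illustration.

```python
import math

C = 299_792_458.0  # propagation speed (speed of light), m/s

def estimate_toe(toa, su_pos, pu_pos):
    """TOEi = TOAi - Dist/c, with Dist measured to the known, fixed PU location."""
    return toa - math.dist(su_pos, pu_pos) / C

def detect_puea(reports, pu_pos, mu, k):
    """reports: [(su_pos, toa)]. Returns (is_puea, deviated_count)."""
    toes = [estimate_toe(toa, pos, pu_pos) for pos, toa in reports]
    toe_mean = sum(toes) / len(toes)
    # Count reports whose TOE deviates from the mean by more than mu.
    deviated = sum(1 for t in toes if abs(toe_mean - t) > mu)
    return deviated > k, deviated

def simulate_toas(emitter_pos, t_emit, su_positions, errors):
    """Constructed TOA reports: LOS delay from the real emitter plus timing error."""
    return [(pos, t_emit + math.dist(pos, emitter_pos) / C + err)
            for pos, err in zip(su_positions, errors)]

# Constructed scenario (metres, seconds); none of these values are from the slides.
PU_POS = (0.0, 0.0)
EMULATOR_POS = (4000.0, 3000.0)
SU_POSITIONS = [(3000.0, 0.0), (0.0, 3000.0), (-3000.0, 0.0),
                (0.0, -3000.0), (5000.0, 5000.0)]
TIMING_ERRORS = [20e-9, -30e-9, 10e-9, -10e-9, 25e-9]
MU = 1e-6   # assumed maximum deviation in a non-attack scenario
K = 1       # assumed maximum number of deviated reports tolerated

def run_scenarios():
    genuine = simulate_toas(PU_POS, 1.0, SU_POSITIONS, TIMING_ERRORS)
    emulated = simulate_toas(EMULATOR_POS, 1.0, SU_POSITIONS, TIMING_ERRORS)
    # One compromised SU shifts its otherwise honest TOA report by 3 microseconds.
    pos, toa = genuine[-1]
    one_bad_su = genuine[:-1] + [(pos, toa + 3e-6)]
    return {name: detect_puea(r, PU_POS, MU, K)
            for name, r in [("genuine", genuine), ("emulated", emulated),
                            ("one_bad_su", one_bad_su)]}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Because the mean is computed over all reports, a single large false TOA also shifts the honest nodes' deviations, so μ has to leave margin above the honest measurement error.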


Simulation Results


Limitation

If an attacker is capable of compromising almost every node!

◦ Attacker too powerful!

◦ Note: We have a threshold that is used to tolerate a configured number of node compromises. But if almost all nodes in the network are compromised, then the network is not useful.


Future work

FCC may relax rule “no modification to the incumbent (primary) system should be required to accommodate opportunistic use of the spectrum by secondary users”

◦ Already relaxed for wireless microphones

Removing Fusion Center

◦ May decrease latency and increase performance of system.


Summary

An Attack Model against the approaches using RSSI is proposed and simulated

A novel approach to mitigate PUEA is proposed using Time of Emission Estimation and simulated

Approach is compared with a similar RSSI based approach


Thank you!
