6. fingerprint-based defense against primary user...


Post on 27-Jul-2020


Page 1: 6. Fingerprint-based Defense against Primary User ...shodhganga.inflibnet.ac.in/bitstream/10603/10162/15... · emulation (PUE) and spectrum sensing data falsification attacks [Ruiliang

6 Fingerprint-based Defense against PUE Attacks in CR Networks 112

6. Fingerprint-based Defense against Primary User Emulation Attacks in CR Networks

6.1. Introduction

Spectrum sensing is one of the important mechanisms of CR, and its operational features are being investigated aggressively. However, the security aspects of spectrum sensing have received little attention. The successful operation of CR networks will depend on the placement of the necessary security systems. A system that can consistently differentiate between genuine primary signal transmitters and secondary signal transmitters masquerading as primary users is required. In hostile environments, such a technique must be integrated into the spectrum sensing system to improve the reliability of the sensing outcome. This work focuses on a situation in which a PU network is composed of TV transmission towers and receivers placed at fixed locations. In such a setting, the location of a given transmitter, along with other features, can be used to verify whether the transmitter is a primary transmitter or an attacker. This thesis has investigated RF fingerprinting, using the multiple received signal paths from PU to SU, in order to counter this threat. If the transmitter (of the PU), the receiver (of the SU) and the reflectors (obstacles) are all immobile, then the characteristics of the multiple received signal paths are fixed and can be viewed as a fingerprint pattern. However, if the PU or SU is mobile, then the characteristics of the multiple paths vary with time. These time variations are deterministic when the number, location and characteristics of the reflectors are known over time [Wireless Communications, Andrea Goldsmith]. The fingerprint outputs of the PU's transmission are simulated using MATLAB SIMULINK in this chapter. The security threats in CR are discussed in the following section.

6.2. The Security Threats in CR Networks

There are two security threats to spectrum sensing in CR networks: primary user emulation (PUE) and spectrum sensing data falsification attacks [Ruiliang Chen et al., pp. 50-55]. When a PU signal is detected in a given band, all SUs avoid accessing that band. However, when a secondary signal is detected, other SUs may choose to share that same band. In other words, PUs have higher priority than SUs in accessing spectrum resources. In a PUE attack, a malicious SU tries to gain priority over other SUs by transmitting signals that emulate the characteristics of a PU. Relying solely on signal feature detection may therefore not be sufficient to reliably distinguish a PU's signal from those of an attacker. An adversary may have two different motives for launching PUE attacks. One motivation is to gain an unfair advantage in accessing spectrum in the spectrum-sharing paradigm. Because SUs will avoid accessing a band if a PU signal is detected in it, an attacker can preempt and monopolize a fallow band if it manages to fool others into believing that it is a PU. The second motivation is to suppress legitimate SUs from accessing spectrum, thereby causing denial of service (DoS). There are alternative techniques for spectrum sensing, such as matched filter and cyclostationary feature detection [I.F. Akyildiz]. Such detection techniques are capable of distinguishing the fundamental characteristics of PU signals. However, these techniques are still not sufficient to counter PUE attacks. Cyclostationary detectors may be defeated by an attacker who makes its transmissions indistinguishable from PU signals by transmitting signals that have the same cyclic spectral characteristics as PU signals. For example, when the terminals of a TV broadcast network are PUs, an attacker may produce signals that imitate TV signals.

In PUE attacks, the adversary only transmits in empty bands. Hence, the goal of the attackers is not to cause interference to PUs, but to obstruct spectrum resources that might have been used by legitimate SUs. In the next section, a transmitter verification scheme that can be integrated into a spectrum-sensing scheme to detect PUE attacks under certain conditions is described.

6.3. Transmitter Verification Scheme

Before discussing the scheme, it is assumed that the PU network consists of TV signal transmitters (TV broadcast towers) and receivers. A TV transmitter's output power is usually thousands of watts, and its transmission range is from several miles to tens of miles. Each SU is equipped with a hand-held CR device, and the SUs form a mobile ad hoc network. Each CR has self-localization capability, a maximum transmission output power from a few hundred milliwatts to a few watts, and a transmission range of a few hundred meters. An adversary, equipped with a CR, is capable of changing its modulation mode, frequency, and transmission power.

Under these assumptions, a transmitter verification scheme for spectrum sensing that is suitable for hostile environments is described. For example, the primary signal transmitters are TV towers placed at fixed locations. Thus, if the estimated location of a signal source deviates from the known locations of the TV towers and the signal characteristics look like those of PU signals, then it is likely that the signal source is launching a PUE attack. The transmitter verification scheme consists of three steps [D. Xu et al.]: verification of signal characteristics, measurement of received signal energy level, and localization of the signal source. The technical problems associated with the first two steps, in the framework of CR networks, have received a lot of attention [I.F. Akyildiz et al.]. There is less existing research concerning the third step. Thus, the following section focuses on the problem of primary signal transmitter localization. This problem is challenging for two reasons. First, no modification should be made to the PU system, so the localization problem becomes a non-interactive localization problem. Second, it is the transmitters, not the receivers, that need to be localized. When a receiver is localized, one does not need to consider the presence of other receivers; the presence of multiple transmitters, on the other hand, may add complexity to transmitter localization.

6.4. Non-interacting Localization of Primary Signal Transmitters

Before discussing the localization system, this section first summarizes the traditional localization methods used in wireless networks and their pitfalls. It then discusses how these methods should be adapted to the localization problem in CR networks. Existing localization methods are discussed in detail in the next section.

6.4.1. Existing Localization Methods

The global positioning system (GPS) is a satellite-based system that utilizes the time difference of arrival (TDoA) to locate a receiver [Cognitive Radio Technology by Bruce Fette]. GPS receivers typically use a one-pulse-per-second signal as it appears at each radio from each satellite source, which allows the propagation delay from each source to be computed regardless of position. In the absence of GPS signals, triangulation can be used to locate a radio from non-cooperative or even cooperative emitters.

Other approaches, namely time difference of arrival (TDoA), time of arrival (ToA), angle of arrival (AoA) and received signal strength (RSS), are explored in [Cognitive Radio Technology by Bruce Fette; Ruiliang Chen et al.].

TDoA is a passive localization technique that uses the difference between the arrival times of pulses transmitted by a transmitter and does not depend on any knowledge of the pulse transmission time. This method measures the time differences at multiple receivers with known locations and then computes an estimate of the location.

In the AoA method, a receiver measures the angle of arrival from two or more transmitters. If the locations of the transmitters are known, the receiver can compute its own location using triangulation. By the same principle, AoA information at multiple receivers can be used to find the location of a transmitter.

In the case of RSS, if the transmit power of a signal is precisely known, the antenna radiation pattern gains are known accurately, and the receiver is able to measure received signal strength accurately, then a propagation model may be used to compute the distance between the transmitter and receiver as a function of RSS. However, propagation channels vary dynamically, which makes this approach challenging. This location-finding approach is analogous to the ToA approach. Using a process of correlation based on a database of PU transmitters, an RSS-based receiver application can find out in which regulatory area it is located. For example, if a CR is receiving particular TV channels and particular AM and FM stations all at the same time, it may conclude its city location. If the locations of the transmitters are included in the database along with their transmission levels, the RSS process might improve this computation owing to the fairly large number of measurements. The quality of RSS-based location estimates is somewhat low; it is helpful to CRs for a few applications but not for others. Among the above methods, TDoA and AoA can both be used for transmitter localization and have comparatively high localization precision. When applying them to the localization problem, particular care must be taken to consider the circumstances where there are multiple transmitters or an attacker has a directional antenna. The general disadvantage of both methods is the requirement for costly hardware, which prevents large-scale deployment. RSS-based methods, however, are more realistic for most consumer premise devices (CPE) in a CR network. One transmitter verification scheme, given in [Ruiliang Chen et al.], is a localization-based approach. However, this approach is not enough to counter this threat in CR networks, because an adversary equipped with a CR is capable of changing its transmission parameters: CRs are highly reconfigurable owing to their SDR-based air interface [S. Hykins].
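The location check of Section 6.3 with the RSS method described above can be sketched as follows. This is an added example, not code from the thesis: the log-distance path-loss model with exponent 3, the sensor positions, the transmit powers, the tolerance and all function names are assumptions, and the measurements are constructed and noise-free.

```python
import math

PATH_LOSS_EXP = 3.0     # assumed path-loss exponent (not given on the page)
TOWER = (0.0, 0.0)      # known TV tower position in metres (constructed)
TOLERANCE_M = 500.0     # assumed maximum accepted localisation error

# Constructed positions of the sensing SUs (metres); each SU knows its own
# position, matching the self-localisation assumption of Section 6.3.
SENSORS = [(-4050, -3950), (4050, -3050), (3950, 4050),
           (-3050, 4150), (950, -4950), (-5050, 1050)]


def loss_db(a, b):
    """Log-distance path loss between two points, in dB."""
    return 10.0 * PATH_LOSS_EXP * math.log10(max(math.dist(a, b), 1.0))


def measure(tx_pos, tx_dbm):
    """Constructed RSS readings (dBm) at every sensor; shadowing is omitted."""
    return [(s, tx_dbm - loss_db(tx_pos, s)) for s in SENSORS]


def locate(measurements, span=6000, step=100):
    """Grid search for the source position.

    Transmit power is treated as unknown because the adversary can change
    it, so only the shape of the RSS pattern across sensors is fitted: at
    the right position every sensor implies the same transmit power.
    """
    best, best_err = None, float("inf")
    for x in range(-span, span + 1, step):
        for y in range(-span, span + 1, step):
            implied = [rss + loss_db((x, y), pos) for pos, rss in measurements]
            mean = sum(implied) / len(implied)
            err = sum((p - mean) ** 2 for p in implied)
            if err < best_err:
                best, best_err = (float(x), float(y)), err
    return best


def verify_location(measurements):
    """Third step of the verification scheme: compare with the known tower."""
    est = locate(measurements)
    verdict = "primary" if math.dist(est, TOWER) <= TOLERANCE_M else "suspected PUE"
    return est, verdict


if __name__ == "__main__":
    print(verify_location(measure(TOWER, 60.0)))             # genuine tower
    print(verify_location(measure((3000.0, 4000.0), 30.0)))  # emulator elsewhere
```

Because the fit ignores absolute power, raising the emulator's transmit power does not move the estimate; with real shadowing noise the tolerance has to be sized to the expected RSS error.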

A localization-based approach is not the only method to defend against PUE attacks. An alternative approach uses the intrinsic characteristics of RF signals to distinguish and identify emitters. One such method, radio frequency fingerprinting, is explored in the following section.

6.4.2. RF Fingerprinting approach for identification of PU transmitter

In this thesis, the fingerprinting approach has been investigated. The received signal is extremely location-specific because of its dependence on the terrain and intervening obstructions. The multipath structure of the channel is therefore unique to every location and can be considered a fingerprint or signature of the location if the same RF signal is transmitted from a fixed location [Wireless Communications, Andrea Goldsmith; O. Leon et al.]. This property has been exploited to develop a “signature database” of a location grid in specific service areas. The received signal is measured as an SU moves through the network and is recorded in the signature database. When another SU moves in the same area, the signal received from it is compared with the entries in the database, and thus its location is determined. Such a scheme may also be useful for indoor applications, where the multipath structure in an area can be exploited. Based on this principle, the detection of a legitimate PU by SUs, in order to prevent adversary attacks (denial of service (DoS)), can be established. Before analyzing the results, it is important to present the analytical description of the multipath structure, which is very useful in the fingerprinting approach.

If a single primary pulse $s(t)$ is transmitted over a multipath channel, the signal received by the SU will appear as a pulse train, with each pulse in the train corresponding to the LOS component or a distinct multipath component associated with a distinct scatterer or cluster of scatterers, as shown in Figure 6.1. An important characteristic of a multipath channel is the time delay spread $T_m$ it causes to the received signal $r(t)$. This delay spread equals the time delay between the arrival of the first received signal component (LOS or multipath) and the last received signal component associated with a single transmitted pulse. If the delay spread is small compared to the inverse of the signal bandwidth $B$ (i.e. $T_m \ll 1/B$), then there is little time spreading in the received signal. However, when the delay spread is relatively large (i.e. $T_m \gg 1/B$), there is significant time spreading of the received signal, which can lead to substantial signal distortion.


Figure 6.1 A Single Reflector and A Reflector Cluster.

Another characteristic of the multipath channel is its time-varying nature. This time variation arises because either the PU transmitter or the SU receiver is moving, and therefore the location of the reflectors in the transmission path, which give rise to multipath, will change over time. Thus, if we repeatedly transmit pulses from a moving transmitter, we will observe changes in the amplitudes, delays, and the number of multipath components corresponding to each pulse. However, these changes occur over a much larger time scale than the fading due to constructive and destructive addition of multipath components associated with a fixed set of scatterers. This work will also characterize the statistics of wideband multipath channels using two-dimensional transforms based on the underlying time-varying impulse response.


Let the transmitted signal be [Wireless Communications, Andrea Goldsmith]

$$s(t) = \Re\{x(t)e^{j2\pi f_c t}\} = \Re\{x(t)\}\cos(2\pi f_c t) - \Im\{x(t)\}\sin(2\pi f_c t) \tag{6.1}$$

where $x(t)$ is the complex envelope of $s(t)$ with bandwidth $B$ and $f_c$ is its carrier frequency. The corresponding received signal, which is the sum of the line-of-sight (LOS) path and all resolvable multipath components, is given as [25]

$$r(t) = \sum_{n=0}^{N} a_n\, x(t-\tau_n)\, e^{j2\pi (f_c+f_n)(t-\tau_n)} \tag{6.2}$$

where $N$, $a_n$, $\tau_n$ and $f_n$ are the total number of multipath components, the attenuation (or path gain), the path delay and the shift in frequency respectively, and (6.2) causes small-scale time variations.

For each path with NO Line Of Sight (NOLOS), each time delay is given by

$$r_l(t) = \sum_{n=0}^{N} a_n\, x(t-\tau_n)\, e^{j2\pi (f_c+f_n)(t-\tau_n)} \tag{6.3}$$

where , each time delay n n with is the average time delay, each frequency Doppler shift is given as [25] $f_n = \frac{v}{\lambda}\cos(\theta_n)$, where $v$, $\lambda$, $\theta_n$ are the moving speed of the SU, the wavelength of the carrier and the angle of arrival respectively. Using (6.2),

$$r(t) = \sum_{n=0}^{N} a_n\, x(t-\tau_n)\, e^{j2\pi f_n t}\, e^{-j2\pi (f_c+f_n)\tau_n}\, e^{j2\pi f_c t} \tag{6.4}$$

$$\Re\{y(t)e^{j2\pi f_c t}\} = \underbrace{y_I(t)}_{\text{In-phase component}}\cos(2\pi f_c t) - \underbrace{y_Q(t)}_{\text{Quadrature component}}\sin(2\pi f_c t)$$

$$y(t) = y_I(t) + j\,y_Q(t) = \sum_{n=0}^{N} a_n\, x(t)\, e^{j2\pi f_n t}\, e^{-j2\pi (f_c+f_n)\tau_n}$$

gives $y(t) = c_l(t)\,x(t)$ with

$$c_l(t) = \sum_{n=0}^{N} a_n\, e^{j2\pi f_n t}\, e^{-j2\pi (f_c+f_n)\tau_n}$$

which is random and time-varying. Therefore, the statistical model for the time-varying coefficients is given as:

$$c_l(t) = \sum_{n=0}^{N} a_n\, e^{j2\pi \frac{v}{\lambda}\cos(\theta_n)\, t}\, e^{-j2\pi \left(f_c+\frac{v}{\lambda}\cos\theta_n\right)\tau_n} \tag{6.5}$$

A non-line-of-sight (Rayleigh) fading channel is specified by the following parameters: time delays $T = [\tau_1, \tau_2, \ldots, \tau_N]$ seconds, power distribution $P = [P_1, P_2, \ldots, P_N]$ and maximum Doppler shift $f_D$. This thesis chooses a Rayleigh fading channel model to realize the fingerprinting approach for PU signal transmitter verification. The analysis of results from the SIMULINK model is explored in the next section.


6.4.3. Simulation and results

Let a primary user signal use QAM digital modulation with modulation order M = 16 and symbol rate Rs = 10 kHz; the bit rate $R_b = \log_2(M)\,R_s$ is then computed as $4 \times 10 \times 10^3 = 40$ kb/s. It is assumed that the transmitted power (Pt) of the PU signal is 5 watts and the channel attenuation is A = 1/100, so the received power becomes $P_r = A\,P_t$ = 0.05 watts. Note that these PU signal parameters must be known by an adversary or other SUs. Therefore, an adversary may transmit his or her own signal with the parameters of the PU transmitted signal, as shown in Figures 6.2 and 6.3 obtained with SIMULINK.

Figure 6.2. (a) Spectrum of PU signal. (b) Spectrum of Adversary

Figure 6.3. (a) Time Scatter plot of PU signal. (b) Time Scatter plot of Adversary signal.


From the figures shown above, both signals appear to be the same, as generated using a Bernoulli Binary Generator. However, these two signals are transmitted through the wireless medium over separate channels. Let channel1 and channel2 be the channels of the PU signal and the adversary signal respectively; each channel then has a unique multipath structure, and the two must differ from each other. This thesis assumes a non-line-of-sight (Rayleigh) channel model for simplicity. For the PU transmit channel1, the multipath power distribution vector is assumed to be P1 = [0, -2, -3, -5] dB, the time delay vector T1 = [0, 15, 30, 70] nanoseconds and the Doppler frequency shift Fd1 = 0.1 Hz. Similarly, for the adversary transmit channel2, the multipath power distribution vector is assumed to be P2 = [0, -4, -7, -10] dB, the time delay vector T2 = [0, 10, 20, 80] nanoseconds and the Doppler frequency shift Fd2 = 0.5 Hz. Figure 6.4 shows the similarity between the PU signal and the adversary signal, but the actual variations in these parameters due to the variation in multipath structure are shown in Figures 6.5 and 6.6.

Figure 6.4. (a) Spectrum of PU signal through channel1. (b) Spectrum of Adversary signal through channel2.

Figure 6.5. (a) Scatter plot of PU signal through channel1. (b) Scatter plot of Adversary signal through channel2.

Figure 6.6. (a) Eye diagram of PU signal through channel1. (b) Eye diagram of Adversary signal through channel2.

From Figure 6.6, the fingerprint can be viewed, and it can be observed that the fingerprints of channel1 and channel2 differ. The differences in frequency and power, computed using SIMULINK, yield the differences between the original PU transmitted signal and the signal transmitted by the adversary, as shown in Figure 6.7. This model can be integrated into the spectrum sensing system of a CR device, where it can possibly identify the PU signal in order to avoid denial of service (DoS). The SIMULINK model is shown in Figure 6.8.


Figure 6.7 Plot of differences in Power and frequency between PU signal and Adversary signal.

[Block diagram. The PU and PUE branches each contain a Bernoulli Binary Generator, a Rectangular QAM Modulator Baseband (Rectangular 16-QAM), a Multipath Rayleigh Fading Channel and Gain blocks, with Spectrum Scope (B-FFT), Discrete-Time Scatter Plot Scope and Discrete-Time Eye Diagram Scope blocks on the unfaded and faded signals. Complex Phase Difference blocks and a Spectrum Scope (Diff) compare the two branches.]

Figure 6.8. Fingerprinting approach by SIMULINK model for PU signal and Adversary signal.


6.5. Summary

In section 6.4.2, the mathematical model was explored, and on the basis of this model the concept of a fingerprinting approach for identification of the primary user's signal transmission by a legitimate SU has been established. This is demonstrated by use of the SIMULINK model explored above. If the fingerprint data of the PU transmitted signal is stored in computer memory, it can be compared with the fingerprint of the signal presently observed in the environment, and thus an attacker can be avoided by not responding, i.e. no spectrum mobility takes place at the SU.
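The store-and-compare step described in this summary, applied to the channel1 and channel2 parameters of Section 6.4.3, can be sketched as below. This is an added example, not the thesis's SIMULINK model: it assumes the SU can estimate the channel impulse response on a 5 ns delay grid, treats snapshots as independent Rayleigh fades (the Doppler shifts Fd1 and Fd2 are not modelled), and the noise level, threshold and function names are hypothetical.

```python
import math
import random

GRID_NS = 5        # assumed delay resolution of the channel estimate (ns)
BINS = 17          # delay bins covering 0..80 ns
THRESHOLD = 0.2    # assumed decision threshold on the profile distance

# Multipath parameters from Section 6.4.3: (delays in ns, powers in dB).
CHANNEL1 = ([0, 15, 30, 70], [0, -2, -3, -5])    # PU tower to SU
CHANNEL2 = ([0, 10, 20, 80], [0, -4, -7, -10])   # adversary to SU


def reference_profile(delays_ns, powers_db):
    """Stored fingerprint: ideal power-delay profile, normalised to sum 1."""
    prof = [0.0] * BINS
    for d, p in zip(delays_ns, powers_db):
        prof[d // GRID_NS] += 10 ** (p / 10)
    total = sum(prof)
    return [v / total for v in prof]


def observe_profile(channel, snapshots=2000, tx_gain=1.0, noise_var=1e-3, seed=0):
    """Estimate the profile by averaging |h[k]|^2 over faded snapshots.

    Each tap is a zero-mean complex Gaussian (Rayleigh amplitude) whose
    variance is the tap power; tx_gain models the transmitter changing its
    output power, which normalisation removes from the fingerprint.
    """
    rng = random.Random(seed)
    delays_ns, powers_db = channel
    n_sigma = math.sqrt(noise_var / 2)
    acc = [0.0] * BINS
    for _ in range(snapshots):
        h = [complex(rng.gauss(0, n_sigma), rng.gauss(0, n_sigma))
             for _ in range(BINS)]
        for d, p in zip(delays_ns, powers_db):
            sigma = math.sqrt(tx_gain * 10 ** (p / 10) / 2)
            h[d // GRID_NS] += complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
        for k in range(BINS):
            acc[k] += abs(h[k]) ** 2
    total = sum(acc)
    return [v / total for v in acc]


def distance(a, b):
    """L1 distance between two normalised profiles (0 = identical, 2 = disjoint)."""
    return sum(abs(x - y) for x, y in zip(a, b))


def classify(observed, signature):
    """Accept the signal as the PU only if its fingerprint matches the stored one."""
    return "primary" if distance(observed, signature) <= THRESHOLD else "suspected PUE"


if __name__ == "__main__":
    signature = reference_profile(*CHANNEL1)   # recorded while the tower is known good
    for name, ch, gain in (("PU", CHANNEL1, 1.0), ("adversary", CHANNEL2, 10.0)):
        obs = observe_profile(ch, tx_gain=gain, seed=1)
        print(name, round(distance(obs, signature), 3), classify(obs, signature))
```

A signal classified as "suspected PUE" is the case where the SU gives no response and does not vacate the band.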