Dynamic Spectrum Access Security Issues Timothy R. Newman, Ph.D. Virginia Tech

Post on 25-Feb-2016

TRANSCRIPT

Slide 1

Dynamic Spectrum Access Security Issues
Timothy R. Newman, Ph.D.
Virginia Tech

Slide 2

Dynamic Spectrum Access
- What is DSA?
  - Dynamically changing channel in response to environmental stimuli
- Why do we want DSA?
  - Commercial: Inefficient spectrum usage
  - Military: Ease spectrum management tasks, avoid jamming

Slide 3

DSA Current State
- Where is DSA technology currently at?
  - DARPA XG radio program has come and gone
  - WNaN program now pushing SOME development
  - No REAL deployment of these radios yet
  - Commercial companies now involved
    - Microsoft, Google, Dell, HP, Intel, Philips, Samsung, ...
  - First white space network in Oct. 2009, Claudville, VA.
    - No adaptation but it's a first step
  - Estimate at least 7-9 solid prototype DSA systems exist

Slide 4

DSA Current State
- Where is DSA technology currently at? (cont.)
  - Majority of the current prototype devices using energy detection techniques for signal detection
  - Final consensus: TRL 6
- What's next for DSA?
  - Army purchase WNaN radios for deployment?
  - SSC integrating DSA technology with ARGON's HyNET wireless mesh network system (US Army)
  - Ultimate white space network deployed for WORLDWIDE broadband access!!!

Slide 5

Cognitive Radio and DSA Security
- CR security is slowly coming into focus for academia and industry
  - SDR Forum session devoted to CR/SDR security
  - Publications with CR/SDR security topics are on the rise
  - Two DARPA programs on CR/SDR security proposed
- Security research for CR/SDR is still largely overlooked
  - XG program had NO output related to security of DSA protocols
  - None of the current prototypes have any DSA specific security features

Slide 6

DSA Radio Security Analysis
- What are the primary DSA security issues?
  - Primary User Emulation
    - Spoofing the intended primary user
  - Spectral Honey Pot threats
    - Forcing the victim DSA radio to operate on a specific channel
  - DSA DoS threats
    - I can sense and hop faster than you! - PHY level threat
    - LPD jamming - Waveform level threat

Slide 7

Primary User Emulation
- PUE threat is the baseline for many other DSA related attacks
  - Once you can manipulate the radio the floodgates are open, you've got root!!
- Classifiers and Detectors are all over and have been for a long time
  - DSA brings a new twist - Detection/Classification affects communication parameters
  - Energy Detection is usually settled for to gain low complexity and processing speed
- Problem now: Any error is a possible hole

Slide 8

Primary User Emulation

Here are some recent confusion matrices from published papers on signal classification. Most plot results from a single tested environment, for example only for 20 dB SNR. A few have shown results with varying SNR, typically only going down to 10 dB for non-cyclostationary features, and going well below 0 dB when using cyclostationary features. These are all for modulation classifiers.

Slide 9

Primary User Emulation

No one is perfect. If there are results with all 100%s, they are either lying or showing results from a 10000 dB SNR MATLAB environment. I'm not putting these results down, in fact I don't think it's possible to be perfect. The point I'm making is that there are holes in even the most recent signal classifier results that a malicious user WILL find and exploit.

Each of these circles shows some sort of misclassification or imperfect result. A malicious user only needs to find a single instance and continue to exploit it over and over. For traditional classifier applications this did not have the impact it does now for DSA applications. A misclassification can result in a good radio causing interference or even a continuous unstable state with no chance for communication.

Slide 10

Primary User Emulation
- DSA algorithms commonly focus on maximizing Pd
  - Pd is the probability the PU is detected when it is there
- Pd = 100% is still not secure!!
  - This is what REALLY gets overlooked
- Remember XG motto: No Harm
  - This can guarantee no interference but can not guarantee security of DSA system

Slide 11

Spectral Honeypot
- Objective is to manipulate a signal into a specific channel in order to have a better chance of exploitation
- Simplistic approach will simply emulate a primary user until the user jumps to the target channel
- Advanced approaches take advantage of the DSA algorithm by manipulating other portions of the environment
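Added example (not from the original slides): the point of the Primary User Emulation slides above, that an energy detector with Pd = 100% still reports "primary user" for any emitter at the same power, shown on constructed samples. The +/-1 chip waveforms, the thresholds and the pilot-correlation check are assumptions of this sketch; a static, known pilot is a classification feature, not authentication.

```python
import random

# All values below are constructed for illustration.
NOISE_STD = 1.0          # unit-variance Gaussian noise
ENERGY_THRESHOLD = 1.5   # decision threshold on mean |x|^2 (noise alone is ~1.0)
CORR_THRESHOLD = 0.5     # threshold on normalized correlation with the pilot


def chips(n, rng):
    """Pseudo-random +/-1 sequence standing in for a transmitted waveform."""
    return [rng.choice((-1.0, 1.0)) for _ in range(n)]


def received(waveform, amplitude, rng):
    """Waveform scaled by amplitude, plus Gaussian noise."""
    return [amplitude * w + rng.gauss(0.0, NOISE_STD) for w in waveform]


def energy_detect(x):
    """Energy detection: 'PU present' whenever mean power exceeds the threshold."""
    return sum(v * v for v in x) / len(x) > ENERGY_THRESHOLD


def signature_detect(x, pilot):
    """Feature check: normalized correlation against the expected PU pilot."""
    corr = abs(sum(v * p for v, p in zip(x, pilot))) / len(x)
    return corr > CORR_THRESHOLD


def run(n=4000, seed=1):
    """Return {case: (energy_detect result, signature_detect result)}."""
    rng = random.Random(seed)
    pilot = chips(n, rng)  # hypothetical PU feature known to the DSA radio
    cases = {
        "noise only": received([0.0] * n, 0.0, rng),
        "primary user": received(pilot, 1.0, rng),
        # Same power as the PU, different waveform: the emulation case.
        "other emitter, same power": received(chips(n, rng), 1.0, rng),
    }
    return {name: (energy_detect(x), signature_detect(x, pilot))
            for name, x in cases.items()}


if __name__ == "__main__":
    for name, (energy, signature) in run().items():
        print(f"{name:28s} energy={energy!s:5s} signature={signature}")
```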

Slide 12

DSA Denial of Service
- Straightforward DSA DoS - Sense and Hop faster than the receivers
  - DSA radio networks must rendezvous on another channel if a PU appears
  - What if a PU appears before network can rendezvous?
- Waveform level
  - Commonly DSA algorithms interleave the sensing and communication
  - Synchronize and jam only the communication time blocks

Slide 13

Analyzing a Real Radio!
- Shared Spectrum DSA2100 WiMAX DSA Radio
  - Phase 3 contractor for DARPA XG Program
- Interesting Radio Characteristics
  - Wavesat chipset: 802.16-2004
  - Agility: 138 MHz - 3 GHz
  - Bandwidth: 1.75 MHz, 3.5 MHz, or 7 MHz
  - Tuning speed: 300 s
  - TX spur level: -60 dBc
- DSA Channel Selection Algorithms
  - Least occupied
  - Least energy
  - Random

Slide 14

Analyzing a Real Radio!
- DSA Specific Parameters
  - Co-channel sample rate: 10 Hz
  - Non-occupancy period: 5 sec
  - Detection Algorithm: Energy detection
  - Freq. Range for analysis: 350 - 450 MHz, 400 - 480 MHz
** Non-occupancy period: Time a channel should be blocked out if a PU signal is detected

Slide 15

SSC Radio Tests
- Analysis focused on DSA DoS and spectral honeypot
  - PUE was a gimme!
  - How much QoS is degraded?
  - How fast can they be manipulated?
- High Performance Tests
  - Done with a signal generator (Agilent)
  - Restricted to sweeping-type tests
- Practical Tests
  - Done with GNUradio and USRP (RFX400)
  - SDR enabled smarter tests

Slide 16

DSA Denial of Service
- DSA DoS = Never able to rendezvous
- Signal generator parameters
  - Pulse sweep time - Amount of time pulse dwells in a channel before going to channel + 1
  - Signal Power - Is the detection threshold really enforced?
  - Channel Step Size - 1 MHz (2 MHz probably would've been better)

Slide 17

DSA Denial of Service
- Non-Occupancy Period = 5 sec
- Spectrum Range = 100 MHz
- Sweep Rate = 100 ms
- 50% Channels BLOCKED

Slide 18

DSA Denial of Service
- Adding a bit of intelligence (sensing)
  - Using GNUradio we can easily put together a waveform that can sense the location of the signal and send a pulse
  - Pulse power only needs to be just above detection threshold
- What happens if DSA radio ALWAYS sees a PU?

Slide 19

DSA Denial of Service
- Sweeper
  - Pulse < 50ms: pulse is going too fast
  - Theoretical optimal pulse sweep time =
- Smarter Jamming
  - ~92% packet loss!
  - 100% because radio isn't perfect
** Optimal = largest block size

Slide 20

Spectral Honeypot
- Goal is to manipulate radio into using a specific channel
- Signal Generator Sweep Method
  - Notch out a channel from the sweep list

Slide 21

Spectral Honeypot
- Timing results for sweeper method

Slide 22

Spectral Honeypot
- Timing results for sense and pulse

Slide 23

Security Analysis - Take Aways
- What do we get from this analysis?
  - Motto of this specific DSA technology is No Harm
    - Focus is on existing systems' QoS, not their own
    - No Harm to existing systems may mean ZERO communication for the DSA radios
  - Manipulation is possible when radios use an unauthenticated environment when making decisions
  - Non-occupancy period is a critical hole

Slide 24

DSA Security Mitigation
- Primary User Emulation Denial
  - Signal Detection != Signal Classification
  - Robust classification is the objective
    - Unique feature selection is critical
  - Embed signatures
    - Watermarking techniques
- Non-Occupancy Period
  - Randomize in order to create holes in the jamming block
- Embedding common sense
  - Integrate security cognition into the system to filter for obvious malicious acts

Slide 25

Future Generation of CR Threats
- Cognitive Radio technology is adding more autonomous operation into the wireless device
  - Increased exposure to possible threats
- Threats to this technology are analogous to social networking attacks rather than traditional network attacks
  - Sensory Manipulation (DSA)
  - Belief Manipulation (Learning Attacks)
  - Cognitive Radio Viruses (Learning Network Attacks)
- ETA until radios are using advanced AI: long
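Added example (not from the original slides): a small model of the non-occupancy timer under the sweeping pulse from the DSA Denial of Service slides, using the slide values (5 s period, 100 MHz range, 1 MHz step, 100 ms dwell), and of the randomized timer listed under mitigation. The restart-on-detection timer, the case where the revisit interval equals the timer (50 ms dwell) and the 2.5 to 7.5 s uniform range are assumptions of this sketch.

```python
import random


def simulate(n_channels, dwell_ms, draw_nop_ms, sweeps=50, seed=7):
    """Return (mean fraction of channels blocked,
               fraction of sample instants with no free channel)."""
    rng = random.Random(seed)
    blocked_until = [0] * n_channels   # ms timestamp at which each channel reopens
    blocked_sum = samples = no_free = 0
    for k in range(sweeps * n_channels):
        now = k * dwell_ms             # integer ms avoids float edge cases
        ch = k % n_channels            # pulse steps one channel per dwell
        # Assumed model: every detection (re)starts that channel's timer.
        blocked_until[ch] = now + draw_nop_ms(rng)
        if k < n_channels:
            continue                   # first sweep is warm-up
        blocked = sum(1 for t in blocked_until if t > now)
        blocked_sum += blocked
        no_free += blocked == n_channels   # rendezvous impossible at this instant
        samples += 1
    return blocked_sum / (samples * n_channels), no_free / samples


def fixed(ms):
    """Fixed non-occupancy period, as on the radio analysed in the slides."""
    return lambda rng: ms


def uniform(lo_ms, hi_ms):
    """Randomized non-occupancy period (range is a constructed example)."""
    return lambda rng: rng.randint(lo_ms, hi_ms)


N = 100  # 100 MHz range at a 1 MHz channel step (slide values)


def slide_scenario():        # 100 ms dwell, fixed 5 s timer
    return simulate(N, 100, fixed(5000))


def matched_fixed():         # revisit interval equals the fixed timer
    return simulate(N, 50, fixed(5000))


def matched_randomized():    # same revisit interval, randomized timer
    return simulate(N, 50, uniform(2500, 7500))


if __name__ == "__main__":
    for fn in (slide_scenario, matched_fixed, matched_randomized):
        blocked, none_free = fn()
        print(f"{fn.__name__:20s} blocked={blocked:.3f} no_free={none_free:.3f}")
```

The first case reproduces the 50% blocked figure from the slides. Draws shorter than 5 s also shorten the protection given to a real primary user, which is the cost of the holes the randomized timer opens.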

Slide 26

Other SDR/CR related items at VT

Slide 27

Cognitive Radio Network Testbed
- Defense University Research Instrumentation Program (DURIP) grant for CR testbed equipment.
- Physical testbed deployed throughout a new campus building
  - Total size of testbed is 48 nodes
  - 12 nodes per floor
  - No restrictions on other wireless systems inside building
- Reservation System for Nodes

Slide 28

CR Testbed Hardware
- Custom RF Daughterboard
  - Motorola RFIC4
  - 100 MHz - 4 GHz
  - 20 MHz instantaneous bw
  - Highly variable receive gain
    - 25 dB - 50 dB
  - Multiple TX (3) and RX (5) paths
  - Sideband Rejection
    - 40 dB - 60 dB
- Host PC Servers
  - Intel Xeon Quadcore 2.13 GHz
  - 6 GB RAM, Gigabit Ethernet
  - Upgradable to Intel Nehalem for future
- Much different from existing testbeds

Slide 29

Cognitive Radio Network Testbed
- Current Testbed Status
  - 5 PC nodes with USRP and RFX400 daughterboard
  - Power and network installed throughout building
  - Servers are racked and ready
  - Waiting on USRP2s to be delivered
  - Management back-end is being developed

Slide 30

Cognitive Radio Open Source System
- Open Source Cognitive Engine System API
  - Current reference implementation uses a Case-Based Reasoning Cognitive Engine
  - Radio Configuration described in XML
- Application simply links to library to access system
- Modular System
  - Cognitive Engines can be swapped in and out
  - Optional components
    - Policy Engine
    - Service Management Layer
For more information: http://cornet.wireless.vt.edu

Slide 31

Cognitive Radio Testbed
- Modular architecture provides mechanism to simply plug-in components on remote systems where higher quality resources may be available
- Cognitive Engine developers can now focus on specific cognition algorithms
  - No more worrying about physical layer hardware issues
- Remote Access
- Resource Rich Testbed

Slide 32

Cognitive Radio Open Source System
- Integrated into both OSSIE and GNUradio for intelligent control of waveforms and applications
  - Demonstrated DSA application with hot-swappable cognitive engine
- Service Management Layer component provides the service oriented architecture support
  - Manages services and capabilities provided to the cognitive radio by components
  - Translates radio missions into operations and instructions for CROSS components
- Mission 1: Jam all enemy signals
  - Detect signals
  - Enemy using Wifi?
  - Detect wifi channel
  - Jam Wifi
- Mission 2: Covert Jam Signals
  - Signal Classifications
  - Optimize Power for jamming
  - Jam signal
  - Monitor for resurgence on multiple channels