Location Spoofing Attack and Its

Countermeasures in Database-Driven

Cognitive Radio Networks

Kexiong (Curtis) Zeng,

Sreeraksha Kondaji Ramesh,

Yaling Yang.

Outline

Background and Motivation

Our Works

Overview of GPS Spoofing Attack and Existing

Countermeasures

Attack Model

Countermeasures and Evaluations

Future Work

1

Background

Background of database-driven cognitive radio networks

Enforced by FCC.

Primary users (PUs) and secondary users (SUs).

Submit location information to query the database.

Database allocates available spectrum to SUs.

2

Motivation

3

Location Security Loophole

Outline

Background and Motivation

Our Works

Overview of GPS Spoofing Attack and Existing

Countermeasures

Attack Model

Countermeasures and Evaluations

Future Work

4

Our Works

First to study the impact of GPS spoofing

attacks in cognitive radio networks (CRNs).

Formulate attack models & examine the

impact.

Analyze various countermeasures.

5

Outline

Background and Motivation

Our Works

Overview of GPS Spoofing Attack and Existing

Countermeasures

Attack Model

Countermeasures and Evaluations

Future Work

6

Overview of GPS Spoofing Attack

and Existing Countermeasures

Civilian GPS can be easily spoofed:

Transmit counterfeit GPS signals.

Rebroadcast GPS signals.

Existing Countermeasures:

Self-check algorithms.

Smart antennas.

7

Outline

Background and Motivation

Our Works

Overview of GPS Spoofing Attack and Existing

Countermeasures

Attack Model

Countermeasures and Evaluations

Future Work

8

Single GPS Spoofing Attacker

9

Attack Model

Random attack model

No knowledge about the database and currently registered SUs information.

Spoof SUs to a random location in the cell.

Optimal attack model

Access to the database and currently registered SUs information.

Spoof SUs to an optimal location in the cell.

10

Our Settings

Round-robin scheduling and List-coloring spectrum allocation.

WhiteSpaceFinder developed by Microsoft.

A 16km-radius single cell in Blacksburg, Virginia with 100m *100m resolution.

SUs are uniformly distributed.

11

Evaluate the Impact

Random and optimal attacks

1 km transmission range

30 simulation runs

15

Random vs. Optimal

16

The performance of random and optimal attack in a 1260-SU network.

Outline

Background and Motivation

Our Works

Overview of GPS Spoofing Attack and Existing

Countermeasures

Attack Model

Countermeasures and Evaluations

Future Work

17

Countermeasures

Centralized Detection Scheme (CDS)

Environmental-radio-based Location

Verification (ELV)

Peer Location Verification (PLV)

18

Centralized Detection Scheme

Maintain location traces for all SUs.

Detect abnormal mobility patterns.

Limitations:

Misclassification.

Cannot restore network operations.

Privacy violations to SUs.

19

Environmental-radio-based

Location Verification

SUs are software defined radios.

WiFi signal

Television signal

FM signal

Location crosscheck.

20

Implementation of ELV

21

26 red balloons indicate the locations of test points.

Localization Performance

22

Localization performance using FM radio signals.

ELV has some error ranges.

Effectiveness of ELV

Undetected GPS spoofing attacks.

Spoofed locations inside the error ranges.

Model as attacks with distance constraints.

23

Effectiveness of ELV

24

The probability is calculated by 30 individual simulations in a 84-SU network.

Limitations of ELV

Blind spots of the environmental radio

signal database.

Performance depends on the number of

local channels.

25

Peer Location Verification

26

Spoofed

Parameters

Initial anchor ratio .

Anchors transmit 𝑟-radius beacon signals with

probability 𝛽.

27

Convergence Speed

Divide time into discrete slots.

𝑝𝑖,𝑡: the probability of an SU 𝑖 is verified at

time 𝑡.

𝐏𝐭 = 𝑝1,𝑡, 𝑝2,𝑡, . . . , 𝑝𝑛,𝑡𝑇.

28

Convergence Speed

Time evolution of the probability :

𝐏𝐭 = (𝐈 + 𝛽𝐀)𝐏𝐭−1 = 𝐁𝐏𝐭−1 = 𝐁𝑡𝐏0,

where 𝐁 = (𝐈 + 𝛽𝐀), 𝐈 is the identity matrix

and 𝐀 is the adjacency matrix.

29

Convergence Speed

Derive a lower bound for the increasing of

verified SU number:

where N𝑡 is the time evolution of verified SU

number, 𝜆1,𝐵 is the largest eigenvalue of 𝐁,

𝐶 is a constant.

30

Evaluation of PLV

Missed detection (false negative)

Isolated SUs

31

Missed Detection

32

False negative SU ratio = number of non−detected victim SUsTotal number of non−anchor SUs

.

Evaluation of PLV

Missed detection (false negative)

Isolated SUs

False alarm (false positive)

Malicious anchor nodes

Majority Voting

33

False Alarm

34

False positive SU ratio=Number of SUs reporting false alarms

Total number of non−anchor SUs.

Discussion of PLV

Require some small initial anchor ratio and

SU density.

Good news:

Attackers are less likely to spoof extremely

sparse SU networks.

• Can hardly spoof enough SUs to cause serious PU

interference.

35

Outline

Background and Motivation

Our Works

Overview of GPS Spoofing Attack and Existing

Countermeasures

Attack Model

Countermeasures and Evaluations

Future Work

36

Future Work

Hybrid Countermeasure.

Independent of wireless signals.

A framework of sensing-based secure

location verification system for mobile

devices.

37