mitigation of primary user emulation attack using time of emission estimation

CSC774 - NCSU ADVANCED NETWORK SECURITY

Mitigation of Primary User Emulation Attack

using Time of Emission

Estimation

Natraj Jaganmohan (njaganm)Sandeep A Rao (sarao)

1

2

Agenda of the presentation:Background about Cognitive Radio NetworksPrimary User Emulation Attack (PUEA)Existing approaches to solve PUEA.PUEA attack model with Directional antennas. Attack mitigation using TOE estimation.Simulation results.Limitations of the approach.Future directions of research.


3

It all started here:“All consumers . . . deserve a new spectrum

policy paradigm that is rooted in modern-day technologies and markets. We are living in a world where demand for spectrum is driven by an explosion of wireless technology and the ever-increasing popularity of wireless services. Nevertheless, we are still living under a spectrum 'management' regime that is 90 years old. It needs a hard look, and in my opinion, a new direction.”

Michael K. Powell (Chairman FCC Spectrum Policy Task Force)


4

Spectrum Scarcity:Cognitive Networks help us solve the

problem.


5

Background: Cognitive Radio Networks.

Wireless spectrum is very scarce leading to spectrum crisis.

FCC recommends use of opportunistic or cognitive networks to increase spectrum utilization.

This technology would put unused and under-used spectrum assets to work – without impacting primary users within those bands. It is a bold, yet workable solution.

CSC774 ADVANCED NETWORK SECURITY

6

Background: Cognitive Radio Networks.

“A Cognitive Radio is a radio frequency transmitter/receiver that is designed to intelligently detect whether a particular segment of the radio spectrum is currently in use, and to jump into (and out of, as necessary) the temporarily-unused spectrum very rapidly, without interfering with the transmissions of other authorized users.”

http://www.ieeeusa.org/forum/POSITIONS/cognitiveradio.html


7

Cognitive Radio networks operation:

PU-Tx

PU-RX

PU-RX

PU-RX

SU SU


8

What makes Cognitive Networks possible?

Key enablers of CRNs:

Radio manufacturers have started to create flexible software-defined radios.

Research funding and support for spectrum re-use.

Support for Dynamic Channel selection, channel scanning and adjustable transmission power.


9

Some terminologies used in this presentation:

CRN: Cognitive Radio NetworkPU: Primary User (licensed user)SU: Secondary user (CRN node)PUEA: Primary User Emulation AttackFC: Fusion CenterTOE: Time of EmissionTOA: Time of Arrival.


CSC774 ADVANCED NETWORK SECURITY

10

Most important attacks on CRNsSpectrum data falsification attacks: In

this case, one or more SUs are compromised and hence report wrong sensing values to FC. This makes the FC make incorrect decision about the presence of PU.

The most preferred way to mitigate the attack is to collect sensing values from a group of SUs and remove the outlier values.

11

Primary User Emulation Attack:

PU1

Primary Transmitter

PU2

PU3

SU1SU2


12

Primary User Emulation Attack:

PU1

Primary Transmitter

PU2

PU3

SU1

SU2Attacker


SUs cannot access channel as they think PU is transmitting

13

Why are we facing this attack :Secondary users cannot

authenticate the PU transmission.

FCC states that PU cannot be modified to support security. Hence regular authentication schemes don’t work.


14

General approaches to defeat this attack: Solution 1RSSI based PU localization:

(x,y)

FC


RSSI values are measured at all SUs and calculate the location of PU.

Decision is made based on all received sensing reports

Ideal case of a PU transmitting, all RSSI values will be correct w.r.t distance

15

Solution 1 proposed by:Zhou Yuan et al, suggested the use of

localization schemes to estimate and authenticate the location of PU.

Scheme based on Received signal power.Pr = Pt + a 10 log (do/d) + w

It can be defeated by attacker by using Antenna arrays with different power levels.


16

General approaches to defeat this attack: Solution 2 Dr. Peng Ning et al proposed

integrating cryptographic signatures and wireless link signatures to enable primary user detection. Essential to the approach is a helper node placed physically close to a primary user.


17

General approaches to defeat this attack: Solution 2Working with helper nodes.

(x,y)Helper Node


Helper node transmits signals identical to PU

SUs can try to verify the PU authenticity by verifying the Wireless Link signature of Helper node

18

General approaches to defeat this attack: Solution 2This technique is very effective in

terms of authenticating primary user. We exploit the proximity of Helper node with PU.

Problem is the authentication of wireless link signature of the helper node. Also if attackers are placed near helper nodes, then it causes problems.


19

General approaches to defeat this attack: Solution 3IRIS model proposed by Alexander et

al, has a secure attack detection by verifying the consistency of system state (Transmit power and path loss).

This technique is very effective and it defeats both Data Falsification attacks and PUEA. But, it fails in the case of attacker with antenna arrays and directional antenna.


20

Attack model: Assumptions : All nodes are loosely time

synchronized.Location of PU is fixed and known

to all SUs.Fusion Center is used to make

decision about presence of PU.All SUs are connected to FC using

a secure link.There is a LOS path between

every SU and PU. CSC774 - NCSU ADVANCED NETWORK SECURITY

21

Attack model : MotivationThis attack model fails all the

localization based solutions for PUEA which have been proposed previously.

Attacker uses a multi antenna array or MIMO technology with directional antennas to send PU-TX like signals to different SUs with various power levels faking the presence of PU.CSC774 - NCSU ADVANCED NETWORK SECURITY

22

Attack model: Representation The power levels at different nodes are expected with

respect to the distance from the PU-TX.


23

Attack model:Antenna array – multiple antenna

transmitter


24

Attack model:This attack is possible because:1. Antenna arrays are low cost

and easy to setup2. Attacker can manipulate the

power levels in each directional beam from every antenna element to make sure every SU calculates the RSSI equal to the RSSI when PU transmits.


25

Attack model: ValidationWe have simulated the attack

model to verify whether such an attack is really possible.

Modeler: Opnet Network modeler 16


26

Attack model: Directional Antenna pattern formation in Opnet


27



28



29

Attack model: A sample scenario proving the possibility of attack


30

Attack model: Throughput graphs.

PU-TX (antenna 1)

SU-1

SU-2


31

Attack model: Multiple antenna array simulation.

Ref: http://fens.sabanciuniv.edu/telecom/eng/comnet/cisco/smart.htm


http://fens.sabanciuniv.edu/telecom/eng/comnet/cisco/smart.htm

32

Attack model: ValidationHence if the attacker can

configure each antenna element with the appropriate power levels to produce required RSSI values at each SU, then attack is achieved.

Regular localization based methods cannot defeat this attack. This forms the motivation for our solution.

CSC774 DVANCED NETWORK SECURITYCSC774 - NCSU ADVANCED NETWORK SECURITY

33

Time of Emission Estimation Based Approach : Our solution to PUEA


34

ModelSU

SU

SU

SU

FusionCenter

PU

PUE


35

AssumptionsSecondary Users and Fusion

Center ◦are loosely Synchronized◦have secure communication

Fusion Center ◦cannot be compromised◦knows locations of all users

(secondary as well as primary)◦has good computational power and

storageCSC774 - NCSU ADVANCED NETWORK SECURITY

36

Attacker CapabilitiesCan use antenna array

◦But transmitting with a beam formation at different locations at different times is restricted.

Multiple Attackers can coordinate ◦They can be synchronized among

themselvesAttacker knows location of all

nodesSU may be compromised


37

Proposed ApproachSensors measure Time of ArrivalFusion Center estimates Time of

EmissionRobust against,

◦Multiple, coordinated attackers◦Multiple compromised secondary

users◦Node with Antenna Array!


38

DesignSU

FusionCenter

PU

Estimate TOA!TOA

Estimate TOE!TOE estimated for every sensor must be almost same in an ideal scenario

In the presence of an attack there will be deviations in some TOE estimations

SU

Estimate TOA!TOAPUEA result

PUEA result


39

Intuition

Time


40

ProcedureFC

TOA

TOATOA TOA

TOA

FOR EACH NODE MEASURE TOE!

TOEi = TOAi – Dist/c + ξ

COMPUTE MEAN TOEmean


41

Procedure

FOR EACH NODE, MEASURE DEVIATION!

δi = TOEAVG ~ TOEi

If δi > μ Increment C μ -> Maximum allowable deviation!C -> number of deviated values

If C > k then PUEA!k -> Maximum no. of allowable deviated reports


42

Parameters!Determining μ

◦ The maximum deviation in the measurement by a node under a non-attack scenario!

Determining k ◦Too small? Increase in false negative!◦Too large? Increase in false alarm!◦Tradeoff needed!


43

Simulation Results


44

LimitationIf an attacker is capable of

compromising almost every node! ◦Attacker too powerful!

◦Note: We have a threshold which is used to tolerate certain number of configured node compromises. But, if almost all nodes in network are compromised, then the network is not useful.


45

Future workFCC may relax rule “no

modification to the incumbent (primary) system should be required to accommodate opportunistic use of the spectrum by secondary users”◦Already relaxed for wireless

microphones Removing Fusion Center

◦May decrease latency and increase performance of system.CSC774 - NCSU ADVANCED NETWORK SECURITY

46

SummaryAn Attack Model against the

approaches using RSSI is proposed and simulated

A Novel approach to mitigate PUEA is proposed using Time of Emission Estimation and simulated

Approach is compared with a similar RSSI based approach


47

Thank you!


mitigation of primary user emulation attack using time of emission estimation

Documents

radio spectrum

wireless spectrum

unused spectrum

spectrum utilization

spectrum crisis

cognitive network research

spectrum reuse

cognitive networks possible