
Survey of Security Issues in Cognitive Radio Networks

Wassim El-Hajj 1, Haidar Safa 1, Mohsen Guizani 2

1 Computer Science Department, American University of Beirut, Lebanon
2 Computer Science Department, Western Michigan University, USA

{we07, hs33}@aub.edu.lb, [email protected]

Abstract

Cognitive Radio (CR) is a novel technology that promises to solve the spectrum shortage problem by allowing secondary users to coexist with primary users without causing interference to their communication. Although the operational aspects of CR are being explored vigorously, its security aspects have gained little attention. In this paper, a brief overview of the CR technology is provided followed by a detailed analysis of the security attacks targeting Cognitive Radio Networks (CRNs) along with the corresponding mitigation techniques. We categorize the attacks with respect to the layer they target starting from the physical layer and moving up to the transport layer. An evaluation of the suggested countermeasures is presented along with other solutions and augmentations to achieve a secure and trusted CRN.

Keywords:

1 Introduction

The ever-increasing demand for spectrum due to the rapid introduction of novel wireless applications has led the Federal Communications Commission (FCC) to approve, in September 2010, new rules that allow unlicensed users to utilize the spectrum reserved for wireless broadband services (300MHz and 400MHz). The technology developed to take advantage of this unused spectrum is Cognitive Radio Networks (CRNs), which are intelligent networks that adapt to changes in their environment to make better use of the radio spectrum. CRNs help solve the problem of spectrum shortage by allowing unlicensed users to use primary systems without causing interference. This technology allows the coexistence and sharing of licensed spectrum resources between two types of users, licensed and unlicensed.

Cognitive Radio (CR) nodes have unique capabilities which allow them to take advantage of available white spaces in a spectrum. A study made at the Berkeley Wireless Research Center (BWRC) shows that most spectrum, particularly from 1 GHz to 10 GHz, is under-utilized, as shown in Figure 1. The nodes can sense their environment and spectrum, analyze the discovered information, and adjust to the sensed environment. CR nodes discover white spaces by performing spectrum sensing, i.e., identifying or detecting holes in a spectrum. The techniques used to make use of these holes fall under the term Dynamic Spectrum Access (DSA). The two most significant challenges in CRNs are transparency to primary users and non-interference.

Figure 1 Spectrum Utilization Measurement

The successful deployment of CRNs includes the correct construction and maintenance of security measures to combat attacks launched against them. We categorize the attacks on CRNs into four major classes: Physical Layer attacks, Link Layer attacks (also known as MAC attacks), Network Layer attacks, and Transport Layer attacks. In the Physical Layer, we discuss Primary User Emulation (PUE), the Objective Function Attack, and Jamming. In the Link Layer, we discuss Spectrum Sensing Data Falsification (SSDF), the Control Channel Saturation DoS Attack (CCSD), and Selfish Channel Negotiation (SCN). In the Network Layer, we mainly discuss the routing attacks that are relevant to CRNs, for instance the HELLO Flood attack and the Sinkhole attack. In the Transport Layer, we discuss the Lion Attack. Some of these attacks might target different layers, such as jamming, which can be done in either the physical or the MAC layer. After presenting each attack we discuss in detail the techniques used to mitigate it. We then evaluate these countermeasures, showing their strengths and weaknesses.

The rest of the paper is organized as follows. In Section 2, we give a brief overview of the CR technology. In Section 3, we discuss spectrum sensing, which is considered the most essential step in CRNs. In Section 4, we discuss in detail the attacks targeting CRNs and the corresponding countermeasures. In Section 5, we present an evaluation study of the existing countermeasures. In Section 6, we present general frameworks for secure and trusted CRNs. In Section 7, we conclude the paper and present our future work.

*Corresponding author:

00-Invited Paper.indd 1 2011/3/10 下午 13:00:58

Journal of Internet Technology Volume 12 (2011) No.2

2 Brief Overview of Cognitive Radio Technology

CRNs are intelligent networks that adapt to changes in their environment to make better use of the radio spectrum. Sometimes a frequency may be licensed to a primary system but not used fully. Consequently, spectrum holes or white spaces are created. CRNs help solve the problem of spectrum utilization by allowing unlicensed users to use primary systems without interference. For example, a device with CR capabilities may locate spectrum holes in the frequency band of a TV network in the presence of a GSM network. The device can then decide to make calls and communicate with other CR devices using these holes.

There are two types of CRs [1]: Policy Radios and Learning Radios. Policy radios have some predefined policies that determine the behavior of the radio. When a radio gathers information from the surrounding environment, the information is turned into statistics that determine the radio’s state. Learning radios have an extra component, a learning engine, which allows them to configure and re-configure their states. Radios with a learning engine are able to try out different parameters and determine which work well in a particular environment. It is important to point out the different types of CRs in order to be able to demonstrate the different effects similar attacks have on them. For example, in a policy radio, an attacker with knowledge of how the statistics are calculated can affect them and force a desired output. This attack can affect learning radios as well; however, since they have a learning engine, the attack can have a longer-lasting effect on them, as they learn or accumulate information from this experience, which may dictate a certain behavior in the future. The Objective Function Attack discussed in Section 4 is an example of such an attack that has a bigger impact on learning radios than on policy radios.

A CR node has the following capabilities [2]: Cognitive capability, by which the node can sense the environment and the spectrum; Self-organized capability, which is the node’s ability to analyze discovered information; and Reconfigurable capability, where the node is able to adapt to the sensed environment. Cognitive capability includes spectrum sensing, which refers to the ability to identify or detect spectrum holes. This operation must be done with limited to no interference to the licensed users’ traffic or communication. In addition, it includes network and service discovery; for example, what kinds of networks are nearby (WiFi, GSM, etc.) and what services are provided by these networks. A self-organized capability provides management of the connections between the different CR nodes that happen to be in the same area. Good connection management can help CR nodes in route selection. The ability of the radio to change its frequency and adapt to available networks and services is one of the reconfigurable capabilities. Figure 2 presents a generalized snapshot of the CR architecture.

CRNs are organized in three different architectures: Infrastructure, Ad Hoc and Mesh. An infrastructure CRN (Figure 3) has base stations or access points. A device with CR capabilities may communicate with other devices within the range of the base station through the base station itself. Communication between devices in different cells is routed by the base stations. On the other hand, ad hoc CRNs (Figure 4) are formed by devices without the need for base stations; the devices can establish links between each other using different communication protocols. For example, they may use existing protocols such as Bluetooth, or they may use spectrum holes. The final architecture is the Mesh (Figure 5), which is basically a combination of the aforementioned architectures. It allows devices to connect to the base stations through neighboring devices, and the base stations then work as routers and forward the packets.

A discussion of cognitive radio cannot be complete without discussing its most important component, spectrum sensing. Spectrum sensing is the task of obtaining awareness about the spectrum usage and the existence of primary users in a geographical area. In the next section, we give a brief overview of how spectrum sensing is done in CRNs.

Figure 2 General Architecture of Cognitive Radio


3 Spectrum Sensing

In order for a CR node (secondary user) to acquire a service, it undergoes spectrum sensing to decide on the band to use for transmission, i.e., it searches for spectrum holes in a specific frequency, and then it exploits the existence of these holes to be able to use that frequency for communication. This technique is called Dynamic Spectrum Access (DSA). However, making sure that this sensing process is reliable is a challenging task for CRs because of the signal fading due to the low received signal strength, which may result in the hidden node problem. This problem lessens in distributed spectrum sensing (DSS), where multiple secondary users cooperate and share their sensing measures and send them to a data collector [3]. Indeed, each sensing terminal conducts the local spectrum sensing and then reports these local sensing results to the data collector, which in turn executes data fusion techniques and determines the final spectrum sensing result. Sensing can also be done in a completely ad hoc architecture where no data collector is present, as shown in Figure 6 [4]. The Common Control Channel (CCC) is used to facilitate the message exchange between users and support spectrum sensing coordination.

Figure 3 Infrastructure Architecture Figure 4 Ad Hoc Architecture

Figure 5 Mesh Architecture

Figure 6 Spectrum Sensing in an Ad Hoc Architecture


Depending on the CRN architecture, many techniques have been suggested to determine the final spectrum sensing result. The three most popular ones are matched filter, energy detection and cyclo-stationary feature detection. Although other techniques have been suggested, we include a brief description of these three mechanisms for completeness. The energy detection technique is the most common because of some features it possesses that prevail over the other techniques. For example, the matched filter utilizes the signal-to-noise ratio to detect the presence of a primary user [5], but its disadvantage is that it needs prior knowledge of the primary user signal characteristics, such as modulation type and order, pulse shaping and packet format. When such knowledge is unavailable, energy detection is used as an alternative.

Cyclo-stationary feature detection can detect primary users’ signals with low signal-to-noise ratio, but it is very difficult to implement because it is computationally complex [5-6]. In addition, it requires having prior knowledge of the primary user signal. In cyclo-stationary feature detection the primary user signal is sampled and the amplitude is normalized. If the amplitude is periodic and there exists a peak value for each period, this value is compared to a predetermined threshold. If a periodicity is found, the band is then determined to be used by a primary user. Otherwise, the band is determined to be free of primary users’ signals.

Energy detection works according to the following rationale: “The channel with low power has high probability to be an unoccupied channel” [5]. Therefore, the entire detected bandwidth is scanned, and then some channels are selected by sorting them in an ascending order based on the power of each channel. The channel with the lowest power is then chosen for use by secondary users. The disadvantage of energy detection is its naïve way of differentiating between primary user and secondary user signals [7]. If a secondary user detects a signal it recognizes then it assumes that it is another secondary user; otherwise, it determines that it is the signal of a primary user. This shortcoming has severe repercussions in CR security as it facilitates Primary User Emulation attacks.
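As an added illustration of the distributed sensing round described earlier in this section (local sensing at each terminal, data fusion at the collector) and of the energy-detection channel ranking above. This is example code written for this survey page, not the paper's or its references' own implementation; the noise power, window length, fusion rule, terminal count and every measurement are constructed assumptions.

```python
import math
import random

# Constructed scenario: K sensing terminals each run energy detection over
# N channels and report a per-channel busy/free verdict to the data
# collector (fusion center), which fuses the verdicts with a k-out-of-K rule
# and then ranks the free channels by power, lowest first.

NOISE_POWER = 1.0           # assumed per-sample noise variance (linear units)
SAMPLES_PER_CHANNEL = 256   # assumed length of the sensing window
# Noise-only energy has mean NOISE_POWER and std NOISE_POWER*sqrt(2/N);
# the threshold sits 4.5 std above the mean so false alarms stay rare.
THRESHOLD = NOISE_POWER * (1 + 4.5 * math.sqrt(2.0 / SAMPLES_PER_CHANNEL))


def energy_statistic(samples):
    """Average energy of a list of real-valued samples."""
    return sum(x * x for x in samples) / len(samples)


def local_sensing(channel_samples):
    """One terminal's local result: {channel: (energy, busy)}."""
    result = {}
    for ch, samples in channel_samples.items():
        e = energy_statistic(samples)
        result[ch] = (e, e > THRESHOLD)
    return result


def fuse(reports, k):
    """Data fusion at the collector.

    reports: list of local results, one per terminal.
    k: a channel is declared busy when at least k terminals saw it busy
       (k=1 is the OR rule, k=len(reports)//2+1 is majority voting).
    Returns (busy_set, average_energy_per_channel).
    """
    votes, energy_sum = {}, {}
    for rep in reports:
        for ch, (e, busy) in rep.items():
            votes[ch] = votes.get(ch, 0) + int(busy)
            energy_sum[ch] = energy_sum.get(ch, 0.0) + e
    busy = {ch for ch, v in votes.items() if v >= k}
    avg = {ch: s / len(reports) for ch, s in energy_sum.items()}
    return busy, avg


def rank_free_channels(busy, avg_energy):
    """Energy-detection selection: free channels sorted by power, lowest first."""
    free = [ch for ch in avg_energy if ch not in busy]
    return sorted(free, key=lambda ch: avg_energy[ch])


def build_scenario(seed=7, terminals=4, channels=6):
    """Constructed measurements: a primary user on channel 1 heard by every
    terminal, and one on channel 4 heard only by terminal 3 (the other
    terminals are shadowed, i.e. the hidden node situation)."""
    rng = random.Random(seed)
    reports = []
    for t in range(terminals):
        samples = {}
        for ch in range(channels):
            noise = [rng.gauss(0.0, math.sqrt(NOISE_POWER))
                     for _ in range(SAMPLES_PER_CHANNEL)]
            heard = ch == 1 or (ch == 4 and t == 3)
            if heard:   # BPSK-like primary signal of unit amplitude
                noise = [n + rng.choice((-1.0, 1.0)) for n in noise]
            samples[ch] = noise
        reports.append(local_sensing(samples))
    return reports


def sense_and_select(k, seed=7):
    """Run one DSS round; returns (busy_set, ranked_free_channels)."""
    reports = build_scenario(seed)
    busy, avg = fuse(reports, k)
    return busy, rank_free_channels(busy, avg)


if __name__ == "__main__":
    for k in (1, 3):
        busy, ranked = sense_and_select(k)
        print(f"k={k}: busy={sorted(busy)} ranking={ranked} chosen={ranked[0]}")
```

With the OR rule the shadowed primary user on channel 4 is still caught because one terminal heard it; with majority voting it is missed, and channel 4 only ends up last in the ranking because its fused power is higher.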

Many other spectrum sensing and access techniques have been suggested in the literature. For instance, in [8] a sensing method which improves the efficiency of spectrum access without causing interference to licensed bands was formulated as a constrained parameter optimization problem and solved using a numerical algorithm. In [9], a Distributed Medium Access Control protocol for CR ad hoc networks is suggested. The protocol relies on time slots for scanning primary system frequencies to allow secondary users to use the frequency. In [10], a technique called Sensor Network Aided Cognitive Radio is suggested to enable licensed and unlicensed wireless users to use available networks with minimum interference to each other. The nodes of the CRN send queries to the sensor network exploring the existence of spectrum holes in the primary network. Upon receipt of the query, the sensor network scans the primary network and responds with the available holes back to the secondary users. Yucek et al. present a good survey of spectrum sensing algorithms for CRNs [11].

4 Cognitive Radio Networks: Attacks and Countermeasures

Unlike most of the surveys that address the attacks on CRNs, we categorize the attacks according to the layers they target: Physical, Link, Network, and Transport. Since CRNs can be considered a special kind of Ad Hoc network, most of the attacks targeting Ad Hoc networks can also target CRNs. In this survey, we analyze the attacks that are most relevant to CRNs.

It is important to note that some surveys on CRNs already exist [12-13], but they have many weaknesses: they fail to address some very important attacks, they are outdated, and most importantly none presents an evaluation study of the various countermeasures.

Any solution suggested to counter CRN attacks should abide by the FCC requirement which states that “no modification to the incumbent system should be required to accommodate opportunistic use of the spectrum by secondary users” [14]. Having this requirement in mind, any security solution suggested to protect or thwart an attack on CRN should be introduced to the secondary user system, not the primary one.

4.1 Physical Layer Attacks

Before discussing the physical layer attacks on CRN and the corresponding countermeasures, we highlight the work done in [15] that addresses the physical-layer security issue of a secondary user in CRN from an information-theoretic perspective, where a secure multiple-input single-output (MISO) cognitive radio channel was considered. In MISO, a multi-antenna SU transmitter sends confidential information to a legitimate SU receiver in the presence of an eavesdropper and on the licensed band of a primary user (PU). The approach defines the Secrecy Capacity as the maximum achievable rate at which data can be reliably sent from the SU transmitter to the legitimate SU receiver while being kept perfectly secret from the eavesdropper. The secrecy capacity of a secure MISO CR channel has been characterized. Two numerical approaches have been proposed to compute the secrecy capacity and the capacity-achieving transmit covariance matrix. By exploring its inherent convexity, the first approach transforms the original quasiconvex problem into a single semidefinite program, which can be solved efficiently. By exploring the relationship between the secure CRN and the conventional CRN, the second approach transforms the original problem into a sequence of optimization problems related to the conventional CRN.

4.1.1 Primary User Emulation (PUE)

One of the Cognitive Radio principles is that a secondary user is allowed to use a specific band as long as it’s not occupied by a primary user. However, once the secondary user detects the presence of a primary user, it must switch channels immediately to an alternative band in order not to cause interference to the primary user. If the secondary user detects another secondary user using the same band, certain mechanisms should be used to share the spectrum fairly.

Primary User Emulation (PUE) attack [14][16] is carried out by a malicious secondary user emulating a primary user or masquerading as a primary user to obtain the resources of a given channel without having to share them with other secondary users (Figure 7). As a result, the attacker is able to obtain full bands of a spectrum. The motivation behind the attack is divided into two categories: Selfish PUE attack and Malicious PUE attack. In the Selfish PUE attack, the attacker’s goal is to increase its share of the spectrum resources. In addition, this attack can be conducted simultaneously by two attackers to establish a dedicated link between them. In the Malicious PUE attack, the attacker’s goal is to prevent legitimate secondary users from using the holes found in a spectrum.

Figure 7 Primary User Emulation Attack (figure labels: data collector / fusion center performing data fusion on the local spectrum sensing results of the sensing terminals to produce the final spectrum sensing result; primary user; malicious user transmitting signals with the same characteristics as primary user signals)

The PUE attack can target both types of cognitive radio, Policy Radios and Learning Radios [1], with different severity. When dealing with policy radios, the effect of the attack vanishes as soon as the attacker leaves the channel. The secondary user will then sense that the spectrum is idle and claim it. On the other hand, when dealing with learning radios, information about primary users’ current and past behavior can be gathered in order to predict when they will leave the channel, i.e., make it idle. The attacker can then perform the PUE attack during these idle times. Now the attack will have a long-term effect on secondary users, and they might never use the affected channel again.

As mentioned in [12], new and more sophisticated PUE attacks can be performed when the attacker has some knowledge about the cognitive radio network. For instance, an attacker can utilize the CRN’s “quiet periods” to perform PUE attacks. A quiet period is the time during which all secondary users refrain from transmitting to facilitate spectrum sensing. During these periods, any user whose received signal strength is beyond a certain threshold is considered a primary user. This CRN feature can be exploited by an attacker who transmits during “quiet periods”, fooling the rest of the nodes into treating it as a primary user. Another example is an attacker that performs a new PUE attack whenever the CRN makes a frequency handoff, i.e., switches from one channel to another, thus degrading the data throughput of the CRN or leading to a complete DoS. Such an attack assumes that the attacker can find the next CRN channel in a limited time.

Apart from the experimental PUE attacks, an analytical model is described in [17] to obtain the probability of successful PUE attacks on secondary users. The authors provided lower bounds on the probability of a successful attack using Fenton’s approximation and Markov inequality. We discuss next the approaches used to thwart PUE attacks.

Defending Against Primary User Emulation Attack

To defend against PUE attacks, the identity of the transmitting source needs to be established, i.e., is the transmitting source a primary user or a malicious user? The usual and best approach to knowing the user identity is to apply cryptographic authentication mechanisms, such as digital signatures. But such an approach cannot be adopted because of the FCC regulation that prohibits altering primary user systems. Given this restriction, and knowing that primary users’ locations are known ahead of time, researchers resorted to finding efficient ways of pinpointing the location of the transmitting source. If the location of the source matches the location of a primary user, the source is considered to be a primary user. Otherwise, it is considered to be an attacker trying to emulate a primary user.

In [14], two approaches have been suggested to determine the location of the transmitting source: the Distance Ratio Test (DRT), which is based on received signal strength measurements, and the Distance Difference Test (DDT), which is based on signal phase difference. Both approaches are based on a transmitter verification procedure. The procedure uses a location verification method to distinguish between primary signals and secondary signals masquerading as primary signals. Some assumptions are set to create the environment where the attack is likely to occur. The primary users are TV broadcast towers with fixed locations, and there are some secondary user nodes within the range of the towers’ signals. There are trusted location verifiers (LVs) to perform DRT and DDT, and there are two types of LVs: master and slave LVs. A master LV has a database with the coordinates of the TV towers. LVs know their location from a secure GPS system. Finally, there exists a control channel between LVs used for their communication. LVs calculate the distances between themselves and the transmitters as they receive their signals. The signals can be from the towers or from an attacker masquerading as a tower. Then the LVs compare them to their database of towers’ locations. If the verification fails, the transmitter of a given signal is considered to be an attacker. For these approaches to work, the data exchanged between the LVs must be encrypted and authenticated to avoid eavesdropping, modification or replay attacks executed by the attacker.

Although DDT does not suffer from the drawbacks of DRT, DDT requires tight synchronization among the LVs that may be expensive to implement. These transmitter verification methods which verify the authenticity of a given signal by estimating its location and comparing it with the location of known incumbents are insufficient in a full mobile network where the incumbents are mobile and have low power [18].

Both DRT and DDT can be fooled if the attacker is transmitting from the vicinity of the TV tower. A solution to this problem is presented in [7] by combining localization of transmitters with signal energy level detection. The following scenario is used to describe the suggested approach: The network consists of TV tower transmitters and receivers, which represent the primary users. The secondary users are mobile devices with cognitive radio capabilities. The TV towers have a fixed location and an energy level of hundreds of thousands of Watts, while the mobile devices have an energy level of a few hundred milliwatts. This is important because an attacker may try to deceive other secondary users by transmitting from the vicinity of the TV tower, and here the energy level of the transmitter is used in conjunction with its location.

The authors named their approach Localization-based Defense (LocDef), which does transmitter verification in three steps: verification of signal characteristics, measurement of received signal energy level, and localization of the signal source [7]. LocDef uses RSS-based localization that exploits the relationship between signal strength and transmitter location. The strength of a signal decreases as the distance between the transmitter and receiver increases. If a node is able to collect enough signal strength data from the nodes spread through a network, it can create a signal strength model which it can then use to estimate the location of the transmitter. To collect the RSS measurements, an underlying Wireless Sensor Network (WSN) is used. The WSN helps secondary users in spectrum sensing and informs them of opportunities in the network.
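As an added illustration of the transmitter verification in [14] (the Distance Ratio Test run by two LVs against the tower database) and of the energy-level check that LocDef [7] adds for an emitter transmitting from the tower's vicinity. This is example code written for this survey page, not the authors' own implementation; the log-distance path-loss model and its exponent, the tower database entry, the LV coordinates and all transmit powers are constructed assumptions.

```python
import math

# Assumed propagation model: RSS_dBm = Ptx_dBm - 10 * n * log10(d), d in metres.
PATH_LOSS_EXPONENT = 2.0   # assumed exponent n (free-space-like)


def distance(a, b):
    """Euclidean distance between two (x, y) points in metres."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def rss_dbm(p_tx_dbm, tx_pos, rx_pos):
    """Constructed, noise-free RSS a receiver would measure from an emitter."""
    d = max(distance(tx_pos, rx_pos), 1.0)
    return p_tx_dbm - 10 * PATH_LOSS_EXPONENT * math.log10(d)


def distance_ratio_test(tower_pos, lv1, lv2, rss1, rss2, tol_db=3.0):
    """DRT: for the claimed tower, RSS1 - RSS2 must equal 10 n log10(d2/d1),
    where d1, d2 are the tower-to-LV distances from the master LV's database.
    Transmit power cancels in the difference, so it need not be known.
    Returns (passed, deviation_db)."""
    expected = 10 * PATH_LOSS_EXPONENT * math.log10(
        distance(tower_pos, lv2) / distance(tower_pos, lv1))
    deviation = abs((rss1 - rss2) - expected)
    return deviation <= tol_db, deviation


def energy_level_check(tower, lv_pos, rss, tol_db=10.0):
    """LocDef-style check: the transmit power implied by the RSS at the
    claimed tower distance must match the tower's registered power.
    A few-hundred-milliwatt device standing next to a 100 kW tower passes
    DRT but fails here. Returns (passed, implied_ptx_dbm)."""
    d = max(distance(tower["pos"], lv_pos), 1.0)
    implied_ptx = rss + 10 * PATH_LOSS_EXPONENT * math.log10(d)
    return abs(implied_ptx - tower["ptx_dbm"]) <= tol_db, implied_ptx


def verify_transmitter(tower, lv1, lv2, rss1, rss2):
    """Accept the signal as the claimed primary only if both tests pass."""
    drt_ok, _ = distance_ratio_test(tower["pos"], lv1, lv2, rss1, rss2)
    if not drt_ok:
        return "rejected: location ratio mismatch"
    energy_ok, _ = energy_level_check(tower, lv1, rss1)
    if not energy_ok:
        return "rejected: power level mismatch"
    return "primary"


def verdict_for_emitter(tower, lv1, lv2, emitter_pos, emitter_ptx_dbm):
    """Simulate what the two LVs measure from a real emitter (constructed,
    noise-free) and run the verification against the claimed tower."""
    rss1 = rss_dbm(emitter_ptx_dbm, emitter_pos, lv1)
    rss2 = rss_dbm(emitter_ptx_dbm, emitter_pos, lv2)
    return verify_transmitter(tower, lv1, lv2, rss1, rss2)


if __name__ == "__main__":
    # Constructed database entry: a 100 kW (80 dBm) tower at the origin.
    tower = {"pos": (0.0, 0.0), "ptx_dbm": 80.0}
    lv1, lv2 = (5000.0, 0.0), (0.0, 12000.0)
    cases = {
        "genuine tower": ((0.0, 0.0), 80.0),
        "250 mW emitter 10 km away": ((4000.0, 9000.0), 24.0),
        "250 mW emitter beside the tower": ((100.0, 50.0), 24.0),
    }
    for name, (pos, ptx) in cases.items():
        print(f"{name}: {verdict_for_emitter(tower, lv1, lv2, pos, ptx)}")
```

Real RSS readings carry fading and measurement noise, so the tolerances would be set from field calibration rather than the constructed values used here.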

In [19], another localization strategy was suggested by first applying the Time Difference of Arrival (TDOA) method and then the Frequency Difference of Arrival (FDOA). TDOA will run first to provide certain inputs (motion vector) to FDOA, which in turn pinpoints the accurate location of the transmitting source. Both approaches ([19-20]) rely on many assumptions that make them very restrictive and not applicable to general CRN.

Apart from localization, fingerprinting has been used to authenticate the transmission source [21]. Initially, Radio Frequency Fingerprinting (RFF) was proposed as a means of enhancing security in wireless networks [22]. RFF consists of using a certain unique, short-duration distinctive behavior of an emitter, present in the waveforms emitted by a transceiver when it is activated, to identify that emitter. It has been attributed to the acquisition behavior of frequency synthesis systems, modulator subsystems and RF amplifiers, as well as to physical properties of the emitter. The idea is that by monitoring and analyzing a network’s analog signal at the physical layer, it is possible to identify emitters and address security-related issues. Although an optimal solution was claimed, this approach requires heavy computation and large samples of training data. To address this drawback, a cross-layer signal pattern recognition technique was proposed in [21]. This approach exploits a unique property called the Electromagnetic Signature (EMS) (which can be compared to a human biometric feature) of each CR device to build a security sub-system. A PHY attacker model that exploits the adaptability and flexibility of CRN was described. Then, to thwart this attack, waveform pattern recognition is used to identify emitters and detect camouflaging attackers by using the EMS of the transceiver. In this approach, a malicious device is detected based on its signal pattern exceeding certain levels of deviation. The two main processes involved in the execution of this scheme are enrollment, for data collection, and testing, in order to identify a user. This approach is a cross-layer security module which is capable of highlighting distinctions among cognitive radio devices. It is designed to learn the fool-proof initial unique characteristic of CR devices and compare it with subsequent transmissions for validation and authentication. Although this approach was initially suggested to mitigate DoS threats in general, it can be tailored to defend against PUE attacks since it can be used to authenticate the transmission source. However, there is a likely increase in storage requirements and total sensing time due to the overhead of the extra signal processing operations.

Another fingerprinting approach was suggested in [20]. The suggested approach works by erasing the modulation of all received signals to get the carrier with phase noise. The phase noise for each transmitter is random but unique. After applying wavelet and higher-order statistics analysis, the authors generated what they called the fingerprint of the signal. The fingerprint is then used as the basis of transmitter identification to defend against PUE attacks.

In [23], Wald’s sequential probability ratio test is used to detect PUE attacks. The authors assumed that the transmission power of the attacker is fixed. Although detecting PUE attacks is a challenging problem, a more challenging one is to develop effective countermeasures once an attack is identified.

4.1.2 Objective Function Attack

One of the many definitions of cognitive radio states that “Cognitive radio is a smart radio that has the ability to sense the external environment, learn from the history, and make intelligent decisions to adjust its transmission parameters according to the current state of the environment” [24]. The cognitive engine in the adaptive radio is responsible for adjusting the radio parameters in order to meet specific requirements such as low energy consumption, high data rate, and high security. Radio parameters include center frequency, bandwidth, power, modulation type, coding rate, channel access protocol, encryption type, and frame size [1]. The cognitive engine calculates these parameters by solving one or more objective functions, for instance, finding the radio parameters that maximize data rate and minimize power.

When the cognitive engine is running to find the radio parameters appropriate to the current environment, the attacker can launch his attack by manipulating the parameters he has control over (transmission rate) in order to make the results biased and tailored to his interest. In [1], a scenario of an Objective Function attack is presented where the cognitive engine needs to maximize an objective function composed of transmission rate (R) and security (S), i.e., f = w1R + w2S, where w1 and w2 represent the weights of R and S. Whenever the cognitive engine attempts to use a high security level S, the attacker launches a jamming attack on the radio, thus reducing R and hence reducing the overall objective function. The cognitive engine will then refrain from increasing the security level in order not to decrease the objective function. This way, the attacker forces the radio to use a low security level that can be hacked. It is to be noted that this attack is effective on on-line learning radios only and has no effect on off-line learning radios [1][12].

• Defending against Objective Function Attack

No good solution has been suggested to defend against the Objective Function Attack. A simple suggestion has been made in [12] to define threshold values for every updatable radio parameter. If the parameters do not meet the thresholds, the communication stops. They also suggested getting help from a good Intrusion Detection System (IDS).

4.1.3 Jamming
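As an added illustration (not code from the survey, [1] or [12]), the following Python model carries the f = w1R + w2S scenario through: an on-line learner that trusts only the observed objective is pushed to a low security level once the jamming response lowers R, while the threshold rule of [12] refuses to operate below a minimum security level. The weights, nominal rates, jamming response and usability floor are assumed values.

```python
"""Added example, not from the survey: a toy model of the Objective
Function Attack from [1] and the threshold defence suggested in [12].

The cognitive engine maximises f = w1*R + w2*S over a discrete set of
security levels S, observing the rate R the channel actually delivers.
Weights, nominal rates, the jamming response and the usability floor
below are all constructed values for illustration.
"""
from typing import Callable, Dict, Optional

W1, W2 = 1.0, 1.0                                          # weights of R and S
SECURITY_LEVELS = [1, 2, 3, 4, 5]                          # 1 = weakest, 5 = strongest
NOMINAL_RATE = {1: 10.0, 2: 9.5, 3: 9.0, 4: 8.5, 5: 8.0}   # Mbit/s without interference

Channel = Callable[[int], float]   # maps a chosen security level to the observed rate R


def objective(rate: float, security: int) -> float:
    """f = w1*R + w2*S, the objective function of the scenario in [1]."""
    return W1 * rate + W2 * security


def honest_channel(security: int) -> float:
    """Rate observed when nobody interferes: only the cipher overhead costs rate."""
    return NOMINAL_RATE[security]


def attacked_channel(security: int, jam_from_level: int = 3,
                     jammed_rate: float = 2.0) -> float:
    """Rate observed under the attack of [1]: whenever the radio tries a
    security level at or above jam_from_level, jamming collapses R."""
    if security >= jam_from_level:
        return jammed_rate
    return NOMINAL_RATE[security]


def online_learning_choice(channel: Channel) -> int:
    """An on-line learning radio probes every level, records the observed
    objective and keeps the best one.  It cannot tell that the low R at
    high S was caused by an attacker rather than by the channel."""
    observed: Dict[int, float] = {s: objective(channel(s), s) for s in SECURITY_LEVELS}
    return max(observed, key=observed.get)


def thresholded_choice(channel: Channel, min_security: int) -> Optional[int]:
    """Defence from [12]: security is an updatable parameter with a threshold,
    so only levels >= min_security are candidates.  If the best candidate
    cannot meet a usability floor (here half its nominal rate, an assumed
    value), the parameters do not meet the thresholds and communication
    stops, signalled by returning None."""
    candidates = [s for s in SECURITY_LEVELS if s >= min_security]
    if not candidates:
        return None
    observed = {s: objective(channel(s), s) for s in candidates}
    best = max(observed, key=observed.get)
    if channel(best) < 0.5 * NOMINAL_RATE[best]:
        return None
    return best


if __name__ == "__main__":
    print("no attacker, on-line learner  ->", online_learning_choice(honest_channel))    # 5
    print("under attack, on-line learner ->", online_learning_choice(attacked_channel))  # 2
    print("under attack, threshold S>=4  ->", thresholded_choice(attacked_channel, 4))   # None: stop
    print("no attacker, threshold S>=4   ->", thresholded_choice(honest_channel, 4))     # 5
```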

In jamming, the attacker (jammer) maliciously sends out packets to hinder legitimate participants in a communication session from sending or receiving data, consequently creating a denial of service situation. The jammer may send a continuous stream of packets so that a legitimate user never senses the channel as idle, or he can send these packets to the legitimate users and force them to receive junk packets. The jammer can also disrupt communication by blasting a radio transmission, resulting in the corruption of packets received by legitimate users. A more dangerous attack a jammer can perform is to jam the dedicated channel that is used to exchange sensing information between CRs (Common control data attack [25]). An attacker can still do damage if he merely eavesdrops on the control data and learns the new channel the CRN is switching to; he can then jam it. Jamming is an attack that can be performed in the physical and MAC layers. For this reason, we discuss it at the end of the Physical Layer Attacks section, just before the Link Layer Attacks section.

There exist four types of jammers: Constant Jammer, Deceptive Jammer, Random Jammer, and Reactive Jammer [26]. The constant jammer sends out packets of data continuously with no regard to MAC-layer protocols. It doesn’t wait for the channel to be idle; the attacker starts sending its packets without any regard to other users on that channel. The deceptive jammer tricks the legitimate users. It sends out packets continuously, making the other users switch into a receive state and remain in that state as they detect a constant stream of incoming data packets. The random jammer takes breaks between the jamming signals, and during its jamming phase it may behave as a constant or deceptive jammer. It takes some time off to conserve energy in case the jammer doesn’t have an unlimited power supply. The reactive jammer senses the channel at all times, and whenever it senses communication in the channel it starts transmitting the jamming signals. This jammer is harder to detect because it’s not transmitting all the time.

Journal of Internet Technology Volume 12 (2011) No.2

To perform a MAC Layer denial of service attack, an attacker can send out packets on a specific radio channel, causing all devices within radio range to assume that the channel is occupied and postpone their transmission of data [27]. To perform a Physical Layer denial of service attack, an attacker may use a device capable of emitting energy at the same frequency used by other devices to communicate and interfere with their communication. Examples of such devices are programmable radios and waveform generators.

An attack scenario is presented in [28], where a single cognitive radio jams multiple channels by switching through channels quickly after sending the jamming packets for a fixed period. There is an inter-jamming interval between each jamming period on each channel. After sending the jamming packets in the last channel, the attacker revisits the previous channels at the end of the inter-jamming interval, and repeats the jamming cycle.

• Defending against Jamming

Since DoS can be performed at the Link and Physical layers, the detection should be addressed at both layers. In MAC-layer detection, devices can detect a denial of service attack by sensing the channel they want to transmit their packets on. A popular class of medium access control protocols is the one based on carrier-sensing multiple-access (CSMA). In CSMA, a device will continually sense a channel until it detects that it’s idle. Even then, it will wait for some time (propagation delay) before starting to transmit, in order to make sure that the channel is clear. If an attacker is sending packets on the same channel that the legitimate device wants to use for transmission, the legitimate device will never pass carrier sensing and will be forced to back off. Therefore, the device will know that it’s a victim of a denial of service attack. In PHY-layer detection, legitimate devices should be able to distinguish between the normal and abnormal level of noise in a channel. They can do so by collecting enough data about the level of noise in the network and building a statistical model to use for comparison when a denial of service attack occurs [27].

In [26], a jamming detection technique that investigates the relationship between Signal Strength (SS) and Packet Delivery Ratio is suggested. Packet Delivery Ratio (PDR) is the ratio of packets delivered to a destination to the number of packets sent by a transmitter. If SS is high but PDR is low, a legitimate user may assume that it’s being jammed, unless one of its neighbors has both high SS and high PDR. This technique is called Signal Strength Consistency Checks. Another technique, called Location Consistency Checks, is suggested to detect jamming where the location of the neighbors is important and can be acquired through GPS and then advertised by each node. A node concludes that it is jammed when, given its neighbors’ locations, at least a minimal number of packets should have been delivered to them but were not. A node will check its PDR and decide whether the PDR is consistent with what it should see given the location of its neighboring nodes. Theoretically, neighboring nodes that are close to a particular node should have high PDR values, and if all nearby neighbors have low PDR values this may lead to the conclusion that this user is either being jammed or has poor link quality with its neighbors.
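The two consistency checks from [26] described above, as an added example in Python that is not code from the survey or from [26]; the thresholds, neighbour range, positions and all measurements are constructed values for illustration.

```python
"""Added example, not from the survey or [26]: the Signal Strength
Consistency Check and the Location Consistency Check run over constructed
neighbour measurements.  Thresholds, range, positions and measurements
are all assumed values chosen for illustration.
"""
from dataclasses import dataclass
from math import hypot
from typing import List, Tuple

SS_HIGH = -70.0     # dBm: at or above this the received signal is "strong"
PDR_LOW = 0.3       # at or below this the packet delivery ratio is "poor"
PDR_HIGH = 0.8      # at or above this delivery is "good"
NEAR_RANGE = 50.0   # metres: neighbours this close should normally deliver well


@dataclass
class Neighbor:
    name: str
    position: Tuple[float, float]   # advertised by the neighbour (e.g. via GPS)
    reported_ss: float              # SS the neighbour itself reports, dBm
    reported_pdr: float             # PDR the neighbour itself reports, 0..1
    pdr_to: float                   # this node's delivery ratio towards the neighbour


def signal_strength_consistency(own_ss: float, own_pdr: float,
                                neighbors: List[Neighbor]) -> bool:
    """True when high SS together with low PDR points to jamming.
    A neighbour enjoying both high SS and high PDR shows the medium is
    usable, so the node then blames its own link rather than a jammer."""
    if own_ss < SS_HIGH or own_pdr > PDR_LOW:
        return False
    return not any(n.reported_ss >= SS_HIGH and n.reported_pdr >= PDR_HIGH
                   for n in neighbors)


def location_consistency(own_position: Tuple[float, float],
                         neighbors: List[Neighbor]) -> str:
    """Compare delivery towards each neighbour with what its location predicts.
    'inconsistent': every nearby neighbour has low PDR (jammed or poor links);
    'consistent': some nearby neighbour is reached well;
    'undetermined': no neighbour lies within NEAR_RANGE."""
    near = [n for n in neighbors
            if hypot(n.position[0] - own_position[0],
                     n.position[1] - own_position[1]) <= NEAR_RANGE]
    if not near:
        return "undetermined"
    if all(n.pdr_to <= PDR_LOW for n in near):
        return "inconsistent"
    return "consistent"


def assess(own_ss: float, own_pdr: float, own_position: Tuple[float, float],
           neighbors: List[Neighbor]) -> str:
    """Combine both checks: 'jammed' when the SS check fires and no nearby
    neighbour contradicts it, 'link_problem' when PDR is poor for another
    reason, otherwise 'normal'."""
    ss_check = signal_strength_consistency(own_ss, own_pdr, neighbors)
    loc_check = location_consistency(own_position, neighbors)
    if ss_check and loc_check != "consistent":
        return "jammed"
    if own_pdr <= PDR_LOW:
        return "link_problem"
    return "normal"


if __name__ == "__main__":
    # Constructed scenario: strong signal, almost nothing delivered, and both
    # close neighbours report the same picture -> jamming is the consistent explanation.
    sample = [Neighbor("A", (10.0, 0.0), -62.0, 0.15, 0.10),
              Neighbor("B", (30.0, 20.0), -65.0, 0.20, 0.05)]
    print(assess(-60.0, 0.1, (0.0, 0.0), sample))   # jammed
```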

Given the jamming detection techniques just discussed, two strategies could be used to defend against jamming (DoS). The first strategy to escape denial of service is channel surfing, or frequency hopping. In this approach, communicators agree to use a different channel once a denial of service attack is detected through any of the abovementioned detection techniques. The second strategy is spatial retreat, where legitimate users change their location to escape the interference range imposed by the attacker. Two things must be kept in mind in this approach: the users must leave the region where the attacker is located, and they must stay within range of each other to continue communication [27].

4.2 Link Layer Attacks

4.2.1 Spectrum Sensing Data Falsification (SSDF)

Spectrum Sensing Data Falsification, also known as the Byzantine Attack, takes place when an attacker sends false local spectrum sensing results to its neighbors or to the fusion center, causing the receiver to make a wrong spectrum-sensing decision [29][30]. This attack targets centralized as well as distributed CRNs. In a centralized CRN, a fusion center is responsible for collecting all the sensed data and then making a decision on which frequency bands are occupied and which are free. Fooling the fusion center will either deny some legitimate users the use of a free band or allow users to use a band that is already occupied, causing interference. Similar problems occur in a distributed CRN, where decisions about the frequency bands’ status are made via collaboration between CRs. But an SSDF attack could be more harmful in a distributed CRN because the false information can propagate quickly with no means to control it. In a centralized CRN, by contrast, the fusion center can lessen the effect of false information by comparing the data received from all CRs and devising smart techniques to determine which CR might be lying.

An analytical treatment of the attack was presented in [31] in which performance limits are established in terms of the fraction of Byzantine attackers that will make the fusion center blind and when no trust based approach would work. In [32], the system performance under certain quality of service (QoS) constraints was investigated, and the performance of collaborative sensing under malicious attacks and various conditions was studied.


• Defending against Spectrum Sensing Data Falsification

Several data fusion techniques were proposed to detect the Spectrum Sensing Data Falsification (SSDF) Attack. In [33], a decision fusion technique is proposed where all collected local spectrum-sensing results are summed. If the sum is greater than or equal to a certain threshold (a specified value between 1 and the number of sensing terminals), then the final sensing result is “busy,” i.e., it denotes the presence of an incumbent signal. Otherwise, the band is determined to be “free,” i.e., it denotes the absence of an incumbent signal. Because interference to incumbents should be minimized, a conservative strategy is usually favored, which takes a threshold value of one. In this case, even if a band is free, as long as there is one sensing terminal that erroneously reports the presence of an incumbent signal, the final result will be busy, causing a false alarm. If an SSDF attacker exploits this feature and always reports the presence of an incumbent signal as its local spectrum sensing result, then the final result will always be busy. To prevent such a scenario, one can increase the threshold value. However, increasing the threshold value has the downside of increasing the miss detection probability. Moreover, increasing the threshold is ineffective in decreasing the false alarm probability when there are multiple attackers.

In [18], a data fusion technique called Weighted Sequential Ratio Test (WSRT) was proposed to counter Byzantine attacks. In an ad hoc architecture, any node that needs to conduct spectrum sensing becomes a data collector and collects local sensing reports from neighboring nodes. WSRT is composed of two major steps. The first is the reputation maintenance step, where every node initially has a reputation value equal to zero, and upon each correct local spectrum report the reputation value is increased by 1. The second step is the actual hypothesis test step of WSRT, which is based on the Sequential Probability Ratio Test [34] but with some adjustments so that the decision value takes the terminal’s reputation into consideration, unlike the ordinary SPRT applied to the previous data fusion techniques. This WSRT approach is similar to various trust-based data fusion schemes employed in wireless sensor networks (WSNs).

A similar weight-based fusion scheme was proposed in [35] to counter malicious nodes that transmit false sensing signals. In this approach, a trust approach and “pre-filtering techniques” are used. Permanently malicious nodes are of two types, the “Always Yes” type and the “Always No” type. The “always yes” node advertises the presence of a primary user nearby (i.e., increases the probability of false alarm) and the “always no” node advertises the absence of a primary user nearby (i.e., decreases the probability of detection). The approach relies on pre-filtering the data to identify and nullify the malicious users that are sometimes “faulty” rather than permanently faulty, assigning a trust factor to each user (based on statistics from many users) that quickly identifies “Always Yes” and “Always No” nodes, and quantizing the data.

In [36], a detection mechanism is proposed to identify Byzantine attackers by counting mismatches between their local decisions and the global decision at the fusion center over a time window and then removing the Byzantines from the data fusion process. The proposed scheme was shown to be robust against Byzantine attacks and it successfully removed the Byzantines in a very short time span.
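To make the threshold fusion rule of [33], the reputation counter of [18] and the mismatch-window exclusion of [36] concrete, here is an added Python example that is not code from the survey or from any of the cited papers: a fusion centre that combines them and is run against one “Always Yes” terminal. Terminal names, reports, window sizes and the ground truth are constructed; the reputation part is only the counting step of WSRT, not its sequential hypothesis test.

```python
"""Added example, not from the survey or the papers it cites: a fusion
centre that applies the threshold rule of [33], keeps the per-terminal
reputation counter of the first WSRT step in [18], and removes Byzantine
terminals whose local decisions mismatch the global decision too often
within a time window, as in [36].  Everything below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

BUSY, FREE = 1, 0


def threshold_fusion(reports: Dict[str, int], k: int) -> int:
    """Decision fusion of [33]: BUSY if at least k terminals report BUSY.
    k=1 is the conservative OR rule that a single 'always busy' report abuses."""
    if not 1 <= k <= len(reports):
        raise ValueError("k must lie between 1 and the number of terminals")
    return BUSY if sum(reports.values()) >= k else FREE


class FusionCenter:
    def __init__(self, k: int, window: int, max_mismatches: int) -> None:
        self.k = k
        self.window = window                  # [36]: mismatches are counted over this many rounds
        self.max_mismatches = max_mismatches  # more than this within the window -> Byzantine
        self.reputation: Dict[str, int] = defaultdict(int)   # [18]: starts at 0, +1 per correct report
        self.mismatches: Dict[str, List[bool]] = defaultdict(list)
        self.excluded: Set[str] = set()

    def decide(self, reports: Dict[str, int]) -> int:
        """Fuse one round of local reports, then update reputation and exclusion."""
        trusted = {t: r for t, r in reports.items() if t not in self.excluded}
        if not trusted:
            raise RuntimeError("every terminal has been excluded")
        decision = threshold_fusion(trusted, min(self.k, len(trusted)))
        for terminal, report in trusted.items():
            mismatch = report != decision
            if not mismatch:
                self.reputation[terminal] += 1
            hist = self.mismatches[terminal]
            hist.append(mismatch)
            del hist[:-self.window]           # keep only the last `window` rounds
            if sum(hist) > self.max_mismatches:
                self.excluded.add(terminal)   # [36]: drop the Byzantine from fusion
        return decision


def simulate(truths: List[int], k: int, window: int = 3,
             max_mismatches: int = 2) -> Tuple[List[int], FusionCenter]:
    """Constructed scenario: three honest terminals report the true band state
    every round; one 'Always Yes' SSDF terminal (the type named in [35])
    reports BUSY every round."""
    fc = FusionCenter(k, window, max_mismatches)
    decisions = []
    for truth in truths:
        reports = {"h1": truth, "h2": truth, "h3": truth, "attacker": BUSY}
        decisions.append(fc.decide(reports))
    return decisions, fc


def false_alarms(decisions: List[int], truths: List[int]) -> int:
    """Rounds in which a free band was declared busy."""
    return sum(1 for d, t in zip(decisions, truths) if t == FREE and d == BUSY)


if __name__ == "__main__":
    truths = [FREE, FREE, FREE, BUSY, FREE, FREE]
    for k in (1, 2):
        decisions, fc = simulate(truths, k)
        print(f"k={k}: decisions={decisions} false alarms={false_alarms(decisions, truths)} "
              f"excluded={sorted(fc.excluded)}")
```

With k=1 the attacker dictates every global decision, so it never mismatches and the mismatch counter ends up excluding the honest terminals instead; with k=2 the honest majority wins each round and the attacker is excluded after three rounds, which is exactly why raising the threshold is the first fix the text mentions.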

In [37], another Bayesian detection mechanism was proposed that requires the knowledge of a priori conditional probabilities of the local spectrum sensing result (i.e., presence or absence of incumbent). It also requires the knowledge of a priori probabilities of the final sensing result. Several combination cases exist from these local and final sensing results. These cases are either correct or wrong. A small cost is assigned to the correct ones and a large cost is assigned to the wrong ones. The overall cost is the sum of all the costs weighted by the probabilities of the corresponding cases. Bayesian detection outputs a final spectrum sensing result that minimizes the overall cost. When a network is under SSDF attacks, the values of the a-priori conditional probabilities of the local terminal sensing are not trustworthy. As a result, Bayesian detection is no longer optimal in terms of minimizing the overall cost.

In [38], the Neyman-Pearson test was proposed, which does not rely on knowledge of the a priori probabilities of the final sensing result or on any cost associated with each decision case. Instead, it needs to define either a maximum acceptable probability of false alarm or a maximum acceptable probability of miss detection. The Neyman-Pearson test guarantees that the other probability is minimized while the defined probability stays within its acceptable bound. As with Bayesian detection, the Neyman-Pearson test also requires knowledge of the a priori conditional probabilities of the local sensing.

A malicious user detection algorithm that calculates the suspicious level of secondary users based on their past reports was proposed in [39]. This algorithm calculates trust values as well as consistency values that are used to eliminate the malicious users’ influence on the primary user detection results. The results show that even a single malicious user can significantly degrade the performance of collaborative sensing. The trust value indicator can effectively differentiate honest and malicious secondary users. Furthermore, when a good user suddenly turns bad, the proposed scheme can quickly reduce the trust value of this user. If this user only behaves badly a few times, its trust value can recover after a large number of good behaviors. If the bad behavior is consistent, the trust value becomes almost impossible to recover.

In all the previous approaches, sensing results must be authenticated and a robust data fusion scheme must be deployed. This can be ensured through utilizing a sequential probability ratio test which collects more results and thus guarantees better decisions. Another solution would be to incorporate a “reputation-based scheme” into the DSS that ensures reputation maintenance and apply reputation information to data fusion.

Although the trust-based schemes presented above have shown satisfactory performance in some settings, an analytical study of their performance has not been carried out. Moreover, there is a lack of references on how severely the attacks would degrade the system performance.

4.2.2 Control Channel Saturation DoS Attack (CCSD)

In a multi-hop CRN, CRs communicate with each other after performing a channel negotiation process in a distributed manner. During the negotiation phase, MAC control frames are exchanged to reserve the channel. When many CRs want to communicate at the same time, the common control channel becomes a bottleneck as the channel can only support a certain number of concurrent data channels. An attacker can utilize this feature and generate forged MAC control frames for the purpose of saturating the control channel, thus decreasing the network performance due to Link layer collisions. As discussed in [40-41], the Control Channel Saturation DoS Attack leaves the CRN with a near-zero throughput. It is important to note that this attack only works on multi-hop CRNs and does not work on centralized CRNs. This is because in centralized CRNs, all MAC control frames are authenticated and stamped by the base station, which makes forging MAC control frames an infeasible task. The mechanism used to defend against this attack will be discussed in the next section.

4.2.3 Selfish Channel Negotiation (SCN)

In a multi-hop CRN, a CR host can refuse to forward any data for other hosts. This allows it to conserve its energy and increase its own throughput, the result of selfish channel concealment [41]. Similar objectives can be achieved if the selfish host is able to alter the proper MAC behavior of the CR devices. For instance, if the host decreases its own back-off window size, it will have a higher chance of claiming the channel at the expense of other CR hosts. This attack can also severely degrade the end-to-end throughput of the whole CRN [41].

• Defending against Control Channel Saturation and Selfish Channel Negotiation

Mitigating CCSD and SCN can be done by adopting a trusted architecture where any suspicious CR host is monitored and evaluated by its neighbors. A neighbor can then perform a sequential analysis on the set of observation data and reach a final decision on whether the host is misbehaving or not. The Sequential Probability Ratio Test can be used for that purpose as it has proven its efficiency in terms of detection time [41].

4.3 Network Layer Attacks

Much research has focused on the development of MAC and PHY layer protocols for CRNs; unfortunately, the end-to-end flow of packets has received insufficient attention. In addition, CRs introduce challenges to routing due to the novel way they operate. Routing challenges faced in CRNs originate from the need for CR activities to remain transparent to primary users. In addition, CR nodes are required to leave any channel as soon as a primary user is detected on that channel, which complicates the routing design even more. The three architectures of CRNs make the network vulnerable to some old-fashioned wireless network attacks. CRNs also exhibit many similarities with sensor networks in the sense that they both use multi-hop routing protocols and both have power constraints. A good survey on sensor network attacks can be found in [42]. In what follows, we discuss two of the most relevant attacks on CRNs, namely sinkholes and HELLO floods.

4.3.1 Sinkhole Attacks

In a sinkhole attack, an attacker advertises itself as the best route to a specific destination, luring neighboring nodes to use it to forward their packets [42]. An attacker may use this to perform another attack called selective forwarding, where the attacker is able to modify or discard packets from any node in the network. The attack is particularly effective in the infrastructure and mesh architectures, as all traffic goes through a base station, allowing the attacker to falsely claim that it is the best route for packet forwarding.

• Defending against Sinkhole Attacks

A sinkhole attack is hard to detect because it exploits the very design of the routing protocol and network architecture. However, geographic routing protocols are fortified against the attack. Geographic routing protocols construct a topology on demand using only local communications and information, without initiation from the base station. Thus, traffic will be routed to the physical location of the base station, and it will be difficult to lure it elsewhere to create a sinkhole [42].


4.3.2 HELLO Flood Attacks

The HELLO flood attack is accomplished when an attacker sends a broadcast message to all the nodes in a network with enough power to convince them that it is their neighbor [42]. For example, an attacker sending a packet advertising a high quality link to a specific destination will encourage even far away nodes to use this route, convincing them that he is their neighbor. However, their packets will be lost, and if a node discovers the attack it will be left with no neighbors to forward its packets because all of them will be using the same route.

• Defending against HELLO Flood Attacks

To counter HELLO flood attacks, a symmetric key should be shared with a trusted base station [42]. The base station acts as a Trusted Third Party, as in Kerberos, and facilitates the establishment of session keys between parties in the network in order to protect their communication. Consequently, two nodes may use the session key to verify each other’s identity, as well as to authenticate and encrypt the link between them. To prevent an attacker from creating a session key with every node on the network, the number of shared keys must be limited. In addition, a node claiming to be the neighbor of a large number of nodes in the network should raise an alarm. Symmetric key algorithms are suggested because they are known to be faster and have lower overhead on system resources.

• General Techniques to Defend against Network Layer Attacks

In general, one can defend against routing attacks by using a secure routing protocol, such as the Secure Efficient Ad hoc Distance vector routing protocol (SEAD) [43]. SEAD protects against denial of service attacks as it uses a one-way hash function instead of asymmetric encryption to prevent attackers’ attempts to cause other nodes to use more network bandwidth or processing time. The protocol operates as a distance-vector routing protocol, and its design is based on the Destination-Sequenced Distance-Vector protocol (DSDV).

Another effective mechanism to defend against routing attacks is to use a cross-layer solution to make the transmission more efficient [44]. It suggests that, instead of the router deciding directly, the routing algorithm and spectrum management should be considered together when making channel scheduling decisions.

4.4 Transport Layer Attacks

As with the other layers, the Transport layer in a CR node is also vulnerable to many of the attacks that target wireless Ad Hoc networks in general, for instance the JellyFish attack [45]. In what follows, we only consider a transport layer attack named the Lion Attack [46] because of its close relevance to CRNs.

4.4.1 Lion Attack

The Lion attack uses the primary user emulation (PUE) attack to disrupt the Transmission Control Protocol (TCP) connection. The Lion attack can be considered a cross-layer attack, performed at the physical/link layer and targeted at the transport layer, where emulating a licensed transmission forces a CRN to perform frequency handoffs and thereby degrades TCP performance. When a PUE attack is performed, all SUs have to do a frequency handoff in order to free the channel for the primary user. When this handoff takes place, TCP will not be aware of the handoff and will keep creating logical connections and sending packets without receiving acknowledgments. The TCP segments will then start to time out, and consequently TCP retransmits them with an increased timeout value. As a result, the retransmission timer backs off by doubling its value, resulting in delays and packet loss. Additionally, if an attacker can intercept the messages, it can predict the frequency band tested in a handoff and claim it using PUE, resulting in total network starvation.

• Defending against Lion Attack

To mitigate the Lion attack, Hernandez-Serrano et al. suggest a mechanism that starts by making the TCP protocol aware of what is happening in the physical layer by employing cross-layer data sharing between the physical/link and transport layers [47]. This way, the CRN devices will be able to freeze TCP connection parameters during frequency handoffs and adapt them to the new network conditions after the handoff. To secure the control data in order to prevent the attacker from eavesdropping on current and future actions of the CRN, group key management (GKM) can then be used to allow CRN members to encrypt, decrypt and authenticate themselves. Finally, cross-layer IDSs specifically adapted to CRNs can be used as a technique to find the attack source if it still exists.

Finally, cognitive radios must have some common sense [1]. Policies must be defined to cover all scenarios. In addition, some sort of cooperation between the different cognitive radios can be beneficial. In [1] a technique called particle swarm optimization (PSO) is mentioned. Each cognitive radio is a particle, and each has its own idea about what is the best behavior in a particular situation. However, this behavior is not dependent solely on its own idea, but a weighted average of all the ideas in the network. Next, we evaluate the countermeasures suggested in section 4.


5 Evaluation Study

In this section, we evaluate the suggested countermeasures, assigning a grade to each one. For every layer, we include the attack, its countermeasures, an evaluation discussion, and a grade. Three grades are used as follows:

- √ indicates that the suggested countermeasure is good and works for almost all scenarios

- indicates that the suggested countermeasure is very restrictive in the sense that it only applies to very specific scenarios or it requires the addition of extra infrastructure that does not normally exist in CRNs, for instance WSNs or LVs.

- indicates that the suggested countermeasure includes some minor drawbacks, but is acceptable.

Tables 1, 2, 3, and 4 present the evaluation of the attack countermeasures of the Physical, Link, Network, and Transport layers, respectively.

The conclusion that can be drawn from Table 1 is that a complete solution can be formulated to defend against Physical Layer attacks in CRNs by combining fingerprinting, frequency hopping, and thresholding (to thwart OFA). The conclusion extracted from Table 2 is that by adopting a trusted CRN architecture and using a Weighted Sequential Ratio Test one can defend against Link Layer attacks. Tables 3 and 4 indicate that the suggested countermeasures are well suited to defend against Network and Transport layer attacks. Therefore, by combining these countermeasures (the ones graded as √), one can achieve a secure CRN. Although this suggestion can potentially produce the ultimate secure CRN, it might face performance problems. Other approaches were suggested to achieve a secure CRN; we discuss them next.

6 Sample Frameworks for Secure CRNs

It is obvious from section 4 that CRNs are vulnerable to many serious attacks that hinder their usefulness. As discussed earlier, various mitigation techniques were suggested for each category of CRN attacks. In order to form a secure CRN, all these mitigation techniques need to be incorporated in the same CRN. However, such a solution becomes a bottleneck as most of the CR nodes’ processing power will be spent on security checks. As an alternative, some researchers suggested building various security frameworks for CRNs. The suggestions can be mainly categorized into: cryptography based, reputation based, and trust based.

In [48], a CRN security framework based on cryptography is suggested that aims to provide authentication, confidentiality and integrity for CR node interactions. The framework uses the 802.1X access control mechanism, a Key Distribution Center (KDC), a new CR terminal identification policy, and modified DHCP servers, which in turn work together to provide proper resource allocation and message authentication in DHCP transactions. The KDC is also used to authenticate the mapping between the addresses used in the ARP protocol (MAC and IP addresses), and to distribute session keys to neighboring CR terminals, allowing them to share a secure dedicated channel. This architecture achieves security in CRNs since all services are supported by secret session keys shared between interacting devices. However, no experimental evaluation was done to prove the effectiveness of this approach.

In [49], a reputation-based mechanism is suggested to identify and mitigate the harm done by misbehaving CRs that falsify sensed data while cooperative spectrum sensing is taking place. The scheme starts by choosing some nodes as trusted. It then categorizes the reputation of each CR into three states: discarded, pending and reliable. The sensing information of the trusted nodes is reliable by default. The reputation of the other CRs is initially assigned the pending state, and their reputations are accumulated through a consistency check between global and local sensing decisions. Those that exceed the trusted threshold are updated to reliable, and their sensing results are then incorporated in CSS. The others are changed to discarded. Simulation results show that the scheme works well even when there is a large number of misbehaviors.

In [50], a trusted cognitive radio networking (TCRN) concept is suggested to facilitate network functions such as association in dynamic spectrum access and routing. The authors argue that two major components should be present in a CRN trust model: trusted association and learning algorithms. Trusted association consists of the initial decision for a node to accept or reject the trusted association from a neighboring CR node. Moreover, each CR node should keep track of the information it collects and employ appropriate learning algorithms in order to make better decisions regarding trust measures, packet forwarding, and routing. TCRN was formulated mathematically, and the authors concluded that TCRN can allow more homogeneous operation of a CRN as a heterogeneous wireless network.

7 Conclusion

In this paper, we described the most recent and important attacks targeting CRNs. We classified them according to the layer they operate on and presented their existing countermeasures. We then evaluated all the countermeasures, giving each one a grade that reflects its effectiveness. According to these evaluations, we suggested combining the countermeasures that we think will produce the ultimate secure CRN. Such a suggestion should normally be supported by simulation results, but we keep this as part of our future work. We also overviewed the works that suggest building security frameworks for CRNs from scratch.

Table 1 Physical layer threats, countermeasures, and evaluations (√ in the Grade field marks a countermeasure rated effective)

Threat: Primary User Emulation
  Countermeasure: Cryptographic authentication of primary users
  Evaluation: Does not work, as it requires altering the primary user system, which violates FCC regulations

  Countermeasure: Distance Ratio Test (DRT), based on signal strength measurements [14]
  Evaluation: Depends on trusted nodes called Location Verifiers (LVs). The major drawback is that tight synchronization among LVs is required, and the test can be fooled if the attacker is close to the tower

  Countermeasure: Distance Difference Test (DDT), based on signal phase difference [14]
  Evaluation: Same as DRT

  Countermeasure: LocDef, based on localization of the primary user [7]
  Evaluation: Depends on a Wireless Sensor Network (WSN) to collect RSS measurements; the RSS measurement of the primary user is compared to the collected ones. The major drawback is the addition of the WSN

  Countermeasure: Localization strategy that applies TDOA and then FDOA [19][20]
  Evaluation: The major drawback is that it relies on many assumptions, which make it very restrictive and not applicable to general CRNs

  Countermeasure: Wald's sequential probability ratio test used to detect PUE [23]
  Evaluation: The major drawback is that it assumes the transmission power of the attacker is fixed

  Countermeasure: Fingerprinting approaches that authenticate the transmission source [21]
  Evaluation: Of the suggested countermeasures, this one is considered the best, but storage requirements and total sensing time are likely to increase because of the overhead of the extra signal processing operations

Threat: Objective Function Attack
  Countermeasure: Define threshold values for every updatable radio parameter; if the parameters do not meet the thresholds, the communication stops [12]
  Evaluation: The major drawback is that it depends on fixed thresholds. A considerable improvement would be to make these thresholds adaptive

  Countermeasure: Use an Intrusion Detection System (IDS) [12]
  Evaluation: An IDS is a very general countermeasure that does not defend against all kinds of OFA

Threat: Jamming
  Countermeasure: Collect enough data on the noise level in the network and build a statistical model for distinguishing normal from abnormal noise levels [27]
  Evaluation: The drawback lies in the definition of "enough data", i.e., the appropriate amount of data that should be used to build the model

  Countermeasure: Compare Signal Strength (SS) and Packet Delivery Ratio (PDR): if SS is high but PDR is low, a legitimate user may assume it is being jammed unless one of its neighbors has high SS and high PDR [26]
  Evaluation: No rule decides what "high" and "low" mean in "if SS is high but PDR is low". This is a major weakness of the suggested approach

  Countermeasure: Location consistency checks [26]
  Evaluation: The location of the neighbors is important and can be acquired through GPS, but GPS might not always be available in a CRN

  Countermeasure: Frequency hopping
  Evaluation: Good solution for jamming
  Grade: √

  Countermeasure: Spatial retreat
  Evaluation: The user should be very careful when escaping from the attacker's jamming signal, since it must stay within range of the user it is communicating with
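The two jamming detectors in Table 1, the statistical noise model of [27] and the SS/PDR consistency check with neighbor corroboration of [26], as one added example; this is illustrative code, not code from either paper or from this survey. The node names, calibration samples, link measurements, and the parameters ss_high, pdr_low, the z-score cut-off and the minimum sample count are all constructed assumptions. They are explicit parameters precisely because the evaluation column notes that "enough data" and "high"/"low" are left undefined.

```python
"""Jamming detection from a noise model and an SS/PDR consistency check.

Added example for the two jamming detectors in Table 1; it is not code from
[26], [27] or this survey. Calibration samples, link measurements, node names
and every threshold below are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass
class NoiseModel:
    """Statistical model of the ambient noise level (dBm), as in the first
    jamming countermeasure of Table 1."""
    mu: float
    sigma: float

    @classmethod
    def fit(cls, calibration_dbm, min_samples=30):
        # "Enough data" is undefined on the page; here it is an explicit,
        # assumed minimum sample count so a model cannot be fitted on a
        # handful of readings.
        if len(calibration_dbm) < min_samples:
            raise ValueError(f"need at least {min_samples} calibration samples")
        return cls(mean(calibration_dbm), stdev(calibration_dbm))

    def is_abnormal(self, reading_dbm, z=3.0):
        # A jammer raises the noise floor, so only upward deviations count.
        return (reading_dbm - self.mu) / self.sigma > z


@dataclass
class LinkStats:
    node: str
    ss_dbm: float  # signal strength of frames received from the peer
    pdr: float     # packet delivery ratio, 0.0 .. 1.0


def ss_pdr_consistency(me, neighbors, ss_high, pdr_low):
    """SS/PDR check of [26] with neighbor corroboration.

    Returns "normal", "jammed" or "link_fault". The verdict depends on the
    assumed cut-offs ss_high and pdr_low, which the page leaves undefined.
    """
    if not (me.ss_dbm >= ss_high and me.pdr <= pdr_low):
        return "normal"  # the rule only fires on high SS combined with low PDR
    # A neighbor with high SS and good PDR shows the channel is usable, so
    # the low PDR is more likely a local link problem than jamming.
    for n in neighbors:
        if n.ss_dbm >= ss_high and n.pdr > pdr_low:
            return "link_fault"
    return "jammed"


def assess(me, neighbors, model, noise_reading_dbm, ss_high, pdr_low):
    """Combine both checks; 'likely_jammed' requires both to agree (assumption)."""
    noise_abnormal = model.is_abnormal(noise_reading_dbm)
    consistency = ss_pdr_consistency(me, neighbors, ss_high, pdr_low)
    return {
        "noise_abnormal": noise_abnormal,
        "ss_pdr": consistency,
        "likely_jammed": noise_abnormal and consistency == "jammed",
    }


# Constructed calibration trace: quiet channel around -95 dBm, 40 samples.
_OFFSETS = [0.0, 0.4, -0.4, 0.2, -0.2, 0.6, -0.6, 0.1, -0.1, 0.3]
CALIBRATION_DBM = [-95.0 + d for d in _OFFSETS * 4]

# Constructed current measurements for node n0 and its neighbors.
ME = LinkStats("n0", ss_dbm=-65.0, pdr=0.20)
NEIGHBORS = [LinkStats("n1", ss_dbm=-68.0, pdr=0.15),
             LinkStats("n2", ss_dbm=-80.0, pdr=0.10)]
NOISE_NOW_DBM = -70.0  # noise floor observed while the PDR collapsed


def demo():
    """Same measurements, two choices of ss_high: the verdict flips."""
    model = NoiseModel.fit(CALIBRATION_DBM)
    strict = assess(ME, NEIGHBORS, model, NOISE_NOW_DBM, ss_high=-70.0, pdr_low=0.5)
    loose = assess(ME, NEIGHBORS, model, NOISE_NOW_DBM, ss_high=-60.0, pdr_low=0.5)
    return {"ss_high=-70": strict, "ss_high=-60": loose}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

Running demo() shows the weakness the table points out: with ss_high = -70 dBm the node is classed as jammed, with ss_high = -60 dBm the same measurements are classed as normal, so the detector is only as good as the cut-offs chosen for it.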


Journal of Internet Technology Volume 12 (2011) No.2

Table 2 Link Layer Threats, Countermeasures, and Evaluations (√ in the Grade field marks a countermeasure rated effective)

Threat: Spectrum Sensing Data Falsification (Byzantine attack)
  Countermeasure: Decision fusion technique in which all collected local spectrum-sensing results are summed and compared to a threshold to detect an attack [33]
  Evaluation: The major drawback is the use of fixed thresholds; in this particular countermeasure, raising or lowering the threshold has a major impact on the decision. Moreover, the method is ineffective in many scenarios involving multiple attackers

  Countermeasure: Weighted Sequential Probability Ratio Test (WSPRT) [18]
  Evaluation: The solution is composed of two steps: a reputation maintenance step and the actual hypothesis test. No analytical studies have been conducted, but performance is good

  Countermeasure: Weight-based fusion scheme [35]
  Evaluation: Uses a trust approach and pre-filtering techniques. Shows good performance
  Grade: √

  Countermeasure: Detection mechanism that runs in the fusion center [36]
  Evaluation: The fusion center identifies the attackers and removes them from the data fusion process. Only works when a centralized fusion center exists

  Countermeasure: Detection mechanism that requires a priori knowledge [37]
  Evaluation: The major drawback is that the a priori knowledge can no longer be trusted when the network is under SSDF attack, so the suggested detection mechanism is no longer optimal in terms of minimizing the overall cost

  Countermeasure: Neyman-Pearson test [38]
  Evaluation: Works by fixing either a maximum acceptable probability of false alarm or a maximum acceptable probability of missed detection. It still requires the a priori conditional probabilities of the local sensing

  Countermeasure: Detection mechanism based on trust [39]
  Evaluation: The major drawback is that the scheme cannot be applied to scenarios with multiple malicious users

Threat: Control Channel Saturation DoS Attack
  Countermeasure: Detection mechanism based on trust [41]
  Evaluation: The suggested countermeasure adopts a trusted architecture in which any suspicious CR host is monitored and evaluated by its neighbors. A neighbor can then perform a Sequential Probability Ratio Test to reach a final decision on whether the host is misbehaving. Its performance is shown to be good

Threat: Selfish Channel Negotiation
  Countermeasure: Detection mechanism based on trust [41]
  Evaluation: The same countermeasure suggested for the Control Channel Saturation DoS attack works for this attack
  Grade: √
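The reputation scheme of [49] described in the previous section (trusted nodes, pending/reliable/discarded states, consistency check against the global decision), run side by side with the fixed-threshold decision fusion in the first row of Table 2, as one added example serving both passages; this is illustrative code, not code from [49], [33] or this survey. The node names, the sensing trace, the reputation thresholds (+3 to become reliable, -3 to be discarded), the tie-break toward "busy", the model of attackers that always invert their report, and the two sensing errors of node h2 are constructed assumptions.

```python
"""Reputation-based cooperative spectrum sensing with trusted nodes.

Added example, not code from [49], [33] or this survey. It models the three
reputation states (pending, reliable, discarded), the consistency check
between each node's local decision and the global decision, and contrasts
the outcome with fixed-threshold decision fusion under a spectrum sensing
data falsification (SSDF) attack. Node names, the sensing trace, the
reputation thresholds and the attacker model are constructed assumptions.
"""
from dataclasses import dataclass, field

BUSY, IDLE = 1, 0

# Constructed ground truth per sensing round: 1 = primary user transmitting.
TRUE_STATES = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1]

TRUSTED = ["t0", "t1"]                      # trusted by default (e.g. operator-deployed)
HONEST = ["h0", "h1", "h2"]                 # honest but initially unverified
ATTACKERS = ["a0", "a1", "a2", "a3", "a4"]  # SSDF: always report the opposite of the truth
SENSING_ERRORS = {"h2": {1, 4}}             # rounds in which h2's detector misreads (assumed)


def local_reports(round_no, truth):
    """Local sensing decision of every node in one round (constructed model)."""
    reports = {}
    for n in TRUSTED + HONEST:
        misread = round_no in SENSING_ERRORS.get(n, set())
        reports[n] = truth ^ 1 if misread else truth
    for n in ATTACKERS:
        reports[n] = truth ^ 1
    return reports


def threshold_fusion(reports, k):
    """Fixed-threshold fusion (first row of Table 2): busy if at least k nodes say busy."""
    return BUSY if sum(reports.values()) >= k else IDLE


@dataclass
class ReputationFusion:
    trusted: set
    reliable_at: int = 3     # reputation needed to move pending -> reliable (assumed)
    discard_at: int = -3     # reputation at which pending -> discarded (assumed)
    state: dict = field(default_factory=dict)
    reputation: dict = field(default_factory=dict)

    def state_of(self, node):
        if node in self.trusted:
            return "trusted"
        return self.state.setdefault(node, "pending")

    def decide(self, reports):
        """Global decision from trusted + reliable nodes, then update the pending ones."""
        voters = [n for n in reports if self.state_of(n) in ("trusted", "reliable")]
        busy_votes = sum(reports[n] for n in voters)
        # Tie breaks toward BUSY: missing the primary user is the costlier error.
        decision = BUSY if 2 * busy_votes >= len(voters) else IDLE
        for n in reports:
            if self.state_of(n) != "pending":
                continue  # trusted, reliable and discarded states are final here
            self.reputation[n] = self.reputation.get(n, 0) + (1 if reports[n] == decision else -1)
            if self.reputation[n] >= self.reliable_at:
                self.state[n] = "reliable"
            elif self.reputation[n] <= self.discard_at:
                self.state[n] = "discarded"
        return decision


def run_simulation():
    """Returns the error counts of both fusion rules and the final reputation states."""
    fusion = ReputationFusion(trusted=set(TRUSTED))
    naive_errors = rep_errors = 0
    for r, truth in enumerate(TRUE_STATES):
        reports = local_reports(r, truth)
        if threshold_fusion(reports, k=len(reports) // 2 + 1) != truth:
            naive_errors += 1
        if fusion.decide(reports) != truth:
            rep_errors += 1
    states = {n: fusion.state_of(n) for n in TRUSTED + HONEST + ATTACKERS}
    return {"naive_errors": naive_errors, "reputation_errors": rep_errors, "states": states}


if __name__ == "__main__":
    print(run_simulation())
```

With five attackers against five honest nodes, the majority threshold never sees enough "busy" votes, so threshold fusion misses the primary user in every round in which it transmits, the multiple-attacker failure noted in Table 2. The reputation scheme bootstraps from the two trusted nodes, promotes the honest nodes after three consistent rounds (h2 a few rounds later because of its two sensing errors), discards the attackers after three inconsistent rounds, and makes no wrong global decision.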

Table 3 Network Layer Threats, Countermeasures, and Evaluations (√ in the Grade field marks a countermeasure rated effective)

Threat: Sinkhole Attack
  Countermeasure: Geographic routing protocols [42]
  Evaluation: Traffic is routed toward the physical location of the base station. Presents a good solution for sinkhole attacks

Threat: HELLO Flood Attack
  Countermeasure: Symmetric-key based algorithm [42]
  Evaluation: The base station acts as a Trusted Third Party and facilitates the establishment of session keys between parties in the network. Presents a good solution for HELLO Flood attacks

Threat: Other Attacks
  Countermeasure: Use the SEAD protocol [43]
  Evaluation: Protects against attacks by using a one-way hash function
  Grade: √

Table 4 Transport Layer Threats, Countermeasures, and Evaluations (√ in the Grade field marks a countermeasure rated effective)

Threat: Lion Attack
  Countermeasure: Cross-layer detection-based mechanism [47]
  Evaluation: Good solution
  Grade: √


References

[1] T. Charles Clancy and Nathan Goergen, Security in Cognitive Radio Networks: Threats and Mitigation, International Conference on Cognitive Radio Oriented Wireless Networks and Communications (CrownCom), Singapore, May, 2008, pp.1-8.

[2] Kwang Cheng Chen, Y. J. Peng, Neeli Rashmi Prasad, Y. C. Liang and Sumei Sun, Cognitive Radio Network Architecture: part I -- General Structure, Proceedings of the 2nd International Conference on Ubiquitous Information Management and Communication, Suwon, South Korea, January, 2008, pp.114-119.

[3] Vinod Sharma and ArunKumar Jayaprakasam, An Efficient Algorithm for Cooperative Spectrum Sensing in Cognitive Radio Networks, Proceedings of National Communications Conference (NCC), Guwahati, India, January, 2009.

[4] Cognitive Radio Ad Hoc Networks, Broadband Wireless Networking Lab, School of Electrical and Computer Engineering, Georgia Inst of Tech. URL: http://www.ece.gatech.edu/research/labs/bwn/CRAHN/projectdescription.html

[5] Wenjing Yue and Baoyu Zheng, A Two-Stage Spectrum Sensing Technique in Cognitive Radio Systems Based on Combining Energy Detection and One-Order Cyclo-Stationary Feature Detection, Proceedings of the 2009 International Symposium on Web Information Systems and Applications (WISA’09), Nanchang, China, May, 2009, pp.327-330.

[6] Rajesh K. Sharma and Jon W. Wallace, Improved Spectrum Sensing by Utilizing Signal Autocorrelation, Proceedings of IEEE Vehicular Technology Conference, Barcelona, Spain, April, 2009, pp.1-5.

[7] Ruiliang Chen, Jung-Min Park and Jeffrey H. Reed, Defense against Primary User Emulation Attacks in Cognitive Radio Networks, IEEE Journal on Selected Areas in Communications, Vol.26, No.1, 2008, pp.25-37.

[8] Huahui Wang, Leonard Lightfoot and Tongtong Li, On PHY-Layer Security of Cognitive Radio: Collaborative Sensing under Malicious Attacks, 44th Annual Conference on Information Sciences and Systems (CISS), Princeton, NJ, March, 2010, pp.1-6.

[9] Eric Wong and Rene Cruz, On Physical Carrier Sensing for Cognitive Radio Networks, Forty-Fifth Annual Allerton Conference on Communication, Control, and Computing, Allerton House, UIUC, IL, September, 2007.

[10] Bertrand Mercier, Viktoria Fodor, Ragnar Tobaben et al., Sensor Networks for Cognitive Radio: Theory and System Design, ICT Mobile Summit, Stockholm, Sweden, June, 2008.

[11] Tevfik Yucek and Huseyin Arslan, A Survey of Spectrum Sensing Algorithms for Cognitive Radio Applications, IEEE Communications Surveys & Tutorials, Vol.11, No.1, 2009, pp.116-130.

[12] Olga León, Juan Hernández-Serrano and Miguel Soriano, Securing Cognitive Radio Networks , International Journal of Communication Systems, Vol.23, No.5, 2010, pp.633-652.

[13] Xueying Zhang and Cheng Li, The Security in Cognitive Radio Networks: A Survey, Proceedings of the 2009 ACM International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly (IWCMC ‘09), New York, 2009, pp.309-313.

[14] Ruiliang Chen and Jung-Min Park, Ensuring Trustworthy Spectrum Sensing in Cognitive Radio Networks, First IEEE Workshop on Networking Technologies for Software Defined Radio Networks (SDR), Reston, VA, September, 2006, pp.110-119.

[15] Yiyang Pei, Ying-Chang Liang, Lan Zhang, Kah Chan Teh and Kwok Hung Li, Secure Communication Over MISO Cognitive Radio Channels, IEEE Transactions on Wireless Communications, Vol.9, No.4, 2010, pp.1494-1502.

[16] Ruiliang Chen, Enhancing Attack Resilience in Cognitive Radio Networks, Dissertation, Virginia Polytechnic Institute and State University, Blacksburg, VA, 2008.

[17] Santhanakrishnan Anand, Zituo Jin and Koduvayur Subbalakshmi, An Analytical Model for Primary User Emulation Attacks in Cognitive Radio Networks, 3rd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks (DySPAN), Chicago, IL, October, 2008.

[18] Ruiliang Chen, Jung-Min Park, Y. Thomas Hou and Jeffrey H. Reed, Toward Secure Distributed Spectrum Sensing in Cognitive Radio Networks, IEEE Communications Magazine, Vol.46, No.4, 2008, pp.50-55.

[19] Lianfen Huang, Liang Xie, Han Yu, Wumei Wang and Yan Yao, Anti-PUE Attack Based on Joint Position Verification in Cognitive Radio Networks, International Conference on Communications and Mobile Computing (CMC), Vol.2, Shenzhen, China, April, 2010, pp.169-173.

[20] Caidan Zhao, Wumei Wang, Lianfen Huang and Yan Yao, Anti-PUE Attack Based on the Transmitter Fingerprint Identification in Cognitive Radio, 5th International Conference on Wireless Communications, Networking and Mobile Computing (WiCom ‘09), Beijing, China, September, 2009, pp.1-5.


[21] O. Richard Afolabi, Kiseon Kim and Aftab Ahmad, On Secure Spectrum Sensing in Cognitive Radio Networks Using Emitters Electromagnetic Signature, Proceedings of 18th International Conference on Computer Communications and Networks (ICCCN 2009), San Francisco, CA, August, 2009, pp.1-5.

[22] Oktay Ureten and Nur Serinken, Wireless Security through RF Fingerprinting, Canadian Journal of Electrical and Computer Engineering, Vol.32, No.1, 2007, pp.27-33.

[23] Zituo Jin, Santhanakrishnan Anand and Koduvayur Subbalakshmi, Mitigating Primary User Emulation Attacks in Dynamic Spectrum Access Networks Using Hypothesis Testing, ACM Mobile Computing and Communications Review, Special Issue on Cognitive Radio Technologies and Systems, Vol.13, No.2, 2009, pp.74-85.

[24] Qusay Mahmoud, Cognitive Networks: Towards Self-Aware Networks, Wiley E-Book, New York, 2007.

[25] Yuan Zhang, Gaochao Xu and Xiaozhong Geng, Security Threats in Cognitive Radio Networks, 10th IEEE International Conference on High Performance Computing and Communications (HPCC 2008), Dalian, China, September, 2008, pp.1036-1041.

[26] Wenyuan Xu, Wade Trappe, Yanyong Zhang and Timothy Wood, The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks, Proceedings of ACM MobiHoc, Urbana, IL, May, 2005, pp.46-57.

[27] Wenyuan Xu, Timothy Wood, Wade Trappe and Yanyong Zhang, Channel Surfing and Spatial Retreats: Defenses Against Wireless Denial of Service, Proceedings of the 3rd ACM Workshop on Wireless Security, Philadelphia, PA, January, 2004, pp.80-89.

[28] Ashwin Sampath, Hui Dai, Haitao Zheng and Ben Y. Zhao, Multi-channel Jamming Attacks Using Cognitive Radios, Proceedings of 16th International Conference on Computer Communications and Networks (ICCCN 2007), Honolulu, HI, August, 2007, pp.352-357.

[29] Chris Karlof and David Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, Berkeley, CA, May, 2003, pp.113-127.

[30] Chetan Mathur and Koduvayur Subbalakshmi, Security Issues in Cognitive Radio Networks, Cognitive Networks: Towards Self-Aware Networks, Wiley, New York, 2007, pp.284-293.

[31] Priyank Anand, Ankit Singh Rawat, Hao Chen and Pramod K. Varshney, Collaborative Spectrum Sensing in the Presence of Byzantine Attacks in Cognitive Radio Networks, Second International Conference on Communications Systems and Networks (COMSNETS 2010), Bangalore, India, January, 2010, pp.1-9.

[32] Huahui Wang, Leonard Lightfoot and Tongtong Li, On PHY-Layer Security of Cognitive Radio: Collaborative Sensing under Malicious Attacks, 44th Annual Conference on Information Sciences and Systems (CISS), Princeton, NJ, March, 2010, pp.1-6.

[33] A. Pandharipande et al., IEEE P802.22 Wireless RANs: Technology Proposal Package for IEEE 802.22, IEEE 802.22 WG on WRANs, November, 2005.

[34] Yeelin Shei and Y. T. Su, A Sequential Test Based Cooperative Spectrum Sensing Scheme for Cognitive Radios, IEEE 19th International Symposium on Personal, Indoor and Mobile Radio Communications 2008 (PIMRC 2008), Cannes, France, September, 2008, pp.1-5.

[35] Praveen Kaligineedi, Majid Khabbazian and Vijay K. Bhargava, Secure Cooperative Sensing Techniques for Cognitive Radio Systems, IEEE International Conference on Communications 2008 (ICC ‘08), Beijing, China, May, 2008, pp.3406-3410.

[36] Ankit Rawat, Priyank Anand, Hao Chen and Pramod Varshney, Countering Byzantine Attacks in Cognitive Radio Networks, 2010 IEEE International Conference on Acoustics Speech and Signal Processing (ICASSP), Dallas, TX, March, 2010, pp.3098-3101.

[37] Linjun Lu, Soo-Young Chang et al., Technology Proposal Clarifications for IEEE 802.22 WRAN Systems, IEEE 802.22 WG on WRANs, March, 2006.

[38] Joerg Hillenbrand, Timo Weiss and Friedrich K. Jondral, Calculation of Detection and False Alarm Probabilities in Spectrum Pooling Systems, IEEE Communication Letters, Vol.9, No.4, 2005, pp.349-351.

[39] Wenkai Wang, Husheng Li, Yan Sun and Zhu Han, Attack-Proof Collaborative Spectrum Sensing in Cognitive Radio Networks, 43rd Annual Conference on Information Sciences and Systems, 2009 (CISS 2009), Baltimore, MD, March, 2009, pp.130-134.

[40] Li Zhu and Huaibei Zhou, Two Types of Attacks against Cognitive Radio Network MAC Protocols, International Conference on Computer Science and Software Engineering, Vol.4, Wuhan, China, December, 2008, pp.1110-1113.

[41] Kaigui Bian and Jung-Min Park, MAC-Layer Misbehaviors in Multi-hop Cognitive Radio Networks, 2006 US-Korea Conference on Science, Technology, and Entrepreneurship (UKC2006), August, 2006.


[42] Chris Karlof and David Wagner, Secure Routing in Wireless Networks: Attacks and Countermeasures, Ad Hoc Networks, Vol.1, 2003, pp.293-315.

[43] Yih-Chun Hu, David B. Johnson and Adrian Perrig, SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks, Proceedings of the Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA’02), Callicoon, NY, June, 2002.

[44] Ian F. Akyildiz, Won-Yeol Lee, Mehmet C. Vuran and Shantidev Mohanty, Next Generation/Dynamic Spectrum Access/Cognitive Radio Wireless Networks: A Survey, Elsevier Computer Networks, Vol.50, 2006, pp.2127-2159.

[45] Imad Aad, Jean-Pierre Hubaux and Edward W. Knightly, Denial of Service Resilience in Ad Hoc Networks, Proceedings of the 10th Annual International Conference on Mobile Computing and Networking (MobiCom ’04), Philadelphia, PA, September, 2004.

[46] Olga León, Juan Hernandez-Serrano and Miguel Soriano, A New Cross-Layer Attack to TCP in Cognitive Radio Networks, Proceedings of the 2nd International Workshop on Cross Layer Design (IWCLD ’09), Palma, Spain, June, 2009, pp.1-5.

[47] Juan Hernandez-Serrano, Olga León and Miguel Soriano, Modeling the Lion Attack in Cognitive Radio Networks, EURASIP Journal on Wireless Communications and Networking, Vol.2011, Article ID 242304, 10 pages, 2011.

[48] Hugo Marques, José Ribeiro, Paulo Marques, André Zúquete and Jonathan Rodriguez, A Security Framework for Cognitive Radio IP Based Cooperative Protocols, IEEE 20th International Symposium on Personal, Indoor and Mobile Radio Communications, Tokyo, Japan, September, 2009, pp.2838-2842.

[49] Kun Zeng, Przemysław Pawełczak and Danijela Cabric, Reputation-Based Cooperative Spectrum Sensing with Trusted Nodes Assistance, IEEE Communications Letters, Vol.14, No.3, 2010, pp.226-228.

[50] Kwang-Cheng Chen, Peng-Yu Chen, Neeli Prasad, Ying-Chang Liang and Sumei Sun, Trusted Cognitive Radio Networking, Wireless Communications and Mobile Computing, Vol.10, 2010, pp.467-485.

Biographies

Wassim El-Hajj received his BS degree from the American University of Beirut in 2000, and the MS and PhD degrees in 2002 and 2006, respectively, from Western Michigan University, all in Computer Science. Immediately after his graduation, he joined the Faculty of Information Technology at UAE University as an Assistant Professor in the Department of Information Security. Later, he joined the Electrical and Computer Engineering Department at the American University of Beirut as a visiting assistant professor. Currently, he is a visiting assistant professor in the Computer Science Department at the American University of Beirut. His research interests include Security, Network Planning, and Bioinformatics. Some of his academic accomplishments include a book published recently in 2010, more than 30 journal and conference publications, and multiple research funds. In addition to his research and teaching experience, he has valuable industrial experience with Boeing and Ten Strategic Consulting Co.

Haidar Safa received a BS in Computer Science in 1991 from Lebanese University, Lebanon, an MS in Computer Science in 1996 from the University of Quebec at Montreal (UQAM), and a PhD in Electrical and Computer Engineering in 2001 from Ecole Polytechnique de Montreal. He joined ADC Telecommunications in 2000 and then SS8 Networks in 2001, where he worked on designing and developing networking and system software. In 2003, he joined the American University of Beirut, where he is currently an associate professor in the Department of Computer Science. Dr. Safa is also associated with the Mobile Computing and Networking Research Laboratory (LARIM), Ecole Polytechnique de Montreal, Montreal, Canada. His research interests include mobile and wireless networks, distributed computing, quality of service, routing, and network security.


Mohsen Guizani received a BS (with distinction), MS and PhD degrees in Electrical Engineering from Syracuse University in 1985, 1987 and 1990, respectively. He worked in different institutions and is now a full professor. His research interests cover network security, wireless communications and networking, performance evaluation, and optical computing. He received the best research award in 1995 and 1999. He also received the best teaching award in 1999. He was a distinguished speaker of the IEEE Computer Society and a very active member of the IEEE Communication Society. He is a Fellow of the IEEE and a senior member of the ACM.
