Detecting Primary User Emulation Attack with Two Users Cooperative Scheme in cognitive radio networks Shih-Po Chou† Yoshiaki Hori‡ Kouichi Sakurai‡ †Graduate School of Information Science and Electrical Engineering, Kyushu University 744 Motooka, Nishi-ku, Fukuoka 819-0395, JAPAN [email protected]

‡Faculty of Information Science and Electrical Engineering, Kyushu University 744 Motooka, Nishi-ku, Fukuoka 819-0395, JAPAN [email protected], [email protected]

Abstract. In the cognitive radio networks (CRNs), there are two types of users. The first one is primary (licensed) user who has a higher priority to use the radio spectrum. And the second type is secondary (unlicensed) user who can use the radio only when the primary users do not use the radio spectrum. CRNs can help secondary users to find the white spectrum by dynamic spectrum access (DSA) technology. However, in this case, the security of CRN cannot be ensured. The reason is that malicious users send interference wave which is similar to that of primary users, and then launch attacks to interfere the detection of cognitive radio (CR). Primary user emulation attack (PUEA) is known as one type of denial of service (DoS) attack. We propose a detection scheme based on the Wald’s sequential probability ratio test (WSPRT) and the cooperative detection method for PUEA in cognitive radio networks. Keywords: cognitive radio, primary user emulation attack, security

1 1.1

Introduction Background

In the coming future, there is a trend that more and more people use the wireless networks. A problem that the increase of available spectrum resources cannot catch up with user’s rise causes people’s notice. Meanwhile, the wave interference and the fixed spectrum assignment policy make the problem more serious. However, the assigned spectrum range by Federal Communications Commission (FCC) is not always occupied. According to the FCC’s report, the utility rate of some ranges reaches to 85%, while some ranges are only 15% [1][2]. In the cognitive radio networks (CRNs), there are two kinds of users, the primary users (PU or licensed users) have a top priority to utilize the spectrum, and the secondary users (SU or unlicensed users) who installed the cognitive radio (CR), can use the network service when the spectrum is not used by the primary users. The CR use the dynamic spectrum access (DSA) to detect the spectrum which is not used by the primary users. This type of spectrum is also called as “white space”, and

secondary users can be allowed to use these white spaces for linking to the world wide network such as the primary users. In the DSA, the method to sense the state of spectrum is very important, because we should to get a sensing result as soon as possible. According to the sensing result, the secondary user can utilize the white space at right time without any interfering to the primary users. There are three techniques for CR to detect the spectrum: energy detection, feature detection, and matched filtering detection. Generally, we prefer to use the energy detection for spectrum sensing, because it is easy to implement and does not require the prior information about primary signal. Unfortunately, the energy detection has a seriously disadvantage, that is the high false alarm probability when the user who stays at the low-SNR (Signal-Noise-Rate) environment. Moreover, the low-SNR environment is possibly created by malicious users who send the wave interference. If we want to let the CRNs be popularized, we should solve the above man-made interference problem. 1.2

Motivation

The normal secondary users install the CR, and use the DSA with energy detection to sense the environment for finding the white space without any character confirmed, so we could not differentiate the received signals where they came from. If the malicious secondary users can emulate the signal of primary user, and send this signal to other secondary users, then the detection result by the secondary users will be affected. This type of attack is called Primary User Emulation (PUE) Attack [3]. If the normal secondary users receive the fake signal and make a wrong decision, then the malicious users can utilize the white space themselves, and the normal secondary users have to detect another white space. In the worst situation, the normal secondary users can not utilize the network service at all. If we want to use CR in the future world, we should protect CR users from PUE attack, and then the CR is able to become a practical technology to solve the spectrum shortage. 1.3

Related work

The simplest way to protect the CRNs from PUE attack is embeding a signature in a primary signal or using the authentication protocol between the primary users and the secondary users. However, these methods are not allowed by the FCC in [10], because the presence of the CRNs must not modify or make any interference to the primary systems. In paper [5][6], Ganesan and Li propose a cooperative detection method which uses the Amplify-and-forward protocol to sense whether the spectrum is being used or not by the secondary users. However, an attacker just transmits the signal which is similar with primary user when no primary transmissions are taking place. It will interfere the secondary users for detecting the state of spectrum. To detect the PUE attack, Chen and Park propose a localized based method to detect the location of the PUE attackers, which is called LocDef [4]. When we use LocDef, we should know the location of primary users. LocDef uses the distance ratio test (DRT) and distance difference test (DDT) to detect the locations where are sending the high energy. If LocDef finds the location with high power but no primary

3

user there, the LocDef can determine that there exists a PUE attacker. 1.4

Challenging Issue

In the related works, the PUE attacker can be detected by the energy detection with primary transmitter’s location information. There are some problems that make the detection result for the PUE attack not precise: ─ If each attacker just sends signal with low power, some attackers can successfully launch a PUE attack by cooperation. Because the secondary users receive the power by adding the total power from all attackers and the received power will become high enough as an interference wave. ─ If an attacker is near to the primary transmitter, then it is difficult to detect him. Because the signal from attacker can be hidden behind the high power signal from primary transmitter. 1.5

Our Contributions

We propose a two-user cooperative detection scheme for decreasing the probability of false alarm which is caused by PUE attack. Our scheme is based on the Wald’s sequential probability ratio test (WSPRT) which can be used to analyze the received powers at secondary users’ side and can detect the cooperative PUE attack. Moreover, our contributions are as follows: ─ In our detection scheme, each secondary user can evaluate the SNR values by himself and exchange the detection result. By using this scheme, a secondary user who even stays at a low-SNR environment, can detect attacks with better detection rate cooperated with another secondary user who stays at a high-SNR environment. ─ We solve the problem of high false alarm probability in the WSPRT which is mentioned by the original authors in [7][8]. 1.6

Structure of Our Study

WSPRT detection model for PUE attack is introduced in section 2, our cooperative detection scheme in section 3, and show the results of our simulation by MATLAB in section 4. Finally, we state a conclusion and our future work in section 5.

2

Preliminary works

Jin and Anand propose two no-cooperation detection models for detecting against PUE attack, whose names are NPCHT and WSPRT [7][8]. These detection models use the energy detection to sense the spectrum, and are installed by normal secondary users. These detection models collect the information about the distance from the secondary user to the primary user and the distance from the secondary user to malicious users in advance. The detection models measure the received power on a spectrum. They set a specified threshold to determine whether the measured spectrum

is vacant or not. If the received power is above the threshold, we consider the spectrum was occupied by a set of malicious users. On the contrary, if the received power is below the threshold, we consider the spectrum was occupied by the primary user. The models can determine the transmission is normal or abnormal. We will introduce NPCHT and WSPRT below the following assumptions.  There is only one primary transmitter (TV tower) that transmit the primary signal by a power Pt at the minimum distance dp from all the users (normal secondary user and malicious secondary user). The distance is very long with all users, so we can use free space model [9] to calculate the received power at the secondary user.  There is only one secondary user who installed this detection method and no communication with other secondary users or malicious users.  There are M malicious secondary users in this model and they should keep a distance R0 from secondary user. (If the distance between a malicious user and the secondary user is shorter than R0, the received power at secondary user will become big enough and the secondary user can always confirm the transmission at this time is a PUE attack launched by malicious users.)  Each malicious secondary user transfers signal by a power Pm who is present within a circle of network radius (R) centered at the secondary user. (If the malicious secondary user is out of this area, then the secondary user will not receive the signal from this malicious secondary user.)  The location of each malicious secondary user will be determined by uniformly distribution. And the distances from malicious users to the secondary user are not large enough, so we should consider the signal reflection from the ground and use the 2-ray ground reflection model [9] when we calculate the received signal at the secondary user.  The received signal at the secondary user will have path loss and log-normal shadowing, so the received power will become small than original one. At first, we calculate the received power at secondary user from primary transmitter by using the formula from the free space model, which is given by ( )

where

=

(1)

is antenna gain of the primary transmitter. Then we could use (1) to

calculate the probability density function (pdf) of (

)

( )=

√

( )

, which is given by

−

(2)

where = and = 10 − 20 . Moreover, we calculate the total received power at the secondary user from all the malicious secondary users by using 2-ray ground reflection model, which is given by ( )

where

=∑

(3)

is the antenna gain of the malicious secondary users. As the same with

received primary signal, using formula (3) to calculate the pdf of by

( )

, which is given

5

( )

where

=

ln

( )= ( )

−

√

( )

− 2 ln

(4) and

=

2

( )

−

( )

. After calculate the pdf of received powers from the primary transmitter and from all the malicious secondary users, we could use the result to determine the state of the spectrum by the NPCHT and the WSPRT.

2.1

Neyman-Person Composite Hypothesis Test (NPCHT)

In this model, we have two hypotheses: H1, which represents the hypothesis that “Primary transmission in progress”, and H2, which stands for the hypothesis that “PUE attack in progress”. When we take a sensing, there are two types of risks, false alarm and miss. ─ False alarm: The transmission is implemented by malicious secondary users, but the secondary user determines that it was implemented by the primary user. False alarm is the probability of the successful PUE attack. ─ Miss: The transmission is implemented by the primary user, but the secondary user determines that it was implemented by malicious secondary users. A threshold is predefines for detecting the probability of miss. Both formula (2) and (4) are used to calculate the decision variable , as given below, =

( (

)( ) )( )

(5)

And then we compare the threshold α and the decision variable Λ to discriminate against the transmission which is implemented by primary transmitter and by malicious secondary users. Following is the decision-making mechanism, ≤

：

>

：

(6)

Table 1. The false alarm probability and miss probability using the NCPHT with the threshold = .

Probability/ Network Radius R(m) False Alarm ( { | }) Miss ( { | })

90

150

210

270

0.72

0.79

0.66

0.35

0.203

0.204

0.202

0.202

Table 2. The false alarm probability and miss probability using the NCPHT with the threshold = .

Probability/ Network Radius R(m) False Alarm ( { | }) Miss ( { | })

90

150

210

270

0.85

0.88

0.81

0.52

0.101

0.103

0.104

0.101

Table 1 and Table 2 show the result of the NPCHT with the threshold = 0.1 and = 0.2. We can see the probability of miss is close to the threshold as we set. However, the probability of false alarm is not outstanding, so the improved detection model which used the WSPRT is proposed.

2.2

Wald’s Sequential Probability Ratio Test (WSPRT)

The WSPRT not only set a threshold for the probability of miss, but also set a threshold for the probability of false alarm. It revises the decision variable Λ to Λ by n sequential time, =∏

(

)(

)

(

)(

)

(7)

Before making a decision, the WSPRT will calculate the and by thresholds and . After that, we can make a decision function as similar with NCPHT, ⎧ ⎪ ⎨ ⎪ ⎩

≤

=

：

≥

=

：

ℎ

：

(8) ℎ

Table 3. The false alarm probability and miss probability using the WSPRT with the threshold = . , = .

Probability/ Network Radius R(m) False Alarm ( { | }) Miss ( { | })

90

150

210

270

0.37

0.39

0.31

0.18

0.174

0.163

0.158

0.121

7

Table 4. The false alarm probability and miss probability using the WSPRT with the threshold = . , = .

Probability/ Network Radius R(m) False Alarm ( { | }) Miss { | }) (

90

150

210

270

0.31

0.44

0.27

0.16

0.183

0.180

0.173

0.148

Table 3 and Table 4 show the result of the WSPRT with the threshold = 0.1 and = 0.2. We can see the probability of miss is close to the threshold as we set, and the WSPRT decreases the probability of false alarm by 40% to 50% comparing with NPCHT. However, from the observation of the above tables, there still exists a problem that the probability of false alarm is still above the threshold as we set. The WSPRT will detect the PUE attack with a poor result when the malicious secondary users are distributed in the area ranging from 30m to 150m (from R0 to R).

3

Our Proposal

In this section, we introduce our cooperative detection scheme which senses the spectrum by two secondary users. The detection scheme is based on WSPRT, and uses the cooperative sensing to decide the final result of the transmission state (primary transmission or PUE progress). The two secondary users will change the information with Signal-Noise-Radio (SNR). We present some assumptions for our proposal as following.  

  

There is only one primary transmitter (TV tower) which transmit the primary signal by a power Pt at the minimum distance dp from all the users (normal secondary user and malicious secondary user). There are 2 secondary users ( , ) who install the CR with WSPRT detection model and can change information with each other. We use the DiffieHellman key exchange method to make a safe route for changing information between the secondary users. The distance between 2 secondary users is , . We consider the received power from malicious user as background noise, and then evaluate the SNR values ( , ) at each secondary user. We use the SNR values to make our decision function. There are M malicious secondary users in the network and they transfer signal by a power Pm. We distribute the malicious secondary users into the network area. And they could not be close to the secondary users by R0.

Figure 1: The scheme of two-user cooperative detection

In our scheme, we have to evaluate the SNR value at each secondary user firstly. Because the distance between the primary transmitter and the secondary user is long, the SNR values could be expressed using the logarithmic decibel scale. We can calculate the SNR values which is given by, = 10

=

,

−

,

(9)

Figure 2 shows the flowchart for our two-user cooperative detection scheme. Every step will be described in the following part.  Step1. Evaluate the SNR value which uses the formula (9) at each secondary user.  Step2. Detect the transmission at each secondary user by the WSPRT detection model which is mentioned in section 2.B. Calculate the pdf of received powers from primary transmitter and malicious secondary users by Eqn. (2) and Eqn. (4). Make a final decision by Eqn. (7) and criterion (8).  Step3. Compose the reports ( and ) which including the result from Step1. and Step2. by each secondary user.  Step4. Change the report to each other and make the final decision of the transmission at this time.

9

Figure 2: Flowchart of PUE attack detection in our proposed cooperative detection scheme

We do some experiments in MATLAB to ensure our proposal is effective for detecting the PUE attack. Also, we will show the simulation flow and the results in the next section.

4

Simulation and Result

We run numerical simulations to ensure our two-user cooperative detection scheme by MATLAB. We compare the cooperative scheme’s detection result with the nocooperation model’s detection result. The simulation parameters we set as in Table 5. In our numerical simulations, we let the M malicious users be distributed in a 300m × 300m square grid. The probability that primary user utilizes the spectrum is 0.5. It means that the primary user uses or not uses the spectrum with the same probability. We have two cases of experiments that are according to the different locations between normal secondary users and malicious secondary users. In each case, we run 1000 times of simulations for each value of R (The network radius or the detection scope of secondary users).

Table 5. Parameter for simulation

Parameter

,

(

,

)

Value 25 100KW 4W 100Km 30m 60, 90, … ,3000m 500m (0.2, 0.2)

: The number of malicious users : The original power of primary transmitter : The original power of each malicious user : The minimum distance from primary transmitter to all users (Include the normal users and the malicious users) : The minimum distance from the malicious user to the secondary users : The network radius of detection range at the secondary users , : The distance of 2 secondary users ( , ): Threshold (false alarm, miss)

Figure 3: Our scheme in Case 1.

Figure 4: Our scheme in Case 2.

Case 1.The × square grid is centered at the secondary user 1 Figure 3 shows the scheme of Case 1, the malicious users are randomly distributed around , and we set at a distance of , =500m to . In this case, we can consider this situation that uses the no-cooperation WSPRT detection model. As we mentioned in section 2.2, if the malicious users are distributed around by 30m to 150m, will be easily interfered by the malicious users and have a bad detection result (the worst situation in the no-cooperation WSPRT detection model) because of the low SNR value. Oppositely, because presents at the location where is far away from all malicious secondary users. The detection result of will be better than . Therefore, we can think that if can send his detection results to , will get a correct detection.

11

Case 2.The × square grid is distributed between two secondary users Figure 4 shows the scheme of Case 2, the malicious secondary users are distributed between two users by random and the relative distance between the two secondary users is set to 500m. In this case, we consider the cooperative detection results of two secondary users will tend to be similar. In addition, we calculated the false alarm probability by and from section 2 and the criterion (8), which is expressed in { | }. We can see the results in Figure 5 and Figure 6.

Figure 5: Detection result in Case1.

Figure 6: Detection result in Case2.

Figure 5 shows the result of case 1. We can see that the malicious secondary users distributed around , and launch a large interference to . Oppositely, there was almost no malicious secondary user around , so the detection result is much better than the result of . And in this case, our two-user WSPRT detection scheme is very effective. In Figure 6, the malicious secondary users are distributed between two secondary users. They made a similar level of interference to the two secondary users. In this case, we can know if the distance between two users is not far enough, the detection result is almost the same with the no-cooperation detection model. Finally, Figure 7 shows that if wants to get a good detection result, he should cooperate with who is far enough from him (In our case, the two user’s distance should be far away from 600m, and we can get the detection result below the threshold = 0.2).

Figure 7: Relation between the false alarm probability and the relative distance between two users

5

Conclusion

In this paper, we proposed a detection scheme based on WSPRT for detecting the PUE attack by two-users-cooperation in cognitive radio networks. The detection results could be better than just use the no-cooperation WSPRT, but in the case 2, the detection result was not good enough when the distance between two secondary users were not long enough. For improving this case, we propose the detection scheme which is above three people on-going. We also experiment our proposal by numeric simulation in our future work.

Reference 1. Ian F. Akyildiz, Won-Yeol Lee, Mehmet C. Vuran, and Shantidev Mohanty, “NeXt generation/dynamic spectrum access/cognitive radio wireless networks: a survey,” Elsevier Computer Networks Journal, Vol. 50, pp.2127-2159, Sept. 2006. 2. Ian F. Akyildiz, Won-Yeol Lee, Mehmet C. Vuran, and Shantidev Mohanty. “A Survey on Spectrum Management in Cognitive Radio Networks” IEEE Communications Magazine, Volume 46, Issue4, pp. 40-48, April 2008. 3. O. Le´on, J. Hern´andez-Serrano and M. Soriano. ”Securing cognitive radio networks” INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS, volume 23, issue 5, pp633-652, 2010. 4. Ruiliang Chen, Jung-Min Park, and Jeffrey H. Reed. “Defense against Primary User Emulation Attacks in Cognitive Radio Networks” IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 26, NO. 1, pp. 25-37, JANUARY 2008. 5. Ganesan G, Ye Li. "Cooperative Spectrum Sensing in Cognitive Radio, Part I: Two User Networks" Wireless Communications, IEEE Transactions on, Volume 6, Issue 6, pp. 2204 2213, Aug 2007. 6. Ganesan G, Ye Li. " Cooperative Spectrum Sensing in Cognitive Radio, Part 2: Multiuser Network" Wireless Communications, IEEE Transactions on, Volume 6, Issue 6, pp. 2214 2222, Aug 2007. 7. Z. Jin, S. Anand and K. P. Subbalakshmi. “Mitigating Primary User Emulation Attacks in Dynamic Spectrum Access Networks using Hypothesis Testing” ACM SIGMOBILE Mobile

13 Computing and Communications Review Volume 13 Issue 2, pp. 77-85, April 2009. 8. Z. Jin, S. Anand and K. P. Subbalakshmi. “An analytical model for primary user emulation attacks in cognitive radio networks” IEEE Symposium of New Frontiers in Dynamic Spectrum Access Networks, pp. 1-6, OCTOBER 2008. 9. J. L. Melsa and D. L. Cohn, Decision and Estimation Theory. McGraw-Hill Inc., 1978. 10.Federal Communications Commission. Facilitating opportunities for flexible, efficient, and reliable spectrum use employing cognitive radio technologies. FCC 03-322. ET Docket No. 03-108, December 2003.