A Survey:Render of PUE Attack in Cognitive Radio Compressed by Software Defined Radio

Transcription

1 International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT) A Survey:Render of PUE Attack in Cognitive Radio Compressed by Software Defined Radio Mandakini Gupta Dept. of ECE VITM Gwalior, India er.mandakini1989@gmail.com Abhishek jain Dept. of ECE VITM Gwalior, India abhishek1327@gmail.com Ankur Soni Dept. of ECE VITM Gwalior, India ec_ankursoni@vitm.edu.in Abstract PU Emulsion attack is one of the most important Threats of Spectrum sensing for wireless Cognitive Radio Network. On the basis of the Wireless Signal a PU is detected in a given band, all secondary Users should avoid accessing that band. However, when a Secondary user is detected other Secondary users may choose to share that same band. In a Primary user Attack, a malicious Secondary tries to gain priority over other Secondary users by transmitting signals that emulate the characteristic of Primary user s. In this paper we have to adversary to modify the Radio Software of a Cognitive Radio is to change its emission characteristics (i.e. Modulation, Frequency, Power, etc.) so that the emission characteristics resemble those of a PU. Keywords Cognitive radio, PU Emulsion Attack (PUE), Fallow Licensed Spectrum Band, Software Defined Radio. I INTRODUCTION In the DSA paradigm, when a primary user is detected in a given band, all secondary users should avoid accessing that band. However, when a secondary user is detected, other secondary users may choose to share that same band. In other words, primary users have higher priority than secondary users in accessing spectrum resources. In a PUE attack, a malicious secondary tries to proceed priority over other secondary users by transmitting signals that emulate the characteristics of a primary user s. An illustration of a PUE attack is shown in Fig Due to the re configurability of CRs, it is possible for antagonist to modify the radio software of a CR to change its emission characteristics (i.e., modulation, frequency, power, and etc.) so that the emission characteristic simulate those of a primary user. The potential impact of the PUE attacks depends on the legitimate secondary users ability to distinguish the attacker s signal from actual primary signals while conducting spectrum sensing. Here we examine extant local spectrum sensing techniques and explain why they may be vulnerable to PUE attacks. The energy detection technique infers the existence of a primary user based on the measured signal energy level. Apparently, energy detection is unable to distinguish primary signals and secondary signals. An improved scheme proposed in suggests the use of periodic. During a quiet period, all secondary users refrain from transmitting to expedite spectrum sensing. When quiet periods are observed by all secondary users, detecting primary users becomes straight forward i.e., any terminal whose received signal energy level is beyond a given threshold can be considered a primary transmitter. However, such a detection strategy breaks down completely when malicious secondary users studiously transmit during quiet periods. Cyclostationary feature detection or matched filter detection belongs to signal feature detection techniques, which capture special characteristics of a primary signal. However, confide solely on signal feature detection may not be sufficient to reliably distinguish primary signals from those of an attacker s. For example, in a CR network where primary users are TV systems, an attacker may emit signals that imitate TV signals. Alternatively, the attacker can rehash TV signals that were previously recorded. In either case, signal feature detection will maliciously identify the attacker s signal as that of a primary user. Depending on the impetus behind the attack, a PUE attack can be classified as either a selfish PUE attack or a malicious PUE attack. Selfish PUE attacks: In this attack, an attacker s detached is to maximize its own spectrum usage. When selfish PUE attackers distinguish a fallow spectrum band, they prevent other secondary users from competing for that band by transmitting signals that imitate the signal characteristics of primary user signals. This attack is most likely to be carried out by two selfish secondary users whose objective is to establish a dedicated link. Malicious PUE attacks: The objective of this attack is to obscure the DSA process of legitimate secondary users i.e., prevent legitimate secondary users from detecting and using fallow licensed spectrum bands, causing denial of service. Unlike a selfish attacker, a malicious attacker does not necessarily use fallow spectrum bands for its own communication purposes. It is quite possible for an attacker to simultaneously obstruct the DSA process in multiple bands by exploiting two DSA mechanisms implemented in every CR. The first mechanism requires a CR to wait for a certain amount of time before transmitting in the identified fallow band to make sure that the band is indeed unoccupied. Existing research shows that this time /16/$ IEEE

2 delay is non-negligible. The second instrument requires a CR to periodically sense the current operating band to detect primary signals and to immediately switch to another band when such signals are detected. By launching an PUE attack in multiple bands in a round-robin fashion, an attacker can effectively limit the legitimate secondary users from identifying and using fallow spectrum bands. Note that in PUE attacks, the adversary only transmits in fallow bands. Hence, interference to primary users is not a concern. We carried out simulation experiments to showcase the disruptive effects of PUE attacks. In the simulated network, 300 secondary users (which include both legitimate and malicious users) are randomly located inside a 2000m_2000m square area, each with a transmission range of 250m and an interference range of 550m. These range values are consistent with the protocol interference model. Two TV broadcast towers act as primary signal transmitters. Each TV tower has ten 6MHz channels, and the duty cycle of all the channels is fixed at 0.2. One tower is located 8000m east of the square area and has a transmission radius of 9000m; the other tower is located 5000m south of the square area with a transmission radius of 7000m1. The layout of the simulated network is shown in Fig. 3.2(a). Each secondary user node is randomly placed in the network area and moves according to a random waypoint model [2] by repeatedly executing the following four steps: 1) It randomly chooses a destination in the square area with a uniform distribution; 2) It chooses a velocity v that is uniformly distributed over [vmin, vmax]) It moves along a straight line from its current position to the destination with velocity v) 1We set the values of 9000m and 7000m for the primary users transmission radiuses based on realistic assumptions. Suppose the following parameters: the equivalent isotropically radiated power (EIRP) of the TV towers (transmitters) is 2500KW, transmitters effective antenna height is 100m, receivers effective antenna height is 1m, and receivers energy detection sensitivity is 94dbm. Under these conditions, one can derive a transmission radius of 8000m using the rural environment version of the HATA model. 20 It pauses in the destination for a random period that is uniformly distributed over [0, tpvmax]. We chose the values vmin = 5m/s, vmax = 10m/s, and tpmax = 60s. Each simulation instance spans a period of 24 hours. Another one hour before the 24 hours was simulated to ensure that the random waypoint model entered steady state. The number of attackers was varied from 1 to 30. Figs. 3.2(b) and 3.2(c) show the simulation results for the selfish PUE attack and the malicious PUE attack, respectively. The y-axis in the figures represents the amount of link bandwidth each secondary user is able to detect. The results show that a selfish PUE attack can effectively steal Band width from legitimate secondary users while a malicious PUE attack can drastically decrease the link bandwidth available to legitimate secondary users. Fig.1: A PU emulation attack II. PU EMULSION ATTACK (PUE) Security issues in cognitive radio networks are drawing more attention in recent years. Extensive issues associated with spectrum sensing is, how accurately it can discern incumbent signals from SU signals. An attacker can efficiently exploit the spectrum sensing process. For example, an attacker may imitate as an incumbent transmitter by transmitting indistinguishable signals in one of the licensed bands, thus preventing other secondary users from accessing that band [4]. Selfish PUE attacks: The main objective is to maximize attacker s bandwidth. For an example, when malicious node identifies vacant band, it will prevent other secondary users from using that band by transmits signals that resembles the incumbent signals [4]. Malicious PUE attack: The main objective is to obstruct the secondary users are identify and using vacant spectrum bands. Malicious attacker does not necessarily use vacant bands for its own communication aspiration. It is important to note that in PUE attacks, malicious nodes only transmit in vacant bands [4]. III. SYSTEM MODEL OF COGNITIVE RADIO NETWORK Following assumptions are made for this system model [7]. There are M malicious users in the system and they transmit at power. The distance between primary transmitter & all the users is and transmits at power.malicious users are uniformly distributed in circular region of radius R and all data are independent of each other. Fig.2 System model of CRN

3 IV. Software Defined Radio: Software defined radio (SDR) Technologies emerged in the early 1660s seeking to provide flexibility to this general architecture by offering an alternative approach. SDR preferred the hardware component could be replaced by a software defined component to gain dynamic configuration. Therefore, implementations of SDR are best characterized by the SDR Forum s 5-tier classification scheme [4]. The SDR Forum s definition begins with Tier 0 - termed a "Hardware Radio" and defined by fixed functionality (each component has specific performance parameters) this is our accepted legacy model. Tier 1 is termed Software Controlled Radio" and defined by offering certain parameters that can be changed via software, but the signal path remains fixed. Tier 2 is termed "Software Defined Radio" and defined by the ability for a signal path to be reconfigured in software without hardware modifications. Tier 3 is termed the "Ideal Software Radio" and represented by more of the signal path resident in the digital domain (i.e. few hardware components). Finally, Tier 4 is termed the "Ultimate Software Radio". Theoretically, the Ultimate Software Radio could provide complete flexibility to a user s dynamic operational requirements by ensuring no single component was fixed in its capability. incorporate additional functionality since it can be modified in the field (after deployment) as well as having the potential capability of self diagnosis for improved reliability. Whereas hardware platforms are essentially fixed, III. FROM CONFIGURABLE TO COGNITIVE The concept of Cognitive Radio was first proposed by Joseph Mitola III. The FCC formally defined CR as a radio that has the technical capability to acclimate their use of the spectrum in response to information external to the radio. Such a definition implies two characteristics of a CR. Cognitive capability refers to the ability of a CR to learn information from its radio environment. The reconfigurable is enabled by the SDR technology, which is a practical reality today [5]. In the DSA prototype, the definition of CR specifically means that CRs used by secondary users need to be able to scan a certain spectrum range and intelligently decide which spectrum band to use for its transmission. Accordingly, the cognitive capability specifically refers to the ability to detect temporally unused spectrum, i.e., spectrum hole or white space, and the reconfigurable refers to the ability to dynamically vary the modulation scheme, transmission power, time, and frequency. IV. FROM OPTIMIZED TO COMPROMISED Fig 3: High level abstraction of the SDR Forum tier definitions. Future growth in software radio will be motivated by six advantages [6]: ease of design, ease of manufacture, multimode operation, use of advanced signal processing techniques, fewer discrete components, and flexibility to incorporate additional functionality Software radio implementations reduce the design cycles for new products by avoiding the iteration associated with analog hardware design and thus lessen the timeline design. Advanced signal processing techniques such as adaptive antennas, interference rejection, and strong encryption yield unparalleled gains in performance and security. A single high-speed digital processor may be able to implement traditional radio functions of synchronization, demodulation, error detection, and decryption Finally, the software defined radio offers a lifetime of flexibility to A. Susceptibility in the Device Sensing Cognitive radios designed for dynamic spectrum access (DSA) rely on their ability to sense the environment to determine if a particular frequency is in use. Often inventorying an entire spectrum allocation, the specific frequencies not in use are referred to as spectrum holes [6]. This sensing capability facilitates opportunistic spectrum access; a practice allowing spectrum licensed to a PU to be used by a SU when it is available. The requirement of the cognitive radio to sense its environment and accurately perceive activity of PUs leads to unique attack vectors. The three categories of attack that have the highest likelihood of being encountered by radios are PU emulation, the lion attack, and false feedback common control data attacks. PU emulation (PUE) is the act of an adversary to impersonate a PU in order to lead a cognitive radio to believe that spectrum allocation is in use. This behavior makes the desired frequency unavailable to the cognitive radio, as it is programmed to avoid spectrum in use by PUs. Therefore any ability of an adversary to present a waveform similar enough to one of a PU is a legitimate threat. The reality is that the relative immaturity of spectral sensing technology (to gauge the received signal) and the high probability the frequency and waveform in use is a published standard gives an advantage to the adversary. In [1], PUE attacks are classified as either selfish or malicious. In a selfish attack, the adversary is preventing access to a particular spectrum allocation to maximize his own spectrum usage. In a malicious attack, the adversary is either initiating a denial of service or posturing his target for a more significant

4 follow-on attack. For example, the adversary could have an exploitation capability residing in the spectrum range he guides the target towards Sporadic sensing of a PU can cause a cognitive radio to use that spectrum allocation inconsistently. Typical cognitive radio spectrum sensing requires a device that senses a PU to vacate. An alternative method to spectrum sensing for PU operation is the implementation of a common control data channel. This channel specifically coordinates access amongst multiple cognitive radios by informing them of available frequencies. In creating a reliance on this shared information the common control data channel also introduces vulnerability. Basically, this is an attempt to solve therefore mentioned spectrum sensing vulnerabilities. The common control data attack implies direct action against this channel. This direct attack can either be active or passive. In an active attack, the channel can be jammed and in turn represent a denial of service. This attack is only passive in nature while the adversary coordinates his malicious action with a significant event, and therefore eventually leads to an active attack just at timing advantageous to the adversary. B. Susceptibility in the Device Cognitive Cycle: The cognitive radio s operation is directed by its cognition cycle. This allows it to act upon the sensing and perception of its environment. And though the ability for it to interpret the outside world is extremely complex, the implementation of a cognition cycle can also be very intricate and involved as well. Depending upon the maturity of the SDR, the cognition cycle may have a number of components to consider in its decision cycle. The more components that are software based, and thus adaptable, the radio can consider how the adjustment of their performance parameters can lead. (a) (b) Fig. 4 :The cognitive cycle (a) and its simplified view (b) Generally, a cognitive engine is designed to accept a set of inputs and determine the optimal output based on a designated function or objective (i.e. data rate, power, security). As the cognitive engine weighs the various performance parameters it can adapt, it deliberates such adjustments with respect to the end result achieving the desired performance objectives. In [2], a scenario was presented where an adversary understands that the radio s policy is to favor data rate over security. As he takes actions to degrade the radio s data rate and as the device recognizes the diminished data rate the radio will alter other performance parameters until it can restore the data rate to an acceptable measure. This could lead to the radio abstaining from a security practice that reduces throughput. If the radio was equipped with a policy engine, it can play a key role as it provides guidance on what objectives are prioritized based on the operating state of the radio. Such policy-based resource allocation adjustments to the cognition cycle could use a diverse set of parameters such as the geographic location of the radio or the role of the user within the organization Regardless, their implementation has a direct influence on the cognition cycle and if understood by an adversary, he could attempt to exploit it. The distinction between an adaptive radio and a cognitive radio is the ability of the cognitive radio to learn. Attacking the learning methodology can be even more catastrophic in collaborative cognitive radio environments, as the adversary s impact on one radio would then be propagated to other radios. Theoretically, an adversary s single action on one target radio could lead to a compromised state for the entire network. Recognizing this potential threat vector is critical during the radio design phase and more specifically the radio s cognitive cycle. In [8] the use of a risk engine to temper the decision cycle was introduced. This approach does not prohibit the radio s designed learning framework, nor does it prohibit the decision cycle. However, it does factor in decisions made by the radio to ascertain if they are causing the radio to enter a more vulnerable state. This approach is discussed further with the introduction of misuse case. C. Susceptibility in the Device Infrastructure The SDR Forum characterizes the radio s operation as an execution of the code providing one of four possible software states. And though some states share the same language, i.e. C++, it is necessary to view them as separate instances and explore each software state as a separate attack vector. In doing so, calculating risk exposure and the likelihood of that particular being exploited can be refined by a distinct awareness of the device s duration in that particular state. The first software state is the Radio Operating Environment. This state represents the software fundamental to the operation of the radio platform. It comprises the operating system, device drivers, and any required middleware for basic operations. The radio operating environment scripted using the C++ language. Investigating vulnerabilities to this software state requires two simple approaches. First, what common exploits in the operating systems of basic computing devices are replicated in this radio device? Second, the radio applications environment is also scripted using the C++ language support the objectives of the user. There are three methods that can further this analysis and lead to better security implementations of future software defined radio technologies. Analyzing design and coding level vulnerabilities including static code analysis, static code analysis can infer existing vulnerabilities based on flawed scripting practices, inherent weakness based on the

5 programming language, or simple errors that could be leveraged towards a nefarious purpose. Second, the associated communication protocols could be translated to a pseudo code and then further to state transitions. These state transitions could then be modeled formally using some modeling language such as Communicating Sequential Process (CSP), Petri Nets or Failure Divergence Refinement (FDR). V. FROM THEORY TO ANALYSIS Visualizing an adversary exploiting the aforementioned vulnerabilities offers a vehicle for applying a more thorough analysis framework. From the perspective of a misuse case, the exploited vulnerability can be viewed as a security event (e.g. a denial of service, an advanced persistent threat, and an insider threat) and discussed in a manner consistent with current security practices. A. Misuse-case 1: Denial of Service (e.g. jamming) The occurrence of jamming is not novel in the realm of radio frequency communications. It was the precursor to today s network-based denial of service attack; an adversary floods a device user with transmissions (typically at a higher power level) and prevents their ability to communicate. Just as the adversary needs to know the target network address to conduct a typical denial of service, the radio attack requires a general understanding of the frequency in use. As stated before, the cognitive technologies introduce more novel versions of jamming; specifically the adversary s PU emulation (PUE) that will prevent secondary users from accessing vacant spectrum. Thus, the usable Frequency is not jammed per se, but its access is prevented. The adversary exploits the target radios sensory and perception capabilities and misleads them into thinking he is a valid PU. The conditions that enable this attack vary based on the sensing technique employed by the radio. Energy detection, matched filter, or cyclostationary feature detection are possible means of distinguishing users, yet none of these techniques are robust enough to counter PUE attacks [1]. The adversary mimics the PU signal and prevents the target device from accessing the fallow bands. The primary approach to mitigating this attack lies in improving the sensory abilities of the cognitive radio and the manner in which it distinguishes signals. B. Misuse-case 2: Advanced Persistent Threat (e.g. C++ manipulation) in this misuse-case, the adversary manages to exploit the device during a software update. In doing so, he has provided a future backdoor to the device operating system. This allows him to compromise the device at a time of his choosing and in a manner that would go undetected by the operator. His ability to do so requires certain conditions. First the radio infrastructure must conduct its software downloads with limited protections. In some instances, user applications lack the necessary safeguards to ensure credentialed operators have access to their underlying code. By failing to incorporate an authentication mechanism, all operators yield the same privileges and access. A savvy operator with minimal training and a basic understanding of Python scripts could alter the code in a manner to effect the radios operation. As discussed before, the perpetrator could act selfishly and take this action to enhance his performance and access to spectrum or he could do it maliciously to degrade, disrupt, yet even accidental modification of code has consequences and must be addressed. For example if an application requires the radio operating system to yield a write access to satisfy the application s function, an adverse can exploit that for other purposes capitalizing on the change to security in the radio operating environment. The best mitigation technique for this scenario is to user applications to ensure they do not influence the radio s other software states. Radio can rely on a risk engine to alert the operator to the impending vulnerable state. The risk engine could detect the user application s influence on the other software states and more importantly indicate if other existing processes pose a greater risk (i.e. open shell). Development of a risk engine to complement the existing policy engine found in cognitive radios offers mitigation to all of the aforementioned misuse cases. It would temper the cognition cycle as appropriate to mitigate assumed risks in the radio s environment. In certain instances, it would act to prevent particular actions within the radio s internal processes. VI. CONCLUSIONS AND FURTHER RESEARCH This paper has presented a holistic approach to the security considerations of cognitive radio technologies by reviewing SDR vulnerabilities as well as those in their associated cognitive engines. Furthermore, the paper offered three misuse cases to present a realization of the exploitation of these Vulnerabilities. Once realized, lessons can be drawn regarding how to better analyze their occurrence and in turn increase the overall understanding of the risks inherent to these technologies. To address the dynamic nature to this risk environment, a risk engine is proposed to complement the SDR s existing policy engine. This risk engine will temper the cognition cycle and thus address the vulnerabilities discussed for the cognitive radio. These improvements can be advanced further with a concerted effort in developing attack graphs for each potential exploit. Correlating a number of attack graphs would offer possible synchronization in the mitigate mitigation techniques, and potentially highlight single mechanisms that address multiple exploits (i.e. cost benefit). Therefore, an additional research effort that can be based in this paper s findings is one that addresses reacting to security events and the digital forensic investigations that follow. Beyond the construct of an attack graph and the pre- and post-condition analysis it finds what other methodologies can explain how the device was exploited? Specifically, can an evidence graph be constructed and what operational parameters or device settings would it reflect? More importantly, what actions

6 must an operator take to preserve evidence and maintain the opportunity to interpret the security event? As these radio technologies begin to saturate the environment, the number of security incidents will increase exponentially and there will be a definitive need for proven digital forensic methodologies to explain them. References [1] R. Chen, J. Park, and J. Reed, Defense against PU emulation attacks in cognitive radio networks, IEEE Journal on Selected Areas in Communications, [2] T. Clancy and N. Goergen, Security in cognitive radio networks: Threats and mitigation, Third International Conference on Cognitive Radio Oriented Wireless Networks and Communications (Crown-Com), [3] O. Leon, J. Hernandez-Serrano, and M. Soriano, Securing cognitive radio networks, International Journal of Communication Systems, [4] A structure for software defined radio security. SDR Forum Input Document. SDRF-03-I-007, May [5] T. Sturman, An evaluation of software defined radio An overview, Internal document produced by QinetiQ, Ltd., [6] S. Haykin, Cognitive radio: Brain-empowered wireless communications, IEEE Journal on Selected Areas in Communications, Vol. 23, No. 2, [7] O. Leon, J. Hernandez-Serrano, and M. Soriano, A new crosslayer attack to TCP in cognitive radio networks, Second International Workshop on Cross Layer Design IWCLD [8] A. Abadie and D. Wijesekera, Cognitive radio technologies: Envisioning the realization of network-centric warfare, Proceedings of MilCIS 208, 208, in press. [9] H. Weinstock, Focus on Cognitive Radio Technology, Novinka Books: New York, 2007.