Exploiting and defending trust models in cooperative spectrum sensing
© Jackson et al.; licensee Springer. 2015
Received: 1 September 2014
Accepted: 24 November 2014
Published: 8 January 2015
Cognitive radios are currently presented as the solution to the ever-increasing spectrum shortage problem. However, their increased capabilities over traditional radios introduce a new dimension of security threats. Cooperative spectrum sensing (CSS) has been proposed as a means to protect cognitive radio networks from the well-known security threats: primary user emulation (PUE) and spectrum sensing data falsification (SSDF). In this paper, we demonstrate a new threat to CSS protocols that rely on sensor reputations, called the Rogue Signal Framing (RSF) intrusion. Rogue signals can be exploited to create the illusion of malicious sensors which leads to the framing of innocent sensors and, consequently, their removal from the shared spectrum sensing. Ultimately, with fewer sensors working together, the spectrum sensing is less robust for making correct spectrum access decisions. The simulation experiments illustrate the impact of RSF intrusions which, in severe cases, shows roughly 40% of sensors removed. To counter the RSF’s impact on the cooperative spectrum sensing (CSS), we introduce a new defense based on cluster analysis and community detection from analyzing the network’s received signal strength (RSS) diversity. Tests show up to 95% damage mitigation to the integrity of sensor reputations, thus retaining the benefits of trust-based CSS protocols.
The growing demand for wireless services shows an inevitable overcrowding of the spectrum bands, in large part due to the rapid increase of wireless mobile services in recent years. Conventionally, the Federal Communications Commission (FCC) statically assigned spectrum bands to licensed users for exclusive use on a long-term basis, precluding anyone else from access [1, 2]. Yet, analysis of the spectrum bands clearly indicates that current FCC policies have created severely under-utilized channels, causing a bottleneck for new wireless services [1, 3, 4]. Dynamic spectrum access (DSA) is the proposed solution to alleviate the overcrowding of bands by allowing licensed primary users (PUs) to share unused spectrum with unlicensed secondary users (SUs) in an opportunistic fashion [1, 5].
Cognitive radios (CR) utilize the DSA technology that enables autonomous optimization of radio configurations and the scanning of spectrum bands to locate the best available channels on a non-interference basis [6–8]. The cognitive radio network (CRN), consisting of SUs, is given permission to coexist in licensed channels under two preconditions mandated by the FCC: (1) giving spectrum priority to licensed users and (2) minimizing interference to licensed users. The faster the SUs can detect the primary signal and vacate the licensed channels, the smaller the interference. For this reason, the secondary network must achieve accurate spectrum sensing to know exactly when primary users occupy the channel.
The cornerstone of the IEEE 802.22, the first standard for cognitive radio networks, requires the SUs to yield to the PUs immediately after detecting the primary signal within a designated region. The 802.22 WRAN standard is aimed at using DSA technology to allow sharing of geographically unused spectrum allocated for television broadcast services. So in the 802.22 WRAN implementation, the primary network would consist of a TV broadcasting station (primary transmitter) and the corresponding subscribed viewers (primary receivers) [5, 9]. Ideally, SUs would occupy unused TV spectrum in geographical locations where the primary network is absent, but may coexist as long as the SUs do not interfere with the subscribed viewers’ reception of the primary signal. However, guaranteeing a minimal level of interference to the primary network is perhaps the biggest obstacle to the commercialization of DSA technology and a very difficult problem to solve. In order to have minimal interference, cognitive radios must be able to reliably detect, in real time, the presence or absence of a primary signal from a given spectrum band. Otherwise, these cognitive radios can unknowingly transmit signals simultaneously with the primary transmitter, causing unacceptable levels of interference to nearby PUs.
Cooperative spectrum sensing (CSS) has been proposed as an effective approach for boosting the detection of primary signals in CR networks [5, 10, 11]. In centralized CSS, the SUs submit their sensor reports to the fusion center (FC), which is a server for aggregating and cross-examining the network’s sensor reports to make a robust analysis of the spectrum availability. The purpose of the FC is to output a global spectrum decision, based on the sensor reports, to notify SUs if they can access a licensed spectrum band, in accordance to the FCC statutes. Research results from [1, 12] indicate that shadow fading and multipath fading can be alleviated by requiring multiple SUs to cooperate with each other in determining the spectrum availability.
However, CSS is vulnerable to attacks like the spectrum sensing data falsification (SSDF) where malicious SUs make false reports on the spectrum availability to mislead the FC. To counter SSDF, various trust models have been proposed to protect CSS from malicious SUs [13–17]. These trust-based CSS protocols build reputation profiles for sensors and filter out the sensing reports from those with low reputations. Thus, they can single out attackers and mitigate their influence in the shared spectrum sensing.
Unfortunately, we find that the sensor reputations are exploitable by rogue signals in trust-based CSS protocols. In secondary networks, it is very hard to determine the root cause of bad sensor reports, which can be malfunctioning sensors, the hidden node problem, SSDF attacks, or rogue signals. Typically, trust models (from CSS protocols) treat all inaccurate sensors the same way, with a loss of reputation. We consider trust models as overly sensitive intrusion detection systems (IDS) for penalizing sensors without taking into account the root cause of the abnormal sensor reports. As a result, attackers can cause inaccurate sensor reports by transmitting rogue signals in order to destroy the reputation of the targeted sensors. Accordingly, we present a new threat to a variety of trust-based CSS protocols, named the Rogue Signal Framing (RSF) intrusion. To launch this attack, we exploit directional antennas to isolate a radiation pattern to a group of sensors in proximity. The outcome is the emulation of an SSDF attack through sporadic and misleading rogue signals, causing different conclusions of channel availability in the network. The split between local spectrum decisions leads to innocent sensors being treated as malicious and consequently removed from the shared spectrum sensing.
● Introduced the Rogue Signal Framing intrusion, an attack on the trust model of CSS protocols
● Developed a solution, the RSF Clustering Defense (RCD), that protects sensor reputations from manipulation in trust models
● Ran simulations that demonstrated the impact of the RSF intrusion and the RCD solution
The rest of the paper is outlined as follows. Section 2 reviews common CRN attacks and trust-based CSS protocols. Then, we present the system model in Section 3, and show the details and analysis of the RSF intrusion in Section 4. We propose the RCD defense and evaluate it in Section 5 and conclude the paper in Section 6.
2 Related works
Our work is mostly related to the following attacks and defenses in CRNs.
PUE and SSDF attacks. Although CRNs are vulnerable to a variety of attacks, two attacks received much attention. One is the primary user emulation (PUE) attack [6, 18], where an attacker masquerades as the primary transmitter from the vantage point of its neighbors. The other attack is the SSDF [5, 13], in which compromised users falsify the local spectrum sensor reports to obscure the existence or create the illusion of a primary signal at the FC. Both of these attacks attempt to deceive the FC on the availability of spectrum resources, causing networks to behave in unintended ways. In contrast, the RSF intrusion disrupts the trust between the FC and sensors, which makes the spectrum sensing less stable.
Tom Clancy et al. list a host of threats such as sensory manipulation attacks, belief manipulation attacks, and objective function attacks to cognitive radios with embedded learning engines. However, the RSF intrusion focuses on cognitive radio networks with trust schemes and cooperative spectrum sensing, independent of the learning engine.
Trust-based CSS protocols. To defeat SSDF attacks, several trust-based schemes were developed. Chen et al. presented a sequential probability ratio test (SPRT) that scales the contribution of sensors by their reputation in order to mitigate the impact of SSDF attacks. Their model incorporates sampling votes on the detection or absence of the primary signal and weighing each vote according to the sensor’s reputation. For every vote identical to the global decision, the sensor’s reputation is incremented, such that their vote carries more weight in future decisions made at the fusion center. Kaligineedi et al. presented a pre-filtering average combination scheme. The scheme’s filters are responsible for (1) filtering extreme outlier sensor reports and (2) ignoring sensors that have continuously deviated from the majority over a length of time. Arshad et al. presented a beta reputation system model for hard-decision CSS protocols. Similar to , the sensors are rewarded for agreeing with the global spectrum decision, but otherwise penalized. Feng et al. introduced the SensingGuard trust model intended to protect the CSS from rational collusive SSDF attacks, in contrast to sporadic SSDF attacks. Lai et al. introduced a game theory model, based on the Newton-Raphson algorithm, that aims to punish selfish SUs and reward cooperation. In [17, 22, 23], the authors developed a trust-based CSS protocol that penalized sensors if their reports deviated too far from the expected received signal strength (RSS) values determined by common RSS models. What these approaches have in common is that they build reputation profiles for spectrum sensors in order to filter out sensing reports from untrustworthy sensors. However, our work shows that the reputations can be manipulated and, as a consequence, well-behaved sensors are framed and removed from the shared spectrum sensing.
Received signal strength anomaly detection. Apart from reputation profiles, there are solutions that rely on RSS models and statistical methods to validate the authenticity of sensor reports. Min et al. presented an algorithm that analyzes sensor clusters and their RSS correlation, based on distance and approximated shadow fading, to pinpoint malicious sensors and reduce/remove their input from the fusion center. A big difference between our work and theirs is that they rely on (and assume) a priori knowledge of the environment’s shadow fading to accurately predict the expected RSS value for a cluster of sensors. Secondly, they have no reputation model to go along with anomaly detection, so their solution discards the sensor reports in single intervals instead of penalizing the sensors for an extended duration. In [19, 25], the authors developed solutions using RSS estimation models and support vector machines (SVMs), a machine learning technique, to classify sensors as either anomalous or normal. Unlike the various aforementioned solutions, we developed our own defense based on cluster analysis and community detection to safeguard sensor reputations from manipulation, instead of only focusing on the integrity of the CSS.
What makes our solution unique is that our defense protects the integrity of trust models, i.e., sensor reputations, from rogue signal manipulation. Previous literature used trust models to stop malicious SUs (and their sensors) from deceiving the CSS, but did not consider the trust models themselves to be the target of attacks. Trust models were considered reliable solutions against SSDF attacks and malfunctioning sensors, but to our knowledge, none of the papers discussed how to manipulate and disrupt trust models. We realized the vulnerability of trust models due to their coarse threshold of penalizing inaccurate sensor reports, i.e., a sensor is deemed untrustworthy if it does not behave in a predetermined way. However, if an attacker knows how the sensors should behave, then they can leverage rogue signals to disrupt typical sensor behavior and thus destroy their reputations. To protect sensor reputations, we explored techniques from social network analytics, such as cluster analysis and community detection, as opposed to relying on RSS models or shadow fading estimations to predict the correct sensor report.
2.1 Motivation for distinguishing between RSF and SSDF
In an NSF 2009 workshop, the FCC had raised the question, ‘What authentication mechanisms are needed to support cooperative cognitive radio networks? Are reputation-based schemes useful supplements to conventional Public Key Infrastructure (PKI) authentication protocols?’ Reputation-based schemes in CSS (a.k.a. trust-based CSS protocols) are a popular technique for performing robust and accurate spectrum sensing without any inter-communication with the primary network, but the question remains on how effective they are at satisfying the FCC security requirements. Our work takes a closer look at the robustness of trust-based CSS protocols.
In secondary networks, it is very hard to conclude the root cause of bad sensor reports, which can vary from (1) malfunctioning sensors, (2) the hidden node problem, (3) SSDF attacks (i.e., malicious secondary users), and (4) rogue signals. Yet, the trust-based CSS protocols treat all inaccurate sensors the same way, in that they penalize secondary users and diminish sensor reputation all the same. An important question we wanted to investigate was, ‘Should the trust-based CSS protocols treat all inaccurate sensor reports the same way, regardless of the root cause? Or does it cause more harm than good to the system in certain scenarios?’
To test our hypothesis, we simulated multiple directional rogue signals against targeted clusters in a cognitive radio network. The simulation illustrated the impact of rogue signals negatively affecting sensor reputations which, in severe cases, shows roughly 40% of sensors penalized and eventually ignored in the shared spectrum sensing process. In other words, nearly half of the sensors were removed without any fault of their own, e.g., the sensors were not malfunctioning nor behaving maliciously but were still penalized. That means an outsider has the potential to trick the reputation scheme in order to filter out nearly half of the sensors, thus diminishing the performance of the network’s shared spectrum sensing. Trust-based CSS protocols have proven effective against malicious secondary users who report falsified sensing reports, but they did not consider the impact of rogue signals. Hence, based on the outcome of our simulations, we consider trust models as overly sensitive intrusion detection systems (IDS) for penalizing sensors without taking into account the root cause of abnormal sensor reports.
Not being able to determine the origin of inaccurate sensor reports opens the possibility for attackers to use RSF as a stepping stone attack against trust-based CSS protocols. Chen et al. model attacks against CSS protocols as a Byzantine fault tolerance system, in that the CSS protocol can continue functioning as intended as long as there are not too many Byzantine failures, which in this case are generally hidden, malicious, or malfunctioning sensors. In contrast, our work demonstrates that the RSF attack lowers the Byzantine fault tolerance of trust-based CSS protocols, due to having fewer secondary users participate in the shared spectrum sensing, thus making the system less robust against Byzantine failures.
Clancy et al. warn of a similar threat of rogue signals, but in a different context. They claim that rogue signals can cause faulty statistics, collected from the physical layer (e.g., RSS, channel availability, etc.), and stored in the knowledge base. The cognitive radio’s behavior is determined by the learning and reasoning engines which, in turn, depend on the knowledge base of spectrum observations across many channels over time. Hence, the cognitive radio may not behave as intended, or in fact cause harm, when the knowledge base contains faulty statistics that inhibit good decision-making. Both our work and theirs express the importance of being able to defend against rogue signals. The difference, however, is that our work protects the sensor reputations in trust-based CSS protocols whereas their idea is related towards protecting the integrity of the knowledge base.
3 Attack model
In this section, we define the RSS model and the method of attack for the RSF which employs directional antennas. The attacker manipulates sensor reputations by transmitting rogue signals to targeted sensors, thus causing conflicting sensor reports in the network. To ensure that reports do conflict, directional antennas are used to avoid targeting the entire network.
3.1 Propagation model
Energy detection. We decided to use energy detection because it is the most widely used spectrum sensing technique for cognitive radio networks [10, 24]. Secondly, energy detection is used in the three trust-based CSS protocols that we borrow for our simulations, from papers [13, 14, 16].
where $d_{ij}$ is the distance between $s_i$ and the $j$th attacking antenna, $\lambda$ denotes the wavelength (meters), $P_t$ is the emission power, $G_t$ and $G_r$ are the antenna gains of the transmitter and receiver, and .
The RSS value $R_i$ is measured in decibels relative to one milliwatt (dBm). However, the Rayleigh fading model (from Equation 2) is in milliwatts (mW), so we apply the unit conversion $\text{dBm} = 10 \log_{10}(\text{mW})$ in Equation 2 under hypothesis H1. In addition, is the correlated shadow fading gain between $s_i$’s position $[x_i, y_i]$ and the $j$th antenna’s position $[x_j, y_j]$, and $\sigma_L$ is the shadow fading variance. In the propagation model, we assume that the channel bandwidth is much larger than the coherence bandwidth, so the effect of multipath fading is negligible, and thus removed from Equation 1.
3.2 Directional antenna model
4 Rogue signal framing intrusion
In this section, we introduce the RSF intrusion and demonstrate its impact on the network’s total trust through simulations.
In the CSS paradigm, the physical layer (i.e., the sensor) provides local signal detection. The FC collects the sensor reports and validates the signal authenticity through cross-examination of the RSS spatial diversity from the network. However, verifying the source of RF waves at the physical layer is incredibly challenging, especially for energy detectors that can only observe the RSS. Since the energy detectors only measure raw RF energy, there is no cryptographic means to identify the source.
According to the first CRN standard, the IEEE 802.22, the secondary network must be self-reliant in minimizing interference to the primary network which requires accurate spectrum analysis. In the case of SSDF attacks, trust models have been effective at removing malicious sensors from the shared spectrum sensing [13–17]. However, these trust models cannot distinguish between malicious sensors and accurate sensors misled by rogue signals (as opposed to the legitimate primary signal). In other words, sensors are labeled untrustworthy when they have a consistent history of abnormal sensor reports, regardless of the cause.
Rogue signals can raise a sensor’s RSS well above what is expected, especially in the absence of the primary signal. So a prolonged rogue signal on a group of sensors can cause a sharp contrast in local spectrum observation from the others, thus appearing malicious and no different than SSDF. Consequently, the security protocol brands these sensors as untrustworthy and removes them from the shared spectrum analysis for as long as the stigma remains. As such, launching rogue signals on specific regions of the network over many quiet periods leads to the exploitation of the trust model via the RSF attack. In the context of CSS, we define the term Rogue Signal Framing attack as follows:
Rogue Signal Framing attack breaks the trust between the fusion center and a group of sensors via rogue signals to create the illusion of malicious sensors.
To launch this attack, we exploit directional antennas to launch rogue signals on a regional group of sensors, thereby causing them to report abnormally high RSS compared to the rest of the unaffected network. When sensors start reporting differently, the FC interprets the situation as an SSDF attack, when in fact, the sensors reported honestly. In essence, we can use rogue signals to emulate false SSDF attacks to harm innocent sensors and diminish their cooperation in shared spectrum sensing.
4.1 Motivation for directional antennas
In a CRN with energy detectors, the RSF attacker must limit the rogue antenna’s coverage in order to avoid a successful PUE. Directional antennas make it possible to isolate the radiation pattern to a targeted group of sensors (with the rest of the network unaffected), thus convincing the FC that the defecting sensors are malicious. On the other hand, isotropic antennas emit RF waves in all directions and maximize the antenna’s coverage. This leaves a massive RF fingerprint in a network of energy detectors. Chen et al. proposed an RSS-based location verification scheme to detect and pinpoint PUE attacks enforced by a dense network of sensors. However, this scheme was not tested or tailored for pinpointing directional antennas.
Directional antennas are difficult to detect, and even harder to pinpoint, because of their ability to emit rogue signals with narrow and asymmetrical radiation patterns. Any changes made to the beam direction and beamwidth of a directional antenna can drastically change the network’s RSS spatial diversity. These observations are supported by work from Bauer et al. In their experiments, they demonstrated that directional antennas can disrupt localization algorithms on IEEE 802.11 WLANs that resulted in very high errors.
4.2 Trust damage
where $t_i[q]$ is the trust score of sensor $s_i \in S$. In each trust-based CSS protocol, the trust score is represented differently. In order to compare the trust damage between each protocol, we normalized the trust score $t_i$ such that $t_i[q] \in [0,1]$ in the equation.
In each quiet period, a group of sensors may lose their trust due to the RSF intrusion, so $T_\Sigma[q]$ changes from one quiet period to the next. As time passes, sensors exposed to RSF suffer an increasing amount of trust damage, so we expect $T_\Sigma[q]$ will decrease as the number of quiet periods $q$ increases.
4.3 Attack evaluation
To test our proposed framing intrusion, we borrow three different trust-based CSS protocols. The first protocol $F_A$, by Chen et al., utilizes the sequential probability ratio test (SPRT) and weights the probability by the sensor’s reputation to mitigate the impact of SSDF attacks. The second protocol $F_B$, by Kaligineedi et al., utilizes a pre-filtering average combination scheme. These filters are responsible for (1) filtering extreme outlier sensor reports and (2) ignoring sensors with high-trust penalties. The third protocol $F_C$, by Arshad et al., utilizes a beta reputation system model for hard-decision CSS protocols. Like $F_A$, the sensors are rewarded for agreeing with the global spectrum decision, but otherwise penalized.
We make the following assumptions on the simulation’s environment according to an IEEE 802.22 WRAN environment that encompasses UHF/VHF TV bands between 54 and 862 MHz. In our simulation, 400 sensors are located inside a 2,000×2,000 grid. We assume the incumbent broadcasting station operates at the UHF frequency of 615 MHz. As in Figure 2, there are four rogue directional antennas facing the cardinal directions and positioned on the map’s center. Protocols $F_A$, $F_B$, and $F_C$ are tested on RSF attack scenarios, labeled as RSF-15, RSF-30, and RSF-45, which correspond to the scenario’s antenna beamwidths of 15°, 30°, and 45°, respectively.
● Protocol $F_A$: sensor trust is increased when the local spectrum decision agrees with the FC’s global spectrum decision and penalized otherwise; only applies to a random sample of sensors with varying sizes
● Protocol $F_B$: the rate and scope of trust damage depends on the environment’s RSS variance; the protocol’s penalty threshold scales with the environment’s noise variance
● Protocol $F_C$: sensor trust is increased when the local spectrum decision agrees with the FC’s global spectrum decision and penalized otherwise; applies to all sensors
From Figure 4, we observe that both protocols $F_A$ and $F_C$ start to plateau because the $t_i$ of misled sensors eventually falls to 0, causing the $\Delta T_\Sigma[q]$ to become stagnant over time. However, protocol $F_B$ differs in that it does not have local spectrum decisions to compare to FC’s global spectrum decisions. Instead, it determines if a sensor is malicious when the reported RSS value exceeds a dynamic threshold that correlates with the network’s RSS variance. As the attack coverage increases from RSF-15 to RSF-45, the RSS variance increases as well, and $F_B$’s behavior towards the RSF attack changes with it.
The CSS paradigm can be modeled in the context of the Byzantine fault tolerance problem. The authors in  describe a Byzantine failure as either a malfunctioning sensor or an SSDF attack. In both cases, the sensors perform unreliable local spectrum sensing that could ultimately mislead the FC to a wrong spectrum decision in the form of a misdetection or false alarm. These decisions are based on the null hypothesis H0, where the primary signal is presumed absent, and the alternative hypothesis H1, where the primary signal is presumed present, from Equation 1.
[Table; surviving labels: Primary signal absent (H0); H0 is accepted; H0 is rejected]
The RSF’s ability to damage sensor reputations does not directly influence the FC’s spectrum decision like in SSDF or PUE attacks. Instead, the RSF lowers the system’s fault tolerance because the FC has to rely on fewer sensors to infer the presence of the primary signal. Hence, the RSF weakens the reliability of shared spectrum sensing for trust-based CSS protocols in the aftermath of the intrusion.
4.4 Two types of framing
To create an illusion of malicious sensors, there needs to be a separate group of well-behaved sensors to delineate good-from-bad sensor reports. Unfortunately, classifying sensors as either honest or malicious is speculative, as the FCC regulations remove any obligations of the primary network to communicate with the secondary network. Hence, the secondary network is left to assume channel occupancy (i.e., the global spectrum decision) with hypotheses like H0 and H1. Therefore, if all sensor reputations are in good standing, such that all sensors equally participate in the shared spectrum sensing, then the global spectrum decision is typically determined by the majority of sensors.
This is especially true for hard-decision combining, which is when the FC makes a global spectrum decision based on a collection of local spectrum decisions, reported by sensors individually, in the form H0 and H1. Protocols F A and F C use hard-decision combining, with each decision weighted by sensor reputations. Alternatively, the FC can perform soft-decision combining to determine the global spectrum decision based on a collection of non-discrete sensor observations, e.g., energy detectors that report the RSS values instead of a local spectrum decision.
Soft-decision combining not only benefits from using more descriptive data but also becomes more vulnerable to outliers in sensor reports, e.g., extremely high or low RSS values. Generally, CSS protocols are designed to reduce the impact of outliers or remove them entirely, but this still leaves the majority of sensor reports as a strong determinant of the global spectrum decision, just like in hard-decision combining. That is, a majority of sensors will typically decide the global decision, even if that majority is comprised of malicious sensors or affected by a wide-reaching rogue signal, as seen in the case of a PUE attack. In such a case, the FC concludes that the disagreeing minority of sensors, even if well-behaved, are presumed inaccurate.
Type 1 framing: the sensors misled by the rogue signal are in the minority and lose trust, while the rest of the network gains trust
Type 2 framing: the sensors misled by the rogue signal are in the majority and gain trust, while the rest of the network loses trust
[Table; surviving entries: Number of rogue; Noise power std; $N_x \times N_y$; 2,000 m × 2,000 m]
Prior to this section, type 1 framing has been the designated type of trust manipulation to describe the RSF attack. Type 2 framing, which is also a result of rogue signals, is worthy of discussion for simultaneously accomplishing a PUE attack and harming sensor reputations. Both attacks are manifested through rogue signals but can only be distinguished by the attack’s outcome, such as misleading the trust model (via RSF attack) or the FC (via PUE attack). To our knowledge, the fact that a PUE attack may inadvertently affect sensor reputations has not yet been considered in previous literature. We believe that type 2 framing is important in that it highlights the more subtle deficiencies in trust models, like how PUE attacks can also harm sensor reputations as a side effect.
Attack outcomes on trust models
Number of false alarms for each corresponding beamwidth (degrees) from Figure 6
Number of false alarms
From observing the results in Figure 6 and Table 4 and understanding the trust model algorithms, we see a clear pattern between the relationship of trust damage and false alarms. In the polar cases of 0 or $N_s$ false alarms (where $N_s$ is the number of sensors), the trust damage is virtually 0, since the FC cannot find any disagreements among the sensor reports.
The RSF and PUE labels over Figure 7 reflect the likely outcome of an attack from rogue signals. As the false alarms approach $N_s$ due to rogue signals, a successful PUE attack is more likely to occur than the RSF attack. This can be observed in the PUE success rate in Figure 6 as the directional antennas’ beamwidth broadens and the number of false alarms increases. It is important to note that regardless of the attack (RSF or PUE), trust damage occurs unless the number of false alarms is either 0 or $N_s$.
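The relationship between false alarms and trust damage described above can be reproduced with a small model. This is an added example, not the paper's simulator: it assumes a generic beta-style reputation score $(r+1)/(r+s+2)$, a trust-weighted majority vote at the FC, total trust taken as the sum of the normalized scores, and trust damage measured against an attack-free run; all function names are hypothetical.

```python
def trust_scores(n_sensors, n_misled, quiet_periods):
    """Primary signal is absent (H0) in every quiet period. The first
    n_misled sensors see a rogue signal and report H1 (a false alarm);
    the rest report H0. Returns (final trust list, false global decisions)."""
    agree = [0] * n_sensors      # r_i: reports that matched the global decision
    disagree = [0] * n_sensors   # s_i: reports that contradicted it
    false_global = 0
    for _ in range(quiet_periods):
        trust = [(agree[i] + 1) / (agree[i] + disagree[i] + 2)
                 for i in range(n_sensors)]
        votes = [1 if i < n_misled else -1 for i in range(n_sensors)]
        weighted = sum(t * v for t, v in zip(trust, votes))
        decision = 1 if weighted > 0 else -1   # a tie is resolved as H0
        false_global += decision == 1
        for i, vote in enumerate(votes):
            if vote == decision:
                agree[i] += 1                  # rewarded for agreeing
            else:
                disagree[i] += 1               # penalized otherwise
    final = [(agree[i] + 1) / (agree[i] + disagree[i] + 2)
             for i in range(n_sensors)]
    return final, false_global


def trust_damage(n_sensors, n_misled, quiet_periods):
    """Total trust lost relative to an attack-free run (assumed definition)."""
    baseline, _ = trust_scores(n_sensors, 0, quiet_periods)
    attacked, false_global = trust_scores(n_sensors, n_misled, quiet_periods)
    return sum(baseline) - sum(attacked), false_global


def outcome(n_sensors, n_misled, quiet_periods):
    """Label the result using the page's two framing types."""
    damage, false_global = trust_damage(n_sensors, n_misled, quiet_periods)
    if damage < 1e-12:
        return "PUE without trust damage" if false_global else "no effect"
    # Type 1: misled minority loses trust. Type 2: misled majority wins the
    # vote, so the FC is also deceived and the honest minority loses trust.
    return "type 2 framing" if false_global else "type 1 framing"


if __name__ == "__main__":
    # Constructed scenario: 20 sensors, 10 quiet periods.
    for k in (0, 5, 10, 15, 20):
        damage, _ = trust_damage(20, k, 10)
        print(f"{k:2d} false alarms: damage={damage:.2f} -> {outcome(20, k, 10)}")
```

In this model the damage is zero at 0 and at 20 false alarms and peaks where the network is split evenly, which is the shape the paragraph above describes.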
Trust model comparison
5 Rogue signal framing clustering defense
This section introduces the RSF clustering defense (RCD) module that operates in three steps: (1) analyze the RSS diversity for any clustering behavior, (2) compute the clustering strength in order to conclude the presence of a rogue signal, and if so (3) ignore trust penalties of sensors in the attacked clusters. The defense relies on the fact that directional antennas leave isolated radiation patterns that form dense communities of sensors reporting H1. Malicious sensors can perform SSDF attacks from the software layer without the need of rogue signals and thus operate outside the physical limitations of signal properties. In contrast, the RSF attack coverage is bound by the rogue signal’s radiation pattern. Hence, we look towards a solution involving cluster analysis to exploit the rogue signal’s physical characteristics and the fingerprint it leaves behind in a region of the network.
5.1 Network classification and clustering
The beginning of this section briefly examines the necessary network terms and concepts for better understanding the RCD algorithm and its motivation. We use graph partitioning and community detection as the basis for discovering clusters of RSF-attacked sensors. To partition the graph in a meaningful way, we assume that the nodes (e.g., sensors) have discrete characteristics such as a type or class. In our system model, the sensors are classified based on their local spectrum decision such that a given sensor s i has a corresponding class c i where (c i =−1) if s i reports H0 and (c i =1) if s i reports H1. This allows for the measuring of the network’s assortative mixing, a term defined as the pairing of nodes with the same class. However, the network of sensors also needs meaningful edges for community detection. The RCD module pairs any two sensors s i ,s j based on their class c i ,c j and their mutual distance d ij from each other in order to observe spatial clustering.
where c i ,c j are the node classes and δ(c i ,c j ) is the Kronecker delta function from Equation 6. The left side of Equation 7 is a summation series that iterates through an edge list and increments for each pair of the same class. The right side of Equation 7 is the matrix formula which iterates through an adjacency matrix and increments the same way. The one-half fraction from the matrix formula is there to remove the double counting of pairs.
where d ij is the distance between sensors s i and s j and d θ is the distance threshold.
In the off chance that a number of malicious sensors from SSDF are positioned near each other, we want to have a level of tolerance Z θ and a required minimum number of sensors per cluster Cmin. The restraint Cmin prevents a high clustering score Z k from an insignificant-sized cluster.
The red and blue graphs both give valuable information in detecting directional rogue signals by the cluster formations they create. The goal of the red graph is to identify a strong concentration of sensors perceiving a radio signal within a small area. In contrast, the blue graph demonstrates disagreements in spectrum decisions (i.e., H0 and H1) between neighboring sensors. As can be seen in the RSF scenario in Figure 9a, the red graph (created by the rogue signals) is surrounded by the blue graph and lacks any significant overlap between the two graphs. The presence of a red graph, without the intersections of blue edges, outlines a radio’s antenna coverage and becomes a clear indication of a rogue signal. However, the SSDF scenario in Figure 9b shows that an overlapping of red and blue graphs reveals a strong likelihood of malicious or malfunctioning sensors, instead of a rogue signal’s presence, since there is no apparent pattern of spectrum decisions.
Since we are assuming an environment that conforms to the IEEE 802.22 standard, we assume a network of Customer Premise Equipment (CPE) sensors, which implies a static network. This eliminates the option of malicious users moving closer together and forming dense clusters in order to be protected by the RCD module during SSDF attacks. There is a possibility that a group of CPE sensors remain in proximity by coincidence, but the chances can be reduced by adjusting Cmin, Z θ , or d θ accordingly.
5.2 Defense evaluation
In this section, we evaluate the RCD module’s performance on its ability to mitigate trust loss from RSF intrusions. Additionally, we compare the RCD module’s outcome on RSF and SSDF attacks.
In our simulations, we have two groups of scenarios, the RSF and SSDF. The simulation environment is the same as the one used by the RSF intrusion in Section 4. The beamwidth of each rogue antenna is 15°, 30°, and 45° for scenarios RSF-15, RSF-30, and RSF-45, respectively. The SSDF scenarios simulate malicious sensors by randomly selecting a percentage of the sensors and raising their RSS by 20 dBm from the noise floor. We randomly selected 20%, 30%, and 40% of sensors for the scenarios SSDF-20, SSDF-30, and SSDF-40, respectively.
where is the network’s total trust on quiet period q when using the RCD module, T Σ [ q] is the network’s total trust without the RCD module (from Figure 4), and T Σ [ 0] is the initial state of trust scores. We use a minimum cluster size Cmin=5, a clustering threshold Z θ =0.3, and a distance threshold d θ =150 m.
As shown in Figure 11, each protocol benefited from our proposed defense against the RSF intrusion. However, the RCD module offered less protection to protocol F A due to its sequential random sampling of sensors, instead of cross-examining all sensor reports for a more robust analysis. The spikes from F B in Figure 11c are due to its protocol design of having a dynamic threshold for deciding malicious sensors. During the spikes, F B ’s dynamic threshold is stabilizing as it replaces the old RSS statistics with new data.
5.3 Overhead of defense
1. Connect all the vertices in the adjacency matrix A ij to their neighbors within a distance threshold d θ ; this step has a time complexity of O(|V|^2) where |V| is the number of sensors
2. Find all non-overlapping subgraphs (i.e., clusters C k ) using a breadth-first search; this step has a time complexity of O(|V|^2) since it traverses the adjacency matrix A ij and creates adjacency lists that represent each C k cluster
3. Calculate the clustering strength of cluster C k based on the assortative mixing equations (Equations 9 and 10); this step iterates through each C k adjacency list, thus it has a time complexity of O(|E|+|V|)
So the time complexity of the RCD defense is the summation of all three parts: O(|V|^2)+O(|V|^2)+O(|E|+|V|). Yet, in a static network, where the cognitive radios do not move, we can ignore the complexity of part 1 since it is only computed once during the program initialization. Hence, the time complexity for each recurring quiet period is O(|V|^2)+O(|E|+|V|). The quiet period is when the cognitive radio network stops transmitting to listen for the primary signal.
Time complexity can be an issue if an attack is able to impact the network before the defense can adequately prevent or mitigate the damage. However, our algorithm has a decent order of growth, i.e., O(|V|^2)+O(|E|+|V|)≈O(|V|^2), which is smaller than many clustering algorithms such as the Kernighan-Lin algorithm that have an order of growth of O(|V|^3). Secondly, we are assuming that all intensive processing happens at the base station, with a dedicated server and adequate computing resources performing the analysis, and not on the cognitive radios themselves. As such, the time complexity is very feasible for most anticipated network sizes, e.g., no more than several thousand sensors. Furthermore, the calculation of the clustering strength is only applied to small sections of the network, which are usually much smaller than the total number of sensors |V|. This occurs in part 2 of our defense where C k clusters with identical sensor reports are identified using BFS, in similar fashion to the flood fill algorithm.
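The three parts listed above, as an added Python sketch (not the authors' implementation; all function names are hypothetical). The page does not reproduce Equations 9 to 11, so `clustering_score` uses an assumed stand-in, red edges divided by red plus blue edges, chosen only because it falls as blue edges grow; the 6×6 grid is constructed test data.

```python
import math
from collections import deque

# Parameter values quoted in Section 5.2 of the page.
D_THETA, C_MIN, Z_THETA = 150.0, 5, 0.3

def build_adjacency(positions, d_theta=D_THETA):
    """Part 1: link sensors within d_theta of each other, O(|V|^2)."""
    adj = [[] for _ in positions]
    for i in range(len(positions)):
        for j in range(i + 1, len(positions)):
            if math.dist(positions[i], positions[j]) <= d_theta:
                adj[i].append(j)
                adj[j].append(i)
    return adj

def h1_clusters(adj, classes):
    """Part 2: BFS flood fill over connected sensors that report H1 (class +1)."""
    seen, clusters = set(), []
    for start in range(len(adj)):
        if classes[start] != 1 or start in seen:
            continue
        seen.add(start)
        queue, members = deque([start]), []
        while queue:
            u = queue.popleft()
            members.append(u)
            for v in adj[u]:
                if classes[v] == 1 and v not in seen:
                    seen.add(v)
                    queue.append(v)
        clusters.append(members)
    return clusters

def clustering_score(cluster, adj, classes):
    """Part 3, ASSUMED score: red / (red + blue). Not the paper's Equation 11."""
    red = sum(1 for u in cluster for v in adj[u] if classes[v] == 1) // 2
    blue = sum(1 for u in cluster for v in adj[u] if classes[v] == -1)
    return red / (red + blue) if red + blue else 0.0

def protected_sensors(positions, classes):
    """Sensors whose trust penalty is ignored for this quiet period."""
    adj = build_adjacency(positions)
    keep = set()
    for cluster in h1_clusters(adj, classes):
        if len(cluster) >= C_MIN and clustering_score(cluster, adj, classes) >= Z_THETA:
            keep.update(cluster)
    return keep

def grid_scenario(h1_cells, side=6, spacing=100.0):
    """Constructed test network: side x side sensors, H1 at the given (x, y) cells."""
    cells = [(x, y) for y in range(side) for x in range(side)]
    positions = [(x * spacing, y * spacing) for x, y in cells]
    classes = [1 if c in h1_cells else -1 for c in cells]
    return positions, classes

if __name__ == "__main__":
    beam = {(x, y) for x in range(3) for y in range(3)}  # compact H1 footprint
    print(sorted(protected_sensors(*grid_scenario(beam))))
```

On the constructed grid, the compact 3×3 block of H1 reports is protected, while isolated H1 reporters fall below Cmin and keep their penalties.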
The need for more intensive processing, like graph algorithms, in radio networks usually raises concerns about the impact it has on a radio’s battery life. This is not a concern in our system because the cognitive radios only submit sensor reports every 30 s to a stationary base station that does all the processing on a dedicated server. Hence, the cognitive radios are spared the processing that would otherwise quickly deplete their battery life. In a decentralized CSS protocol, each cognitive radio is responsible for computing the shared spectrum algorithms locally, but our system employs a centralized CSS protocol which removes the intensive processing burden on the radio itself.
5.4 Cluster parameters and impact
Naturally, the size and topology of the cognitive radio network have an effect on our RCD solution. A dense network can easily show patterns of rogue signals, whereas a sparse network gives less information to analyze. To show the difference, we tested our solution on a second network, denoted as the sparse network, consisting of 100 randomly placed sensors. In contrast, the dense network has 400 randomly placed sensors, which is the same network tested and discussed in previous sections. For both dense and sparse networks, we only display the RSF-45 scenario to limit the number of graphs. The RSF-45 scenario emits four rogue signals in the cardinal directions with 45° beamwidth.
The distance threshold d θ is the condition required to form edges between two sensors. A red graph indicates a strong concentration of sensors perceiving a signal, such that it potentially reveals a rogue signal’s antenna coverage. The red graph is formed by sensors that share H1 reports within the distance threshold, d θ . Likewise, the blue graph is formed by sensors that simply disagree with their neighbors’ spectrum decisions (i.e., H0 and H1) within d θ . The blue graph helps reveal an SSDF attack, especially when the red and blue graphs overlap and are not clearly segregated. When a rogue signal is present, the red graph should be surrounded by the blue graph, outlining the reach of the rogue signal’s antenna coverage.
Figure 17 shows the accuracy of the RCD solution for both dense and sparse networks with d θ =150, 300, and 450 m. The accuracy is represented by the number of sensors protected by the RCD solution divided by the number of sensors inside the rogue signal’s attack coverage, i.e., S P /S A . Notably, the d θ =300 m in the sparse network reaches 100% accuracy, but d θ =450 m does not, even with more edges to analyze. This phenomenon is due to the blue edges lowering the clustering score Z k for cluster C k . This can be seen in Equation 11, where the clustering score Z k decreases because the denominator increases as more blue edges form (from variable ).
There are many variables in our simulations that are worth analyzing at a more comprehensive level: the number of sensors, the number of attackers, the shape and size of the rogue signal, the network’s topology, and even the environment’s landscape. In future studies, we intend to explore how these variables impact our solution and to establish metrics that fit the parameters according to different scenarios.
In this paper, we demonstrated the RSF intrusion, a new threat to trust-based CSS protocols. The attackers can transmit rogue signals onto groups of sensors to emulate SSDF and ruin their reputation with the intent of having them removed from the shared spectrum sensing. Our work cautions the use of trust-based CSS protocols and warrants a line of defense against rogue signals. The RSF simulations were conducted in a realistic environment based on the 802.22 WRAN standard and illustrate the impact of the RSF intrusions on sensor reputation scores. To mitigate the trust damage, we introduced a new defense based on community detection and cluster analysis. The simulation experiments showed that our defense solution, the RCD module, could effectively keep the sensor reputations intact while distinguishing rogue signals from malicious sensors.
This work was supported by the National Science Foundation under Grant Nos. 0915318, 1048339, and 0916469.
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.