Post on 27-Jul-2020
6 Fingerprint-based Defense against PUE Attacks in CR Networks 112
6. Fingerprint-based Defense against Primary User Emulation
Attacks in CR Networks
6.1. Introduction
Spectrum sensing is one of the important mechanisms of CR, and its operational
features are being investigated aggressively. However, the security aspects of
spectrum sensing have received little attention. The successful operation of CR networks
will depend on having the necessary security systems in place. A system is required that
can consistently differentiate between genuine primary signal transmitters and secondary
signal transmitters masquerading as primary users. In hostile environments, such
a technique must be integrated into the spectrum sensing system to improve the
reliability of the sensing outcome. This work focuses on a situation in which a PU
network is composed of TV transmission towers and receivers placed at fixed
locations. In such a setting, the location of a given transmitter, along with other features,
can be used to verify whether the transmitter is a primary transmitter or an attacker.
This thesis has investigated RF fingerprinting, based on the multiple signal paths received
from the PU at the SU, in order to counter this threat. If the transmitter (of the PU), the
receiver (of the SU) and the reflectors (obstacles) are all immobile, then the characteristics
of the multiple received signal paths are fixed and can be viewed as a fingerprint pattern.
However, if the PU or SU is mobile, then the characteristics of the multiple paths vary with time.
These time variations are deterministic when the number, location and characteristics of the
reflectors are known over time [Wireless communications, Andrea Goldsmith]. The
fingerprint outputs of the PU's transmission are simulated using MATLAB SIMULINK
in this chapter. The security threats in CR are discussed in the following section.
6.2. The Security Threats in CR Networks
There are two security threats to spectrum sensing in CR networks: primary user
emulation (PUE) and spectrum sensing data falsification attacks [Ruiliang Chen et al.,
PP 50 - 55]. When a PU signal is detected in a given band, all SUs avoid accessing
that band. However, when a secondary user is detected, other SUs may choose to
share that same band. In other words, PUs have higher priority than SUs in accessing
spectrum resources. In a PUE attack, a malicious SU tries to gain priority over other SUs
by transmitting signals that emulate the characteristics of a PU. However, relying
solely on signal feature detection may not be sufficient to reliably distinguish a PU's
signal from those of an attacker. An adversary may have two different motives for
launching PUE attacks. One motivation is to gain an unfair advantage in accessing
spectrum in the spectrum-sharing paradigm. Because SUs will avoid accessing a band
if a PU signal is detected in the band, an attacker can preempt and monopolize a
fallow band if it manages to fool others into believing that it is a PU. The second
motivation is to suppress legitimate SUs from accessing spectrum, thereby causing
denial of service (DoS). There are alternative techniques for spectrum sensing, such as
matched filter and cyclostationary feature detection [I.F. Akyildiz]. Such detection
techniques are capable of distinguishing the fundamental characteristics of PU signals.
However, these techniques are still not sufficient to counter PUE attacks. The
cyclostationary detectors may be defeated by an attacker who makes its
transmissions indistinguishable from PU signals by transmitting signals that have the same
cyclic spectral characteristics as PU signals. For example, when the terminals of a TV
broadcast network are PUs, an attacker may produce signals that imitate TV signals.
In PUE attacks, the adversary only transmits in empty bands. Hence, the goal of the
attackers is not to cause interference to PUs, but to obstruct spectrum resources that
might have been used by legitimate SUs. In the next section, a transmitter verification
scheme that can be integrated into a spectrum-sensing scheme to detect PUE attacks
under certain conditions is described.
6.3. Transmitter Verification Scheme
Before discussing the scheme, the assumption is made that the PU network
consists of TV signal transmitters (TV broadcast towers) and receivers. A TV
transmitter's output power is usually thousands of watts, and its transmission range is from
several miles to tens of miles. Each SU is equipped with a hand-held CR device, and the SUs
form a mobile ad hoc network. Each CR has self-localization capability, a
maximum transmission output power from a few hundred milliwatts to a few watts,
and a transmission range of a few hundred meters. An adversary, equipped with a CR,
is capable of changing its modulation mode, frequency, and transmission power.
Under the assumptions above, a transmitter verification scheme for spectrum sensing
that is suitable for hostile environments can be described. For example, the primary signal
transmitters are TV towers placed at fixed locations. Thus, if the estimated location of a
signal source deviates from the known location of the TV towers and the signal
characteristics look like those of PU signals, then it is expected that the signal source
is launching a PUE attack. The transmitter verification scheme consists of three steps
[D. Xu et al.]: verification of signal characteristics, measurement of received signal
energy level, and localization of the signal source. The technical problems
associated with the first two steps, in the framework of CR networks, have attracted a
lot of attention [I.F. Akyildiz et al.]. Less existing research is concerned
with the third step. Thus, the following section focuses on the problem of primary
signal transmitter localization. However, this is more challenging for two reasons.
First, no modification should be made to the PU system. Therefore, this
localization problem turns into a non-interactive localization problem. Second, the
receivers need not be localized; when a receiver is localized, one does not need to
consider the presence of other receivers. On the other hand, the presence of multiple
transmitters may add complexity to transmitter localization.
6.4. Non-interacting Localization of Primary Signal Transmitters
Before discussing the localization system, this section first summarizes traditional localization
methods used in wireless networks and their pitfalls. The thesis then discusses how
these methods should be improved for the localization problem in CR networks. In the
next section, existing localization methods are discussed in detail.
6.4.1. Existing Localization Methods
The global positioning system (GPS) is a satellite-based system that utilizes the time
difference of arrival (TDoA) to locate a receiver [Cognitive Radio Technology by
Bruce Fette]. GPS receivers typically use a one-pulse-per-second signal as it
appears at each radio from each satellite source, which allows the
propagation delay from each source to be computed regardless of position. In the absence of GPS
signals, the triangulation method can be used to locate a radio from non-cooperative or
even cooperative emitters.
Other approaches are time difference of arrival (TDoA), time of arrival (ToA),
angle of arrival (AoA) and received signal strength (RSS), explored in [Cognitive
Radio Technology by Bruce Fette, Ruiliang Chen et al.].
TDoA is a passive localization method that uses the difference between the
arrival times of pulses transmitted by a transmitter but does not depend on any knowledge
of the pulse transmission time. This method measures the time differences at multiple
receivers with known locations and then computes an estimate of the location.
In the AoA method, a receiver measures the angle of arrival from two or more
transmitters. If the locations of the transmitters are known, the receiver can compute
its own location using triangulation. Using the same theory, AoA information at
multiple receivers can be used to find out the location of a transmitter.
In the case of RSS, if the transmit power of a signal is precisely known, the
antenna radiation pattern gains are known accurately, and the receiver
is capable of measuring received signal strength accurately, then a propagation model
may be used to compute the distance between the transmitter and receiver as a function of
RSS. But propagation channels vary dynamically, thus this approach is
challenging. This location finding approach is analogous to the ToA approach. Using a
process of correlation based on a PU transmitter database, an RSS-based receiver
application can find out in which regulatory area it is located. For example, if a CR is
receiving particular TV channels and particular AM and FM stations all at the same
time, it may conclude its city location. If the locations of the transmitters are built into the
database along with levels of transmission, the RSS process might improve this
computation due to the fairly large number of measurements. The quality of RSS-based
location estimates is somewhat low. It is helpful to CRs for a few applications
but not for others. Among the above methods, TDoA and AoA can both be
used for transmitter localization and have comparatively high localization precision.
When applying them to the localization problem, particular care must be taken to consider
the circumstances where there are multiple transmitters or an attacker has a directional
antenna. The general disadvantage of both methods is the requirement of costly
hardware, which prevents large-scale operation. However, RSS-based methods are
more realistic for most consumer premise devices (CPE) in a CR network. One
transmission verification scheme is given in [Ruiliang Chen et al.] as a localization-based
approach. However, this approach is not enough to counter this threat for CR
networks, because an adversary equipped with a CR is capable of changing its
transmission parameters, as CRs are highly re-configurable due to their SDR-based
air interface [S. Hykins].
A localization-based approach is not the only method to defend against PUE
attacks. An alternative approach uses the intrinsic characteristics of RF signals to
distinguish and identify emitters. One such alternative method, radio
frequency fingerprinting, is explored in the following section.
6.4.2. RF Fingerprinting approach for identification of PU transmitter
In this thesis, the fingerprinting approach has been investigated. The received signal is
extremely location specific because of its dependence on the terrain and intervening
obstructions. So the multipath structure of the channel is unique to every location and
can be considered as a fingerprint or signature of the location if the same RF signal is
transmitted from a fixed location [Wireless communications, Andrea Goldsmith, O.
Leon et al.]. This property has been exploited in systems to develop a "signature
database" of a location grid in specific service areas. The received signal is measured
as an SU moves along the network and recorded in the signature database. When another SU
moves in the same area, the signal it receives is compared with the entry in the
database, and thus its location is determined. Such a scheme may also be useful for indoor
applications where the multipath structure in an area can be exploited. Based on this
principle, the detection of the legitimate PU by SUs in order to prevent adversary attacks
(denial of service (DoS)) can be established. Before analyzing the results, it is important
to highlight the analytical description of the multipath structure, which will be very useful
in the fingerprinting approach.
If a single primary pulse $s(t)$ is transmitted over a multipath channel, the SU
received signal will appear as a pulse train, with each pulse in the train corresponding
to the LOS component or a distinct multipath component associated with a distinct
scatterer or cluster of scatterers, as shown in Figure 6.1. An important characteristic of
a multipath channel is the time delay spread $T_m$ it causes to the received signal $r(t)$.
This delay spread equals the time delay between the arrivals of the first received
signal component (LOS or multipath) and the last received signal component
associated with a single transmitted pulse. If the delay spread is small compared to the
inverse of the signal bandwidth $B$ (i.e. $T_m \ll B^{-1}$), then there is little time spreading in
the received signal. However, when the delay spread is relatively large (i.e. $T_m \gg B^{-1}$),
there is significant time spreading of the received signal, which can lead to substantial
signal distortion.
Figure 6.1 A Single Reflector and A Reflector Cluster.
Another characteristic of the multipath channel is its time-varying nature. This
time variation arises because either the PU transmitter or the SU receiver is moving,
and therefore the location of reflectors in the transmission path, which give rise to
multipath, will change over time. Thus, if we repeatedly transmit pulses from a
moving transmitter, we will observe changes in the amplitudes, delays, and the number
of multipath components corresponding to each pulse. However, these changes occur
over a much larger time scale than the fading due to constructive and destructive
addition of multipath components associated with a fixed set of scatterers. This work
will also characterize the statistics of wideband multipath channels using two-dimensional
transforms based on the underlying time-varying impulse response.
Let the transmitted signal be [Wireless communications, Andrea Goldsmith]
$$s(t) = \Re\{x(t)\,e^{j2\pi f_c t}\} = \Re\{x(t)\}\cos(2\pi f_c t) - \Im\{x(t)\}\sin(2\pi f_c t) \qquad (6.1)$$
where $x(t)$ is the complex envelope of $s(t)$ with bandwidth $B$ and $f_c$ is its carrier
frequency. The corresponding received signal, which is the sum of the line-of-sight (LOS)
path and all resolvable multipath components, is given as [25]
$$r(t) = \sum_{n=0}^{N} a_n\, x(t-\tau_n)\, e^{j2\pi (f_c+f_n)(t-\tau_n)} \qquad (6.2)$$
where $N$, $a_n$, $\tau_n$ and $f_n$ are the total number of multipath components, attenuation (or path gain),
path delay and shift in frequency respectively, and (6.2) causes small scale time
variations.
For each path with No Line Of Sight (NOLOS), the received signal is given by
$$r_l(t) = \sum_{n=0}^{N} a_n\, x(t-\tau_n)\, e^{j2\pi (f_c+f_n)(t-\tau_n)} \qquad (6.3)$$
where , each time delay n n with is the average time delay, each Doppler frequency
shift is given as [25] $f_n = \frac{v}{\lambda}\cos(\theta_n)$, where $v$, $\lambda$, $\theta_n$ are the moving speed of
the SU, the wavelength of the carrier and the angle of arrival respectively. Using (6.2),
$$r(t) = \sum_{n=0}^{N} a_n\, x(t-\tau_n)\, e^{j2\pi f_n t}\, e^{-j2\pi (f_c+f_n)\tau_n}\, e^{j2\pi f_c t} \qquad (6.4)$$
$$\Re\{y(t)\,e^{j2\pi f_c t}\} = \underbrace{y_I(t)\cos(2\pi f_c t)}_{\text{In-phase component}} - \underbrace{y_Q(t)\sin(2\pi f_c t)}_{\text{Quadrature component}}$$
$$y(t) = y_I(t) + j\,y_Q(t) = \sum_{n=0}^{N} a_n\, x(t)\, e^{j2\pi f_n t}\, e^{-j2\pi (f_c+f_n)\tau_n}$$
gives $y(t) = c_l(t)\,x(t)$ with
$$c_l(t) = \sum_{n=0}^{N} a_n\, e^{j2\pi f_n t}\, e^{-j2\pi (f_c+f_n)\tau_n}$$
which is random and time varying. Therefore, the statistical model for the time-varying
coefficients is given as:
$$c_l(t) = \sum_{n=0}^{N} a_n\, e^{j2\pi \frac{v}{\lambda}\cos(\theta_n)\, t}\, e^{-j2\pi \left(f_c + \frac{v}{\lambda}\cos\theta_n\right)\tau_n} \qquad (6.5)$$
A Non Line of Sight (Rayleigh) fading channel is specified by the following
parameters: time delays $T = [\tau_1, \tau_2, \ldots, \tau_N]$ in seconds, power distribution
$P = [P_1, P_2, \ldots, P_N]$ and maximum Doppler $f_D$. This thesis chooses a Rayleigh fading
channel model to realize the fingerprinting approach for PU signal transmitter verification.
The analysis of results from the SIMULINK model is explored in the next section.
6.4.3. Simulation and results
Let the primary user signal use QAM digital modulation with modulation order M
= 16 and symbol rate $R_s$ = 10 kHz; the bit rate is then $R_b = \log_2(M) \times R_s$, computed as
$4 \times 10 \times 10^3 = 40$ kb/s. It is assumed that the transmitted power ($P_t$) of the PU signal is 5 watts
and the channel attenuation is A = 1/100, thus the received power becomes $P_r = A \times P_t$ = 0.05
watts. Notice that these PU signal parameters must be known by the adversary or other SUs.
Therefore, an adversary may transmit his or her own signal with the parameters of the PU
transmitted signal, as shown in Figures 6.2 through 6.3 by use of SIMULINK.
Figure 6.2. (a) Spectrum of PU signal. (b) Spectrum of Adversary
Figure 6.3. (a) Time Scatter plot of PU signal. (b) Time Scatter plot of Adversary signal.
From the figures shown above, both signals appear to be the same, as experimented with the
Bernoulli Binary Generator. However, these two signals are transmitted through the
wireless medium over separate channels. Let channel1 and channel2 be the channels of the
PU signal and the adversary signal respectively; then each channel has a unique
multipath structure, and the two must differ from each other. This thesis assumes a non line
of sight (Rayleigh) channel model for simplicity. For the PU transmit channel1, the
multipath power distribution vector is assumed as P1 = [0, -2, -3, -5] dB, the time delay
vector as T1 = [0, 15, 30, 70] nanoseconds and the Doppler frequency shift as Fd1 = 0.1 Hz.
Similarly, for the adversary transmit channel2, the multipath power distribution vector is
assumed as P2 = [0, -4, -7, -10] dB, the time delay vector as T2 = [0, 10, 20, 80] nanoseconds
and the Doppler frequency shift as Fd2 = 0.5 Hz. Figure 5.4 shows the similarity between the PU
signal and the adversary signal, but the actual variations in these parameters due to variation
in multipath structure are shown in Figures 6.5 through 6.6.
Figure 6.4. (a) Spectrum of PU signal through channel1. (b) Spectrum of Adversary signal through channel2.
Figure 6.5. (a) Scatter plot of PU signal through channel1. (b) Scatter plot of Adversary signal through channel2.
Figure 6.6. (a) Eye diagram of PU signal through channel1. (b) Eye diagram of Adversary signal through channel2.
From Figure 6.6, the fingerprint can be viewed, and it can be observed that the fingerprints of
channel1 and channel2 differ. The differences in frequency and power between the original PU
transmitted signal and the signal transmitted by the adversary have been
computed by use of SIMULINK and are shown in Figure 6.7. This model can be
integrated into the spectrum sensing system of a CR device, and possibly it can identify the
PU signal in order to avoid denial of service (DoS). The SIMULINK model is
shown in Figure 6.8.
Figure 6.7 Plot of differences in Power and frequency between PU signal and Adversary signal.
[Block diagram. Blocks shown for the PU and PUE branches: Bernoulli Binary Generator, Rectangular QAM Modulator Baseband (Rectangular 16-QAM), Multipath Rayleigh Fading Channel, Gain blocks, Complex Phase Difference, B-FFT Spectrum Scopes (PU, PUE, Fading PU, Fading PUE, Diff), Discrete-Time Scatter Plot Scopes and Discrete-Time Eye Diagram Scopes (PU, PUE, Fading PU, Fading PUE).]
Figure 6.8. Fingerprinting approach by SIMULINK model for PU signal and Adversary signal.
6.5. Summary
In section 6.4.2, the mathematical model was explored, and on the basis of this model
the concept of a fingerprinting approach for identification of the
primary user's signal transmission by legitimate SUs has been established. This is demonstrated
by use of the SIMULINK model explored above. If the fingerprint data of the PU transmitted
signal is stored in computer memory, it can be compared with the fingerprint of the signal
currently present in the environment, and thus the attacker can be avoided by no response, i.e. no
spectrum mobility takes place by the SU.
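The store-and-compare step described above, run on the Rayleigh channel parameters of section 6.4.3 (P1, T1 for the PU and P2, T2 for the adversary), as an added Python example that is not part of the thesis or its SIMULINK model. It assumes the fingerprint is the averaged power-delay profile, that channel snapshots are independent, and that path delays are resolved exactly; the tolerances, the `tv_tower` database key and all function names are hypothetical.

```python
import math
import random

# Channel parameters from section 6.4.3 (path powers in dB, delays in ns).
P1, T1 = [0, -2, -3, -5], [0, 15, 30, 70]     # channel1: genuine PU
P2, T2 = [0, -4, -7, -10], [0, 10, 20, 80]    # channel2: adversary

def sound_channel(powers_db, delays_ns, snapshots, rng):
    """Simulated channel sounding: average |tap|^2 over independent Rayleigh
    snapshots and return the fingerprint [(delay_ns, power_db), ...] with
    powers normalised to the first path."""
    mean_power = []
    for p_db in powers_db:
        sigma = math.sqrt(10 ** (p_db / 10) / 2)   # per-quadrature std dev
        acc = 0.0
        for _ in range(snapshots):
            i, q = rng.gauss(0, sigma), rng.gauss(0, sigma)
            acc += i * i + q * q                   # instantaneous tap power
        mean_power.append(acc / snapshots)
    ref = mean_power[0]
    return [(d, 10 * math.log10(p / ref)) for d, p in zip(delays_ns, mean_power)]

def mismatch(observed, stored):
    """Return (max delay error in ns, RMS power error in dB), or None when the
    number of resolvable paths differs."""
    if len(observed) != len(stored):
        return None
    delay_err = max(abs(o[0] - s[0]) for o, s in zip(observed, stored))
    sq = sum((o[1] - s[1]) ** 2 for o, s in zip(observed, stored))
    return delay_err, math.sqrt(sq / len(stored))

def is_primary(observed, stored, delay_tol_ns=3.0, power_tol_db=1.5):
    """Accept the emitter as the PU only if its fingerprint matches the stored
    one. Both tolerances are assumed values, not taken from the thesis."""
    m = mismatch(observed, stored)
    return m is not None and m[0] <= delay_tol_ns and m[1] <= power_tol_db

def demo(seed=7, snapshots=2000):
    """Enrol the PU, then classify a later PU sensing and an emulator."""
    rng = random.Random(seed)
    database = {"tv_tower": sound_channel(P1, T1, snapshots, rng)}  # enrolment
    later_pu = sound_channel(P1, T1, snapshots, rng)   # PU sensed again later
    emulator = sound_channel(P2, T2, snapshots, rng)   # same waveform, channel2
    return (is_primary(later_pu, database["tv_tower"]),
            is_primary(emulator, database["tv_tower"]))

if __name__ == "__main__":
    print(demo())
```

With the thesis parameters the emulator fails on both criteria: its path delays differ from the stored ones by up to 10 ns and its relative path powers by about 3.4 dB RMS, while repeated soundings of channel1 differ only by estimation noise.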