Mitigating Primary User Emulation Attacks via Time

Report
Mitigation of Primary User
Emulation Attack
using
Time of Emission Estimation
Natraj Jaganmohan (njaganm)
Sandeep A Rao (sarao)
CSC774 - NCSU
ADVANCED NETWORK SECURITY
1
Agenda of the presentation:








Background about Cognitive Radio Networks
Primary User Emulation Attack (PUEA)
Existing approaches to solve PUEA.
PUEA attack model with Directional antennas.
Attack mitigation using TOE estimation.
Simulation results.
Limitations of the approach.
Future directions of research.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
2
It all started here:
“All consumers . . . deserve a new spectrum policy
paradigm that is rooted in modern-day
technologies and markets.We are living in a
world where demand for spectrum is driven by
an explosion of wireless technology and the
ever-increasing popularity of wireless services.
Nevertheless, we are still living under a
spectrum 'management' regime that is 90
years old. It needs a hard look, and in my
opinion, a new direction.”
Michael K. Powell (Chairman FCC Spectrum
Policy Task Force)
CSC774 - NCSU
ADVANCED NETWORK SECURITY
3
Spectrum Scarcity:

Cognitive Networks help us solve the problem.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
4
Background: Cognitive Radio Networks.



CSC774
Wireless spectrum is very scarce leading to
spectrum crisis.
FCC recommends use of opportunistic or
cognitive networks to increase spectrum
utilization.
This technology would put unused and
under-used spectrum assets to work –
without impacting primary users within
those bands. It is a bold, yet workable
solution.
ADVANCED NETWORK SECURITY
5
Background: Cognitive Radio Networks.

“A Cognitive Radio is a radio frequency
transmitter/receiver that is designed to
intelligently detect whether a particular
segment of the radio spectrum is currently in
use, and to jump into (and out of, as
necessary) the temporarily-unused spectrum
very rapidly, without interfering with the
transmissions of other authorized users.”

http://www.ieeeusa.org/forum/POSITIONS/cognitiveradi
o.html
CSC774 - NCSU
ADVANCED NETWORK SECURITY
6
Cognitive Radio networks operation:
PU-Tx
PU-RX
PU-RX
SU
SU
PU-RX
CSC774 - NCSU
ADVANCED NETWORK SECURITY
7
What makes Cognitive Networks possible?
Key enablers of CRNs:
Radio manufacturers have started to create
flexible software-defined radios.
 Research funding and support for spectrum reuse.
 Support for Dynamic Channel selection, channel
scanning and adjustable transmission power.

CSC774 - NCSU
ADVANCED NETWORK SECURITY
8
Some terminologies used in this presentation:







CRN: Cognitive Radio Network
PU: Primary User (licensed user)
SU: Secondary user (CRN node)
PUEA: Primary User Emulation Attack
FC: Fusion Center
TOE: Time of Emission
TOA: Time of Arrival.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
9
Most important attacks on CRNs

Spectrum data falsification attacks: In this
case, one or more SUs are compromised
and hence report wrong sensing values to
FC. This makes the FC make incorrect
decision about the presence of PU.

The most preferred way to mitigate the
attack is to collect sensing values from a
group of SUs and remove the outlier
values.
CSC774
ADVANCED NETWORK SECURITY
10
Primary User Emulation Attack:
Primary Transmitter
PU1
PU2
SU2
SU1
PU3
CSC774 - NCSU
ADVANCED NETWORK SECURITY
11
Primary User Emulation Attack:
Primary Transmitter
PU1
PU2
Attacker
SU2
SU1
PU3
CSC774 - NCSU
SUs cannot access channel
as they think PU is
transmitting
ADVANCED NETWORK SECURITY
12
Why are we facing this attack :

Secondary users cannot authenticate the
PU transmission.

FCC states that PU cannot be modified to
support security. Hence regular
authentication schemes don’t work.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
13
General approaches to defeat this attack:
Solution 1

RSSI based PU localization:
(x,y)
Decision is
made based on
all received
sensing reports
FC
RSSI values are
measured at all SUs
and calculate the
location of PU.
Ideal case of a PU transmitting, all RSSI values will be correct w.r.t distance
CSC774 - NCSU
ADVANCED NETWORK SECURITY
14
Solution 1 proposed by:

Zhou Yuan et al, suggested the use of
localization schemes to estimate and
authenticate the location of PU.

Scheme based on Received signal power.
Pr = Pt + a 10 log (do/d) + w


It can be defeated by attacker by using
Antenna arrays with different power levels.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
15
General approaches to defeat this
attack: Solution 2

Dr. Peng Ning et al proposed integrating
cryptographic signatures and wireless link
signatures to enable primary user
detection. Essential to the approach is a
helper node placed physically close to a
primary user.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
16
General approaches to defeat this
attack: Solution 2

Working with helper nodes.
Helper Node
(x,y)
Helper node
transmits signals
identical to PU
SUs can try to verify the PU
authenticity by verifying the
Wireless Link signature of Helper
node
CSC774 - NCSU
ADVANCED NETWORK SECURITY
17
General approaches to defeat this
attack: Solution 2

This technique is very effective in terms
of authenticating primary user. We
exploit the proximity of Helper node with
PU.

Problem is the authentication of wireless
link signature of the helper node. Also if
attackers are placed near helper nodes,
then it causes problems.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
18
General approaches to defeat this
attack: Solution 3

IRIS model proposed by Alexander et al,
has a secure attack detection by verifying
the consistency of system state (Transmit
power and path loss).

This technique is very effective and it
defeats both Data Falsification attacks and
PUEA. But, it fails in the case of attacker
with antenna arrays and directional
antenna.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
19
Attack model: Assumptions :
All nodes are loosely time synchronized.
 Location of PU is fixed and known to all
SUs.
 Fusion Center is used to make decision
about presence of PU.
 All SUs are connected to FC using a
secure link.
 There is a LOS path between every SU
and PU.

CSC774 - NCSU
ADVANCED NETWORK SECURITY
20
Attack model : Motivation

This attack model fails all the localization
based solutions for PUEA which have
been proposed previously.

Attacker uses a multi antenna array or
MIMO technology with directional
antennas to send PU-TX like signals to
different SUs with various power levels
faking the presence of PU.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
21
Attack model: Representation

The power levels at different nodes are expected with respect to
the distance from the PU-TX.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
22
Attack model:

Antenna array – multiple antenna
transmitter
CSC774 - NCSU
ADVANCED NETWORK SECURITY
23
Attack model:
This attack is possible because:
 1. Antenna arrays are low cost and easy to
setup
 2. Attacker can manipulate the power
levels in each directional beam from every
antenna element to make sure every SU
calculates the RSSI equal to the RSSI
when PU transmits.

CSC774 - NCSU
ADVANCED NETWORK SECURITY
24
Attack model: Validation

We have simulated the attack model to
verify whether such an attack is really
possible.

Modeler: Opnet Network modeler 16
CSC774 - NCSU
ADVANCED NETWORK SECURITY
25
Attack model: Directional Antenna
pattern formation in Opnet
CSC774 - NCSU
ADVANCED NETWORK SECURITY
26
Attack model: Directional Antenna
pattern formation in Opnet
CSC774 - NCSU
ADVANCED NETWORK SECURITY
27
Attack model: Directional Antenna pattern formation in Opnet
CSC774 - NCSU
ADVANCED NETWORK SECURITY
28
Attack model: A sample scenario
proving the possibility of attack
CSC774 - NCSU
ADVANCED NETWORK SECURITY
29
Attack model: Throughput graphs.
PU-TX
(antenna 1)
SU-1
SU-2
CSC774 - NCSU
ADVANCED NETWORK SECURITY
30
Attack model: Multiple antenna
array simulation.
Ref: http://fens.sabanciuniv.edu/telecom/eng/comnet/cisco/smart.htm
CSC774 - NCSU
ADVANCED NETWORK SECURITY
31
Attack model: Validation

Hence if the attacker can configure each
antenna element with the appropriate
power levels to produce required RSSI
values at each SU, then attack is achieved.

Regular localization based methods
cannot defeat this attack. This forms the
motivation for our solution.
CSC774 - NCSU
CSC774
ADVANCED
NETWORK
SECURITY
DVANCED
NETWORK
SECURITY
32
Time of Emission Estimation Based
Approach : Our solution to PUEA
CSC774 - NCSU
ADVANCED NETWORK SECURITY
33
Model
SU
PU
SU
Fusion
Center
SU
PUE
SU
CSC774 - NCSU
ADVANCED NETWORK SECURITY
34
Assumptions

Secondary Users and Fusion Center
◦ are loosely Synchronized
◦ have secure communication

Fusion Center
◦ cannot be compromised
◦ knows locations of all users (secondary as
well as primary)
◦ has good computational power and storage
CSC774 - NCSU
ADVANCED NETWORK SECURITY
35
Attacker Capabilities

Can use antenna array
◦ But transmitting with a beam formation at
different locations at different times is
restricted.

Multiple Attackers can coordinate
◦ They can be synchronized among themselves
Attacker knows location of all nodes
 SU may be compromised

CSC774 - NCSU
ADVANCED NETWORK SECURITY
36
Proposed Approach
Sensors measure Time of Arrival
 Fusion Center estimates Time of Emission
 Robust against,

◦ Multiple, coordinated attackers
◦ Multiple compromised secondary users
◦ Node with Antenna Array!
CSC774 - NCSU
ADVANCED NETWORK SECURITY
37
Design
Estimate TOA!
TOA
SU
PU
TOA
SU
Estimate TOA!
PUEA result
Fusion
Center
PUEA result
Estimate TOE!
TOE estimated for every sensor must be
almost same in an ideal scenario
In the presence of an attack there
will be deviations in some TOE
estimations
CSC774 - NCSU
ADVANCED NETWORK SECURITY
38
Intuition
Time
CSC774 - NCSU
ADVANCED NETWORK SECURITY
39
Procedure
FC
TOA
TOA
TOA
TOA
TOA
FOR EACH NODE MEASURE TOE!
TOEi = TOAi – Dist/c + ξ
COMPUTE MEAN 
CSC774 - NCSU
TOEmean
ADVANCED NETWORK SECURITY
40
Procedure
FOR EACH NODE, MEASURE DEVIATION!
δi = TOEAVG ~ TOEi
If δi > μ Increment C
μ -> Maximum allowable deviation!
C -> number of deviated values
If C > k then PUEA!
k -> Maximum no. of allowable deviated
reports
CSC774 - NCSU
ADVANCED NETWORK SECURITY
41
Parameters!

Determining μ
◦ The maximum deviation in the measurement
by a node under a non-attack scenario!

Determining k
◦ Too small? Increase in false negative!
◦ Too large? Increase in false alarm!
◦ Tradeoff needed!
CSC774 - NCSU
ADVANCED NETWORK SECURITY
42
Simulation Results
CSC774 - NCSU
ADVANCED NETWORK SECURITY
43
Limitation

If an attacker is capable of compromising
almost every node!
◦ Attacker too powerful!
◦ Note: We have a threshold which is used to
tolerate certain number of configured node
compromises. But, if almost all nodes in
network are compromised, then the network
is not useful.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
44
Future work

FCC may relax rule “no modification to
the incumbent (primary) system should
be required to accommodate
opportunistic use of the spectrum by
secondary users”
◦ Already relaxed for wireless microphones

Removing Fusion Center
◦ May decrease latency and increase
performance of system.
CSC774 - NCSU
ADVANCED NETWORK SECURITY
45
Summary
An Attack Model against the approaches
using RSSI is proposed and simulated
 A Novel approach to mitigate PUEA is
proposed using Time of Emission
Estimation and simulated
 Approach is compared with a similar RSSI
based approach

CSC774 - NCSU
ADVANCED NETWORK SECURITY
46
Thank you!
CSC774 - NCSU
ADVANCED NETWORK SECURITY
47

similar documents