Securing Cognitive Radio Networks with Dynamic Trust against Spectrum Sensing Data Falsification

Yalin E. Sagduyu
Intelligent Automation Inc., Rockville, MD 20855, USA

Abstract—The paper addresses the problem of spectrum sensing data falsification (SSDF) attacks in cooperative sensing and develops a dynamic trust management scheme to reliably detect and mitigate such attacks in cognitive radio networks. Secondary users (SUs) sense the spectrum to identify and dynamically access the available primary user (PU) channel. To improve sensing reliability, SUs send their sensing reports (subject to sensing error of individual spectrum sensor, e.g., energy detector) to a fusion center, where sensing reports are combined to identify the channel state (idle or busy). Three types of SUs are considered: (i) normal users reporting their sensing results honestly, (ii) attackers reporting their sensing results inaccurately in form of random on-off attacks, (iii) irrelevant users observing independent spectrum events. The consistency of sensing results is checked at the fusion center with channel outcome of scheduled transmissions (obtained under possible feedback errors) and the probabilistic trust of each user is updated with Bayes rule. Then, the optimal decision rule for cooperative sensing is determined dynamically with new trust assignments. Performance is evaluated separately under Gaussian signal assumption and with wireless transmission data collected with actual radios. Results show that dynamic trust management reliably detects user types and eliminates effects of SSDF attacks. Both the sensing error probability and the throughput are significantly improved compared to the case when all users are by default trusted to be normal users. This performance gain is maintained as the number of attackers or irrelevant users increases in the cognitive radio network.

Keywords—cooperative sensing; spectrum sensing; trust; reputation; spectrum sensing data falsification attack; security; cognitive radio network; software-defined radio.

I. INTRODUCTION

Spectrum resources are scarce across space, time and frequency dimensions and their efficient utilization is necessary to meet growing demands of network traffic [1]. However, the current state of spectrum utilization is rather static with fixed spectrum allocation to primary users (PUs) and this leaves behind unused spectrum holes that should be reliably discovered by secondary users (SUs) for opportunistic spectrum access. SUs discover spectrum holes in terms of idle channels via spectrum sensing. For instance, energy detector is a simple but effective spectrum sensing method [2], where a channel is detected as idle or busy by comparing the accumulated energy of received signal to a predetermined threshold.

This material is based upon work supported by the Air Force Office of Scientific Research (AFOSR) under STTR Contract FA9550-12-C-0037. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the AFOSR.

Individual spectrum sensing performed by single SU using only its own measurements may suffer from poor sensing sensitivity and high sensing error [3] due to (i) device-level energy constraints, (ii) potential signal degradation (due to fading or mobility), and (iii) hidden terminal problem, where the spectrum is detected at the PU’s transmitter rather than at its receiver, as needed. To overcome these limitations, cooperative (or collaborative) sensing [4], [5] can be applied by combining measurements of multiple sensors into one common decision, either by soft combining of channel measurements or by hard combining of binary channel sensing results. Soft combining requires all sensing data to be transmitted to a fusion center thereby increasing network overhead and traffic congestion. Instead, hard combining is assumed in this paper with an arbitrary spectrum sensor (used at each SU individually) from which the false alarm and misdetection probabilities are used to make the cooperative sensing decision at the fusion center (energy detector is specifically used for performance evaluation). Cooperative sensing improves sensitivity and robustness of spectrum sensing with respect to channel impairments and hidden terminal problem [3], but raises an important security issue by making the cognitive radio network vulnerable to spectrum sensing data falsification (SSDF) attacks [7], [8]. Some malicious users (attackers) may flip their sensing results before they report them to the fusion center with the objective of either blocking transmission initiatives (by making idle channels appear busy to other users) or causing transmission failures (by making busy channels appear idle to other users). In addition, some irrelevant users may sense a different channel (i.e., a different PU’s channel state) and report independent spectrum sensing results. The effect is different from the SSDF attacks but they jointly reduce reliability of spectrum sensing. 
To mitigate these attack and reliability issues in cooperative sensing, both malicious and irrelevant users should be reliably identified and their negative effects along with random sensing errors should be carefully removed from cooperative spectrum sensing decisions. Cognitive radio networks raise different security issues [6] such as SSDF, PU emulation, and DoS attacks. As defense to a variety of attacks, user types can be tracked by assigning a trust (or reputation) to each user, monitoring user activities and updating their trusts via consistency check with some type of feedback (e.g., RF signature or protocol behavior) [9]–[14]. This paper considers SSDF attacks and follows a dynamic trust management approach under three types of users (normal, malicious, irrelevant) subject to random sensing errors. The optimal rule for hard combining in cooperative sensing is derived under Bayesian updates of probabilistic trust assignments. By comparing the transmission outcome (which may be erroneous due to channel impairments) and the last reported spectrum sensing results, the fusion center assigns trusts to all users and combines spectrum sensing reports accordingly. The analytical framework is evaluated first under Gaussian signal assumptions and then with wireless transmission data, where a software-defined radio (USRP N210) attempts to detect over-the-air transmissions between two radios (RouterStation Pros). The main contributions of the paper are listed as follows:

1) A dynamic trust management scheme is designed to protect cognitive radio networks against SSDF attacks in cooperative spectrum sensing.
2) The model accommodates an arbitrary number of sensing users with three possible types: normal SUs, malicious attackers, and irrelevant users.
3) The model supports random on-off attacks, random availability of feedback, and random feedback errors.
4) A vector of trust values is maintained for all users of three types and dynamically updated (with Bayesian update rule) while making spectrum sensing decisions.
5) Spectrum sensing results from individual users are optimally fused by integrating trust updates to detect channel status and make cooperative sensing decisions.
6) Significant performance gains are reported and validated under Gaussian signal assumptions and with wireless experiment data collected with actual radios.

The rest of this paper is organized as follows. Section II introduces the spectrum sensing model. Cooperative spectrum sensing with dynamic trust management is developed in Section III. This is followed by the introduction of trust update mechanism in Section IV. Performance evaluation is presented in Section V. Section VI summarizes the contributions.

II. SPECTRUM SENSING SYSTEM MODEL

Consider $n$ SUs ($n$ is an arbitrary positive number), each individually sensing whether the spectrum is idle (hypothesis $H(t) = H_0$) or busy (hypothesis $H(t) = H_1$) at any time $t$ (time is synchronized and slotted). Suppose the actual spectrum is busy if a PU is transmitting on this assigned channel and idle otherwise. At any time $t$, each user reports its individual sensing result, $d_i(t)$, to a fusion center, e.g., SU base station, where $d_i(t) = 0$ if user $i$ reports the spectrum to be idle and $d_i(t) = 1$ if user $i$ reports the spectrum to be busy. This fusion center combines these decisions and makes the cooperative sensing decision $\hat{H}(t)$ on whether the spectrum is idle ($\hat{H}(t) = H_0$) or not ($\hat{H}(t) = H_1$). Depending on the sensed spectrum, a transmission is coordinated from users and one throughput unit is credited depending on whether the transmission is successful (which consequently depends on whether the actual spectrum is idle or not, as well as on random channel effects). There are three possible types of users (type of each user is unknown to the fusion center):

1) Normal SUs: They report their sensing results honestly without any modification.
2) Attackers: They flip their sensing results with some probability ($p_{a,i}$ by user $i$) with the purpose of random on-off SSDF attack.
3) Irrelevant users: They sense independently another irrelevant spectrum (e.g., because they are in the vicinity of another PU that is of no interest to a particular SU base station) and report it to the fusion center.

Suppose there are $n_N$ normal SUs, $n_A$ attackers and $n_I = n - n_N - n_A$ irrelevant users. Let $R_i$ denote the type of user $i$, where $R_i = 1$ if the user is a normal SU, $R_i = 2$ if the user is an attacker, or $R_i = 3$ if the user is an irrelevant one. Each user makes random errors in its sensing result. Let $p_{F,i}$ and $p_{M,i}$ denote the false alarm probability (the probability of sensing the spectrum to be busy while it is idle) and the misdetection probability (the probability of sensing the spectrum to be idle while it is busy) of any user $i$. For instance, energy detector can be assumed for spectrum sensing to determine the false alarm and misdetection probabilities. Suppose the actual spectrum is idle with probability $p_0$. Then, fusion center can optimally decide on the spectrum (where the optimality is with respect to minimizing the average sensing error) by running the following hypothesis testing according to the maximum a posteriori (MAP) estimation rule:

$$p_0\, P(\{d_i(t)\}_{i=1}^n \mid H(t) = H_0) \;\underset{\hat{H}(t) = H_1}{\overset{\hat{H}(t) = H_0}{\gtrless}}\; (1 - p_0)\, P(\{d_i(t)\}_{i=1}^n \mid H(t) = H_1). \tag{1}$$

Conditioned on true hypothesis, sensing reports are independent (with independent sensing errors) and expressed as:

$$P(\{d_i(t)\}_{i=1}^n \mid H(t) = H_0) = \prod_{i=1}^{n} a_{0,i}(t), \tag{2}$$

$$P(\{d_i(t)\}_{i=1}^n \mid H(t) = H_1) = \prod_{i=1}^{n} a_{1,i}(t), \tag{3}$$

where $a_{0,i}(t) = P(\{d_i(t)\} \mid H(t) = H_0)$ and $a_{1,i}(t) = P(\{d_i(t)\} \mid H(t) = H_1)$ are the distributions of sensing results of user $i$ under hypothesis $H_0$ and $H_1$, respectively. First, consider the ideal case when all users are trusted (i.e., $T_i(t) = 1$). Then, $a_{0,i}(t)$ and $a_{1,i}(t)$ are determined as:

$$a_{0,i}(t) = \begin{cases} 1 - p_{F,i}, & \text{if } d_i(t) = 0, \\ p_{F,i}, & \text{if } d_i(t) = 1, \end{cases} \tag{4}$$

$$a_{1,i}(t) = \begin{cases} p_{M,i}, & \text{if } d_i(t) = 0, \\ 1 - p_{M,i}, & \text{if } d_i(t) = 1. \end{cases} \tag{5}$$

For the symmetric case, when $p_{F,i} = p_F$ and $p_{M,i} = p_M$ for all $i$, spectrum sensing is reduced to a simple threshold rule. Let $n_0(t) = \sum_{i=1}^{n} (1 - d_i(t))$ denote the number of users with sensing result that the spectrum is idle. Then, the optimal detection rule for this symmetric case with trusted users follows from comparing $n_0(t)$ with a threshold $\eta$:

$$n_0(t) \;\underset{\hat{H}(t) = H_1}{\overset{\hat{H}(t) = H_0}{\gtrless}}\; \eta, \tag{6}$$

where the optimal threshold $\eta$ can be computed as

$$\eta = \frac{n(\log(1 - p_M) - \log(p_F)) + \log(1 - p_0) - \log(p_0)}{\log(1 - p_F) + \log(1 - p_M) - \log(p_M) - \log(p_F)}. \tag{7}$$

Such a threshold rule does not apply to the general case when false alarm or misdetection probabilities are not symmetric or more importantly when not all users are trusted normal users. For this general case, dynamic trust management is introduced in the next section to obtain the optimal decision rule by tracking what type each user is likely to be.

III. COOPERATIVE SPECTRUM SENSING WITH DYNAMIC TRUST MANAGEMENT

Trust $T_i(t) = \langle N_i(t), A_i(t) \rangle$ for each user $i$ at time $t$ consists of a tuple of two probabilities: $N_i(t)$, the probability that user $i$ is believed to be a normal SU (i.e., $R_i = 1$), and $A_i(t)$, the probability that user $i$ is believed to be an attacker (i.e., $R_i = 2$). Then, user $i$ is believed to be an irrelevant user (i.e., $R_i = 3$) with probability $1 - N_i(t) - A_i(t)$. Suppose that the irrelevant spectrum (tracked by irrelevant users) is reported as idle with probability $\bar{p}_0$ at any time $t$. In expressions (2) and (3), the values of $a_{0,i}(t)$ and $a_{1,i}(t)$ depend on $d_i(t)$ and these values are determined as a function of trust $T_i(t) = \langle N_i(t), A_i(t) \rangle$ as follows:

$$a_{0,i}(t) = \begin{cases} N_i(t)(1 - p_{F,i}) + A_i(t)\big(p_{F,i}\, p_{a,i} + (1 - p_{F,i})(1 - p_{a,i})\big) + (1 - N_i(t) - A_i(t))\,\bar{p}_0, & \text{if } d_i(t) = 0, \\ N_i(t)\, p_{F,i} + A_i(t)\big((1 - p_{F,i})\, p_{a,i} + p_{F,i}(1 - p_{a,i})\big) + (1 - N_i(t) - A_i(t))(1 - \bar{p}_0), & \text{if } d_i(t) = 1, \end{cases} \tag{8}$$

$$a_{1,i}(t) = \begin{cases} N_i(t)\, p_{M,i} + A_i(t)\big((1 - p_{M,i})\, p_{a,i} + p_{M,i}(1 - p_{a,i})\big) + (1 - N_i(t) - A_i(t))\,\bar{p}_0, & \text{if } d_i(t) = 0, \\ N_i(t)(1 - p_{M,i}) + A_i(t)\big(p_{M,i}\, p_{a,i} + (1 - p_{M,i})(1 - p_{a,i})\big) + (1 - N_i(t) - A_i(t))(1 - \bar{p}_0), & \text{if } d_i(t) = 1. \end{cases} \tag{9}$$

After computing $a_{0,i}(t)$ and $a_{1,i}(t)$ for each user $i$, fusion center can decide on the spectrum ($\hat{H}(t) = H_0$ or $\hat{H}(t) = H_1$) by the hypothesis testing rule (1). If the spectrum is detected as idle, a transmission is scheduled. Instead of making a hard decision, fusion center can also make a soft decision by computing the probability that the spectrum is idle, namely

$$P(\hat{H}(t) = H_0) = \frac{p_0 \prod_{i=1}^{n} a_{0,i}(t)}{p_0 \prod_{i=1}^{n} a_{0,i}(t) + (1 - p_0) \prod_{i=1}^{n} a_{1,i}(t)}.$$

In this case, fusion center schedules a transmission randomly with probability $P(\hat{H}(t) = H_0)$. The prior distribution $p_0$ in (1) may not be known a priori but can be learned over time ˆ ˆ H(t) as a moving average Pˆ0 (t + 1) = P0 (t)+ of time instants t+1 that are detected to exhibit idle spectrum.

IV. DYNAMIC TRUST UPDATE MECHANISM

Trust $T_i(t) = \langle N_i(t), A_i(t) \rangle$ of each user $i$ is updated by checking the consistency of the individual sensing report $d_i(t)$ with the feedback from the channel $g(t)$, namely the transmission outcome at time $t$ provided that fusion center decides that spectrum is idle and a transmission is scheduled. If the actual spectrum is idle, the transmission may still fail with probability $p_{e,0}$ (e.g., due to channel fading and noise); otherwise it is successful. If the actual spectrum is busy, this transmission may still succeed with probability $p_{e,1}$ (e.g., due to multi-packet capture capability of the SU receiver). Here, $p_{e,0}$ and $p_{e,1}$ correspond to the probabilities of feedback errors under each of the hypotheses $H_0$ and $H_1$, respectively. The feedback $g(t)$ is not available unless there is a transmission. Even after a scheduled transmission, $g(t)$ may be available with some probability $p_f$ due to possible failures in feedback transmission. If the feedback is not available, then the trust is not updated. Otherwise, the Bayesian rule is used to update trust $T_i(t)$ of each user $i$ by comparing $g(t)$ with $d_i(t)$. Intuitively, if $d_i(t)$ is consistent with $g(t)$, $N_i(t)$ is increased. Else if $d_i(t)$ is contradictory to $g(t)$, $A_i(t)$ is increased. Else both $N_i(t)$ and $A_i(t)$ are decreased.

Denote $\phi_{i,t} = (g(t), d_i(t))$, $\phi_i^t = \{\phi_{i,\tau}\}_{\tau=0}^{t}$, and $\phi^t = \{\phi_i^t\}_{i=1}^{n}$. Then, the formal definition of trust is $N_i(t) = P(R_i = 1 \mid \phi^t)$ and $A_i(t) = P(R_i = 2 \mid \phi^t)$. Suppose channel states are memoryless. Then, $\phi_{i,t}$ and $\phi^{t-1}$ are conditionally independent given $R_i$. The Bayesian trust updates are given by

$$N_i(t+1) = N_i(t)\, \frac{P(\phi_{i,t} \mid R_i = 1)}{P(\phi_{i,t})}, \tag{10}$$

$$A_i(t+1) = A_i(t)\, \frac{P(\phi_{i,t} \mid R_i = 2)}{P(\phi_{i,t})}, \tag{11}$$

where $P(\phi_{i,t}) = N_i(t) P(\phi_{i,t} \mid R_i = 1) + A_i(t) P(\phi_{i,t} \mid R_i = 2) + (1 - N_i(t) - A_i(t)) P(\phi_{i,t} \mid R_i = 3)$. The next step is to determine $P(\phi_{i,t} \mid R_i)$ by conditioning on whether $g(t)$ is erroneous (with probability $p_{e,0}$ under hypothesis $H_0$ or $p_{e,1}$ under hypothesis $H_1$) or not.

If $g(t) = 0$ and $d_i(t) = 0$, trust $T_i(t)$ of user $i$ from (10)-(11) is updated with

$$\begin{aligned} P(\phi_{i,t} \mid R_i = 1) &= (1 - p_{e,0})\, p_0 (1 - p_{F,i}) + p_{e,1} (1 - p_0)\, p_{M,i}, \\ P(\phi_{i,t} \mid R_i = 2) &= (1 - p_{e,0})\, p_0 \big(p_{a,i}\, p_{F,i} + (1 - p_{a,i})(1 - p_{F,i})\big) + p_{e,1} (1 - p_0) \big(p_{a,i}(1 - p_{M,i}) + (1 - p_{a,i})\, p_{M,i}\big), \\ P(\phi_{i,t} \mid R_i = 3) &= \bar{p}_0. \end{aligned}$$

If $g(t) = 0$ and $d_i(t) = 1$, trust $T_i(t)$ of user $i$ from (10)-(11) is updated with

$$\begin{aligned} P(\phi_{i,t} \mid R_i = 1) &= (1 - p_{e,0})\, p_0\, p_{F,i} + p_{e,1} (1 - p_0)(1 - p_{M,i}), \\ P(\phi_{i,t} \mid R_i = 2) &= (1 - p_{e,0})\, p_0 \big(p_{a,i}(1 - p_{F,i}) + (1 - p_{a,i})\, p_{F,i}\big) + p_{e,1} (1 - p_0) \big(p_{a,i}\, p_{M,i} + (1 - p_{a,i})(1 - p_{M,i})\big), \\ P(\phi_{i,t} \mid R_i = 3) &= 1 - \bar{p}_0. \end{aligned}$$

If $g(t) = 1$ and $d_i(t) = 0$, trust $T_i(t)$ of user $i$ from (10)-(11) is updated with

$$\begin{aligned} P(\phi_{i,t} \mid R_i = 1) &= (1 - p_{e,0})(1 - p_0)\, p_{M,i} + p_{e,1}\, p_0 (1 - p_{F,i}), \\ P(\phi_{i,t} \mid R_i = 2) &= (1 - p_{e,0})(1 - p_0) \big(p_{a,i}(1 - p_{M,i}) + (1 - p_{a,i})\, p_{M,i}\big) + p_{e,1}\, p_0 \big(p_{a,i}\, p_{F,i} + (1 - p_{a,i})(1 - p_{F,i})\big), \\ P(\phi_{i,t} \mid R_i = 3) &= \bar{p}_0. \end{aligned}$$

If $g(t) = 1$ and $d_i(t) = 1$, trust $T_i(t)$ of user $i$ from (10)-(11) is updated with

$$\begin{aligned} P(\phi_{i,t} \mid R_i = 1) &= (1 - p_{e,0})(1 - p_0)(1 - p_{M,i}) + p_{e,1}\, p_0\, p_{F,i}, \\ P(\phi_{i,t} \mid R_i = 2) &= (1 - p_{e,0})(1 - p_0) \big(p_{a,i}\, p_{M,i} + (1 - p_{a,i})(1 - p_{M,i})\big) + p_{e,1}\, p_0 \big(p_{a,i}(1 - p_{F,i}) + (1 - p_{a,i})\, p_{F,i}\big), \\ P(\phi_{i,t} \mid R_i = 3) &= 1 - \bar{p}_0. \end{aligned}$$

Applying $P(\phi_{i,t} \mid R_i)$, trust $T_i(t) = \langle N_i(t), A_i(t) \rangle$ of each user $i$ is updated in (10)-(11), and further used in (8)-(9) to determine the hypothesis testing rule (1) as the optimal decision rule under Bayesian trust updates.

Fig. 1. Trust updates, $N_i(t)$, over time $t$ (thicker plots for normal users). Vertical axis: probability of normal user belief, $N_i(t)$; horizontal axis: time, $t$. Normal users 4, 8, 9, 10; other users 1, 2, 3, 5, 6, 7.

Fig. 2. Trust updates, $A_i(t)$, over time $t$ (thicker plots for attackers). Vertical axis: probability of attacker belief, $A_i(t)$; horizontal axis: time, $t$. Attackers 1, 3, 6; other users 2, 4, 5, 7, 8, 9, 10.

V. PERFORMANCE EVALUATION

Dynamic trust management in cooperative sensing is evaluated first with simulations and then with wireless transmission data collected with actual radios. Suppose channel status $H_t$ is i.i.d. with Bernoulli distribution (with parameter $p_0$) at any time $t$. Each user performs spectrum sensing individually with an energy detector. The fixed system parameters are $n = 10$, $p_0 = 0.5$, $\bar{p}_0 = 0.5$, $p_{e,1} = 0.1$, $p_{e,2} = 0.1$ and $p_f = 0.9$.

A. Performance Evaluation via Simulations

In simulations, let $Y_k$ denote the received signal power of the $k$th sensing sample. Under $H_0$, the observations $\{Y_k\}_{k=1}^{n_s}$ are i.i.d. $\sim N(0, P_i + \sigma_i^2)$ and under $H_1$, the observations $\{Y_k\}_{k=1}^{n_s}$ are i.i.d. $\sim N(0, \sigma_i^2)$, where $P_i$ denotes the average signal power received at user $i$ and $\sigma_i^2$ is the noise variance. Applying energy detector, each user computes the average energy over $n_s$ energy samples and compares it to a threshold $\eta_{E,i}$. If $\frac{1}{n_s} \sum_{k=1}^{n_s} Y_k^2 \le \eta_{E,i}$, then the spectrum is sensed as idle; otherwise the spectrum is sensed as busy. Under these Gaussian signal assumptions, it is well known that [15]:

$$p_{F,i} = \frac{\Gamma\!\left(\frac{n_s}{2}, \frac{n_s \eta_{E,i}}{2\sigma_i^2}\right)}{\Gamma(n_s/2)}, \tag{12}$$

$$p_{M,i} = \frac{\gamma\!\left(\frac{n_s}{2}, \frac{n_s \eta_{E,i}}{2(P_i + \sigma_i^2)}\right)}{\Gamma(n_s/2)}, \tag{13}$$

where $\gamma(n_s, x) = \int_0^x t^{n_s - 1} e^{-t}\, dt$ and $\Gamma(n_s, x) = \int_x^\infty t^{n_s - 1} e^{-t}\, dt$ are the lower and upper incomplete gamma functions, respectively, and $\Gamma(k) = \int_0^\infty x^{k-1} e^{-x}\, dx$ is the gamma function. Given the signal-to-noise-ratio (SNR) $\gamma_i = P_i / \sigma_i^2$, the detection threshold $\eta_{E,i}$ can be chosen for a target $p_{F,i}$ or $p_{M,i}$ to protect PU, and then $p_{M,i}$ or $p_{F,i}$ is automatically determined. Consider $\gamma_i = 0$ dB (where $P_i = 1$ and $\sigma_i^2 = 1$) and $n_s = 10$. Then, $\eta_{E,i}$ is chosen as 1.296 such that $p_{F,i} = p_{M,i}$ (and equal to 0.226). Assume $n = 10$ users in total and vary the number of normal users, attackers, and irrelevant users.
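The fusion rule (1) with the trust-weighted report distributions (8)-(9) and the Bayesian trust update (10)-(11), run on a constructed ten-user scenario; this is an added example, not code from the paper. Function names are hypothetical, $p_a = 0.9$ and the reading of $g(t) = 0$ as a successful transmission are assumptions, and the irrelevant-user likelihood is taken as $P(g(t))$ times the report probability so that all three likelihoods are joint probabilities of $(g(t), d_i(t))$.

```python
import random

# Parameter values follow the page's evaluation section; PA = 0.9 is an assumed choice.
P0, PBAR0 = 0.5, 0.5   # idle probability of the tracked / of the irrelevant spectrum
PF = PM = 0.226        # false alarm and misdetection probability of every sensor
PA = 0.9               # probability that an attacker flips its sensing result
PE0 = PE1 = 0.1        # feedback error probabilities under H0 and H1
PFB = 0.9              # probability that feedback is available after a transmission
NORMAL, ATTACKER, IRRELEVANT = 1, 2, 3   # user types R_i


def p_report(d, h, r):
    """P(d_i = d | H = h, R_i = r), with 0 = idle and 1 = busy for both d and h."""
    if r == IRRELEVANT:                      # independent of the tracked channel
        return PBAR0 if d == 0 else 1 - PBAR0
    if h == 0:
        honest = 1 - PF if d == 0 else PF
    else:
        honest = PM if d == 0 else 1 - PM
    if r == NORMAL:
        return honest
    return PA * (1 - honest) + (1 - PA) * honest   # attacker: flipped with prob. PA


def p_feedback(g, h):
    """P(g | H = h). Assumption: g = 0 is a successful transmission, g = 1 a failure."""
    success = 1 - PE0 if h == 0 else PE1
    return success if g == 0 else 1 - success


def likelihood(g, d, r):
    """Joint P(g, d | R_i = r), summed over the unknown channel state."""
    return sum(ph * p_feedback(g, h) * p_report(d, h, r)
               for h, ph in ((0, P0), (1, 1 - P0)))


def update_trust(trust, g, d):
    """Bayes update of [N_i, A_i, 1 - N_i - A_i] after feedback g and report d."""
    post = [t * likelihood(g, d, r) for r, t in enumerate(trust, start=1)]
    total = sum(post)
    return [p / total for p in post]


def idle_posterior(reports, trusts):
    """P(H = H0 | reports): per-user report distributions are mixed over trust."""
    w0, w1 = P0, 1 - P0
    for d, trust in zip(reports, trusts):
        w0 *= sum(t * p_report(d, 0, r) for r, t in enumerate(trust, start=1))
        w1 *= sum(t * p_report(d, 1, r) for r, t in enumerate(trust, start=1))
    return w0 / (w0 + w1)


def simulate(types, slots, seed, use_trust=True):
    """Run the fusion center; return final trust vectors and the sensing error rate."""
    rng = random.Random(seed)
    start = [1 / 3, 1 / 3, 1 / 3] if use_trust else [1.0, 0.0, 0.0]
    trusts = [list(start) for _ in types]
    errors = 0
    for _ in range(slots):
        h = 0 if rng.random() < P0 else 1
        reports = [0 if rng.random() < p_report(0, h, r) else 1 for r in types]
        idle = idle_posterior(reports, trusts) > 0.5     # MAP decision
        errors += idle != (h == 0)
        # Feedback exists only after a scheduled transmission, and then w.p. PFB.
        if use_trust and idle and rng.random() < PFB:
            g = 0 if rng.random() < p_feedback(0, h) else 1
            trusts = [update_trust(t, g, d) for t, d in zip(trusts, reports)]
    return trusts, errors / slots


# Constructed scenario: users 4, 8, 9, 10 normal, 1, 3, 6 attackers, 2, 5, 7 irrelevant.
TYPES = [2, 3, 2, 1, 3, 2, 3, 1, 1, 1]

if __name__ == "__main__":
    trusts, err = simulate(TYPES, slots=5000, seed=1)
    _, err_naive = simulate(TYPES, slots=5000, seed=1, use_trust=False)
    for i, (t, r) in enumerate(zip(trusts, TYPES), start=1):
        print(f"user {i:2d} true type {r}  N={t[0]:.3f} A={t[1]:.3f} I={t[2]:.3f}")
    print(f"sensing error with trust {err:.3f}, without trust {err_naive:.3f}")
```

Running the file prints each user's final trust triple and the sensing error rate with and without trust.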

Consider first one realization with $n_N = 4$, $n_A = 3$, and $n_I = 3$. Trust update mechanism maintains trust values, $N_i(t)$, $A_i(t)$, and $1 - N_i(t) - A_i(t)$ over time $t$, as shown in Figures 1, 2, and 3, respectively. True user types are quickly discovered while simultaneously performing spectrum sensing and deciding on channel states such that the value of $N_i(t)$, $A_i(t)$, or $1 - N_i(t) - A_i(t)$ approaches 1 quickly for any normal user $i$, attacker $i$ or irrelevant user $i$, respectively.

Fig. 3. Trust updates, $1 - N_i(t) - A_i(t)$, over time $t$ (thicker plots for irrelevant users). Vertical axis: probability of irrelevant user belief, $1 - N_i(t) - A_i(t)$; horizontal axis: time, $t$. Irrelevant users 2, 5, 7; other users 1, 3, 4, 6, 8, 9, 10.

Next, the average performance is investigated in terms of sensing error probability $\varepsilon$ and achieved throughput $\tau$ (number of successful transmissions per time slot). One throughput credit is gained when (i) the idle spectrum is detected as idle and the scheduled transmission is successful with probability $1 - p_{e,0}$, or (ii) the busy spectrum is detected as idle and the scheduled transmission is successful with probability $1 - p_{e,1}$. The following results are averaged over 100 realizations with at least one normal SU, i.e., $n_N > 0$ (so there is at least one user with potential transmission and therefore $\tau > 0$).

First, suppose $n_I = 0$ and $n_A$ is varied under different values of $p_{a,i} = p_a$ for any $i$. Define $\varepsilon$ as the probability of sensing error and $\tau$ as the throughput achieved by scheduled transmissions when the channel is detected to be idle. Figures 4 and 5 show $\varepsilon$ and $\tau$, respectively, by comparing two cases when (i) dynamic trust management is applied, (ii) no trust is maintained (i.e., all users are trusted by default, i.e., $N_i(t) = 1$ for all $t$). Dynamic trust management significantly reduces $\varepsilon$ and increases $\tau$, since attackers are very reliably identified and their effects are mitigated by flipping their sensing results. The largest performance gain is possible at $p_a = 1$, when $\varepsilon$ is reduced by approximately 95% and $\tau$ is increased by approximately 12 times via trust management. Performance in case without trust improves as $p_a$ decreases because malicious users are less likely to attack. Trust management becomes less reliable with decreasing $p_a$ in terms of catching malicious users and therefore the performance gain drops. In all cases, as expected, the performance does not improve with the number of attackers but trust management can better tolerate the increased level of attacks.

Fig. 4. Probability of sensing error, $\varepsilon$, with and without trust (when $n_I = 0$). Vertical axis: probability of sensing error; horizontal axis: number of attackers. Curves with and without trust for $p_a = 1, 0.9, 0.8, 0.7$.

Fig. 5. Throughput, $\tau$, with and without trust management (when $n_I = 0$). Vertical axis: throughput; horizontal axis: number of attackers. Curves with and without trust for $p_a = 1, 0.9, 0.8, 0.7$.

Second, consider the case irrelevant users are introduced (i.e., $n_I > 0$). Figures 4 and 5 show $\varepsilon$ and $\tau$, respectively. As $n_I$ increases by replacing normal users, trust management maintains better performance. When $n_I = n$, the system is completely random where trust management cannot help. In that case, $\varepsilon$ becomes 0.5 (namely, equal to $\bar{p}_0$). As normal users are replaced with attackers (for a given $n_I$), the performance gets worse but trust management helps the cognitive radio system maintain significantly low $\varepsilon$ and high $\tau$.

Fig. 6. Probability of sensing error, $\varepsilon$, with and without trust management (when $p_a = 0.9$). Vertical axis: probability of sensing error; horizontal axis: number of irrelevant users. Curves with and without trust for zero to four attackers.

Fig. 7. Throughput, $\tau$, with and without trust management (when $p_a = 0.9$). Vertical axis: throughput; horizontal axis: number of irrelevant users. Curves with and without trust for zero to four attackers.

B. Performance Evaluation with Wireless Transmission Data

Next performance is evaluated by replacing simulated sensing data with experiment data collected from actual radio transmissions. In this setup, USRP N210 radio is used as the SDR platform that detects the idle slots of the PU with energy detector, while two configurable RF front-ends (RouterStation Pro from Ubiquiti) become the PU transmitter and the PU receiver. Wireless tests are performed in the 2.462 GHz channel with 10 dBm transmission power and 256 Kbps rate. The noise variance is measured to be $\sigma^2 = 68.7887$ dBm and the average received power is 68.2286 dBm leading to SNR value of 0.561 dB. Gaussian signal properties are not observed in this transmission data and therefore false alarm and misdetection probabilities are measured by directly applying energy detector to transmission data. Details of this SDR experiment data are reported in [16]. In this paper, thresholds are set to fix false alarm probability close to two different values, 0.1 and 0.25, and corresponding misdetection probabilities are determined accordingly. For $n_N = 4$, $n_A = 3$ (with $p_a = 0.9$) and $n_I = 3$, Figures 8 and 9 show $\varepsilon$ and $\tau$ for different number of sensing samples, $n_s$. As $n_s$ increases, $\varepsilon$ and $\tau$ both improve with or without dynamic trust management. In all cases, dynamic trust management provides significant gains for $\varepsilon$ (approximately up to 90%) and $\tau$ (approximately up to 157%).

Fig. 8. Probability of sensing error, $\varepsilon$, with and without trust management (when $p_a = 0.9$). Vertical axis: probability of sensing error; horizontal axis: number of sensing samples (5, 10, 30, 50, 70). Curves with and without trust for $p_{F,i} = 0.1$ and $p_{F,i} = 0.25$.

Fig. 9. Throughput, $\tau$, with and without trust management (when $p_a = 0.9$). Vertical axis: throughput; horizontal axis: number of sensing samples (5, 10, 30, 50, 70). Curves with and without trust for $p_{F,i} = 0.1$ and $p_{F,i} = 0.25$.

VI. CONCLUSION

The paper addressed the problem of detecting and mitigating SSDF attacks in cooperative spectrum sensing. Users of three different types (normal, attackers and irrelevant) send sensing reports to a fusion center, where all reports are fused for cooperative sensing to detect a channel as idle or busy. Attackers randomly report wrong sensing results and irrelevant users report independent spectrum events. All users are subject to sensing errors. Dynamic trust management was introduced to track type distributions of all users by comparing sensing reports with channel outcomes and to assign trusts of users in the optimal decision rule for cooperative spectrum sensing. This approach incorporates real-system issues regarding random on-off attacks, sensing and channel feedback errors. Performance was evaluated with simulations under Gaussian signal assumption and with wireless transmission data collected with actual radios. Dynamic trust management was shown to be highly effective in detecting and mitigating SSDF attacks and maintaining low sensing error and high throughput.

REFERENCES

[1] I. F. Akyildiz, B. F. Lo, and R. Balakrishnan, “Cooperative spectrum sensing in cognitive radio networks: A survey,” Journal of Physical Communication, vol. 4, pp. 40-62, March 2011.
[2] T. Yucek and H. Arslan, “A survey of spectrum sensing algorithms for cognitive radio applications,” IEEE Commun. Surveys Tuts., 2009.
[3] E. Axell, G. Leus, E. G. Larson, and H. V. Poor, “Spectrum sensing for cognitive radio: State-of-the-art and recent advances,” IEEE Signal Processing Magazine, May 2012.
[4] A. Ghasemi, E. S. Sousa, “Collaborative spectrum sensing for opportunistic access in fading environment,” in Proc. of IEEE DySPAN, November 2005, pp. 131-136.
[5] S. Mishra, A. Sahai, and R. Brodersen, “Cooperative sensing among cognitive radios,” in Proc. IEEE International Conference on Communications, 2006, pp. 1658-1663.
[6] T. Clancy, N. Goergen, “Security in cognitive radio networks: threats and mitigation,” International Conference on Cognitive Radio Oriented Wireless Networks and Communications, May 2008.
[7] F. Yu, H. Tang, M. Huang, Z. Li, and P. Mason, “Defense against spectrum sensing data falsification attacks in mobile ad hoc networks with cognitive radios,” in Proc. IEEE International Conference on Communications, 2009.
[8] C. S. Hyder, B. Grebur, and L. Xiao, “Defense against spectrum sensing data falsification attacks in cognitive radio networks,” Secure Comm, London, Springer Berlin Heidelberg, pp. 154-171, 2012.
[9] P. Kaligineedi, M. Khabbazian, and V. Bhargava, “Secure cooperative sensing techniques for cognitive radio systems,” in Proc. IEEE International Conference on Communications, May 2008, pp. 3406-3410.
[10] M. F. Amjad, B. Aslam, C. C. Zou, “Reputation aware collaborative spectrum sensing for mobile cognitive radio networks,” in Proc. IEEE Military Communications Conference, 2013.
[11] S. Jana, K. Zeng, and P. Mohapatra, “Trusted collaborative spectrum sensing for mobile cognitive radio networks,” in Proc. IEEE INFOCOM, Orlando, FL, Mar. 2012.
[12] Z. Kun, P. Paweczak, and D. Cabric, “Reputation-based cooperative spectrum sensing with trusted users assistance,” IEEE Communications Letters, vol. 14, no. 3, pp. 226-228, March 2010.
[13] H. Li and Z. Han, “Collaborative spectrum sensing with a stranger: to trust or not?,” in Proc. IEEE Wireless Communications and Networking Conference, 2010.
[14] W. Wang, H. Li, Y. Sun, and Z. Han, “Securing collaborative spectrum sensing against untrustworthy secondary users in cognitive radio networks,” EURASIP Journal on Advances in Signal Processing, 2010.
[15] F. F. Digham, M.-S. Alouini and M. K. Simon, “On the energy detection of unknown signals over fading channels,” in Proc. of IEEE International Conference on Communications, May 2003.
[16] A. Fanous, Y. E. Sagduyu, and A. Ephremides, “Reliable spectrum sensing and opportunistic access in network-coded communications,” IEEE Journal on Selected Areas in Communications, Cognitive Radio Series, Mar. 2014.