Using Sybil Identities for Primary User Emulation and Byzantine ...

Using Sybil Identities for Primary User Emulation and Byzantine Attacks in DSA Networks

Yi Tan, Kai Hong
Department of ECE, Stevens Institute of Technology, Hoboken, NJ. Email: {ytan, khong}@stevens.edu

Shamik Sengupta
Department of Math. & Comp. Sci., John Jay College of Criminal Justice, CUNY, New York, NY. Email: [email protected]

K.P. Subbalakshmi
Department of ECE, Stevens Institute of Technology, Hoboken, NJ. Email: {ksubbala}@stevens.edu

Abstract—In this paper, we investigate a new type of denial-of-service attack on dynamic spectrum access networks - Sybil-enabled attack. In this attack, the attacker not only launches the primary user emulation (PUE) attacks but also creates and infiltrates multiple Sybil identities to compromise the decision making process of the secondary network via Byzantine attacks. We implement this attack in our cognitive radio testbed to show the feasibility and attack impact. We further analyze the optimal attack strategy from the perspective of the malicious attacker, i.e., the optimal allocation of Sybil interfaces for different attacks, to maximize the impact on the secondary network. The attack models are analyzed under two different scenarios: with and without a reputation system in the network fusion center. Numerical analysis and simulations are conducted to solve the optimal attack strategy and demonstrate the impact of attacks on the secondary network.

I. INTRODUCTION

Dynamic spectrum access (DSA) provisions are being made to allow unlicensed secondary users to opportunistically transmit in the unused licensed bands. The success of this policy depends on the ability of secondary users to dynamically identify and access unused spectrum bands, detect the return of the primary user (PU) and evacuate promptly upon sensing the PU. Cognitive radios (CRs) that can intelligently adjust their transmission/reception parameters based on interaction with the environment [1], are anticipated to make DSA a reality.

Providing security supports for DSA networks is challenging due to the lack of comprehensive security protocols for DSA [2]. Particularly, due to the open paradigm, interoperability and dynamic nature of CR devices, authenticating individual CR nodes is technically difficult. Hence, DSA networks are highly susceptible to identity spoofing attacks such as the Sybil attack. In the Sybil attack, one physical malicious attacker (MA) is able to create multiple identities for itself and behaves as multiple distinct nodes (Sybil nodes) in the system [3]. The MA can generate multiple Sybil identities (SIs) via MAC address spoofing [4], which is difficult to identify in both distributed and centralized DSA networks.

In this paper, we investigate the vulnerability of DSA networks through the implementation and study of a novel Sybil-enabled DoS attack. Here, the MA is capable of creating multiple SIs to achieve different classes of attacks on the secondary network (SN). More concretely, the MA uses several SIs pretending to be the normal CR secondary nodes to launch Byzantine attacks [5], and at the same time, launches primary user emulation (PUE) attacks [6], [7] in multiple candidate channels¹ to prevent the SN from transmitting there. To show the practicality of the attack, we implement it in our CR testbed, SpiderRadio [8]. Moreover, we analyze the optimal attack strategy of the MA, i.e., the allocation of Sybil interfaces for different attacks, in order to maximize the attack impact under two scenarios, with and without a reputation mechanism built in to the SN. We derive the false alarm probability and expected switching cost for the SN in these two scenarios respectively. Through numerical analysis and simulations, we present the optimal attack strategies for the MA and demonstrate how the impact of the attack changes in different network circumstances.

¹ The term “candidate channels” represents possible spectrum channels the SN can use for transmissions.

The rest of the paper is organized as follows. Section II describes the Sybil-enabled attack model and demonstrates the implementation. In Section III, we derive the optimal attack strategies for the MA to cause maximum expected cost on the SN. Section IV shows the numerical and simulation results and conclusions are drawn in the last section.

II. THE SYBIL-ENABLED PUE ATTACK

A. System Model

We consider one typical SN consisting of multiple good CR nodes. Every node performs spectrum sensing periodically and reports the result to the fusion center that makes the final decision on whether a given spectrum channel is available for use or not [9]. We also consider that there are a number of candidate spectrum channels the SN can use. We consider one MA that is capable of generating multiple SIs for different classes of attacks. Note that, since all CR devices can monitor the open spectrum channels, we assume that the MA can also obtain the information of candidate channels.

In this attack, the MA aims to prevent the SN from using the available spectrum channels and creates two kinds of attack interfaces:

1) Sybil saboteur (SybS): The MA will use these identities to launch Byzantine attacks, i.e., pretending to be good secondary devices to infiltrate the SN and send false sensing reports to the fusion center to spuriously claim primary transmission in case of PUE attacks. The goal of these saboteur identities is to influence the decision making process of the SN.

2) Sybil attacker (SybA): The MA will use these identities to launch PUE attacks in the candidate channels to prevent the SN from communicating in these channels. Note that, these interfaces simply adopt the function of pure PUE attacks.

Fig. 1 shows an example of the attack model where SybS and SybA perform different attacks both inside the SN and on candidate channels. By launching the Sybil-enabled attack, the MA can effectively make the SN erroneously think that the PU is active in the current channel as well as in other candidate channels. This may cause the SN to switch frequently and abruptly to find available spectrum channels, and in the worst case even terminate the opportunistic spectrum access operations because of unavailability of candidate channels.

Fig. 1. The Sybil-enabled DoS attack system model. [Figure labels: a typical SN transmitting in channel 1; the fusion center; physical CR node; SybS interface; SybA interface; candidate channels 1, 2, 3, k, M.]

B. Feasibility Demonstration

For illustrative purposes, we consider a pair of transmitter and receiver of secondary users and an attacker in the experiment. We use Soekris Net-5501 board as the secondary user running Linux 2.6 operating system. The wireless network interface cards (WNICs) for the board are equipped with Atheros chipset with Madwifi device driver². The SUs adopt energy based spectrum sensing to detect the primary signal. We use a USRP2 board with XCVR2450 daughter-board³ as the MA which transmits an OFDM modulated 25MHz bandwidth signal. The distance between the MA and SUs is set to be 5-20 meters. We use Wi-Spy DBX adapter to monitor and display the transmitted signals. Moreover, we choose three non-overlapping standard 802.11 spectrum channels as candidate channels, i.e., Channel 1, 6 and 11 with center frequencies at 2.412GHz, 2.437GHz and 2.462GHz respectively and bandwidth 20MHz. The transmitted signals are shown in Fig. 2, where the horizontal axis represents the frequency and the vertical axis represents time.

² Refer to http://madwifi.org/
³ Refer to http://www.ettus.com/downloads/ettus ds usrp2 v5.pdf

Fig. 2. The performance of CR devices under (a) traditional PUE attack and (b) proposed Sybil-enabled PUE attack. In (a), Part (i): initial secondary transmission signal in Channel 1; Part (ii): attack signal in Channel 1; Part (iii): subsequent secondary transmission signal in Channel 6. In (b), Part (i): initial secondary transmission signal in Channel 1; Part (ii), (iii) and (iv) represent the attack signals in Channel 1, 6 and 11.

To start with, we implement the “traditional” PUE attack where the MA only attacks one spectrum channel where the secondary transmissions are on-going. As shown in Part (i) in Fig. 2 (a), the secondary transmitter begins to transmit in Channel 1. Then, the MA generates a PUE attack signal in Channel 1, as shown in Part (ii) in the figure. Both secondary transmitter and receiver then detect the signal and vacate from the current channel. However, they switch to another clear spectrum channel, i.e., Channel 6, in order to continue to communicate, as shown in Part (iii) in Fig. 2 (a).

Next, we implement the Sybil-enabled attack where the MA attacks multiple candidate channels simultaneously. Three interfaces with distinct MAC addresses and service set identifiers (SSIDs) are generated, compatible with Channel 1, 6 and 11 respectively. We also modify the USRP2 library code of the GNU Radio [10] to make the attacking device switch among three channels via time division (TD) mechanism. More specifically, the MA generates an attack signal in every channel for 250ms with one interface and then quickly switches to another channel with approximately 200µs delay using a different interface. As illustrated in Fig. 2 (b), Parts (ii), (iii) and (iv) represent the signal spectra of all three channels generated by the MA using three identities. In our example shown in Part (i) of Fig. 2 (b), the secondary users are unable to find a clear spectrum channel to use and thus, have to shut down the transmission.

Meanwhile, the MA also generates SybS interfaces to launch Byzantine attacks by sending beacons containing false reports to secondary users to compromise the spectrum sensing. For implementation, we use FTW IEEE 802.11a/g/b OFDM Frame Encoder and GNU Radio to generate 802.11g beacon frames with different MAC addresses and SSIDs. The details of generating Sybil nodes are described in [4].
Although the experiment is conducted using Wi-Fi bands (solely for the purpose of developing and testing our prototype without the complexity of buying and managing several licensed spectrum bands), the concept is not just limited to Wi-Fi radios. The proposed techniques are equally applicable to any CR radios in any type of bands. From the experimental results, it is clear that by launching the Sybil-enabled attack, the MA can cause more severe damage, even completely break down the DSA. In the next section, we look into the analysis of attack strategies.

III. ANALYSIS OF OPTIMAL ATTACK STRATEGY

We consider $n$ physical CR nodes in a SN and $M$ candidate channels. We also assume that the resource constraint on the MA allows it to generate at most $L$ SIs for different attacks. The tradeoff for the MA is that if it uses more SIs to launch Byzantine attacks, the number of identities for PUE attacks will be fewer, and vice versa. Hence, it is important for the MA to derive the optimal attack strategy to allocate an appropriate number of SIs for each attack in order to maximize the overall attack impact on the SN. We assume $L < M$, which indicates that the MA is not powerful enough to attack all candidate spectrum channels simultaneously. Let $l_s$ represent the number of SybS identities used for Byzantine attacks and $L - l_s$ be the number of SybA identities used for PUE attacks. The MA's attack plan is described as follows:

• use $l_s$ SybS identities to launch Byzantine attacks to compromise the decision making process,
• use one SybA identity to launch PUE attack in the channel in which the SN is currently communicating,
• and the rest, $L - l_s - 1$, SybA identities to attack $L - l_s - 1$ out of $M - 1$ candidate channels via PUE attacks.

We define false alarm as the event that the SU thinks that the PU has returned, whereas in reality a PUE attack is in progress. Thus, the objective of the attack is to cause false alarms to force the SN to switch out of the spectrum channel. We assume that all good nodes perform spectrum sensing independently and send their individual results to the fusion center. Let $q$ be the individual false alarm probability for the good node. We study the problem under two situations: (a) the fusion center does not incorporate a reputation mechanism and (b) the fusion center applies a reputation mechanism. It is noted that the fusion center only handles decision making and has no authentication functionality to identify Sybil nodes.

A. SN without a Reputation Mechanism

In this case, we consider that there is no reputation mechanism in the SN, which means that the fusion center treats all nodes equally regardless of the correctness of their sensing reports in the past. We use the majority rule in decision making: if more than half of the individual decisions say that there is a PU, then the final decision declares that the PU is active. Hence, if $\lceil \frac{n+l_s}{2} \rceil$ or more local sensing reports say that the PU is present, the fusion center will conclude so and all nodes have to switch to another candidate channel. In this case, since there is no memory in the system, the MA makes all $l_s$ SybS identities report false results to maximize the false alarm probability for the entire SN. Thus, according to the majority rule, if $\lceil \frac{n+l_s}{2} \rceil - l_s$ or more good nodes report false alarm, the fusion center will wrongly conclude the PU is active. Hence, the false alarm probability for the entire SN, $P_f$, can be calculated as:

$$P_f = \sum_{i=0}^{\lfloor \frac{n+l_s}{2} \rfloor} \binom{n}{\lceil \frac{n+l_s}{2} \rceil - l_s + i}\, q^{\lceil \frac{n+l_s}{2} \rceil - l_s + i}\, (1-q)^{\lfloor \frac{n+l_s}{2} \rfloor}, \tag{1}$$

where $\lfloor \frac{n+l_s}{2} \rfloor = n + l_s - \lceil \frac{n+l_s}{2} \rceil$. Once the false alarm occurs, the SN has to vacate from the current channel. Therefore, the switching probability for the SN is equal to $P_f$. For simplicity, we assume that the SN will randomly choose one of the other candidate channels when it switches. However, some of these candidate channels are still under attack by the MA using SybA identities. Hence, there will be two outcomes for the SN in this case: (i) it switches to the spectrum channel under attack; (ii) it switches to a clear channel where no attack is in progress. If (i) happens, the SN may continue to switch because the false alarm happens again due to the PUE attack. On the other hand, if (ii) happens, the SN will stay in that channel to communicate. Every time the SN chooses to switch, it will face one of the two scenarios. Thus, we can calculate the probability for the number of switches for the SN as follows:

(1) Probability of switching once:

$$p(1) = P_f \cdot \frac{M - L + l_s}{M - 1}, \tag{2}$$

where $\frac{M-L+l_s}{M-1}$ is the probability for the SN to switch to a clear spectrum channel. Note that the SN will never switch back to the channel it vacated because it has already detected some energy there. Thus, we have:

(2) Probability of switching twice:

$$\begin{aligned} p(2) &= P_f \cdot \frac{L - l_s - 1}{M - 1} \cdot P_f \cdot \frac{M - L + l_s}{M - 2} \\ &= P_f^2 \cdot \frac{(L - l_s - 1)(M - L + l_s)}{(M - 1)(M - 2)}. \end{aligned} \tag{3}$$

(3) Probability of switching three times:

$$\begin{aligned} p(3) &= P_f \cdot \frac{L - l_s - 1}{M - 1} \cdot P_f \cdot \frac{L - l_s - 2}{M - 2} \cdot P_f \cdot \frac{M - L + l_s}{M - 3} \\ &= P_f^3 \cdot \frac{(L - l_s - 1)(L - l_s - 2)(M - L + l_s)}{(M - 1)(M - 2)(M - 3)}. \end{aligned} \tag{4}$$

It can be shown that the probability of switching $k$ times is given by:

$$p(k) = P_f^k \cdot \frac{\prod_{j=1}^{k-1}(L - l_s - j)\,(M - L + l_s)}{\prod_{j=1}^{k}(M - j)}, \quad 1 \le k \le L - l_s. \tag{5}$$

In practice, there is an overhead associated with switching for the SN. Let $c$ represent the cost incurred per switch for the SN. The expected switching cost, $E(c)$, for the SN is calculated as:

$$E(c) = c \cdot \sum_{k=1}^{L - l_s} k \cdot p(k). \tag{6}$$

To maximize the expected cost of the SN, the optimal attack strategy for the MA, $l_s^*$, is derived as:

$$l_s^* = \arg\max_{l_s \in [0, L-1]} E(c). \tag{7}$$
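To make the trade-off in Equations (5)-(7) concrete, the following added example (not the authors' code) evaluates the SN's expected switching cost for every split of the $L$ identities, using the values $L = 30$, $M = 35$, $c = 10$ and $n = 35$ from Section IV; for a network designer the maximum over $l_s$ is the worst-case cost of accepting unauthenticated reports at a majority-rule fusion center. Function names are assumptions, and $P_f$ is computed as the binomial tail that the majority-rule argument describes: at least $\lceil \frac{n+l_s}{2} \rceil - l_s$ of the $n$ good nodes false-alarming.

```python
from math import comb, prod


def false_alarm_prob(n: int, ls: int, q: float) -> float:
    """P_f at a majority-rule fusion center without reputation weighting.

    n good nodes false-alarm independently with probability q, and ls
    unauthenticated identities always report "PU present". The center
    declares the PU active once ceil((n+ls)/2) of the n+ls reports say so,
    i.e. once at least ceil((n+ls)/2) - ls good nodes false-alarm.
    """
    need = max((n + ls + 1) // 2 - ls, 0)
    # j good nodes false-alarm, the remaining n - j do not
    return sum(comb(n, j) * q**j * (1 - q) ** (n - j) for j in range(need, n + 1))


def switch_prob(k: int, pf: float, L: int, M: int, ls: int) -> float:
    """Eq. (5): probability that the SN switches exactly k times."""
    attacked = prod(L - ls - j for j in range(1, k))  # k-1 picks hit attacked channels
    clear = M - L + ls                                # candidates with no PUE signal
    return pf**k * attacked * clear / prod(M - j for j in range(1, k + 1))


def expected_cost(n: int, q: float, L: int, M: int, ls: int, c: float) -> float:
    """Eq. (6): expected switching cost for one allocation ls."""
    pf = false_alarm_prob(n, ls, q)
    return c * sum(k * switch_prob(k, pf, L, M, ls) for k in range(1, L - ls + 1))


def worst_case(n: int, q: float, L: int, M: int, c: float):
    """Eq. (7): the ls in [0, L-1] with the highest expected cost for the SN."""
    costs = [expected_cost(n, q, L, M, ls, c) for ls in range(L)]
    ls_star = max(range(L), key=costs.__getitem__)
    return ls_star, costs[ls_star]


if __name__ == "__main__":
    L, M, c, n = 30, 35, 10, 35           # parameter values from Section IV
    for q in (0.35, 0.4, 0.45, 0.5):      # q values used for Fig. 3
        ls_star, cost = worst_case(n, q, L, M, c)
        pf = false_alarm_prob(n, ls_star, q)
        print(f"q={q:.2f}  worst-case ls={ls_star:2d}  P_f={pf:.3f}  E(c)={cost:.2f}")
```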

B. SN with a Reputation Mechanism

In this case, the fusion center uses a reputation mechanism that weighs the decisions from each node. It is possible for the fusion center to judge the correctness of reports for each node in the past based on non-real time data obtained from some policy nodes which will periodically monitor spectrum activity across spectrum channels. Let $r_i$ be the reputation factor for node $i$, which is set to be 1 at the beginning and updated according to the following relations:

$$r_i = \begin{cases} r_i + d, & \text{sensing report is correct} \\ r_i, & \text{sensing report is wrong} \end{cases} \tag{8}$$

where $d$ is the pre-determined quantum of increase in reputation for each correct report. To incorporate the reputation factor of each node into the decision making process, we associate a weight, $w_i$, for node $i$, which is calculated by normalizing its reputation value as: $w_i = \frac{r_i}{\sum_j r_j}$. Obviously, $\sum_i w_i = 1$. It is clear that the weight for a node will increase with each correct sensing result and decrease with each incorrect sensing result. A weighted majority rule is used for the fusion center in the decision making process: if the sum of weights of individual nodes declaring PU activity is equal to or greater than 0.5, then the fusion center declares that the PU is active. To avoid low reputation scores in this case, the SybS nodes may occasionally report true results. Let the probability that they report true results be $\alpha$. Also, we denote $F$ to be the set of good nodes who make errors due to the PUE attack and $S$ to be the set of SybS nodes who report false results. Thus, the false alarm probability for the entire SN, $P_f'$, in this case is derived as:

$$P_f' = \Pr\Big(\sum_{i \in F} w_i + \sum_{j \in S} w_j \ge 0.5\Big) \tag{9}$$

Note, since the reputation value and weight for each node are updated, the false alarm probability calculated from Equation (9) is also dynamically changing in every sensing period. Based on Equation (5), we derive the probability of switching $k$ times for the SN in this case as:

$$p'(k) = \prod_{i=1}^{k} P_f'(i) \cdot \frac{\prod_{j=1}^{k-1}(L - l_s - j)\,(M - L + l_s)}{\prod_{j=1}^{k}(M - j)}, \quad 1 \le k \le L - l_s, \tag{10}$$

where $P_f'(i)$ represents the false alarm probability for the entire SN in the $i$th sensing period and $P_f'(1) \ne P_f'(2) \ne \cdots \ne P_f'(k)$. Following the same logic as the previous case, we derive the expected cost for the SN and the optimal attack strategy for the MA in this case as:

$$E'(c) = c \cdot \sum_{k=1}^{L - l_s} k \cdot p'(k). \tag{11}$$

$$l_s^{*\prime} = \arg\max_{l_s \in [0, L-1]} E'(c). \tag{12}$$

IV. NUMERICAL AND SIMULATION RESULTS

In this section, we conduct numerical analysis and simulations to demonstrate the attack impact and optimal attack strategies for the MA under different network circumstances. We set $L = 30$, $M = 35$, $c = 10$ and vary the number of good nodes, $n$, and the individual false alarm, $q$.

A. Without Reputation Mechanism

In this case, we can obtain the optimal $l_s^*$ from Equation (7) numerically. Fig. 3 shows the expected cost for the SN with respect to varying numbers of SybS identities, $l_s$, and different values of $q$. As illustrated, there is a maximum in each case, corresponding to a unique optimal number of SybS identities, $l_s^*$, for the MA. Another important insight is that as $q$ increases, the expected cost for the SN also increases. This is because, if the individual false alarm is large, the MA can use fewer SybS identities to compromise spectrum sensing and generate more SybA identities to attack more candidate channels.

Fig. 3. The expected cost for the SN with respect to varying number of SybS identities and different individual probabilities of false alarm: (a) q = 0.35; (b) q = 0.4; (c) q = 0.45; (d) q = 0.5. Note that n = 35. [Plots: expected cost of SN versus number of SybS.]

Fig. 4 shows the expected cost with respect to the number of SybS identities for different numbers of good nodes in the SN with a fixed value of q. It is observed that the expected cost for the SN increases with the decrease in the number of good nodes. This is because the MA can save some SybS identities with fewer good nodes and convert them to SybA identities to attack more candidate channels, thereby forcing more switching actions for the SN.

Fig. 4. The expected cost for the SN with respect to different numbers of physical nodes in the network, n (q = 0.35). [Plot: expected cost of SN versus number of SybS; curves for n = 30, 35, 40, 45.]

B. With Reputation Mechanism

In this scenario, since reputation values are dynamically updated, we track the weight for each node. Fig. 5 presents the comparison of the attack impact on the SN between the cases with and without reputation system. It is observed that incorporating the reputation updating mechanism can significantly decrease the expected cost for the SN. Moreover, with the increase in the quantum of increase, d, the expected cost for the SN decreases. This is because the greater quantum indicates that the fusion center puts more emphasis on the correctness of sensing reports for every individual node, thereby reducing the weights of SybS identities that frequently send false reports.

Fig. 5. Comparison of expected cost for the SN with and without reputation mechanism (q = 0.45, n = 35, α = 0). [Plot: expected cost of SN versus number of SybS; curves: without reputation system, with reputation system (d=1), (d=2), (d=3).]

To investigate the effect of the reputation value updating process, we change the probability, α, for SybS nodes in simulations. Fig. 6 shows how the expected cost for the SN changes with different values of α and d respectively. From Fig. 6 (a) and (b), we can see that the MA achieves the maximum attack impact by making SybS nodes always send false reports, i.e., α = 0. However, as the quantum of increase, d, increases from 1 to 2, the distances between cases when α = 0 and α ≠ 0 get smaller. Furthermore, in Fig. 6 (c) when d = 3, the expected cost for the SN with α = 0.1 becomes the greatest, which indicates that the MA cannot always maximize the impact with α = 0. This is because, for a relatively small quantum, the weights for SybS nodes do not drop fast enough, so the MA can set α = 0 to increase the false alarm probability, $P_f'$ (Equation (9)). However, when the quantum increases, the weights for SybS nodes degrade drastically. Under this situation, maximizing |S| may not result in the largest $P_f'$ because of the quick decrease in $w_j$, $j \in S$. This observation implies that with a reputation mechanism, reporting only false results indefinitely will result in a point of no return for the MA. Hence, it is important for the MA to consider the tradeoff between maximizing cardinality |S| and slowing down the decreasing rate in weights and properly adjust the value of α based on specific circumstances.

Fig. 6. The expected cost for the SN with different values of α and quantum of increase. (a) d = 1; (b) d = 2; (c) d = 3 (q = 0.45 and n = 35). [Plots: expected cost of SN versus number of SybS; curves for α = 0, α = 0.1, α = 0.2.]

V. CONCLUSIONS

In this paper, we studied a new Sybil-enabled DoS attack in DSA networks, in which the MA is capable of creating multiple SIs for different attack purposes. To prove the feasibility of this attack, we implemented this attack in the CR testbed. We also analytically derived the optimal attack strategies in two scenarios, with and without a reputation mechanism. The numerical analysis and simulations were conducted to demonstrate the optimal attack strategy for the MA as well as the attack impact.

REFERENCES

[1] I. F. Akyildiz, W.-Y. Lee, M. C. Vuran, and S. Mohanty, “Next generation/dynamic spectrum access/cognitive radio wireless networks: a survey,” Comput. Netw., vol. 50, no. 13, pp. 2127–2159, 2006.
[2] Y. Tan, S. Sengupta, and K. Subbalakshmi, “Coordinated denial-of-service attacks in IEEE 802.22 networks,” IEEE International Conference on Communications (ICC), 2010, May. 2010.
[3] J. Newsome, E. Shi, D. Song, and A. Perrig, “The sybil attack in sensor networks: analysis defenses,” Third International Symposium on Information Processing in Sensor Networks (IPSN), pp. 259 – 268, 2004.
[4] Y. Tan, K. Hong, S. Sengupta, and K. Subbalakshmi, “Spectrum stealing via Sybil attacks in DSA networks: Implementation and defense,” To appear in 2011 ICC. [Online]. Available: http://jjcweb.jjay.cuny.edu/ssengupta/
[5] R. Chen, J.-M. Park, and K. Bian, “Robust distributed spectrum sensing in cognitive radio networks,” in IEEE INFOCOM 2008, Apr. 2008.
[6] R. Chen, J.-M. Park, and J. Reed, “Defense against primary user emulation attacks in cognitive radio networks,” IEEE Journal on Selected Areas in Communications, vol. 26, no. 1, pp. 25–37, Jan. 2008.
[7] Z. Jin, S. Anand, and K. Subbalakshmi, “Performance analysis of dynamic spectrum access networks under primary user emulation attacks,” IEEE Global Communications Conference (GLOBECOM) 2010, Dec. 2010.
[8] K. Hong, S. Sengupta, R. Chandramouli, and K. Subbalakshmi, “Spiderradio: A cognitive radio network with commodity hardware and open source software,” IEEE Communications Magazine, Mar. 2011.
[9] A. Kattepur, A. T. Hoang, Y.-C. Liang, and M. J. Er, “Data and decision fusion for distributed spectrum sensing in cognitive radio networks,” 6th International Conference on Information, Communications Signal Processing, pp. 1–5, Dec. 2007.
[10] P. Fuxjager, A. Costantini, D. Valerio, P. Castiglione, G. Zacheo, T. Zemen, and F. Ricciato, “IEEE 802.11p transmission using GNURadio,” 6th Karlsruhe Workshop on Software Radios, Mar. 2010.
