An Adaptive Primary User Emulation Attack Detection Mechanism for Cognitive Radio Networks

04/24/2018 ∙ by Qi Dong, et al. ∙ George Mason University ∙ Binghamton University

The proliferation of advanced information technologies (IT), especially the wide spread of the Internet of Things (IoT), makes wireless spectrum a precious resource. Cognitive radio networks (CRNs) have been recognized as the key to achieving efficient utilization of communication bands. Because of the great difficulty, high complexity and regulations in dynamic spectrum access (DSA), it is very challenging to protect CRNs from malicious attackers or selfish abusers. Primary user emulation (PUE) attacks are an easy-to-launch but hard-to-detect type of attack in CRNs, in which malicious entities mimic PU signals in order to either occupy spectrum resources selfishly or conduct Denial of Service (DoS) attacks. Inspired by the physical features widely used as fingerprints of various electronic devices, an adaptive and realistic PUE attack detection technique is proposed in this paper. It leverages the PU transmission features that attackers are not able to mimic. In this work, the transmission power is selected as one of the hard-to-mimic features due to the intrinsic discrepancy between PUs and attackers, while considering constraints in real implementations. Our experimental results verified the effectiveness and correctness of the proposed mechanism.




1 Introduction

The rigid spectrum allocation scheme regulated by governmental agencies leads to a great deficit in spectrum band resources. Static spectrum access technology results in considerable waste of wireless spectrum resources. New intelligent spectrum allocation/re-allocation schemes, especially the cognitive radio network (CRN), have been studied extensively in the last decade, due to the ever-increasing number of wireless applications. Cognitive radio (CR), also known as the secondary user (SU) in a CRN, is a technology that allows wireless devices (unlicensed users) to access spectrum resources dynamically without introducing major interference to licensed primary users (PUs). Because of the great difficulty and high complexity of dynamic spectrum access (DSA), and many open issues in security deployment, CRN research is still under development [25].

Spectrum sensing allows CRs to acquire real-time spectrum occupation status so that interleaved communications shared by PUs and SUs become feasible. Basically, a well-designed CRN serves two purposes [3]: to maximize the usage of spare spectrum resources and to protect the incumbent primary system from secondary network interference. Because SUs must not interfere with PU functionality, SUs should adapt their behaviour to PU activities. This requirement can be regarded as two separate parts: (1) monitoring PU activities, and (2) behaving properly.

In general, knowing PU activities is critical for cognitive radios to share the spectrum resource with legitimate users. One effortless way to acquire PU activity information is for PUs to notify SUs of their spectrum usage status, or for a third party to act as an inquiry center that knows what PUs will do in the near future. An alternative solution is to develop robust and efficient spectrum sensing techniques to acquire knowledge of PU activities. Also, the spectrum sharing efficiency greatly depends on a secure CR operating environment. In addition, due to the nature of opportunistic spectrum access (OSA), CR systems encounter several CR-specific security problems.

Regarding spectrum sensing, one major challenge is to detect PU signals with high accuracy while maintaining a low false alarm rate. The false detection rate may become extraordinarily high when primary user emulation (PUE) attacks happen. In a PUE attack, malicious entities mimic PU signals in order to either occupy spectrum resources selfishly or conduct Denial of Service (DoS) attacks. PUE attacks can be easily implemented in CRNs. They introduce great overhead on cognitive radio communication and cause chaos in dynamic spectrum sensing [9, 10]. However, defense against PUE attacks is nontrivial because traditional authentication and authorization (AA) methods are no longer applicable to CR systems. A more adaptive and practical PUE attack detection technique is highly desired.

Inspired by the radiometrics used to identify short range transceivers and the interpulse/intrapulse fingerprints used in radar identification, we propose to detect PUE attacks in the CRN environment by leveraging hard-to-mimic PU transmission features. As one type of hard-to-mimic feature, the PU transmission features are determined by the inherent physical characteristics of the device. Attackers are not able to generate such features. A received signal strength (RSS)-based hypothesis detection mechanism is designed, which can detect attackers who attempt to fool the system by mimicking PUs’ patterns.

In general, RSS-based approaches have been studied extensively in the literature for PUE attack defense. RSS is applied either as one direct rudimentary feature of the PU [6], or as the premise for PU localization [13, 8, 17]. These works can be challenged by either smart attackers or practical constraints, such as SUs being unaware of their geographical information. There are two major advantages that make our work more feasible and efficient in real-world applications than existing solutions: (1) in general, our proposal allows mobility of nodes in the CRN and does not require prior geographical information of either PUs, SUs, or attackers; and (2) compared to machine learning or neural network based methods, our proposal does not need a training process.

The rest of this paper is organized as follows. Section 2 provides background knowledge that motivated this work. Section 3 describes a practical CRN model on which our detection mechanism is built. Section 4 discusses a PUE attack intuition under perfect propagation model assumptions. The proposed RSS-based PUE attack detection method is introduced in Section 5. Section 6 presents a tentative trial based on real-world measurements. Section 7 shows our numerical experimental results and a comparison to other related schemes, and finally, Section 8 concludes this paper.

2 Background Knowledge and Related Work

According to the Federal Communications Commission (FCC): “no modification to the incumbent signal should be required to accommodate opportunistic use of the spectrum by Secondary Users (SUs)” [1]. Obviously, the FCC places constraints such that PUs are not obligated to notify CR users of their activity scheduling and intentions, nor to provide AA services. Consequently, CR systems are expected to collect and process sufficient and highly accurate information about the spectrum environment without imposing overhead on incumbent users by adding new features, such as redundant symbolic pads or authentication protocols.

In CR systems, it is necessary to distinguish attacker signals from PU signals in spectrum sensing stage. PUE attacks will cause severe problems on the efficiency of spectrum utility. Since no obligation is imposed on PUs, it is natural to explore the features of different wireless transceivers. In general, there are two categories of transceiver features: the primary/strong radiometric/fingerprint, and the secondary/weak radiometric. The primary radiometric denotes the intrinsic characteristics or imperfections of wireless transceivers, that can be used to identify the uniqueness of the hardware. Transient is one of the most discussed radiometric that can be used to identify short range transceivers. Transient is the part of the signal where the amplitude rises from background noise to full power. In literature, five transient features are used [22]:

  1. The length of the transient, along the x-axis;

  2. The variance of the normalized amplitude of the transient;

  3. The number of peaks (periods) of the carrier signal in the transient;

  4. The first part of a discrete wavelet transform of the transient; and

  5. Difference between the normalized mean and the normalized maximum value of the transient.

It is proved that transient features are useful fingerprints for wireless transceivers identification. They are not well studied in PU recognition in CRNs, however, due to the difficulties in detecting transient on the scale and scope of CRNs.

Another inspiration comes from radar identification, in which two kinds of fingerprint are usually discussed. One is the interpulse fingerprint, which considers factors including frequency, amplitude, pulse width, pulse repetition rate, etc. The other is the intrapulse fingerprint, which pays attention to pulse waveform characteristics, such as the unintentional modulation on pulse (UMOP) feature [15] and time domain waveform features, including rise slope and fall time, falling angles, angle of pulse, and pulse point [14]. This looks intriguing, but it requires accurate signal measurements that are usually not available to CRs.

There are other ideas based on the imperfections of transceivers, such as frequency offset errors caused by different transmitter and receiver oscillators, or modulation errors caused by the imperfection of electric circuits [5]. Usually, such fingerprint extraction requires prior knowledge of the modulation/multiplexing technology, and it is often very computationally intensive.

The secondary/weak radiometric usually does not identify signals from a particular transceiver. Instead, it identifies signal characteristics that are not reproducible by attackers. A smart attacker is able to mimic some PU signal features such as spectrum bandwidth and activity pattern, and to adaptively change transmission power. Many studies have tried to extract features of the communication channel of the wireless environment [6, 7, 13], which is known as geometrical information of the PU transmitter, because PUs and attackers are unlikely to be at the same place.

Two types of channel fingerprint detection approaches are well discussed. The first category is distance-based approaches [6]. A rudimentary approach is to use RSS-based location estimation techniques, which record the received energy level from the PU as the reference radiometric, and compare it with the sensed spectrum signal strength for detection. A novel idea was proposed to deploy helper nodes around PUs, which are able to help verify the PU signal based on the helper node’s authentic link signatures [16]. A smart attacker model was presented to prove that the first order feature of RSS is not adequate for PUE attack detection, and then an RSS detection method using a second order feature was proposed to confront smart attackers [6]. However, the assumption that all SUs’ and PUs’ positions are prefixed and known is not applicable to many situations in CRNs. The second category is the location-based approach [13], which requires geographical information from at least part of the network participants. In those proposals, peripherals such as GPS, helper nodes and prior knowledge of the PU position are necessary.

PUE attack detection happens in the spectrum sensing stage. In 2010, the FCC announced that it would condition a device’s use of TV White Spaces on its consultation of a geolocation database to ensure the availability of the desired spectrum [4]. Several works have discussed the feasibility of constructing a PU activity database and the details of prototype design [11, 18, 21, 24]. The database will record, model and predict PU activities in order to regulate CR access and optimize spectrum use efficiency. These base stations are able to provide much critical PU information, such as geographical location, activity pattern, and modulation/multiplexing technology. Even further, an FCC Commission’s Rule proposes that PUs such as Federal Primary Users are going to register in a database before accessing the 3.5 GHz band [2].

On one hand, while such database models can eliminate PUE attacks, they do violate the original FCC requirement [1]. Database-enabled spectrum sensing provides new inspiration for defending against PUE attacks, but remains problematic. As the general PU information is made known to CRs through a regular database, smart attackers can mimic PU signal features. In addition, the geographic information of the PU is not available for moving base stations or radars. On the other hand, the PU registry approach has been deployed on a very limited scale, only in federal PU environments [2].

As discussed above, a more adaptive and practical PUE attack detection technique is highly desired. Considering the limited prior knowledge of PUs and the constraints on computing resources of CRs, it is natural to look to hard-to-mimic PU signal features for PUE attack detection. While the secondary radiometric can be easily reproduced by smart attackers, the actual transmission power is an exception. Although attackers can smartly adapt their transmission power to disguise their locations, they are usually incapable of matching the transmission power of PUs. PUs are usually radars, TV stations, and cellular base stations, whose signal strength is normally tens to thousands of times higher than what PUE attackers can produce [19]. For example, the strength of CR signals is normally on the scale of milliwatts [19]. With cooperative spectrum sensing and the involvement of a fusion center (FC), emitter transmission power based PUE detection is applicable without requiring any prior knowledge of PU and CR location information.

3 Detection Model

In CR spectrum sensing studies, the cooperative sensing method is preferable due to the well-known “hidden PU problem”. This problem happens when an SU cannot sense an active PU, either because the PU signal is out of range or because the signal has faded away in the concurrent wireless fading channel. In cooperative spectrum sensing, CRs have to share their sensing results to obtain the most comprehensive knowledge of the desired spectrum environment. In centralized CRNs, a fusion center can collect and synthesize sensed spectrum information from all CRs, and make a joint decision on PU appearance. Our detection model is based on such a deployment with the following assumptions.

  • The PUs are either public infrastructures (e.g. TV stations) or federal facilities (e.g. weather radar systems). They have powerful transmission capability to serve their own purposes.

  • The PUs are not required to be geographically fixed, such that PUs including moving radars or stations are considered.

  • Without loss of generality, assume CRs and the FC are randomly scattered in a circular area with radius of . CRs are not equipped with localization peripherals, and they are unaware of the location of either themselves or their peers.

  • CRs are able to sense the radio environment and report processed spectrum features to the FC.

  • The FC can collect spectrum features from CRs and perform deliberate analysis. The FC has knowledge of general information of measured PUs, such as their occupied spectrum bands, their approximate propagation power, etc.

Figure 1: A centralized CRN sharing the spectrum with a PU.

Figure 1 shows a scenario in which a centralized CRN shares the spectrum resource with a PU. To be more consistent with real-world situations, in our detection model the position of the PU and the distances among the parties are unknown, and CRs are not equipped with localization peripherals, such as GPS or time of arrival (TOA) based equipment, because these peripherals are unaffordable in many applications. In consequence, this detection model poses a greater challenge for PUE attack detection.

4 PUE Attacks Detection under perfect propagation model

As discussed earlier, attackers can hardly emit signal power of the same magnitude as PUs, so the propagation power becomes a useful hard-to-mimic secondary radiometric of transmitters. The challenge, however, is that such a secondary radiometric feature is not directly measurable in a wireless environment. Usually, the receiver can measure the RSS, which is determined by many factors, such as transmission power, propagation environment, and transmission distance.

An ideal propagation model, the Free-Space Path Loss (FSPL) model, assumes no obstructions between the transmitter and receiver, with the signal propagating along a line-of-sight (LOS) channel. This ideal propagation model inspires a reasonable intuition for PUE attack detection. In this section, our new idea for PUE attack detection is introduced with consideration of some real-world restrictions, such as unknown PU and CR locations, but we assume an ideal wireless propagation environment. The FSPL model is expressed as:


where and are received signal power and transmitted signal power respectively; is signal wave length; is the LOS distance between transmitter and receiver; is the product of the transmit and receive antenna field radiation patterns, and it is a constant if the pattern is known. Thus, the received to transmitted power ratio is proportional to the reciprocal of as:


4.1 A Naive Detection Model

In the ideal propagation model, given the RSS measurement and global information of PU propagation power, the transmitter-receiver distance is deducible, which gives us a hint on the relation between the uncloneable radio feature and the wireless channel feature . In our PUE attacks detection model, a hypothesis test is adopted to decide the presence of the attacker.

the signal is from the PU

the signal is from the attacker

The PU propagation power is usually in scale of hundreds or thousands of watts, defined as . In contrast, the attacker, usually comparable to CRs, has the propagation power of tens to hundreds of milliwatts, defined as . Thus, the ratio of PU propagation power to attacker propagation power is computed as .

In a CRN with CRs, the transmitter-receiver distance () can be easily computed given the propagation power and individual CR received power . If the signal is transmitted by the PU, the distance is computed as:


Here, is defined as a constant . Similarly, if the signal is transmitted by the attacker, the distance is computed as:


Further, if the distance between individual CR and the FC is also known, ideally, it is easy to infer to the distance between the PU and the FC in a range . If the signal is transmitted by the PU, the computed does not belong to an empty set, as demonstrated in Fig. 2. If the signal is transmitted from the attacker, the distance is computed as , according to Eq. 4. Thus, the range set is possibly empty as shown by Fig. 3. The FC can apply the hypothesis test by:

  • If , the signal is from the PU (); or

  • If , the signal is from the attacker ().

Figure 2: In the case of PU transmission, compute distance range between the transmitter and the FC. The radius of blue circles are the lower bounds of , computed as ; the radius of green circles are the upper bounds of , computed as . The PU is supposed to locate between the lower and upper bounds.
Figure 3: In the case of PUE attacks, compute distance range between the transmitter and the FC. The radius of blue circles are the lower bounds of , computed as ; the radius of green circles are the upper bounds of , computed as . The figure shows no intersection between the lower and upper bounds.

Following the hypothesis test, the detection rate is calculated as:



is the false negative probability. In Eq. 5, the first inequality originates from the expansion of the inequality to the absolute value of . The second inequality can be explained by the fact that the greatest false negative probability happens (suppose ) when the attacker is located in the center of the CRN, and all CRs are located in the ring-shaped area centered at the attacker with inner radius of and outer radius of . The false positive probability is zero under such a hypothesis test condition.

4.2 Evaluation of hypothesis test by Monte Carlo method

A Monte Carlo method is applied to calculate the detection accuracy in a scenario where CRs and attackers are randomly distributed in a circular area, which is centered at the FC with radius . Figure 4 shows the result. The detection accuracy increases dramatically as the number of CRs increases. And is approaching one when there are more than four CRs in the testing scenario.

Figure 4: The detection accuracy of the hypothesis test computed by Monte Carlo method with different number of CRs in the CRN. For each different number of CRs, repeat the hypothesis test for 100000 times.
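The Monte Carlo evaluation of the naive test can be reproduced as follows. This is an added example, not code from the paper: it assumes each CR's distance range follows from the triangle inequality (from |d_i − r_i| to d_i + r_i, where d_i is the distance inferred under the PU-power assumption and r_i is the known CR-to-FC distance), and all numeric parameters and function names are constructed for illustration.

```python
import math
import random

# Constructed parameters (assumptions for illustration, not values from the paper)
P_PU = 100.0       # PU transmit power in watts
P_ATT = 0.1        # attacker transmit power in watts
WAVELENGTH = 0.5   # metres, roughly a 600 MHz carrier
GAIN = 1.0         # product of the antenna field patterns, taken as known
K = GAIN * WAVELENGTH ** 2 / (4 * math.pi) ** 2   # FSPL: Pr = Pt * K / d^2
R = 1000.0         # radius of the CRN area centred at the FC, metres
TOL = 1e-6         # metres; absorbs floating-point rounding in the comparison


def random_point_in_disk(rng, radius):
    """Uniform random point in a disk centred at the FC (the origin)."""
    rad = radius * math.sqrt(rng.random())
    ang = 2 * math.pi * rng.random()
    return (rad * math.cos(ang), rad * math.sin(ang))


def fspl_rss(p_tx, distance):
    """Received power in watts under free-space path loss (distance >= 1 m)."""
    return p_tx * K / max(distance, 1.0) ** 2


def distance_assuming_pu(rss):
    """Distance the FC infers from an RSS report if the sender had PU power."""
    return math.sqrt(P_PU * K / rss)


def flags_attacker(cr_positions, rss_reports):
    """Naive test: H1 (attacker) if the transmitter-to-FC range set is empty.

    Each CR i contributes the interval [|d_i - r_i|, d_i + r_i]; the range
    set is the intersection of all intervals (triangle-inequality assumption).
    """
    lower, upper = 0.0, math.inf
    for (x, y), rss in zip(cr_positions, rss_reports):
        r_i = math.hypot(x, y)            # CR-to-FC distance, assumed known
        d_i = distance_assuming_pu(rss)   # inferred transmitter-to-CR distance
        lower = max(lower, abs(d_i - r_i))
        upper = min(upper, d_i + r_i)
    return lower > upper + TOL


def detection_rate(n_crs, trials, seed, attacker=True):
    """Fraction of trials flagged as an attack.

    attacker=True : transmitter is an attacker placed uniformly in the CRN.
    attacker=False: transmitter is a genuine PU 5 to 50 km from the FC, so the
                    returned value is the false-alarm rate.
    """
    rng = random.Random(seed)
    flagged = 0
    for _ in range(trials):
        crs = [random_point_in_disk(rng, R) for _ in range(n_crs)]
        if attacker:
            tx, power = random_point_in_disk(rng, R), P_ATT
        else:
            ang = 2 * math.pi * rng.random()
            dist = rng.uniform(5000.0, 50000.0)
            tx, power = (dist * math.cos(ang), dist * math.sin(ang)), P_PU
        reports = [fspl_rss(power, math.dist(c, tx)) for c in crs]
        flagged += flags_attacker(crs, reports)
    return flagged / trials


if __name__ == "__main__":
    for n in range(1, 7):
        print(f"{n} CRs: detection rate {detection_rate(n, 20000, seed=n):.4f}")
    print("false alarms:", detection_rate(5, 20000, seed=0, attacker=False))
```

With a single CR the range set can never be empty, so detection only becomes possible once at least two CRs report.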

5 A RSS based PUE attack detection approach

The above hypothesis test is discussed under the ideal propagation model, which provides a reasonable intuition for PUE attack detection, given the propagation power features of PUs and attackers. In reality, however, the RSS based distance measurement method is not directly applicable for several reasons. First of all, the FSPL propagation model cannot faithfully describe the actual propagation environment. Secondly, signal propagation patterns vary across environments. Also, RSS can vary by a large magnitude over short distances.

Therefore, we choose the single transmitter log-normal shadowing fading propagation model to describe the relationship among transmitted power , received signal power , and distance between transmitter and receiver.


where and are measured in . is the path loss variable at the reference distance , which depends on the antenna characteristics and propagation environment. is the empirical path loss exponent, which is learned to have different values in different environment [12]. Table 1 presents some values measured by empirical studies.

is a normal random variable with zero mean and standard deviation . Most empirical studies for outdoor channels measure the standard deviation in macrocells and in microcells [12].

Environment range
Urban macrocells
Urban microcells
Table 1: Empirical Path Loss Exponents

Over the years, a number of propagation models have been developed for different wireless environments, such as the Hata model, the COST231 model, the piecewise linear model, etc. [12]. In some works, a statistical model is used to obtain a maximum likelihood estimate of the propagation model parameters with a good fit [23]. In our work, we assume the model parameters, with some errors, are accessible either from historical empirical study or from statistical estimation. Thus, the path loss propagation model, inferred from Eq. 6, can be written as Eq. 7, where is a constant determined by reference propagation path loss, and is the empirical path loss exponent.


Because is a normal random variable, the optimal estimator of is obtained by averaging the propagation loss . Thus, we smooth the RSS by using a local averaging method from neighboring CR groups. Then, we apply our hypothesis test to detect PUE attacks.

5.1 CRs Grouping

A RSS smoothing method that divides secondary network into circular areas has been studied [6]. One major restriction of this method lies in the requirement that all CR positions are known globally and CRs remain geographically static. In our work, as discussed in Section 3, a dynamic CRN is assumed where CRs can be either static or mobile, and the CRs are assumed unaware of their positions. In order to estimate distance to the PU in a small area, a CR grouping technique is applied, which assumes the distances between the PU and CRs in a group can be uniformly treated as , where represents the -th CR as the group leader.

Figure 5: Process of CR grouping and PUE attack detection.

In comparison to clustering patterns in traditional wireless sensor networks (WSNs), CR grouping is not meant to construct a hierarchical CRN structure. Instead, it is a logical grouping process that is completed by the FC. The grouping process is shown in Fig. 5. Every CR will maintain a dynamic neighbor list by intermittently requesting in a short broadcasting range . In the spectrum sensing stage, CRs will send their neighbor list along with the RSS measurements to the FC, which enables the FC to create a binary CR neighbor matrix with each element denoted as . The FC will group RSS measurements by rows (for every ), shown in Fig. 6. In each group, the averaged propagation loss is computed as . Further, the distance between the PU and each group is estimated as , when it assumes all CRs in a group have approximately the same distance to the PU, because .

Figure 6: CRs grouping and RSS smoothing diagram.
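The grouping and smoothing steps of this section, written out as an added example that is not the authors' code. It assumes the log-distance shadowing form PL = L0 + 10·γ·log10(d/d0) + X with constructed parameter values, and all function names are hypothetical; CR positions are used only by the simulator, while the FC-side functions see nothing but neighbor lists and RSS reports.

```python
import math
import random
import statistics

# Constructed parameters (assumptions, not the paper's values)
GAMMA = 3.5             # path loss exponent
L0_DB = 40.0            # path loss at the reference distance D0, in dB
D0 = 1.0                # reference distance, metres
SIGMA_DB = 6.0          # shadowing standard deviation, dB
R = 1000.0              # CRN radius around the FC, metres
NEIGHBOR_RANGE = 300.0  # short broadcast range used for neighbor discovery
P_PU_DBM = 60.0         # PU power (1 kW)
P_ATT_DBM = 20.0        # attacker power (100 mW)


def simulate(seed, tx_pos, tx_power_dbm, n_crs=60):
    """Simulator only: returns what each CR reports plus ground truth."""
    rng = random.Random(seed)
    crs = []
    for _ in range(n_crs):
        rad, ang = R * math.sqrt(rng.random()), 2 * math.pi * rng.random()
        crs.append((rad * math.cos(ang), rad * math.sin(ang)))
    true_d = [max(math.dist(c, tx_pos), D0) for c in crs]
    rss = [tx_power_dbm
           - (L0_DB + 10 * GAMMA * math.log10(d / D0) + rng.gauss(0, SIGMA_DB))
           for d in true_d]
    neighbor_lists = [[j for j, other in enumerate(crs)
                       if j != i and math.dist(c, other) <= NEIGHBOR_RANGE]
                      for i, c in enumerate(crs)]
    return neighbor_lists, rss, true_d


def neighbor_matrix(neighbor_lists):
    """FC side: binary matrix, row i marks CR i (the leader) and its neighbors."""
    n = len(neighbor_lists)
    matrix = [[0] * n for _ in range(n)]
    for i, neighbors in enumerate(neighbor_lists):
        matrix[i][i] = 1
        for j in neighbors:
            matrix[i][j] = 1
    return matrix


def loss_to_distance(loss_db):
    """Invert the log-distance model, ignoring the shadowing term."""
    return D0 * 10 ** ((loss_db - L0_DB) / (10 * GAMMA))


def grouped_distances(matrix, rss_dbm, assumed_power_dbm=P_PU_DBM):
    """FC side: average the path loss over each row, then estimate distance."""
    estimates = []
    for row in matrix:
        losses = [assumed_power_dbm - rss_dbm[j] for j, bit in enumerate(row) if bit]
        estimates.append(loss_to_distance(sum(losses) / len(losses)))
    return estimates


def raw_distances(rss_dbm, assumed_power_dbm=P_PU_DBM):
    """Per-CR estimate without smoothing, for comparison."""
    return [loss_to_distance(assumed_power_dbm - r) for r in rss_dbm]


def rms_error_db(estimates, true_d):
    """RMS distance error expressed in path-loss dB."""
    return math.sqrt(statistics.fmean(
        (10 * GAMMA * math.log10(e / t)) ** 2 for e, t in zip(estimates, true_d)))


def smoothing_gain(seed=7):
    """Genuine PU 20 km away: (raw RMS error, grouped RMS error) in dB."""
    lists, rss, true_d = simulate(seed, (20000.0, 0.0), P_PU_DBM)
    grouped = grouped_distances(neighbor_matrix(lists), rss)
    return rms_error_db(raw_distances(rss), true_d), rms_error_db(grouped, true_d)


def attacker_distance_scale(seed=7):
    """Attacker inside the CRN: median ratio of estimated to true distance."""
    lists, rss, true_d = simulate(seed, (200.0, -100.0), P_ATT_DBM)
    est = grouped_distances(neighbor_matrix(lists), rss)
    return statistics.median(e / t for e, t in zip(est, true_d))


if __name__ == "__main__":
    raw, grouped = smoothing_gain()
    print(f"PU signal: raw RMS {raw:.2f} dB, grouped RMS {grouped:.2f} dB")
    print(f"attacker signal: distances inflated ~{attacker_distance_scale():.1f}x")
```

Under these assumptions, a 40 dB power gap inflates every distance estimate for the attacker's signal by roughly 10^(40/(10·γ)), which is the scaling that the hypothesis test in Section 5.2 relies on.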

5.2 Hypothesis test of PUE attack detection

In practical PUE attack detection, the hypothesis test defined in Section 4 is adopted. The propagation powers of the PU and attacker are denoted as and , respectively, where the propagation power difference, regarded as radiometric difference, is calculated as .

Refer to Eq. 7, the distance between a transmitter and the -th CR group is estimated as:


where is the remaining error term. If the signal is transmitted by the PU, the estimated distance is the approximate distance between the -th CR and the PU :


If the signal is transmitted by the attacker, the path loss is computed as:


Thus, the estimated distance is a scaled approximate distance between the -th CR and the attacker :


As assumed in section 4, all CRs are randomly distributed in a circular area with radius of . The transmitter-receiver distances satisfy:


Refer to Eq. 9 and Eq. 11, the FC can apply the following hypothesis test:

  • If , the signal is from the PU (), or

  • If , the signal is from the attacker ()

Here is the threshold factor that affects the accuracy of the hypothesis test. The probability of false negative can be calculated as:

where is the error term. The interpretation to Eq. 5.2 is similar to the one to Eq. 5. It is noteworthy that the equality happens only when attacker is located at some particular locations. The probability of false positive can be calculated as:

where . The Eq. 5.2 can be explained as the complementary of the probability to the case that all CRs are located in the intersection area between a ring-shape area with width of and the CRN distributed area. According to Eq. 5.2 and Eq. 5.2, with larger value of and lower value false negative rate , better hypothesis threshold factor can be designed. With the larger number of CRs , the lower false negative rate can be achieved, but a higher false positive rate may occur.

6 Real-world Emulation Trial

In this section, a deployment trial of our method in real-world PUE attack detection is presented. To perform spectrum sensing in the CRN, we used Universal Software Radio Peripheral (USRP) N210 devices as the sensing nodes, one of which acts as a smart PUE attacker. Due to practical limitations, we are unable to emulate PU activities. Thus, we regard one of the local digital television (DTV) stations as the primary user. The PUE attacker imposes a malicious signal on another unused spectrum band. In order to conduct effective attacks, the smart attacker will mimic the DTV behavior: it will record the DTV signal from a nearby spectrum band and broadcast the exact received signal data.

We implemented the experiment in our lab. The attacker (one USRP N210) is allocated to a fixed spot, and the sensing nodes (other USRP N210 Devices) are placed in 6 different places/rooms, shown in Fig. 7. Due to lack of empirical model parameters, we directly applied Hata propagation model for urban environment [12]. The PU signal information is presented in Table 2, where is the transmitter height. Accordingly, we take of the value of receiver height as m.

Figure 7: Experiment deployment.
Frequency MHz
Power 345 kW
Table 2: PU parameters

The result is shown in Fig. 8, which indicates an almost perfect detection. This is because of the great discrepancy between the PU transmission power and the attacker transmission power (over 60 dB difference), despite the inaccurate propagation model parameters. The sensing nodes will receive a relatively high power of PUE attack signal if they are near the attacker, but receive barely anything if they are too far away from the attacker. In the next section, we present a more detailed discussion of detection performance with regard to model parameter errors and attacker transmission power.

Figure 8: ROC of emulation.

7 Numerical evaluation

7.1 Practical Model Evaluation

Further, a numerical experiment with a more comprehensive network topology is designed to evaluate the proposed hypothesis test. The parameters in Eq. 7 are estimated from empirical study, which may not be the best estimation. The empirical model we used for distance estimation is:


While the best fit propagation model is:


where and are the empirical propagation model estimation errors ( and ). Thus, the estimated distance is, if signal is transmitted by the PU:


Similarly, the estimated distance calculated based on the attacker transmission signal is:


Compared to Eq. 5.2 and Eq. 5.2, the empirical propagation model estimation errors may increase both the false positive and false negative probabilities, due to the increasing uncertainty from the estimated distance.

7.2 Numerical Test and Comparison

The designed test scenario is in a field. The PU and the FC are initially randomly located in the field. The PU is able to move. CRs and the attacker are randomly distributed in a circular area with radius . The best fitted propagation model parameters, and , are designed by referring to the empirical Hata model [12]. The model parameter errors follow Gaussian distribution, defined as and . The details are shown in Table 3.

PU Mobility Yes
Table 3: Parameter Setting

We have compared the performance of our proposal with a back propagation neural network (BPNN) based approach [20]. It is a PUE attack detection scheme that does not need geographical information of the PU, which is similar to our work. However, it does require CRs’ geographical information for both training and testing process. Although there are other PUE attacks detection methods, their strong assumptions make it inappropriate to compare them with our approach. In the evaluation test, we apply a three layer BPNN with three input nodes, four hidden nodes and two output nodes, as shown in Fig. 9.

Figure 9: BPNN structure for PUE attack detection.
Figure 10: ROC of two approaches, when and , with different number of CRs () and different attacker propagation power .
Figure 11: ROC of two approaches, when and , with different number of CRs () and different attacker propagation power .
Figure 12: ROC of two approaches, when and , with different number of CRs () and different attacker propagation power .
Figure 13: ROC of two approaches, when and , with different number of CRs () and different attacker propagation power .

Figures 10, 11, 12, and 13 present the comparison between our proposal and the BPNN approach using the receiver operating characteristics (ROC) curves corresponding to different number of CRs () and different propagation power differences () under several different parameter error propagation models.

The performance evaluation results in the figures show that both our proposed approach and the BPNN approach for PUE attack detection achieve better performance when there is a larger number of CRs and a larger propagation power difference between the PU and the attacker. Comparing all result figures, however, shows that the BPNN approach is not sensitive to model parameter errors and , while the performance of our approach greatly depends on the accuracy of model estimation. This is because the training data fed to the neural network in the BPNN approach comes directly from the real propagation environment, so the testing process does not rely on the propagation model estimation. As shown in Figs. 10 and 11, on the other hand, our approach achieves superior performance when the propagation model is well estimated.

However, a comparison based only on performance does not give the complete picture. The BPNN is robust against inaccuracy in the propagation model estimation because it is essentially empirical and learns from historical data. In fact, the BPNN detector does not work with the same inputs that our proposed method requires.

In summary, our proposed detection approach possesses two major advantages over the BPNN detector. Firstly, the BPNN approach requires the CRs’ geographical information in both the training and testing processes, which may greatly increase the cost by equipping CRs with extra peripherals, such as GPS, while our approach does not rely on any prior geographical information. Secondly, our approach requires no training process, and in particular no supervised training process. In PUE attack detection, training signals at the receiver side that are tagged as coming from the PU are not always available in practice. Therefore, compared to the BPNN detector, our approach is feasible in a wider selection of scenarios.

8 Conclusions

In this work, we proposed a novel PUE attack detection approach leveraging the hard-to-mimic feature of high PU transmission power, compared to the attacker transmission capability. The detection model considered many constraints in real-world situations, such as mobile PUs, unknown geographical information of each party, and the geographical randomness of PUs and attackers as well as the CRN formation. Both theoretical analysis and experimental results have validated our proposal.


Q. Dong, Y. Chen and X. Li are supported by the NSF via grant CNS-1443885. K. Zeng is partially supported by the NSF under grant No. CNS-1502584 and CNS-1464487.


  • [1] Federal Communications Commission. Facilitating opportunities for flexible, efficient, and reliable spectrum use employing spectrum agile radio technologies. ET Docket (03-108) edn. (December 2003)
  • [2] Enabling innovative small cell use in 3.5 GHz band NPRM & order (Dec 2012)
  • [3] Adelantado, F., Verikoukis, C.: Detection of malicious users in cognitive radio ad hoc networks: A non-parametric statistical approach. Ad Hoc Networks (2013)
  • [4] Baker, M.A.: Introductory remarks: Panel on the future of radio technology. Technical report, Federal Communications Commission (2010)
  • [5] Brik, V., Banerjee, S., Gruteser, M., Oh, S.: Wireless device identification with radiometric signatures. ACM (2008)
  • [6] Chen, R., Park, J.M., Reed, J.H.: Defense against primary user emulation attacks in cognitive radio networks. Selected Areas in Communications, IEEE Journal on 26(1) (2008) 25–37
  • [7] Chen, Z., Cooklev, T., Chen, C., Pomalaza-Ráez, C.: Modeling primary user emulation attacks and defenses in cognitive radio networks. In: Performance Computing and Communications Conference (IPCCC), 2009 IEEE 28th International, IEEE (2009) 208–215
  • [8] Das, D., Das, S.: Primary user emulation attack in cognitive radio networks: A survey. IRACST-International Journal of Computer Networks and Wireless Communications 3(3) (2013) 312–318
  • [9] Dong, Q., Yang, Z., Chen, Y., Li, X., Zeng, K.: Anomaly detection in cognitive radio networks exploiting singular spectrum analysis. In: International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security (MMM-ACNS), Springer (2017) 247–259
  • [10] Dong, Q., Yang, Z., Chen, Y., Li, X., Zeng, K.: Exploration of singular spectrum analysis for online anomaly detection in CRNs. EAI Endorsed Transactions on Security and Safety 4(12) (2017) e3
  • [11] Feng, X., Zhang, J., Zhang, Q.: Database-assisted multi-ap network on tv white spaces: Architecture, spectrum allocation and ap discovery. In: New Frontiers in Dynamic Spectrum Access Networks (DySPAN), 2011 IEEE Symposium on, IEEE (2011) 265–276
  • [12] Goldsmith, A.: Wireless Communications. Cambridge University Press (2005)
  • [13] Huang, L., Xie, L., Yu, H., Wang, W., Yao, Y.: Anti-PUE attack based on joint position verification in cognitive radio networks. Volume 2. IEEE (2010)
  • [14] Kawalec, A., Owczarek, R.: Specific emitter identification using intrapulse data. In: Radar Conference, 2004. EURAD. First European, IEEE (2004) 249–252
  • [15] Langley, L.E.: Specific emitter identification (SEI) and classical parameter fusion technology. In: WESCON/’93. Conference Record, IEEE (1993) 377–381
  • [16] Liu, Y., Ning, P., Dai, H.: Authenticating primary users’ signals in cognitive radio networks via integrated cryptographic and wireless link signatures, IEEE (2010) 286–301
  • [17] Marinho, J., Granjal, J., Monteiro, E.: A survey on security attacks and countermeasures with primary user detection in cognitive radio networks. EURASIP Journal on Information Security 2015(1) (2015) 4
  • [18] Murty, R., Chandra, R., Moscibroda, T., Bahl, P.V.: Senseless: A database-driven white spaces network. In: IEEE Transactions on Mobile Computing. (2012)
  • [19] Paisana, F., Marchetti, N., DaSilva, L.A.: Radar, tv and cellular bands: Which spectrum access techniques for which bands? IEEE Communications Surveys & Tutorials 16(3) (2014) 1193–1220
  • [20] Peng, K., Zeng, F., Zeng, Q.: A new method to detect primary user emulation attacks in cognitive radio networks. In: International Conference on Computer Science and Service System (CSSS 2014). (2014)
  • [21] Pesko, M., Javornik, T., Kosir, A., Stular, M., Mohorcic, M.: Radio environment maps: The survey of construction methods. TIIS 8(11) (2014) 3789–3809
  • [22] Rasmussen, K.B., Capkun, S.: Implications of radio fingerprinting on the security of sensor networks. In: Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on, IEEE (2007) 331–340
  • [23] Roos, T., Myllymaki, P., Tirri, H.: A statistical modeling approach to location estimation. IEEE Transactions on Mobile Computing 99(1) (2002) 59–69
  • [24] Yilmaz, H.B., Tugcu, T., Alagoz, F., Bayhan, S.: Radio environment map as enabler for practical cognitive radio networks. IEEE Communications Magazine 51(12) (2013)
  • [25] Zhang, X., Jia, Q., Guo, L.: Secure and optimized unauthorized secondary user detection in dynamic spectrum access. In: IEEE Conference on Communications and Network Security (CNS). (October 2017) 1–9