In recent years, with the strong growth in the number of customers, the consumption of data traffic from wireless terminals has drastically increased [1-4]. Moreover, according to a study conducted by the ”Beijing Key Laboratory of Network System Architecture and Convergence, China” on mobile Internet penetration in the world from 2013 to 2019 , 48.8% of the world’s mobile phones had access to the Internet in 2014. This figure reached 61.2% in 2018, with an average annual increase of 8.3% in the number of mobile devices. In this context, due to the shortage of spectrum and bandwidth, traditional RANs are not able to meet the growing demands of mobile users. Cloud Radio Access Network (C-RANs) architectures present a promising solution to potentially increase the network flexibility and improve its performance, possibly overcoming the problems of traditional RANs . In fact, real-time cloud infrastructures, cooperative radio, centralized data processing, and cloud radio access networks are increasingly sought by mobile operators to meet the requirements of end-users. Since IBM defined the concept of C-RAN in 2010, this technology has attracted significant attention around the world. The fifth generation of mobile technologies (5G) established C-RAN as its architecture to support their new mobile services and communications .
A C-RAN network, which has a mesh topology, is composed of three main components: Virtualized Base-Band Unit (BBU) pool, Remote Radio Head (RRH), and a fronthaul network connecting the RRHs to the BBU pool. RRHs collect wireless signals from all wireless devices and the fronthaul network sends them to the BBU pool. Thanks to a Digital Signal Processor (DSP) controller in the BBU pool, the C-RAN network can re-assign the fronthaul network to meet the changing traffic needs of mobile devices .
Recently, because of their vulnerability to malicious attacks, the security of C-RAN networks has drawn special attention and concern . Due to the open nature of wireless networks, both authorized and illegitimate users can access the communication channel. Thus, C-RANs inherit all the attacks that can be performed on wireless networks, including the most popular jamming attacks. Due to their ability to easily disable radio channels that use strong high-level security measures, jamming attacks represent the most serious security threat in the wireless communication field. Several forms of this attack can be used against C-RAN, namely constant jamming, random jamming, deceptive jamming, and reactive jamming .
In this context, Intrusion Detection System (IDS) have been developed to enhance the security of the network. Signature-based intrusion detection (S-IDS) is a valuable technology which could protect C-RAN networks against the known attacks. However, this method fails to identify new attacks . On the other hand, anomaly-based intrusion detection (A-IDS) can resolve this limitation by detecting unknown or novel attacks. Among various anomaly-based intrusion detection techniques, machine learning-based intrusion detection (ML-IDS) shows great potential. In this direction, different solutions have been proposed to tackle security threats.
Syed et al.
 proposed a new radio modulation network-based intrusion detection system for jamming attacks named LIDS. They implemented two LIDS algorithms based on the Kullback Leibler Divergence (KLD) and Hamming distance (HD). The detection rates achieved are of 98% and 88%, respectively with a 5% false positive rate. Imenet al.  designed an intrusion detection mechanism to limit DoS attacks in Wireless Sensor Networks. They implemented five machine learning algorithms to detect and classify DoS attacks. Oscar et al.  presented a machine learning-based jamming detection approach capable of detecting constant and reactive jammers under various scenarios in 802.11 networks. Yi et al.  presented a machine learning method for launching jamming attacks in wireless communications and also introduced a defense strategy. For vehicular ad hoc networks (VANETs). Dimitrios et al.  presented a method for detecting and clustering radio frequency (RF) jamming attacks based on the use of unsupervised machine learning. Thi et al.  designed a machine learning based IDS to classify four DoS attacks in Wireless Sensor Networks (WSN).
This work aims to deploy a new multi-stage ML-IDS with a double detection check against jamming attacks which ensures a high attack detection accuracy. Precisely, our main contributions are summarized as follows:
We propose a new ML-IDS concept based on supervised and deep learning for the detection and classification of jamming attacks.
We enhance the security of C-RAN networks by deploying a high accuracy multi-stage jamming attack detection mechanism.
We implement our final solution into the BBU pool without greatly affecting the latency.
Ii Types Of Jammers And Intrusion Detection Systems
In this section we will go through the existing types of jammers then we will justify the chosen detection method.
Ii-a Types Of Jammers
A jammer is an equipment that can disturb a node’s signal by increasing its power spectral density (PSD). There are several types of jammers that may be used against C-RAN networks, namely: constant jammer, random jammer, deceptive jammer, and reactive jammer.
Ii-A1 Constant jammer
a constant jammer continuously produces radio signals completely random. They do not follow any underlying MAC protocol and are only random bits.
Ii-A2 Random jammer
a random jammer works randomly in two states; sleep and jamming. During the sleep state, it is idle and during the jamming state, it acts as a constant jammer.
Ii-A3 Deceptive jammer
as deceptive jammer is a constant jammer that continuously transmits regular packets. It is more difficult to detect because it transmits legitimate packets instead of random bits.
Ii-A4 Reactive jammer
a reactive or intelligent jammer is activated when it detects a transmission on the channel and starts sending illegitimate packets. If the channel is inactive, it stays inactive and continues sensing the channel.
Ii-B The Chosen Detection Method
IDSs are strategically placed on a network to detect threats and monitor network traffic. IDS uses network or host-based approaches to recognize attacks by collecting data from network systems and sources and analyzing it to identify potential threats.
As we can see in Figure 1, there are several intrusion detection methods, the most popular being signature-based. Signature-based detection is governed by a set of rules used to match models in network traffic. It detects well-known attacks; however, it has a major drawback since it is incapable of identifying new attacks. On the other hand, anomaly based-IDS detect unknown or novel attacks. Anomaly-based IDS detect attacks that have not been dealt with before.
Fig. 1: Hierarchical Classification of IDS .
Among the various anomaly based-IDS techniques such as Machine Learning based IDS (ML-IDS), Knowledge Based IDS (K-IDS), Data Mining based IDS (DM-IDS), Statistical Anomaly based IDS (SA-IDS), the most promising one is ML-IDS since it is capable of gradually improving its performance by learning over time while performing a given task.
Iii The Proposed System Model
This section presents the proposed system model by first exhibiting the architecture deployed and then justifying the chosen implemented classifiers.
Iii-a The Deployment Architecture
The deployed architecture of the proposed ML-IDS in C-RAN architecture is shown in Figure 2 with its mesh topology using Low Energy Aware Cluster Hierarchy (LEACH) routing protocol. LEACH is an adaptive and self-organized clustering protocol in WSNs that is characterized by its simplicity and low energy. LEACH assumes that the base station (BS) is fixed and located far from the sensor nodes. The main idea of the LEACH protocol is to arrange nodes into clusters to distribute energy among all nodes in the network. In addition, in each cluster there is a Cluster Head (CH) node that collects the data received from the sensors in its cluster and transmits it to the BS. At the BSs we have a number of antennas distributed geographically to provide higher coverage.
Each antenna is connected with a Remote Radio Head (RRH) through a coaxial cable, and every RRH is connected to a Base Band Unit (BBU) pool via an optical fiber which has a very low loss. The Fronthaul is the part between the RRHs and the BBU pool which is the physical section while the part between the BBU pool and the mobile core network (internet, cloud computing resources …) is called Backhaul which is the virtual section of the network.
Fig. 2: Architecture for deploying the proposed ML-IDS in C-RAN environments.
The proposed ML-IDS collects mobile traffic flowing between the clusters and the FrontHaul, and processes it with Multilayer Perceptron (MLP). Our model classifies traffic into five classes, namely constant jamming, random jamming, deceptive jamming, reactive jamming, and normal traffic. If classified as normal by MLP, the traffic is processed again by a Kernelized Support Vector Machine (KSVM). The motivation to add a KSVM after the MLP is to reduce the false negatives that the MLP has created. In a false negative, the system decides that the situation is normal while in reality there is an attack.
The ML-IDS is deployed into the virtualized BBU pool for several reasons. First, the virtualized BBU pool contains all the functionalities of the C-RAN network such as spectrum allocation, confidential user data, network slicing, cloud services management, etc. Thus, the BBU pool controls the entire C-RAN network. Second, the objective of a jamming attack is to add noise in the area between clusters and BSs where the BBU pool is the only part of the C-RAN that monitors this area. And finally, the BBU pool is the infrastructure that contains enough resources to run such a detection engine without greatly affecting the latency.
Iii-B The Implemented Classifiers
Two classifiers have been implemented in the BBU Pool to detect the aforementioned four types of jamming attacks. Therefore, if an attack is missed with the first classifier the second one will be able to detect it. The first classifier is MLP which is a deep learning algorithm. MLP consists of a system of interconnected neurons as shown in Figure 3, which is a model representing a non-linear mapping between input and output vectors.
Fig. 3: A multilayer perceptron with several hidden layers .
MLP has been chosen because of the very large number of input vectors (we have 374661 vectors in our case) so the stochastic gradient drop is often the best choice (especially for classification) in terms of speed, ability, and control. MLP was chosen among all deep learning algorithms (CNN, RNN, LSTM, DBM…) because of its flexibility which allows it to be applied to different types of data.
The second algorithm implemented is the KSVM which is an efficient binary classifier. Knowing that jamming attacks are not linearly separable in a low dimension space, the KSVM handles such situations when using a kernel function. This function maps the data in a different space where a linear hyperplane can be used to split the attacks. The process is illustrated in Figure 4. This is called thekernel trick as the kernel function transforms the data into a higher dimensional feature space so that a linear separation is possible.
Fig. 4: Non-linear classifier using Kernel trick .
The decision limit or so-called hyperplane separating the classes has weighting coefficients given by the vector W
, which we need to estimate. The KSVM classifier tries to maximize the distance between this vectorW and the nearest points (support vectors) so that it becomes our constraint. This is equivalent to minimizing the following equation:
Where l is the number of data points in our training data, y denote the outputs of the data points, x is the feature vector in each training example, and is the Lagrangian constant.
Iv WSN-DS Description
To obtain experimental results, the WSN-DS, which is a specialized dataset for WSNs was used to classify attacks, which is a dedicated wireless dataset for intrusion detection . It contains exactly 374,661 simple connection vectors, each of which includes 23 features and is labeled as normal or attack. The specific types of attacks are grouped into different categories of attacks, namely Constant jamming, Random jamming, Deceptive jamming, and Reactive jamming, in addition to the normal case (without attack).
The WSN-DS contains 23 attributes (features) to help determine the state of every node in the C-RAN network. Principal Component Analysis (PCA) is a statistical technique primarily used for dimensionality reduction which consists of selecting the attributes that contain the maximum amount of information in the order of importance, to have a model that is easier to interpret and that reduces the calculation time required. As we can see in Figure 5, we were able to extract the most important features from the 23, and these selected attributes are listed as follows:
Energy consumption: the amount of energy consumed in the previous round.
At first, each node generates an arbitrary number between 0 and 1, then a threshold is computed T(n) using the formula below. If the chosen random number is less than the threshold value, the node will become a Cluster Head (CH).
is the CH probability,N is the set of nodes that have not been a CH in the last 1/p rounds, and r is the current round.
Is CH: A flag to distinguish whether the node is a CH (value 1) or a normal node (value 0).
ADV CH send: the number of advertise CH broadcast messages sent to the nodes.
ADV SCH send: the number of advertise TDMA schedule broadcast messages sent to the nodes.
Data sent to BS: the amount of packets of data transmitted to the RRH.
Distance CH to BS: the distance between the CH and the RRH.
Data received: the number of packets received from CHs.
ADV CH receives: the number of advertise CH messages received from CHs.
Join REQ receive: the number of join request messages received by the CHs from the nodes.
Time: the current simulation time of the node.
Fig. 5: Top 10 most important features in WSN-DS.
The WSN-DS was separated into 70% training data and 30% testing data. Table I shows the data separation.
|Class||Number of records used in dataset|
|Training set (70%)||Testing set (30%)|
V Experimentation results
The results obtained from the dataset are presented in this section. All the tasks are performed using the Python programming language and Scikit-learn library. Experiments were conducted on an Intel(R) Xeon(R) CPU E3-1225 v5, 16.00 GB RAM with Windows 10 Enterprise 2016 LTSB 64-bit Operating System, and x64-Based Processor. Table II show the classification accuracy obtained for each stage.
|MLP (first stage)||81,73 %|
|MLP + KSVM (second stage)||94,51 %|
To evaluate the proposed approach, We compared our multi-stage model with another work that used just MLP  applied to the same dataset to confirm that our approach is the most appropriate. Table III illustrates that our model can provide better accuracy of attacks classification than just the MLP model.
|Model||Accuracy of attacks classification||
Moreover, Receiver Operating Characteristic (ROC) curve is used to visualise the performance of the classifiers. It gives us the trade-off between the True Positive Rate (TPR) and the False Positive Rate (FPR) at different classification thresholds.
As shown in the equations above, TPR is the proportion of observations that are correctly predicted to be positive. However, FPR is the proportion of observations that are incorrectly predicted to be positive. Figure 6 shows the ROC curve for each model.
These results showed that the application of MLP and KSVM to WSN-DS dataset provides a higher classification accuracy and better security in C-RAN architectures.
Vi Conclusion and Future Work
In the present paper, we proposed an efficient multi-stage solution that can detect four different types of jamming attacks in Cloud Radio Access Networks (C-RAN) by deploying a new machine learning-based intrusion detection system (ML-IDS). We have implemented a multi-stage detection based on supervised and deep learning classifiers to reduce the number of attacks missed and to decrease the system’s false negatives and false positives rates. The proposed solution guarantees a high detection and classification accuracy that can reach up to 94%. In the future, we aim to create our wireless dataset for intrusion detection to include other types of jamming attacks such as shot noise-based intelligent jamming. In addition, several attacks that target C-RAN architectures like eavesdropping attacks, primary user emulation attacks, and impersonation attacks will be included.
-  J. Yang, Y. Qiao, X. Zhang, H. He, F. Liu and G. Cheng, ”Characterizing User Behavior in Mobile Internet,” in IEEE Transactions on Emerging Topics in Computing, vol. 3, no. 1, pp. 95-106, March 2015.
-  C. I, J. Huang, R. Duan, C. Cui, J. Jiang and L. Li, ”Recent Progress on C-RAN Centralization and Cloudification,” in IEEE Access, vol. 2, pp. 1030-1039, 2014.
-  M. Hadzialic, B. Dosenovic, M. Dzaferagic and J. Musovic, ”Cloud-RAN: Innovative radio access network architecture,” Proceedings ELMAR-2013, Zadar, 2013, pp. 115-120.
-  S. Buzzi, C. I, T. E. Klein, H. V. Poor, C. Yang and A. Zappone, ”A Survey of Energy-Efficient Techniques for 5G Networks and Challenges Ahead,” in IEEE Journal on Selected Areas in Communications, vol. 34, no. 4, pp. 697-709, April 2016.
-  K. Boulos, M. El Helou and S. Lahoud, ”RRH clustering in cloud radio access networks,” 2015 International Conference on Applied Research in Computer Science and Engineering (ICAR), Beirut, 2015, pp. 1-6.
-  F. Tian, P. Zhang and Z. Yan, ”A Survey on C-RAN Security,” in IEEE Access, vol. 5, pp. 13372-13386, 2017.
-  A. Mpitziopoulos, D. Gavalas, C. Konstantopoulos and G. Pantziou, ”A survey on jamming attacks and countermeasures in WSNs,” in IEEE Communications Surveys anf Tutorials, vol. 11, no. 4, pp. 42-56, Fourth Quarter 2009.
-  Veeramreddy, Jyothsna, Prasad, V. Prasad, Koneti. (2011). A Review of Anomaly based Intrusion Detection Systems. International Journal of Computer Applications. 28. 26-35.
-  S. M. Danish, A. Nasir, H. K. Qureshi, A. B. Ashfaq, S. Mumtaz and J. Rodriguez, ”Network Intrusion Detection System for Jamming Attack in LoRaWAN Join Procedure,” 2018 IEEE International Conference on Communications (ICC), Kansas City, MO, 2018.
-  Iman Almomani, Bassam Al-Kasasbeh, and Mousa AL-Akhras, “WSN-DS: A Dataset for Intrusion Detection Systems in Wireless Sensor Networks,” Journal of Sensors, 16 pages, 2016.
-  O. Puñal, I. Aktaş, C. Schnelke, G. Abidin, K. Wehrle and J. Gross, ”Machine learning-based jamming detection for IEEE 802.11: Design and experimental evaluation,” Proceeding of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks 2014, Sydney, NSW, 2014, pp. 1-10.
-  Y. Shi, Y. E. Sagduyu, and J. H. Li, ”Adversarial Deep Learning for Cognitive Radio Security: Jamming Attack and Defense Strategies,” 2018 IEEE International Conference on Communications Workshops (ICC Workshops), Kansas City, MO, 2018, pp. 1-6.
-  D. Karagiannis, A. Argyriou, ”Jamming attack detection in a pair of RF communicating vehicles using unsupervised machine learning,” Vehicular Communications, Volume 13, 2018, Pages 56-63.
-  T. Le, T. Park, D. Cho and H. Kim, ”An Effective Classification for DoS Attacks in Wireless Sensor Networks,” 2018 Tenth International Conference on Ubiquitous and Future Networks (ICUFN), Prague, 2018, pp. 689-692.
M.WGardnera, S.RDorlinga ”Artificial neural networks (the multilayer perceptron)—a review of applications in the atmospheric sciences” in Atmospheric Environment , IEEE, 1 August 1998, Pages 2627-2636.
-  José Luis Rojo-Álvarez; Manel Martínez-Ramón; Jordi Muñoz-Marí; Gustau Camps-Valls, ”Support Vector Machine and Kernel Classification Algorithms,” in Digital Signal Processing with Kernel Methods , , IEEE, 2018, pp.433-502.
-  Illy, P., Kaddoum, G., Moreira, C.M., Kaur, K. Garg, S. (2019). Securing Fog-to-Things Environment Using Intrusion Detection System Based On Ensemble Learning. ArXiv, abs/1901.10933.