Dynamic Spectrum Access Security Issues
Timothy R. Newman, Ph.D.
Virginia Tech

Dynamic Spectrum Access
What is DSA?
  Dynamically changing channel in response to environmental stimuli
Why do we want DSA?
  Commercial: Inefficient spectrum usage
  Military: Ease spectrum management tasks
    avoid jamming

DSA Current State
Where is DSA technology currently at?
DARPA XG radio program has come and gone
  WNaN program now pushing SOME development
  No REAL deployment of these radios yet
Commercial companies now involved
  Microsoft, Google, Dell, HP, Intel, Philips, Samsung, ….
  First “white space” network in Oct. 2009, Claudville, VA.
  No adaptation but it’s a first step
Estimate at least 7-9 solid prototype DSA systems exist

DSA Current State
Where is DSA technology currently at? (cont.)
Majority of the current prototype devices using energy detection techniques for signal detection
Final consensus – TRL 6
What’s next for DSA?
  Army purchase WNaN radios for deployment?
  SSC integrating DSA technology with ARGON’s HyNET wireless mesh network system (US Army)
  Ultimate white space network deployed for WORLDWIDE broadband access!!!

Cognitive Radio and DSA Security
CR security is slowly coming into focus for academia and industry
  SDR Forum session devoted to CR/SDR security
  Publications with CR/SDR security topics are on the rise
  Two DARPA programs on CR/SDR security proposed
Security research for CR/SDR is still largely overlooked
  XG program had NO output related to security of DSA protocols
  None of the current prototypes have any DSA specific security features

DSA Radio Security Analysis
What are the primary DSA security issues?
Primary User Emulation
  Spoofing the intended primary user
Spectral Honey Pot threats
  Forcing the victim DSA radio to operate on a specific channel
DSA DoS threats
  “I can sense and hop faster than you!” – PHY level threat
  LPD jamming – Waveform level threat

Primary User Emulation
PUE threat is the baseline for many other DSA related attacks
Once you can manipulate the radio the floodgates are open, you’ve got root!!
Classifiers and Detectors are all over and have been for a long time
DSA brings a new twist – Detection/Classification affects communication parameters
Energy Detection is usually “settled” for to gain low complexity and processing speed
Problem now: Any error is a possible hole

Primary User Emulation
DSA algorithms commonly focus on maximizing Pd
  Pd is probability the PU is detected when it is there
Pd = 100% is still not secure!!
  This is what REALLY gets overlooked
Remember XG Motto: “No Harm”
  This can guarantee no interference but can not guarantee security of DSA system

Spectral Honeypot
Objective is to manipulate a signal into a specific channel in order to have a better chance of exploitation
Simplistic approach will simply emulate a primary user until the user jumps to the target channel
Advanced approaches take advantage of the DSA algorithm by manipulating other portions of the environment
[Figure: three panels, each titled “Periodogram Power Spectral Density Estimate”; x-axis Frequency (kHz), y-axis Power/frequency (dB/Hz) from -80 to 0; Channel 1 through Channel 5 marked along the frequency axis]

DSA Denial of Service
Straightforward DSA DoS – Sense and Hop faster than the receivers
  DSA radio networks must rendezvous on another channel if a PU appears
  What if a PU appears before network can rendezvous?
Waveform level
  Commonly DSA algorithms interleave the sensing and communication
  Synchronize and jam only the communication time blocks

Analyzing a Real Radio!
Shared Spectrum DSA2100 – WiMAX DSA Radio
  Phase 3 contractor for DARPA XG Program
Interesting Radio Characteristics
  Wavesat chipset: 802.16-2004
  Agility - 138 MHz – 3 GHz
  Bandwidth - 1.75 MHz, 3.5 MHz, or 7 MHz
  Tuning speed – 300 μs
  TX spur level - -60 dBc
DSA Channel Selection Algorithms
  Least occupied
  Least energy
  Random

Analyzing a Real Radio!
DSA Specific Parameters
  Co-channel sample rate: 10 Hz
  Non-occupancy period: 5 sec
  Detection Algorithm: Energy detection
  Freq. Range for analysis: 350 – 450 MHz, 400 – 480 MHz
** Non-occupancy period – Time a channel should be “blocked out” if a PU signal is detected

SSC Radio Tests
Analysis focused on DSA DoS and spectral honeypot
  PUE was a gimme!
  How much QoS is degraded?
  How fast can they be manipulated?
High Performance Tests
  Done with a signal generator (Agilent)
  Restricted to sweeping-type tests
Practical Tests
  Done with GNUradio and USRP (RFX400)
  SDR enabled “smarter” tests

DSA Denial of Service
DSA DoS = Never able to rendezvous
Signal generator parameters
  Pulse sweep time - Amount of time pulse dwells in a channel before going to channel + 1
  Signal Power – Is the detection threshold really enforced?
  Channel Step Size – 1 MHz (2 MHz probably would’ve been better)

DSA Denial of Service
Non-Occupancy Period = 5 sec
Spectrum Range = 100 MHz
Sweep Rate = 100 ms
50 % Channels BLOCKED

DSA Denial of Service
Adding a bit of intelligence (sensing)
  Using GNUradio we can easily put together a waveform that can sense the location of the signal and send a pulse
  Pulse power only needs to be just above detection threshold
What happens if DSA radio ALWAYS sees a PU?

DSA Denial of Service
Sweeper
  Pulse < 50ms: pulse is going too fast
  Theoretical optimal pulse sweep time = [equation garbled in extraction; its terms are SampleRate, SignalBW and ChannelStepSize]
  ** Optimal = largest block size
Smarter Jamming
  ~92% packet loss!
  100% because radio isn’t perfect

Spectral Honeypot
Goal is to manipulate radio into using a specific channel
Signal Generator Sweep Method
  Notch out a channel from the sweep list

Spectral Honeypot
Timing results for sweeper method

Spectral Honeypot
Timing results for sense and pulse

Security Analysis - Take Aways
What do we get from this analysis?
Motto of this specific DSA technology is “No Harm”
  Focus is on existing systems QoS, not their own
No Harm to existing systems may mean ZERO communication for the DSA radios
Manipulation is possible when radios use an unauthenticated environment when making decisions
Non-occupancy period is a critical hole

DSA Security Mitigation
Primary User Emulation Denial
  Signal Detection != Signal Classification
  Robust classification is the objective
  Unique feature selection is critical
  Embed signatures
  Watermarking techniques
Non-Occupancy Period
  Randomize in order to create “holes” in the jamming block
Embedding “common sense”
  Integrate security cognition into the system to filter for obvious malicious acts
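
Added example (not from the original slides): one form the “common sense” filter above could take, flagging primary-user detections that march across adjacent channels at a steady pace, which is the signature of the sweeping signal-generator tests rather than of a stationary primary user. The log format, function names and thresholds are assumptions; the sample log is constructed and uses the 100 ms sweep rate quoted in the slides.

```python
from dataclasses import dataclass

# Constructed sensing log: (time in seconds, channel index of a PU detection).
# The record format is an assumption; adapt it to the radio's own sensing output.
SAMPLE_LOG = [
    (0.0, 12), (0.1, 13), (0.2, 14), (0.3, 15), (0.4, 16), (0.5, 17),  # marching
    (3.0, 40), (3.1, 40), (3.2, 40), (3.3, 40),                        # stationary PU
    (7.0, 5), (9.5, 71),                                               # isolated
]

@dataclass
class SweepRun:
    start_s: float
    end_s: float
    first_channel: int
    last_channel: int
    dwell_s: float  # mean time between successive detections in the run

def _continues(run, ev, max_step, max_gap_s, jitter):
    """True if detection `ev` extends `run` as one more step of the same sweep."""
    (t_prev, ch_prev), (t, ch) = run[-1], ev
    step, gap = ch - ch_prev, t - t_prev
    if not (1 <= abs(step) <= max_step and 0 < gap <= max_gap_s):
        return False          # same channel, far jump, or too long a pause
    if len(run) < 2:
        return True           # second point fixes the direction and pace
    first_step = run[1][1] - run[0][1]
    first_gap = run[1][0] - run[0][0]
    same_direction = (step > 0) == (first_step > 0)
    steady_pace = abs(gap - first_gap) <= jitter * first_gap
    return same_direction and steady_pace

def find_sweeps(events, min_run=5, max_step=2, max_gap_s=0.5, jitter=0.25):
    """Return runs of at least `min_run` detections that march across channels."""
    runs, run = [], []
    for ev in sorted(events) + [None]:          # None flushes the last run
        if ev is not None and run and _continues(run, ev, max_step, max_gap_s, jitter):
            run.append(ev)
            continue
        if len(run) >= min_run:
            (t0, c0), (t1, c1) = run[0], run[-1]
            runs.append(SweepRun(t0, t1, c0, c1, (t1 - t0) / (len(run) - 1)))
        run = [ev] if ev is not None else []
    return runs

if __name__ == "__main__":
    for r in find_sweeps(SAMPLE_LOG):
        print(r)
```

What the radio does with a flagged run (alerting, or weighting those detections differently from a stationary primary user) is a policy decision the slides leave open.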

Future Generation of CR Threats
Cognitive Radio technology is adding more autonomous operating into the wireless device
  Increased exposure to possible threats
Threats to this technology are analogous to social networking attacks rather than traditional network attacks
  Sensory Manipulation (DSA)
  Belief Manipulation (Learning Attacks)
  Cognitive Radio Viruses (Learning Network Attacks)
ETA until radios are using advanced AI: long…

Other SDR/CR related items at VT

Cognitive Radio Network Testbed
Defense University Research Instrumentation Program (DURIP) grant for CR testbed equipment.
Physical testbed deployed throughout a new campus building
Total size of testbed is 48 nodes
  12 nodes per floor
No restrictions on other wireless systems inside building
Reservation System for Nodes

CR Testbed Hardware
Custom RF Daughterboard
  Motorola RFIC4
  100 MHz – 4 GHz
  20 MHz instantaneous bw
  Highly variable receive gain 25 dB – 50 dB
  Multiple TX (3) and RX (5) paths
  Sideband Rejection 40 dB - 60 dB
Host PC Servers
  Intel Xeon Quadcore 2.13 GHz
  6 GB RAM, Gigabit Ethernet
  Upgradable to Intel Nehalem for future
Much different from existing testbeds

Cognitive Radio Network Testbed
Current Testbed Status
  5 PC nodes with USRP and RFX400 daughterboard
  Power and network installed throughout building
  Servers are racked and ready
  Waiting on USRP2’s to be delivered
  Management back-end is being developed

Cognitive Radio Open Source System
Open Source Cognitive Engine System API
  Current reference implementation uses a Case-Based Reasoning Cognitive Engine
  Radio Configuration described in XML
For more information: http://cornet.wireless.vt.edu
Application simply links to library to access system
Modular System
  Cognitive Engines can be swapped in and out
Optional components
  Policy Engine
  Service Management Layer

Cognitive Radio Testbed
Modular architecture provides mechanism to simply “plug-in” components on remote systems where higher quality resources may be available
Cognitive Engine developers can now focus on specific cognition algorithms
  No more worrying about physical layer hardware issues
[Figure labels: Remote Access; Resource Rich Testbed]

Cognitive Radio Open Source System
Integrated into both OSSIE and GNUradio for intelligent control of waveforms and applications
Demonstrated DSA application with “hot-swappable” cognitive engine
Service Management Layer component provides the service oriented architecture support
  Manages services and capabilities provided to the cognitive radio by components
  Translates radio missions into operations and instructions for CROSS components
Mission 1: Jam all enemy signals
  Detect signals
  Enemy using Wifi?
  Detect wifi channel
  Jam Wifi
Mission 2: Covert Jam Signals
  Signal Classifications
  Optimize Power for jamming
  Jam signal
  Monitor for resurgence on multiple channels