Dynamic Spectrum Access Security Issues

Timothy R. Newman, Ph.D.Virginia Tech

Dynamic Spectrum AccessWhat is DSA?

Dynamically changing channel in response to environmental stimuli

Why do we want DSA?Commercial: Inefficient spectrum usageMilitary: Ease spectrum management tasks

avoid jamming

DSA Current StateWhere is DSA technology currently at?

DARPA XG radio program has come and gone WNaN program now pushing SOME development No REAL deployment of these radios yet

Commercial companies now involved Microsoft, Google, Dell HP, Intel, Philips, Samsung,

…. First “white space” network in Oct. 2009, Claudville,

VA. No adaptation but it’s a first step

Estimate at least 7-9 solid prototype DSA systems exist

DSA Current StateWhere is DSA technology currently at?

(cont..)Majority of the current prototype devices using

energy detection techniques for signal detection

Final consensus – TRL 6What’s next for DSA?

Army purchase WNaN radios for deployment?SSC integrating DSA technology with ARGON’s

HyNET wireless mesh network system (US Army)

Ultimate white space network deployed for WORLDWIDE broadband access!!!

Cognitive Radio and DSA SecurityCR security is slowly coming into focus for academia

and industrySDR Forum session devoted to CR/SDR securityPublications with CR/SDR security topics are on the

riseTwo DARPA programs on CR/SDR security proposed

Security research for CR/SDR is still largely overlookedXG program had NO output related to security of DSA

protocolsNone of the current prototypes have any DSA specific

security features

DSA Radio Security AnalysisWhat are the primary DSA security issues?

Primary User Emulation Spoofing the intended primary user

Spectral Honey Pot threats Forcing the victim DSA radio to operate on a

specific channelDSA DoS threats

“I can sense and hop faster than you!”– PHY level threat

LPD jamming – Waveform level threat

Primary User EmulationPUE threat is the baseline for many other DSA

related attacksOnce you can manipulate the radio the

floodgates are open, you’ve got root!!Classifiers and Detectors are all over and have

been for a long timeDSA brings a new twist – Detection/Classification

affects communication parametersEnergy Detection is usually “settled” for to gain

low complexity and processing speedProblem now: Any error is a possible hole

Primary User Emulation

Primary User Emulation

Primary User EmulationDSA algorithms commonly focus on

maximizing Pd

Pd is probability the PU is detected when it is there

Pd = 100% is still not secure!!This is what REALLY gets overlooked

Remember XG Moto: “No Harm”

This can guarantee no interference but can not guarantee security of DSA system

Spectral HoneypotObjective is to manipulate a signal into a specific

channel in order to have a better chance of exploitation

Simplistic approach will simple emulate a primary user until the user jumps to the target channel

Advanced approaches take advantage of the DSA algorithm by manipulating other portions of the environment

-80

-70

-60

-50

-40

-30

-20

-10

0

Pow

er/f

requ

ency

(dB

/Hz)

Periodogram Power Spectral Density Estimate

Channel 2 Channel 3 Channel 4 Channel 5Channel 1-80

-70

-60

-50

-40

-30

-20

-10

0

Pow

er/f

requ

ency

(dB

/Hz)

Periodogram Power Spectral Density Estimate

Frequency (kHz)Channel 2 Channel 3 Channel 4 Channel 5Channel 1-80

-70

-60

-50

-40

-30

-20

-10

0

Pow

er/f

requ

ency

(dB

/Hz)

Periodogram Power Spectral Density Estimate

Frequency (kHz)Channel 2 Channel 3 Channel 4 Channel 5Channel 1

DSA Denial of ServiceStraightforward DSA DoS – Sense and Hop

faster than the receiversDSA radio networks must rendezvous on

another channel if a PU appearsWhat if a PU appears before network can

rendezvous?Waveform level

Commonly DSA algorithm interleave the sensing and communication

Synchronize and jam only the communication time blocks

Analyzing a Real Radio!Shared Spectrum DSA2100 – WiMAX DSA Radio

Phase 3 contractor for DARPA XG ProgramInteresting Radio Characteristics

Wavesat chipset: 802.16-2004Agility - 138 MHz – 3 GHzBandwidth - 1.75 MHz, 3.5 MHz, or 7 MHzTuning speed – 300 μsTX spur level - -60 dBc

DSA Channel Selection AlgorithmsLeast occupiedLeast energyRandom

Analyzing a Real Radio!DSA Specific Parameters

Co-channel sample rate: 10 HzNon-occupancy period: 5 secDetection Algorithm: Energy detectionFreq. Range for analysis: 350 – 450 MHz, 400 –

480 MHz

** Non-occupancy period – Time a channel should be “blocked out” if a PU signal is detected

SSC Radio TestsAnalysis focused on DSA DoS and spectral

honeypotPUE was a gimme!How much QoS is degraded?How fast can they be manipulated?

High Performance TestsDone with a signal generator (Agilent)Restricted to sweeping-type tests

Practical TestsDone with GNUradio and USRP (RFX400)SDR enabled “smarter” tests

DSA Denial of ServiceDSA DoS = Never able to rendezvousSignal generator parameters

Pulse sweep time - Amount of time pulse dwells in a channel before going to channel + 1

Signal Power – Is the detection threshold really enforced?

Channel Step Size – 1 MHz (2 MHz probably would’ve been better)

DSA Denial of Service

Non-Occupancy Period = 5 sec

Spectrum Range = 100 MHz

Sweep Rate = 100 ms

50 % Channels BLOCKED

DSA Denial of ServiceAdding a bit of intelligence (sensing)

Using GNUradio we can easily put together a waveform that can sense the location of the signal and send a pulse

Pulse power only needs to be just above detection threshold

What happens if DSA radio ALWAYS sees a PU?

DSA Denial of ServiceSweeper

Pulse < 50ms: pulse is going to fast

Theoretical optimal pulse sweep time =

Smarter Jamming~92% packet loss!100% because

radio isn’t perfect

SampleRate

SignalBWpSizeChannelSte /

** Optimal = largest block size

Spectral HoneypotGoal is to manipulate radio into using a

specific channelSignal Generator Sweep Method

Notch out a channel from the sweep list

Spectral HoneypotTiming results for sweeper method

Spectral HoneypotTiming results for sense and pulse

Security Analysis - Take AwaysWhat do we get from this analysis?

Motto of this specific DSA technology is “No Harm” Focus is on existing systems QoS, not their own

No Harm to existing systems may mean ZERO communication for the DSA radios

Manipulation is possible when radios use an unauthenticated environment when making decisions

Non-occupancy period is a critical hole

DSA Security MitigationPrimary User Emulation Denial

Signal Detection != Signal Classification Robust classification is the objective Unique feature selection is critical

Embed signatures Watermarking techniques

Non-Occupancy PeriodRandomize in order to create “holes” in the

jamming blockEmbedding “common sense”

Integrate security cognition into the system to filter for obvious malicious acts

Future Generation of CR ThreatsCognitive Radio technology is adding more

autonomous operating into the wireless deviceIncreased exposure to possible threats

Threats to this technology is analogous to social networking attacks rather than traditional network attacksSensory Manipulation (DSA)Belief Manipulation (Learning Attacks)Cognitive Radio Viruses (Learning Network

Attacks)ETA until radios are using advanced AI:

long…

Other SDR/CR related items at VT

Cognitive Radio Network TestbedDefense University Research Instrumentation

Program (DURIP) grant for CR testbed equipment.

Physical testbed deployed throughout a new campus building

Total size of testbed is 48 nodes12 nodes per floor

No restrictions on other wireless systems inside buildingReservation System for Nodes

CR Testbed HardwareCustom RF Daughterboard

Host PC ServersMotorola RFIC4100 MHz – 4 GHz20 MHz instantaneous bwHighly variable receive

gain 25 dB – 50 dB

Multiple TX (3) and RX (5) paths

Sideband Rejection 40 dB - 60 dB

Intel Xeon Quadcore 2.13 GHz

6 GB RAM, Gigabit Ethernet

Upgradable to Intel Nehalem for future

Much different from existing testbeds

Cognitive Radio Network TestbedCurrent Testbed Status

5 PC nodes with USRP and RFX400 daughterboardPower and network installed

throughout buildingServer’s are racked and

readyWaiting on USRP2’s to be

deliveredManagement back-end is

being developed

Cognitive Radio Open Source SystemOpen Source Cognitive Engine System APICurrent reference implementation uses a Case-Based

Reasoning Cognitive EngineRadio Configuration described in XML

For more information:http://cornet.wireless.vt.edu

Application simply links to library to access system

Modular SystemCognitive Engines can be

swapped in and outOptional components

Policy EngineService Management

Layer

Cognitive Radio TestbedModular architecture provides

mechanism to simply “plug-in” components on remote systems where higher quality resources may be available

Cognitive Engine developers can now focus on specific cognition algorithms No more worrying about physical

layer hardware issues

Remote Access

Remote Access

Resource Rich Testbed

Cognitive Radio Open Source System Integrated into both OSSIE and GNUradio for intelligent control of

waveforms and applicationsDemonstrated DSA application with “hot-swappable” cognitive engineService Management Layer component provides the service oriented

architecture support Manages services and capabilities provided to the cognitive radio by

components Translates radio missions into operations and instructions for CROSS

componentsMission 1: Jam all enemy signals

Detect signals Enemy using Wifi? Detect wifi channel Jam Wifi

Mission 2: Covert Jam Signals Signal Classifications Optimize Power for jamming Jam signal Monitor for resurgence on

multiple channels