UNIVERSIDAD POLITÉCNICA DE MADRID
ESCUELA TÉCNICA SUPERIOR DE INGENIEROS DE TELECOMUNICACIÓN
DOCTORAL THESIS
COGNITIVE STRATEGIES FOR SECURITY IN WIRELESS SENSOR NETWORKS
Javier Blesa Martínez
2015
Author: Javier Blesa Martínez
Advisor: Alvaro Araujo Pinto
Summary
Wireless sensor networks are one of the fastest-growing sectors within
wireless networks. The rapid adoption of these networks as a solution for
many new applications has led to growing traffic in the radio spectrum.
Because wireless sensor networks operate in the free Industrial, Scientific
and Medical (ISM) bands, the spectrum has become saturated to a degree that,
within a few years, will not allow proper operation. The Cognitive Radio (CR)
paradigm has appeared with the aim of solving this kind of problem.
Introducing cognitive capabilities into wireless sensor networks allows these
networks to be used for applications with stricter requirements regarding
reliability, coverage or quality of service. The networks that combine all
these features are called cognitive wireless sensor networks (CWSNs). The
improved performance of CWSNs allows their use in critical applications where
they could not be used before, such as structural monitoring, medical
services, military environments or surveillance. However, these applications
also require other features that cognitive radio does not directly offer,
such as security. Security in CWSNs is a little-developed aspect because it
is not an essential feature for their operation, as spectrum sensing or
collaboration can be. Nevertheless, its study and improvement is essential
for the growth of CWSNs.
Therefore, this thesis aims to implement countermeasures using the new
cognitive capabilities, especially in the physical layer, taking into account
the limitations of WSNs. In the work cycle of this thesis, two security
strategies have been developed against attacks of special importance in
cognitive networks: the primary user emulation (PUE) attack and the
eavesdropping attack against privacy.
To mitigate the PUE attack, a countermeasure based on anomaly detection has
been developed. Two different algorithms have been implemented to detect this
attack: the Cumulative Sum algorithm and the Data Clustering algorithm. Once
their validity was verified, they were compared with each other and the
effects that can affect their operation were investigated.
To combat the eavesdropping attack, a countermeasure based on the injection
of artificial noise has been developed, so that the attacker cannot
distinguish information-bearing signals from noise, without affecting the
communication of interest. The impact of this countermeasure on network
resources has also been studied.
As a parallel result, a test framework for CWSNs has been developed,
consisting of a simulator and a network of real cognitive nodes. These tools
have been essential for the implementation and extraction of the results of
the thesis.
KEY WORDS: cognitive networks, cognitive radio, wireless sensor networks,
cognitive wireless sensor networks, security,
cumulative sum, data clustering.
Abstract
Wireless Sensor Networks (WSNs) are one of the fastest growing sectors in
wireless networks. The fast introduction of these networks as a solution in many
new applications has increased the traffic in the radio spectrum. Due to the
operation of WSNs in the free industrial, scientific, and medical (ISM) bands,
saturation has occurred in these frequencies that will make the same operation
methods impossible in the future. Cognitive radio (CR) has appeared as a solution
for this problem.
The networks that join all the mentioned features together are called cognitive
wireless sensor networks (CWSNs). The adoption of cognitive features in WSNs
allows the use of these networks in applications with higher reliability, coverage,
or quality of service requirements. The improvement of the performance of CWSNs
allows their use in critical applications where they could not be used before such
as structural monitoring, medical care, military scenarios, or security monitoring
systems. Nevertheless, these applications also need other features that cognitive
radio does not add directly, such as security. The security in CWSNs has not yet
been explored fully because it is not a necessary field for the main performance of
these networks. Instead, other fields like spectrum sensing or collaboration have
been explored deeply. However, the study of security in CWSNs is essential for
their growth.
Therefore, the main objective of this thesis is to study the impact of some
cognitive radio attacks in CWSNs and to implement countermeasures using
new cognitive capabilities, especially in the physical layer and considering the
limitations of WSNs. Inside the work cycle of this thesis, security strategies against
two important kinds of attacks in cognitive networks have been developed. These
attacks are the primary user emulator (PUE) attack and the eavesdropping attack.
A countermeasure against the PUE attack based on anomaly detection has
been developed. Two different algorithms have been implemented: the cumulative
sum algorithm and the data clustering algorithm. After the verification of these
solutions, they have been compared and the side effects that can disturb their
performance have been analyzed.
The developed approach against the eavesdropping attack is based on the
generation of artificial noise to conceal information messages. The impact of this
countermeasure on network resources has also been studied. As a parallel result, a
new framework for CWSNs has been developed. This includes a simulator and
a real network with cognitive nodes. This framework has been crucial for the
implementation and extraction of the results presented in this thesis.
KEY WORDS: cognitive networks, cognitive radio, wireless sensor network,
cognitive wireless sensor network, security,
cumulative sum, data clustering.
To my family
Acknowledgements
I think that by the time people read this I will weigh 100 kilos less than I
do as I write it! What a weight off my shoulders! After years and years of
good and bad moments, of unmet schedules and papers with mixed luck, here it
is: my thesis.
If I stop to remember the whole road here, I could say without any doubt
that it has been great. The B105 is largely to blame, but everything has
contributed so that this, besides ending successfully, has been fun. Table
football games, "gordos suppliers", hobbit coffees or after-lunch beers have
been unrepeatable moments.
There is only one thing I have not liked during this thesis. If I had to
point out something negative, it would be that while I devoted hours and
hours to this thesis, many moments have passed that I would have liked to be
part of and that can no longer be. The first months of little Pablo, Sandra
and Blanca, Friday beers at the Santa Elena, Christmas dinners, trips to see
the Europeans, festivals, mornings at the pool, or those travel plans. There
are many people I have kept in second place throughout this journey, and to
them, as a small compensation, I want to dedicate this thesis.
To Bea, Mario, Gloria and Borja, for always counting on me for those games
that cheer us up so much. To Cris and Javi, who, although we do not see each
other much, are always on our minds. To Laura and Nacho, for being the spark
of madness that everyone needs.
To my group of vicalvareños, as great as ever! I think of those
almost-doctors, Diana and Zaida, who will soon join this club of sufferers.
To Vike, a brother since we met. To Esther, a brave one who is missed. To
those amazing parents, Cris and Felipe, for being an example for everyone. To
Tamara, Noe, Ana, all of them a support whenever I have needed it. To
Maribel, Dani, Arantxa and Jose, for still being there after so long. Long
live the vicalvareños!
To my dear telecom classmates. Scattered around the world, but always
sticking together. To Raúl, for being the cement of this group for so many
years, and to Cris, an elite signing! To Mila, the tireless woman who always
appears when you need help. To Maca, plotting escapes to the cafeteria since
the beginning of telecom school, and to Rober for joining this adventure. To
Lore, the group's monitor, creator of plans. To the newlyweds Ally and Pablo.
To Melenas, for being a confidant to me. To Diego and Paula, for being a
perfect-10 couple. To Mario, for joining the southern resistance. To Borja
and Fani, the master barbecue parties! To Toni and Isa, very cool parents.
And to Nacho, Miguel and everyone who has been there since I walked into that
HP classroom.
To the B105! My second home, where the people who have endured my hardships
and joys for the most hours are. To Alvaro, for being that advisor you
imagine as a child when, at five years old, you say: I wish my thesis advisor
were like that. For guiding me through something I did not think I could
finish. To Octavio, the boss, for always seeking the best for the B105. To
Elena, always there since I arrived, helping with everything possible and
impossible. To Paco, president of Quintanar and of the B105 kinball club. To
Alba, for keeping Twitter online and Bender full. To Rami and Rober, yestis
by vocation who give us such good times. To Mariano and Curro, churro makers
by vocation. And to all those who are still or have been as important to me
as to my thesis: Josem, Dani, Juancar, Pedro, Marina, Elfo, Patri, Fer,
Esther, César, Elena, Juan, and all those rookies who made me pass underneath
and on whom I took my revenge after 15 seasons.
To my family. Because when you look up "real family" in Wikipedia, their
photo should appear. To my parents, who have given me so much and who deserve
every good thing that comes their way. To my siblings, two at once, who have
filled my life and my room more, literally... To my grandparents, who are the
greatest and a mirror to look into. When I grow up I want to be like my
grandfather! To my grandmother Luci, for her soups, for her card games, for
taking care of me and advising me. To my grandmother Dolores, you will always
be that dancing genie to me. To Fidel, I still remember that summer in Calpe
with you. And to my new family, who have treated me as one of their own, even
when we were homeless!
And to you! My stroke of luck, the one who changed everything, the one who
has given meaning to so many things in 10 years and the one who is always
with me when I imagine the future. If I had to thank you for everything you
have done for me during this thesis I would have to write another 230 pages
or another 98 reasons :) But I will stop here, because you already know that
this is as much yours as mine.
Thank you all for supporting me. I dedicate it to you, and you know you will
always be able to shout: Is there a doctor in the house? I will be there!
Index
Summary
Abstract
Acknowledgements
1. Introduction
1.1. Wireless Sensor Networks
1.2. Cognitive Wireless Sensor Networks
1.3. Motivation: the security in CWSN
1.4. Objectives
1.5. Methodology
1.5.1. Previous analysis
1.5.2. Strategy design
1.5.3. Implementation of the strategies
1.5.4. Cognitive tools
1.5.4.1. Results and evaluation
1.6. Organization
1.7. Publications
2. Related work
2.1. Security in Cognitive Radio
2.2. Threats in CWSN
2.2.1. Communication attacks
2.2.2. Against privacy attacks
2.2.3. Node targeted attacks
2.2.4. Power consumption attacks
2.2.5. Policy attacks
2.2.6. Cryptographic attacks
2.3. Security approaches
2.3.1. Physical layer
2.3.1.1. Theoretical secure capacity
2.3.1.2. Channel approaches
2.3.1.3. Code approaches
2.3.1.4. Power approaches
2.3.2. MAC layer
2.3.2.1. Authentication/Identifying approaches
2.3.2.2. Other secure MAC approaches
2.3.3. Other security approaches
2.3.3.1. Geolocation approaches
2.3.3.2. Based on behavior
2.3.3.3. Trust and reputation approaches
2.3.3.4. Game theory approaches
2.4. Cognitive frameworks
2.5. Conclusions
2.5.1. Cognitive frameworks
2.5.2. Side effects
2.5.3. Future solutions
2.5.4. Summary
3. Proposed security strategies
3.1. Scenario
3.2. System architecture
3.3. Strategy 1: Anomaly Detection approach
3.3.1. Introduction to Anomaly Detection
3.3.2. PUE attack description
3.3.3. Anomaly detection design and characteristics
3.3.4. CUSUM algorithm
3.3.5. Data Clustering algorithm
3.3.6. Side effects analysis
3.3.6.1. Mobile nodes
3.3.6.2. Wireless path loss
3.3.6.3. Adding nodes to the network
3.3.6.4. Virtual Control Channel imperfections
3.3.6.5. Spectrum data errors
3.3.6.6. Attack in the learning phase
3.4. Strategy 2: Artificial Noise generation approach
3.4.1. Introduction to Artificial Noise
3.4.2. Eavesdropping attack description
3.4.3. Cooperative artificial noise countermeasure
3.4.4. Side effects analysis
3.4.4.1. Energy consumption
3.4.4.2. Spectrum occupancy
3.5. Conclusions
4. Tools for CWSNs
4.1. Introduction
4.2. Cognitive simulator
4.2.1. Requirements
4.2.2. Cognitive Radio extension for Castalia
4.2.3. Changes in radio module
4.2.4. Graphical configuration interface
4.3. Cognitive New Generation Device
4.3.1. cNGD Requirements
4.3.2. Hardware description
4.3.3. Software description
4.3.3.1. Firmware
4.3.3.2. Cognitive Radio Module
5. Results
5.1. Introduction
5.2. Cognitive tools
5.2.1. Cognitive Simulator
5.2.1.1. Scenario 1: multiple channels and interfaces
5.2.1.2. Scenario 2: power optimization
5.2.1.3. Scenario 3: spectrum sensing, history learning and anomaly detection
5.3. Strategy 1: anomaly detection approach
5.3.1. CUSUM algorithm
5.3.2. Clustering algorithm
5.3.3. Anomaly detection algorithms comparison
5.3.4. Side effect analysis
5.3.4.1. Mobile nodes
5.3.4.2. Wireless path loss
5.3.4.3. New nodes
5.3.4.4. Virtual Control Channel imperfections
5.3.4.5. Spectrum sensing data errors
5.3.4.6. Attacks in the learning phase
5.4. Strategy 2: artificial noise generation approach
5.4.0.1. Cognitive eavesdropping strategies
5.4.1. Side effects analysis
5.4.1.1. Energy consumption
5.4.1.2. Spectrum occupancy
6. Conclusions
6.1. Conclusions
6.2. Future work
References
List of Acronyms
List of Figures
1.1. ISM bands in Europe.
1.2. United States frequency allocations. http://www.nasa.gov
1.3. An example of how multiple CR networks coexist in the same frequency region. http://personal.ee.surrey.ac.uk/Personal/Tinghuai.Wang/
1.4. Opportunities in the frequency and time domain.
1.5. Scheme of the methodology followed in this thesis.
1.6. Iterative scheme of the methodology applied to multiple thesis contributions.
2.1. Taxonomy of attacks in CWSN.
2.2. Security approaches and attacks.
2.3. Reference scenario for theoretical secure approaches.
2.4. Building blocks of the cognitive radio extension for NS-3.
2.5. CREW project scheme overview.
2.6. TWIST: functionality overview.
2.7. VT-CORNET scheme overview.
3.1. Virginia Tech CR architecture.
3.2. Connectivity Brokerage agent modules.
3.3. Representation of a data set with 3 possible anomalies.
3.4. Anomaly detection scenario.
3.5. Cognitive features and modules responsible for them.
3.6. Anomaly detection using CUSUM and the received power average.
3.7. Representation of the two phases in CUSUM algorithm.
3.8. Modules involved in the CUSUM algorithm and interactions.
3.9. Grouping the data set in clusters.
3.10. Linear and random movement.
3.11. Random movement effect example.
3.12. Artificial noise and eavesdropping scenario.
4.1. Project development lifecycle.
4.2. Castalia network architecture adapted to Cognitive Radio.
4.3. Castalia node modules before the changes.
4.4. Castalia inner blocks adapted to Cognitive Radio.
4.5. Cognitive Radio Module structure.
4.6. Cognitive simulator configuration interface.
4.7. Global hardware modules of the platform developed.
4.8. Detailed view of the µTrans module.
4.9. Detailed view of the cNGD module.
4.10. Detailed view of the rs232SHIELD module.
4.11. Detailed view of the chargerSHIELD module.
4.12. Global software structure and firmware inclusion.
4.13. CRModule architecture including the new Messenger submodule.
5.1. Throughput received by node 0.
5.2. Results of the power optimization scenario.
5.3. Comparison of power consumption with and without CR optimization.
5.4. Results of scenario 3 with spectrum sensing, learning and anomaly detection.
5.5. PUE attack detection rate with 50 nodes and 5 PUE attackers.
5.6. PUE attack detection results with 50 nodes.
5.7. PUE attack detection results without filtering in the nodes.
5.8. PUE attack detection results in a network with 200 nodes.
5.9. PUE attack detection results in a multiple attack.
5.10. Clustering detection rate with 50 nodes and 5 PUE attackers.
5.11. Clustering detection rate with not recommended parameters.
5.12. Generated clusters depending on the initial radius.
5.13. PUE attack detection results with clustering algorithm and one malicious node.
5.14. PUE attack detection results with clustering algorithm and ten malicious nodes.
5.15. cNGD nodes and the ICD3 debugger from Microchip used in the real tests.
5.16. Generated clusters by a cNGD node and classification of the samples. PUEA varies its transmit power from -4.9 dBm to -3.7 dBm.
5.17. Generated clusters by a cNGD node and classification of the samples. Initial cluster radius is 0.5 and learning phase lasts 60 seconds.
5.18. Generated clusters by a cNGD node and classification of the samples. Initial cluster radius is 1 and learning phase lasts 60 seconds.
5.19. Generated clusters by a cNGD node and classification of the samples. PUEA varies its data rate from 1 packet/s to 0.66 packets/s.
5.20. Generated clusters by a cNGD node and classification of the samples. The initial cluster radius is 0.02.
5.21. False positives rate depending on the standard deviations allowed and the learning period time.
5.22. False positives rate depending on the initial cluster radius and the learning period time.
5.23. False positive rate using CUSUM algorithm in a 200 nodes network.
5.24. False positive rate using clustering algorithm in a 200 nodes network.
5.25. A comparison of the CPU time and memory usage in a PC by the anomaly detection algorithms.
5.26. CPU spent time and number of clusters created depending on the initial cluster radius in a PC.
5.27. CPU spent time depending on the initial cluster radius in a cNGD node.
5.28. False negatives in the reference scenario with no anomaly effects.
5.29. False positives in the reference scenario with no anomaly effects.
5.30. False negatives with 20 mobile nodes with a linear trajectory.
5.31. False positives with 20 mobile nodes with a linear trajectory.
5.32. False negatives with the PUE node moving in a linear trajectory.
5.33. False negatives with 20 mobile nodes with a random trajectory.
5.34. False positives with 20 mobile nodes with a random trajectory.
5.35. False negatives with Xσ = 9.
5.36. False negatives including five new nodes during the learning phase.
5.37. False negatives including five new nodes during the detecting phase.
5.38. False negatives with Xσ = 9 in the VCC.
5.39. False positives with Xσ = 9 in the VCC.
5.40. False negatives with an error of N(0, 20) dBm.
5.41. False negatives with an error of N(20, 0) dBm.
5.42. False negatives when the attack starts in the learning phase.
5.43. False positives when the attack starts in the learning phase.
5.44. False negatives for different initial times of the attack.
5.45. False positives with 20 mobile nodes with a random trajectory only in the detection phase.
5.46. Comparison of false negatives percentage for different side effects (initial cluster radius = 0.5).
5.47. Comparison of false positives percentage for different side effects (initial cluster radius = 0.5).
5.48. Optimum points for different side effects.
5.49. SOP for different emitter and noise power with 5 jamming nodes.
5.50. SOP for different emitter and noise power with 20 jamming nodes.
5.51. Cognitive eavesdropping attack flow chart.
5.52. SOP for different noise power and two channels in each interface.
5.53. SOP for different noise power and ten channels in each interface.
5.54. Effects of noise strategies against three different eavesdropping strategies.
5.55. Effects of collaboration in multiple eavesdroppers scenarios.
5.56. Limitations in the number of jammer nodes related to the SOP obtained.
5.57. Additional power consumption in the network with 20 jamming nodes.
5.58. Jamming power variable. Function of the SOP and additional power with A=1 and B=1.
5.59. SOP for different number of jamming nodes.
5.60. Number of jamming nodes variable. Function of SOP and additional power with A=1 and B=1.
5.61. Number of jamming nodes variable and emitter power 0 dBm. Function of SOP and additional power with different values of A and B.
5.62. SOP for different emitter and jamming rates.
5.63. SOP for different emitter and jamming rates.
5.64. Function of SOP and jamming rate with different values of A and B and emitter rate 0,1 packets/s.
List of Tables
1.1. Most important ICS incidents in the last five years
2.1. Comparison between NS-2 and NS-3 simulators. http://wrcejust.org/crn/images/Tutorials/ns2vsns3.pdf
3.1. Anomaly detection techniques
3.2. Typical values of sigma parameter
5.1. Packets received by two interfaces in node #0
5.2. CPU spent time for anomaly detection algorithms
5.3. Optimum values for different weights
5.4. Optimum values for different weights with jamming rate variable
Chapter 1
Introduction
Once you replace negative thoughts with positive
ones, you’ll start having positive results.
Willie Nelson
1.1. Wireless Sensor Networks
Global data traffic in telecommunications has an annual growth rate of over
50 % [1]. While the growth in traffic is stunning, both the rapid adoption of wireless
technology over the globe and its penetration through all layers of society are even
more amazing. Over the span of 20 years, wireless subscription has risen to 100 %
of the world population, and by 2018, there will be 1.4 mobile devices per capita.
Overall, mobile data traffic is expected to grow to 15 exabytes per month by 2018,
an 11-fold increase over 2013.
Recently, wireless and mobile communications have become increasingly
popular with consumers. The Cisco report mentioned above indicates that there
will be over 10 billion mobile-connected devices by 2018, including
machine-to-machine (M2M) modules.
One of the fastest growing sectors in recent years has been undoubtedly
that of Wireless Sensor Networks (WSNs). WSNs consist of spatially distributed
autonomous sensors that monitor a wide range of ambient conditions and
cooperate to share data across the network. These networks are increasingly being
introduced into our daily lives. Potential fields of applications for WSNs range from
the military to the home to commerce or industry. The emergence of new wireless
technologies such as ZigBee™ or IEEE 802.15.4 has allowed for the development
of interoperability among commercial products, which is important for ensuring
scalability and low cost.
The growth of the WSNs is amplified by the recent emergence of new scenarios
where these networks are very important: health monitoring, the Internet of
Things (IoT), smart grids, or smart cities. Their reduced cost, easy installation, and
adaptability make WSNs one of the fundamental solutions for present and future
challenges.
Most WSN solutions operate in unlicensed frequency bands. In general, they use
ISM bands. These bands are reserved for non-commercial radio frequency
use in the industrial, scientific, and medical areas. All the systems that fall within these
areas can operate in the ISM bands. In Europe, the ISM bands that WSNs use the most
are 433 MHz, 868 MHz, and 2.4 GHz (Figure 1.1). Other ISM bands, such as 5.8 GHz,
are used on a limited basis by WSNs due to the power consumption limitation.
Currently, the ISM bands are very popular for Wireless Personal Area Networks
(WPANs) and Wireless Local Area Networks (WLANs). Their free use has resulted
in the emergence of many technologies that operate in these bands. For example,
Wi-Fi, Bluetooth, and ZigBee™ technologies coexist in the 2.4 GHz band. For this
reason, unlicensed spectrum bands are becoming overcrowded with the increasing
use of WSN-based systems. As a result, coexistence issues in unlicensed bands
have been the subject of extensive research [2, 3]. In particular, it has been
shown that IEEE 802.11 [4] networks can significantly degrade the performance of
ZigBee™/802.15.4 [5] networks when operating in overlapping frequency bands.
Figure 1.1: ISM bands in Europe.
The coexistence problem of multiple communication networks with a huge
number of devices transmitting in the same frequencies has become a challenge
in spectrum allocation. This problem is going to become more acute with the
continuous growth of WSNs. These networks usually have a large number of
nodes that transmit at the same time in a limited area. Therefore, new collaborative
strategies to share the spectrum are needed.
1.2. Cognitive Wireless Sensor Networks
As we have introduced in Section 1.1, the increasing demand for wireless
communication presents a challenge for the efficient use of the spectrum. To address
this challenge, cognitive radio has emerged as the key paradigm that enables
opportunistic access to the spectrum.
A Cognitive Radio (CR) is an intelligent wireless communication system that
is aware of its surrounding environment, and adapts its internal parameters to
achieve reliable and efficient communication. CR allows the coexistence of multiple
users and networks in the same frequency band as shown in Figure 1.3. These new
networks have many applications such as the cognitive use of the TV white space
spectrum defined in [6]. Due to the strict regulation of the radio spectrum (Figure
1.2), some overcrowded frequencies and other frequencies with spectral holes can
be used by other users. Another CR application is the efficient routing of emergency
Figure 1.2: United States frequency allocations.
http://www.nasa.gov
calls in hostile environments such as during a natural disaster or a global energy
network breakdown.
In order to create these new applications, CR differentiates between two kinds
of users: (a) the Primary Users (PUs) who are the licensed users that can use the
spectrum when they need it, and (b) the Secondary Users (SUs) who try to use the
same bands when they detect a spectral hole, as Figure 1.4 shows. That means that
the SUs only transmit when none of the PUs are transmitting.
In a CWSN, we assume a different behavior for SUs and PUs because of the
nature of these networks. For example, CWSNs usually operate on ISM bands
where anyone can transmit without a license. Because of this feature, the definitions
of PUs and SUs are different. In a CWSN, the differences between PUs and SUs are
based on the priority of their functionality. For example, in a domotic service, a
fire sensor would have more priority than a temperature sensor. While PUs take
preference because they are responsible for critical sensors and information, SUs
Figure 1.3: An example of how multiple CR networks coexist in the same frequency region.
http://personal.ee.surrey.ac.uk/Personal/Tinghuai.Wang/
only send information when the channel is free.
In order to detect when it is possible to transmit, cognitive users have to
implement a new feature called spectrum sensing [7]. Spectrum sensing is the task
of obtaining awareness about the spectrum usage and the existence of PUs in a
geographical area. This task consumes the time and resources of the SUs. For this
reason, new strategies have been studied such as cooperative sensing. In order to
implement these kinds of strategies, communication among nodes is mandatory.
The cognitive scenarios usually assume the existence of a control channel through
which SUs collaborate.
Adding cognition to the existing WSN infrastructure brings about many
benefits. In fact, WSNs form one of the areas with the highest demand for
cognitive networking because CR can mitigate the limitations of these networks
such as energy consumption, security, coverage, or Quality of Service (QoS). The
use of cognitive features allows the control of critical applications with WSNs.
For example, in WSNs, the node resources are constrained in terms of battery
Figure 1.4: Opportunities in the frequency and time domain.
power, computational power, and spectrum availability. In contrast, with cognitive
capabilities, a CWSN can find a free channel in unlicensed or licensed bands in
which it can transmit.
In addition, the cognitive technology does not only provide access to a
new spectrum; it also provides better propagation characteristics. By adaptively
changing system parameters like modulation schemes, transmit power, carrier
frequency, and constellation size, a wide variety of data rates can be achieved. This
improves the power consumption, network life, and reliability of a WSN.
Cognitive Wireless Sensor Networks (CWSNs) are a new concept in many
respects [8], as they:
Have a higher transmission range.
Require fewer sensor nodes to cover a specific area.
Make better use of the spectrum.
Have better communication quality.
Have lower delays.
Have better data reliability.
When added to WSNs, these new features can improve the performance of the
WSNs in many areas such as energy consumption, quality of communications, new
routing opportunities, or higher level security. Also, these features allow the use of
WSNs in new applications with higher requirements.
1.3. Motivation: the security in CWSN
One of the largest growing sectors for CWSNs is that of Cyberphysical Systems
(CPSs), which are the union of cyber technologies and physical processes [9]. WSNs
play a fundamental role in CPSs by acquiring a huge amount of information.
One of the most representative examples of a CPS is the Industrial Control
System (ICS), which is included in applications of critical infrastructure monitoring,
smart grids, chemical processing, and healthcare. The integration of these control
systems in an interconnected world increases the risk of intrusions or attacks
against these critical systems. In the past, the Supervisory Control and Data
Acquisition (SCADA) systems were not connected to any other systems. However,
today, Internet of Things (IoT) applications and the new possibilities of CWSNs
make interconnections between SCADA systems and other systems a common
scenario. The authors of [9] include a table of the most relevant incidents related
to ICS security in recent years. In Table 1.1, we list the most recent attacks.
In 2011, the European Network and Information Security Agency (ENISA)
published a study on ICS security, which is an important reference in this area
[10]. This document indicates that ICS applications require security because of their
characteristics. First, these systems are becoming more accessible and connected
to the internet. Second, these systems imply a much broader scope and impact
than traditional information processing systems. Therefore, ENISA indicates that
security in wireless networks is an important future research line.
Date | Location | Details
-----|----------|--------
2013 | South Korea and Japan | Icefog is a small yet energetic APT group, who maintain a foothold in corporate and governmental networks to smuggle out sensitive information.
2012 | Global incident | Elderwood attack, spear phishing emails, watering hole, and zero-day exploits are always used.
2012 | Middle East | Flame is being used for targeted cyberespionage in Middle Eastern countries.
2011 | Global incident | Duqu virus was found, a complex attack tool specifically for critical infrastructure.
2011 | U.S. | Hackers attacked the control systems of water supply facilities in Illinois.
2011 | Japan | Hackers invaded the control and management system of Shinkansen in Japan.
2010 | Global incident | Stuxnet virus was found. Iran was the most seriously affected: the power generation of its nuclear plant was delayed.
Table 1.1: Most important ICS incidents in the last five years
Another critical area that has been enhanced with CWSNs is healthcare. The use
of new technologies and wireless communications within these systems opens up
a new problem related to security and privacy: the monitoring and acting system
controls the user's health. Therefore, any attack on these systems should be avoided
in order to eliminate any risk to patient health. On the other hand, the information
obtained by these monitoring networks is sensitive, so the privacy of this data must
be guaranteed. These risks come together with the increased number of sick and
aging people. The authors of [11] indicate that the number of aging people in 2040
is expected to be 1.3 billion (14 % of the total world population).
All these applications and the need for security can also be found in the Work
Programme for Information and Communication Technologies 2014-2015 published
by the European Commission under the Horizon 2020 programme [12]. The new
document for the next two years has not been published yet, but the IoT and ICS
security will be included as the European Commission indicates in this document
[13]. Hence, as we can observe, security in CWSNs is a fundamental challenge. Their
large, dynamic, and adaptive nature presents significant challenges in designing
security schemes.
A CWSN has many constraints and many different features compared to
traditional WSNs. These differences and constraints obviously affect their security.
While security challenges have been widely tackled in traditional networks, this
is a novel area in CWSNs. A wireless medium is inherently less secure than
a wired one because its broadcasting nature makes eavesdropping simple. Any
transmission can be easily intercepted, altered, or replayed by an adversary. The
wireless medium allows an attacker to intercept valid packets easily and also to
inject malicious ones easily.
The task of SUs is to distinguish between incumbent and malicious signals.
However, this task is complicated because of the limitations of CWSNs and the
complex scenarios where they are deployed. A Primary User Emulation (PUE) attack takes advantage of this
situation in order to transmit as it desires. Moreover, the quality of the service of SUs
is degraded. Furthermore, the hostile environment in which cognitive sensor nodes
work, with the possibility of their destruction or capture, the extreme resource
limitations of CWSN devices, the scale of these networks, and the goal of reliable
communications are threats or challenges for cognitive security. In this context, it
is important to understand that ensuring the security of CWSNs is crucial to their
development and growth. Therefore, it is important to analyze, design, and test the
security of these kinds of networks against any potential threats.
Despite the research interest in CWSN, security aspects have not yet been
fully explored even though security will likely play a key role in the long-term
commercial viability of the technology. The security paradigms are often inherited
from WSNs and do not fit with the specifications of cognitive radio networks.
Looking at previous works related to CR, security researchers have appreciated
that cognitive radio has special characteristics, such as new attacks, the spectrum
sensing information, or collaboration. These characteristics make CR security an
interesting research field, because more chances are given to attackers by CR
technology compared to general wireless networks.
This thesis deals with the CWSN security problem. This hardly studied field
should be analyzed focusing on the new specific cognitive attacks, modeling their
behavior, and creating efficient countermeasures.
1.4. Objectives
The main objective of this thesis is to study the impact of some CR attacks in
CWSNs and to implement countermeasures using their new cognitive capabilities,
especially in the physical layer and considering the limitations of WSNs. The impact
of these solutions will be evaluated in order to validate their use in low resource
wireless devices.
The main objective can be divided into two sub-objectives. The first sub-objective is the evaluation of the impact of the attacks. This step is crucial in order
to understand how CWSNs actually behave under these attacks. The evaluation
of the impact or the attack complexity are important conclusions for the future
development of these networks in real scenarios.
The second sub-objective is the implementation of security strategies thanks to
CWSN features such as spectrum sensing, collaboration, learning, redundancy, and
adaptation. These strategies should be based on the features that CWSNs provide.
The mix of new cognitive capabilities with the inherited ones of WSNs is a possible
solution to improve the security in CWSN scenarios. The four main features on
which our security approaches are based are:
Redundancy. A CWSN usually has a high degree of spatial redundancy [14]
(many sensors that should provide coherent data), and temporal redundancy
(habits, periodic behaviors, causal dependences). Both types of redundancy
can be used effectively to detect and isolate faulty or compromised nodes.
Spectrum aware. The key of the opportunistic access is that all the nodes
involved in this technique are aware of the spectrum situation [7]. Nodes
should be analyzing the spectrum to detect incumbent users or the best
medium to share the information with other users. For that purpose, the
nodes should perform spectrum sensing. This collected information could be
transmitted to other nodes or simply used to create a knowledge database.
The node behavior can be modelled in order to detect and isolate malicious
attacks thanks to this valuable information.
Collaboration strategies. These strategies are a common solution in other
cognitive areas like spectrum sensing. For example, in [15], authors present
collaborative strategies as a solution for multipath and shadowing. This way,
cooperative spectrum sensing can mitigate the sensitivity requirements on
individual radios. The same approach can be applied to security in order to
improve attack detection.
Adaptation. This is one of the main characteristics of CR. A cognitive node
is spectrum-aware and adapts its internal states to statistical variations in the
incoming RF stimuli by making corresponding changes in certain operating
parameters (e.g., transmit power, carrier frequency, and modulation strategy)
in real time with several primary objectives in mind:
• Reliable communications.
• Efficient utilization of the radio spectrum.
• Low power consumption.
• QoS.
• High availability.
Most cognitive attacks and countermeasures can be executed because of this
feature. A cognitive node usually has multiple radio interfaces, channels or
transmission parameters that can be changed according to the necessities or
the goals of the network.
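The redundancy and collaboration features listed above can be combined into a consistency check on shared spectrum-sensing reports. The following Python is an added example, not code from the thesis; the node names, dBm readings, thresholds and function names are assumptions made for illustration.

```python
import math
from statistics import median

# Constructed sample data: received power (dBm) that each node reports per
# channel after one sensing round. Node n5 contradicts its neighbours on 11.
REPORTS = {
    "n1": {11: -92.0, 15: -60.5, 20: -91.0},
    "n2": {11: -93.5, 15: -61.0, 20: -90.0},
    "n3": {11: -91.0, 15: -59.0, 20: -92.5},
    "n4": {11: -92.5, 15: -62.0, 20: -89.5},
    "n5": {11: -55.0, 15: -60.0, 20: -91.5},
}

BUSY_DBM = -75.0      # assumed occupancy threshold
MIN_SPREAD_DB = 1.0   # assumed measurement-noise floor; also guards MAD == 0
Z_LIMIT = 3.5         # common cut-off for the modified z-score
MIN_REPORTERS = 3     # with fewer reports a median is not meaningful


def channel_view(reports, channel, exclude=()):
    """Readings for one channel keyed by node, skipping excluded nodes."""
    return {n: r[channel] for n, r in reports.items()
            if channel in r and n not in exclude}


def modified_z(readings):
    """Robust score per node: 0.6745 * |x - median| / MAD (floored)."""
    centre = median(readings.values())
    mad = median(abs(x - centre) for x in readings.values())
    spread = max(mad, MIN_SPREAD_DB)
    return {n: 0.6745 * abs(x - centre) / spread for n, x in readings.items()}


def flag_outliers(reports):
    """Map node -> channels on which it disagrees with the neighbourhood."""
    channels = sorted({c for r in reports.values() for c in r})
    flagged = {}
    for ch in channels:
        view = channel_view(reports, ch)
        if len(view) < MIN_REPORTERS:
            continue  # spatial redundancy too low to judge anyone
        for node, score in modified_z(view).items():
            if score > Z_LIMIT:
                flagged.setdefault(node, []).append(ch)
    return flagged


def fused_occupancy(reports, exclude=()):
    """Cooperative decision: mean power in mW per channel vs. BUSY_DBM."""
    channels = sorted({c for r in reports.values() for c in r})
    decision = {}
    for ch in channels:
        view = channel_view(reports, ch, exclude)
        if not view:
            continue
        mean_mw = sum(10 ** (x / 10) for x in view.values()) / len(view)
        decision[ch] = 10 * math.log10(mean_mw) > BUSY_DBM
    return decision


if __name__ == "__main__":
    suspects = flag_outliers(REPORTS)
    print("flagged nodes:  ", suspects)
    print("naive fusion:   ", fused_occupancy(REPORTS))
    print("after isolation:", fused_occupancy(REPORTS, exclude=suspects))
```

The median-based score only holds while consistent nodes are the majority among the reporters of a channel.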
1.5. Methodology
We have studied the features of CWSNs mentioned in Section 1.4 in order to
verify if they can be useful for the proposed security mechanisms. This section
describes the methodology followed in the development of this thesis to achieve
the goals presented in Section 1.4.
The methodology followed is based on an iterative prototyping approach
where small-scale mock-ups of the system are developed following an iterative
modification and evaluation process until the system evolves to meet the
requirements [16]. The selection of this methodology is based on its adaptation to a
research work. For example, it is especially useful for resolving unclear or novel
objectives, developing and validating the requirements, and experimenting with or
comparing various design solutions.
Each contribution of this thesis followed the four-phase process represented in
Figure 1.5: (a) strategy design, (b) implementation of these strategies, (c) cognitive
tools development, and (d) results and evaluation. This cycle was performed until
the contribution satisfied the objectives of the thesis. When a cycle was finished, a
new one started with the previous acquired knowledge as shown in Figure 1.6. In
the next subsections, each phase of the process is presented in more detail.
1.5.1. Previous analysis
In the previous analysis phase, the effort is focused on the analysis of new CWSN
scenarios. Considering that the CWSN is a new paradigm, it is very important to
analyze all the parameters completely to facilitate the next work steps.
The CWSN merges two technologies in different states of development. The
first technology, the WSN, is a mature technology, and extensive research has been
conducted on it over the last 20 years. However, the second technology, CR, is an
emerging topic in an early state. As we will explain in Section 2, all the research
on security in CR only spans the design phase.
Figure 1.5: Scheme of the methodology followed in this thesis.
Figure 1.6: Iterative scheme of the methodology applied to multiple thesis contributions.
This thesis merges these two technologies. The new cognitive capabilities of
CWSNs will be exploited to improve and resolve the limitations of WSN security.
The analysis will be done according to this schema:
Analysis of current scenarios. The first part of the analysis consists of the study
of the present scenarios on WSN security. The results of this step are a list of
constraints, strengths, and weaknesses in CWSNs.
Examination of new opportunities and challenges in CWSNs. The inclusion
of cognitive capabilities in WSNs creates good opportunities to improve the
security.
Perspective of new scenarios. When all the characteristics of CWSNs are clear,
the definition and parameter setting of future scenarios will be the next step.
All the new roles, functions, and strategies will be quite clear after this section.
Extraction of conclusions. The comprehensive analysis of CWSN scenarios
brings a complete vision to the in-depth study of security issues.
1.5.2. Strategy design
Cognitive wireless sensor networks face a dangerous problem in security.
Several attacks could be adapted from WSNs to the new paradigm of cognitive
networks. In the last ten years, some research works related to security on CR networks
have appeared. The researchers describe specific attacks against these networks, but
they propose few countermeasures. The related work chapter (Chapter 2) will
discuss the most studied attacks on WSNs and CWSNs.
In order to improve the defenses in a CWSN, we need to study the attacks
in detail. For example, a PUE attack is always a reference in security, but this
thesis faces a new scenario where the PUE attack exhibits different behavior. The
characteristics of wireless scenarios such as mobility and adaptation affect both the
attackers and the defenses. Therefore, first, the defining and the modeling of the
attacks should be done.
After the design of the attack model, the development of countermeasures is
the main task. The design should take into account the objectives of the thesis
defined in Section 1.4, the attack characteristics, and the features that the CWSNs
provide. The countermeasures in CWSNs are an unexplored field, but it is easy to
deduce that cognitive behaviors such as collaboration, spectrum sensing, learning,
and reconfiguration will improve security in these networks.
1.5.3. Implementation of the strategies
Once the attack has been parametrized, the next step is to define the interesting
scenarios and to implement them. These scenarios should be realistic but also
sufficiently general in order to cover all the possibilities that the strategy can deal
with.
After this study, modeling, and implementation of the attack, the next step
is the implementation of collaborative security strategies in CWSNs in order to
understand which ones are usable. The implementation can be done in a simulated
or real scenario. Both of them must use the same parameters and model in order to
compare the results. The simulated strategies allow for a faster development of the
contributions while the real scenario contributes real results that are fed back to the
model.
1.5.4. Cognitive tools
Because the CWSN is a new paradigm, appropriate tools for its development are
not available. Therefore, the design of new tools is an important task of this thesis.
As in common WSNs, the first investigations in CR are usually implemented in
a WSN simulator. Simulators help developers avoid possible failures in hardware.
Cost and time reduction is another advantage of simulators. This advantage is
emphasized in CWSNs, where the needed increase of the radio interfaces and the
complexity of the software are higher. Moreover, real cognitive wireless devices
hardly exist, so the implementation cost of a new scenario is very high. However,
it is important to remember that these strategies would be implemented in real
devices in the future. The information obtained from a real scenario is the most
valuable result.
The development of the simulation and the implementation tools has been a
continuous task in this thesis. The requirements of the security strategies have
defined changes in these tools.
1.5.4.1. Results and evaluation
One of the requirements imposed on the cognitive tools is the fast and complete
presentation of the results. These results have been analyzed in order to evaluate the
attack impact, the countermeasure effectiveness, and the lateral effects that these
solutions provoke in the system.
The evaluation can produce three kinds of decisions: (a) the modification of the
approach, (b) the modification of the tools, or (c) the validation of the contribution.
The modification of the approach occurs when the results indicate that there
have been wrong assumptions or definitions. Modifications of the tools have been
made when the evaluation indicates that a new feature is required for the good
performance of the approach or when the tools are the cause of a failure. Finally,
regarding the validation of the contribution, the iterative cycle is closed only if the
results indicate that the approach fills the objectives of the thesis.
1.6. Organization
The thesis starts with an extensive and thorough review of the related work
about security in cognitive networks. The related work is presented in Section 2 in
the form of two subsections. The first subsection shows the most relevant attacks
in CWSNs that take advantage of CWSN vulnerabilities. The second subsection
analyzes the existing security mechanisms for the mentioned threats.
Section 3 presents the analyzed threats and the proposed security strategies
implemented in the thesis. The starting point of this work opens this section. Then,
the architecture adopted in this work is detailed. Finally, we explain the design and
implementation of the scenarios and security strategies.
In order to develop new security strategies for CWSN, specific tools are
necessary. Section 4 shows the developed tools for this thesis that include a WSN
simulator with cognitive capabilities and a real hardware platform for CWSN. Both
tools integrate a complete framework for cognitive strategies in WSN.
Section 5 presents the results obtained in this thesis. All the information obtained
from the experiments is analyzed. The viability of the solutions,
the security level obtained, and the impact of these solutions on other aspects of
the network are discussed. Finally, the conclusions obtained and the proposed future
research directions are shown in Section 6.
1.7. Publications
This is a list of the published works related to this thesis:
J. Blesa, E. Romero, A. Rozas, and A. Araujo, “PUE attack detection in CWSNs
using anomaly detection techniques”, EURASIP J. Wirel. Commun. Netw., vol.
2013, no. 1, p. 215, Aug. 2013.
J. Blesa, A. Araujo, E. Romero, and O. Nieto-Taladriz, “Evaluation, Energy
Optimization, and Spectrum Analysis of an Artificial Noise Technique to
Improve CWSN Security”, Int. J. Distrib. Sens. Networks, vol. 2013, pp. 1-8,
2013.
J. Blesa, E. Romero, A. Rozas, A. Araujo, and O. Nieto-Taladriz, “PUE Attack
Detection in CWSN Using Collaboration and Learning Behavior”, Int. J.
Distrib. Sens. Networks, vol. 2013, pp. 1-8, 2013.
E. Romero, A. Mouradian, J. Blesa, J.M. Moya, and A. Araujo,
“Simulation framework for security threats in cognitive radio networks”, in
Communications, IET, vol.6, no.8, pp. 984-990, 2012.
J. Blesa, E. Romero, D. Villanueva, A. Araujo, “A Cognitive Simulator for
Wireless Sensor Networks”, in UCAMI 2011 - 5th International Symposium
on Ubiquitous Computing and Ambient Intelligence, pp. 21-32, 2011.
E. Romero, J. Blesa, A. Tena, G. Jara, J. Domingo, and A. Araujo, “Cognitive
test-bed for wireless sensor networks”, in 2014 IEEE International Symposium
on Dynamic Spectrum Access Networks, DYSPAN 2014, pp. 346-349, 2014.
A. Araujo, J. Blesa, E. Romero, and D. Villanueva, “Security in cognitive
wireless sensor networks. Challenges and open problems”, EURASIP J. Wirel.
Commun. Netw., vol. 2012, no. 1, p. 48, Feb. 2012.
A. Araujo, J. Blesa, E. Romero, and O. Nieto-Taladriz, “Artificial noise
scheme to ensure secure communications in CWSN”, in IWCMC 2012 - 8th
International Wireless Communications and Mobile Computing Conference,
2012, pp. 1023-1027.
A. Araujo, J. Blesa, E. Romero and O. Nieto, “Cooperative jam Technique
to Increase Physical layer Security in CWSN”, in COCORA 2012 - 2th
International Conference on Advances in Cognitive Radio, pp. 11-14.
E. Romero, J. Blesa, A. Araujo, and O. Nieto-Taladriz, “A game theory based
strategy for reducing energy consumption in cognitive WSN”, Int. J. Distrib.
Sens. Networks, vol. 2014, 2014.
A. Araujo, E. Romero, J. Blesa, and O. Nieto-Taladriz, “A framework for the
design, development and evaluation of Cognitive Wireless Sensor Networks”,
Int. J. On Advances in Telecommunications, vol. 5, no.3&4, pp. 141-152, Dec.
2012.
E. Romero, A. Araujo, J. Blesa and O. Nieto-Taladriz, “Developing Cognitive
Strategies for Reducing Energy Consumption in Wireless Sensor Networks”,
in COCORA 2012 - 2th International Conference on Advances in Cognitive
Radio, pp. 63-66, 2012.
A. Araujo, E. Romero, J. Blesa, O. Nieto-Taladriz, “Cognitive wireless sensor
networks framework for green communications design”, in COCORA 2012 -
2th International Conference on Advances in Cognitive Radio, pp. 34-40, 2012.
A. Araujo, J. García-Palacios, J. Blesa, F. Tirado, E. Romero, A. Samartín,
and O. Nieto-Taladriz, “Wireless measurement system for structural health
monitoring with high time-synchronization accuracy”, IEEE Trans. Instrum.
Meas., vol. 61, no. 3, pp. 801-810, 2012.
A. Araujo, F. Tirado, J. García-Palacios, and J. Blesa, “High precision structural
health monitoring system using wireless sensor networks”, in IALCCE 2012 -
Third International Symposium on Life-Cycle Civil Engineering, 2012.
Chapter 2
Related work
The more I read, the more I acquire, the more certain I
am that I know nothing.
Voltaire
2.1. Security in Cognitive Radio
This first subsection explains the aspects related to security in
CWSNs that will be used in the analysis of previous works, for example, the
influence of the new cognitive characteristics or the principles of CWSNs.
From Chapter 1, it is clear that CWSNs face a dangerous problem in
security. The new cognitive features and their integration with those of WSNs make
security in these scenarios an unresolved challenge. In addition to this,
CWSNs are and will be used as a viable solution for critical applications, such as
military scenarios, healthcare or structural monitoring. Security should be one
of the most important aspects to take into account from the earliest stages of CWSN
development.
Despite the extensive volume of research results on WSN [17], the considerable
amount of ongoing research efforts on CR networks [7], and the new interest in
CWSN [8], security in CWSN is a vastly unexplored field. The reason why security
has no priority is that it is not necessary for the development of the technology. Other
features, such as spectrum sensing or communications are indispensable for CWSN
functioning. The early stage of the technology has left the security in a secondary
place. However, the security of CWSNs is a new paradigm that offers many research
opportunities and it is essential for the future of critical applications.
Several attacks could be adapted from WSNs to the new paradigm of cognitive
networks. In the last ten years, some research works related to security on Cognitive
Radio Networks (CRNs) have appeared. They describe specific attacks against these
networks, but few countermeasures are proposed.
Most of the first publications related to the security field in cognitive radio
were developed specifically to analyze the effects produced by characteristics of
cognitive radio in the security of the systems and how they could be used to
mitigate the negative effects.
The article of Jack L. Burbank [18] probably presents one of the most important
works related to security in Cognitive Radio. In this paper, each characteristic and
the attacks that could take advantage of it are analyzed. The authors indicate two
differences between a traditional wireless sensor network and a CR network:
1. The potential far reach and long-lasting nature of an attack. CRNs
perform tasks in order to acquire as much information as possible from
the environment. For example, the wireless interfaces perform a periodic
spectrum sensing that the nodes use in order to create an image of the
current state of the radio spectrum. If the attackers can create signals in order
to modify the perception of the environment by cognitive network nodes,
the decision taken by them will be wrong. Using this information, the CRN
adapts its parameters. Some attackers can force a desired change by modifying the
information. This way, the malicious attackers can control the behavior of the
network.
2. The ability to have a profound effect on network performance and behavior
through simple spectral manipulation. The decisions taken in the past
improve the behavior in CRNs. That is, these networks reason and learn
in order to reach a goal. If the decisions are based on altered information, the
attack effect on the CRN lasts longer. Finally, the collaboration
between nodes is an opportunity to propagate the attack through the network.
These two differences are the consequences of how the malicious node takes
advantage of the new characteristics. If the attacks are more dangerous in terms of
affected area and time duration the security should obviously be improved.
Maintains awareness of surrounding environment and internal state. It could
be an opportunity for spoofing that sends malicious data to the environment to
provoke an erroneous perception.
Adapts to its environment to meet requirements and goals. It is an opportunity
to force desired changes in behaviour in the victim.
Reasons on observations to adjust adaptation goals. It could be an opportunity
to influence fundamental behaviour of CRN.
Learns from previous experiences to recognize conditions and enables faster
reaction times. This could be an opportunity for a long-lasting impact on CR
behaviour.
Anticipates events in support of future decisions. It could be an opportunity
for long-lasting impact due to an erroneous prediction.
Collaborates with other devices to make decisions based on collective
observations and knowledge. This is an opportunity to propagate an attack
through the network.
Wireless communication. Data might be eavesdropped and altered without
notice, and the channel might be jammed and overused by an adversary. Access
control, confidentiality, authentication and integrity must be guaranteed.
On the other hand, CRN features also help to mitigate malicious manipulation
using:
The ability to collaborate for authentication of local observations that are used
to form perceived environments. Collaboration can improve the results of any
security mechanism in the long term. Moreover, it can improve the knowledge
that all nodes have about the network.
The ability to learn from previous attacks. Some security approaches can use
the experience in order to reduce the impact of future attacks.
The ability to anticipate behaviours to prevent attacks. This is a further step
towards the reduction of the attack influence.
The ability to perform self-behaviour analysis. Shared knowledge is also
useful in order to learn from errors and correct them.
2.2. Threats in CWSN
As we showed in Section 2.1, CWSNs have special features that make security an
important area to develop. However, security in CWSNs needs to be further studied
by the scientific community.
In this section, a complete taxonomy of attacks for CWSNs is shown. We
compare the impact of these attacks in a traditional WSN and in a
cognitive one.
Figure 2.1: Taxonomy of attacks in CWSN.
A taxonomy of attacks on CWSNs is very useful to design optimistic security
mechanisms. There are several taxonomies of attacks on wireless networks [19] and
others focused on WSNs [8]. Moreover, some classifications of attacks in CR exist [3, 20, 21].
However, there is no in-depth classification of attacks in CWSNs, and no study of attacks
against cognitive WSNs exists.
We have analyzed special network features that make CWSNs better against
attacks: high transmission range, spectrum awareness, low delays, wireless
adaptation and reliability of data. Their security is obviously endangered by the
medium used, radio waves, but also by specific vulnerabilities of CWSNs like
battery life or low computational resources.
Considering these features, we propose a taxonomy which contains various
attacks with different purposes, behaviours and targets. This helps researchers to
better understand the principles of attacks in CWSNs, and further design more
optimistic countermeasures for sensor networks. Figure 2.1 shows an outline of
this CWSN taxonomy of attacks. CWSN attacks are divided into communications,
against privacy, node-targeted, power consumption, policy and cryptographic
attacks.
2.2.1. Communication attacks
The first category of CWSN attacks is communication attacks. In this kind
of attack, the attacker affects data transmissions between nodes with a concrete
purpose either to isolate a node or to change the behavior of the whole network.
Communication attacks can be classified into three different types according to
the attack behaviour: replay attack, Denial of Service (DoS) attack and Sybil attack.
A replay attack [22] consists of the replay of captured packets, possibly at a
different time or location. For example, a message is directed to a node other than
the intended one. This receiver node replays the message to the intended principal
node, which then receives the delayed message. This delay is fundamental to calculate
network characteristics (channel, topology, routing, etc.). Cognitive wireless sensor
networks could be affected by this delay more than regular WSNs because nodes
share information about the environment. If a node receives the wrong information
and then repeats it, network behavior could be affected drastically. If PU packets
are repeated, SUs could have a wrong inference of the spectrum, too, avoiding the
communications in frequencies or the protocols used by the attacker. There is no
specific work about this kind of attack in a CN. However, it can be considered an
important attack in this area with a special impact, as we have explained above.
The second type of communication attack is the DoS attack, which is characterized
by an explicit attempt to prevent the legitimate use of a service. In this case, services
are the spectrum or a special node, such as a proxy, a coordinator, or a router. Three
kinds of DoS attacks related to CR require special attention: the jamming
attack, the spoofing attack, and the Spectrum Sensing Data Falsification (SSDF) attack.
However, there are more DoS attacks, such as the collision attack, the routing ill-directing attack
or the flooding attack.
A jamming attack is the transmission of a radio signal that interferes with
the radio frequencies used by nodes. The jamming attack is one of the most
studied attacks against WSN [23]. In fact, cognitive features such as fast
channel switching, software reconfigurability, and power transmission control
can transform a normal node into an effective jammer, as Prasad et al. show
in [24].
The use of cognitive features reduces the limitation in the cost of large attacks,
allowing the same impact with fewer devices. If an attacker node can cover
multiple frequency channels, the number of malicious nodes required and the
total cost decrease. Moreover, fast channel switching and spectrum sensing
benefit the attacks. The faster the channel switching is, the higher the jamming
impact in the network because each individual node can interfere with more
frequencies at the same time. On the other hand, spectrum sensing
increases the information the attacker has about the incumbent nodes: the
transmission cycle, the most used channels, or the transmit power. With this
information, the jammer can optimize the attack in terms of impact and energy
saving.
The work by Prasad et al. [24] is based on these ideas and presents
simulation results about how a jamming attack affects the throughput. The
studied parameters are the jamming period, the transmit rate, the packet size,
and spectrum sensing information. The results indicate that an intelligent
jammer can reduce the throughput of the network between five and seventeen
times more than a non-cognitive jammer while using between two and eight fewer
jamming signals. The added value of this work is that it is one of the first security
approaches characterized in terms of energy consumption.
Another example of a specific jamming attack against cognitive networks is
explained in [25]. In this work, Peng et al. use a two-step procedure using
spoofing and jamming in order to minimize the SU’s throughput. A spoofing
attack is when a malicious node impersonates other devices by falsifying data
in order to launch an attack. For example, an attacker can supplant a real PU.
On the other hand, a jamming attack occurs when a malicious node disrupts
communications by transmitting a noise signal in the same transmission
band. There is a difference between spoofing and jamming. Whereas spoofing
happens in the sensing phase, jamming happens in the transmission phase.
During the sensing intervals, the attackers emit spoofing signals in order
to disturb the real vision of the spectrum. At the end of these intervals,
some allowable bands are identified as busy. The empty bands are where the
secondary nodes transmit. However, the second action of the attackers is to
transmit a jamming signal in order to avoid the SU’s transmissions. The authors
analyze the union of the spoofing and jamming attack and try to reduce
the computational cost. Complete results about the attack power consumption
and SU throughput degradation are presented. The two main conclusions of
this work are:
1. Spoofing capability increases when i) the number of allowable bands
decreases; ii) the number of allowable bands required by the CRN
increases; and iii) the integration-time-bandwidth product increases.
2. Jamming capability increases when i) the number of allowable bands
decreases; and ii) the number of allowable bands required by the CRN
decreases.
The work presented in [26] is another example of how cognitive features
increase the damage caused by the attack. Using a cooperative jamming attack,
attackers achieve a 10-15 % improvement compared with a non-cognitive attack.
A discrete-time Markov chain is implemented in order to get the optimal
number of malicious nodes that are needed to participate in the attack.
Despite these examples, CWSNs have great advantages for countering jamming. These
advantages are explained in the following sections, but they can also have
negative effects like energy consumption or communication failures. For
example, the CWSN nodes have a very short battery life. The detection of a
jamming attack implies continuous spectrum sensing with its associated high
energy consumption. Probably, in other cognitive networks, this additional
energy consumption is irrelevant, but in CWSNs, it is very important. Another
aspect that benefits the jamming attack in CWSNs is the low transmit power
and coverage of the nodes. The higher the ratio between the jamming and
the incumbent signal, the higher the consequences of the attack. However, as
we have indicated before, other features in CWSNs can mitigate the attacks.
For example, the spatial and temporal redundancy benefits communications
even in hostile or noisy scenarios.
A Spectrum Sensing Data Falsification (SSDF) attack [27] occurs when
malicious users send wrong spectrum sensing information. For example, a
malicious user can send information that a specific channel is always occupied
in order to use it for the user’s own benefit. The consequence of this situation
is the DoS of the affected nodes. This is one of the most dangerous attacks
in CRNs because the network decisions depend on the spectrum sensing
information. If the origin of this information is wrong or the data are falsified,
the next decisions will be erroneous.
A collision attack [28] consists of intentionally violating the communication
protocol. This kind of attack does not consume much of the attacker’s energy,
but it can cause many disruptions in the network operation. Due to the
wireless broadcast nature, it is not trivial to identify the attacker. For example,
the SUs have to share the spectrum. Therefore, the use of this type of attack
is very efficient in order to disrupt SU communication. Nodes, detecting
collisions, will relay the information, making communication very difficult.
There is no specific previous work about this kind of attack in CR, but as in
the replay attack case, problems in the transmission affect cognitive networks
in a more profound way than traditional WSNs.
In a routing ill-directing attack, a malicious node simply refuses to route
messages. Examples of this kind of attack are grey hole and black hole attacks.
In these attacks, the nodes refuse all packets that arrive or a percentage
thereof. Because of this misinformation, the network can change the routes,
the topology, or leave isolated nodes.
In a flooding attack, a malicious node sends many connection request
messages to a susceptible node, rendering the node or the resource useless.
An example is a network join request message sent to the coordinator node. Both
flooding and routing ill-directing attacks are important threats in CR because
of their dependence on communications and spectrum status.
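For the SSDF attack described in the list above, the following added example (not taken from the thesis or its references) shows a simple consistency check a fusion node could run: it fuses binary occupancy reports by majority vote, flags nodes whose reports persistently disagree with the fused decision, and measures the false-alarm rate on idle rounds before and after excluding them. The node counts, error rate, threshold and all function names are assumptions, and the report table is constructed sample data.

```python
import random


def majority(reports):
    """Fusion rule: declare the channel occupied (1) when more than half of the reports say so."""
    return 1 if 2 * sum(reports) > len(reports) else 0


def build_rounds(n_honest=6, n_falsifying=4, rounds=1000, p_busy=0.3, p_err=0.1, seed=7):
    """Constructed sample data: per-round ground truth and one report per node.

    Honest nodes (ids 0..n_honest-1) report the truth with sensing-error probability p_err.
    Falsifying nodes (the remaining ids) always report "occupied", as in the SSDF text.
    """
    rng = random.Random(seed)
    truth, table = [], []
    for _ in range(rounds):
        busy = 1 if rng.random() < p_busy else 0
        honest = [busy ^ int(rng.random() < p_err) for _ in range(n_honest)]
        truth.append(busy)
        table.append(honest + [1] * n_falsifying)
    return truth, table


def disagreement_rates(table):
    """Fraction of rounds in which each node's report differs from the fused decision."""
    counts = [0] * len(table[0])
    for reports in table:
        fused = majority(reports)
        for node, report in enumerate(reports):
            counts[node] += report != fused
    return [count / len(table) for count in counts]


def flag_suspects(table, threshold=0.3):
    """Node ids whose disagreement rate exceeds the (assumed) threshold."""
    return [node for node, rate in enumerate(disagreement_rates(table)) if rate > threshold]


def false_alarm_rate(truth, table, excluded=()):
    """Share of idle rounds that the fused decision wrongly declares occupied."""
    idle = wrong = 0
    for busy, reports in zip(truth, table):
        if busy:
            continue
        kept = [r for node, r in enumerate(reports) if node not in excluded]
        idle += 1
        wrong += majority(kept)
    return wrong / idle


def run_demo():
    truth, table = build_rounds()
    suspects = flag_suspects(table)
    return {
        "suspects": suspects,
        "false_alarm_before": false_alarm_rate(truth, table),
        "false_alarm_after": false_alarm_rate(truth, table, excluded=set(suspects)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The check relies on the fused decision being mostly correct, so it only holds while falsifying nodes remain a minority of the reporters.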
The third type of communication attack is the Sybil attack. A Sybil attack is defined
as a malicious device illegitimately taking multiple identities. A Sybil attack is
effective against routing algorithms, voting, reputation systems, and misbehavior
detection. For instance, the Sybil attack might utilize multiple identities to generate
additional reputation for malicious nodes or to change the spectrum sensing
information.
Primary User Emulation Attack (PUEA) is a special kind of Sybil attack where
a malicious node emulates the behavior of an incumbent node with the purpose
of using the radio spectrum for its own interest or denying the access to other
nodes. Most of the studies in cognitive radio security are focused on PUE detection.
Given the origin of cognitive radio networks, the efficient use of the TV spectrum
in the USA, early studies used location in order to detect malicious attacks.
These PUs are TV towers with a precise behavior and location. In [29] the PUEA
is defined for the first time. The authors explain this attack as a malicious attacker
that makes transmissions indistinguishable from incumbent signals by transmitting
signals that have the same cyclic spectral characteristics. The cognitive features
make it possible for an SU to mimic the PU’s behavior. Depending on the goal, the
authors classify the PUEA into selfish PUE attacks and malicious PUE attacks. In a
selfish attack, the attacker’s objective is to maximize the attacker’s own spectrum
usage. Meanwhile, a malicious PUE attacker tries to obstruct SUs from accessing
the spectrum. These two PUE attacks can be applied to a CWSN scenario, because
the goals of an attacker in a CWSN are the same. However, the characteristics of the
attacker and the spectrum will be different (for example, ISM bands, low resources,
or low transmit power).
The authors of [30] explain in more detail the effect of PUEA in a cognitive
network. If a PUEA is successful, then cognitive radio technology is unable to
deliver the purpose it has been devised for (i.e. providing access to unlicensed
users whenever the spectrum is vacant). However, the situation can get worse if
a malicious SU schedules PUE during each sensing interval, ultimately causing
a DoS attack. After the analysis of the attack, they also make one of the
first classifications of Primary User Emulator (PUE) attack countermeasures.
They divide the approaches using three characteristics: distributed/individual,
centralized/cooperation and intrusion detection systems. In this thesis, this
classification is not applicable because all the proposed solutions are distributed
and make use of the cooperation among nodes.
More detailed work about the impact of PUE Attack on SUs is presented in
[31]. The researchers compare the dropping probability parameter using no PUEA
detection, individual decisions, and centralized and distributed protocols. Also,
they implement two PUEAs: i) the obstructive malicious user, who only requests
a band when all the channels are occupied, and ii) the greedy malicious user, who
behaves like an SU when the system is not full. The proposed centralized protocol
reduces the number of dropped calls by about one order of magnitude for low
malicious traffic loads. Also, the distributed protocol provides a similar result for
low malicious traffic loads.
In conclusion, PUEA was observed to result in a one and a half times larger
number of dropped real-time traffic calls and a 75 % additional delay for
non-real-time traffic calls. This work supports the idea that collaborative approaches can
be very efficient in detecting this kind of attack. In this work, when the number of
nodes in the network is higher, the performance of collaborative solutions increases.
If the system has more inputs, the success rate in the decisions taken will rise.
2.2.2. Against privacy attacks
The second important category or attack class is comprised of attacks against
privacy. A privacy attack tries to discover the information in the transmissions
among nodes. Cognitive wireless sensor networks allow the sharing of resources to
establish communication and to be aware of the environment. Attackers could use
this access to take some node information. There are three types of privacy attacks:
i) eavesdropping, ii) impersonating, and iii) traffic analysis.
In an eavesdropping attack, the attacker eavesdrops on wireless transmissions
by tapping information. By doing this, the attacker can easily discover the content
of a communication. An impersonating attack is where the attacker joins the
network and impersonates the original victim sensor node to receive a packet. In
a traffic analysis attack, an attacker uses wireless and cognitive features to listen
to the entire spectrum. Traffic analysis attacks [32] try to deduce the context
information of nodes by analyzing the traffic pattern from eavesdropping on
wireless communication. The acquired information could be used to prepare a more
harmful attack. The eavesdropping attack is the most widespread privacy attack in
CRNs.
Some previous works introduce the problem of privacy in cognitive scenarios.
Shu et al. [33] introduce the eavesdropping attack as one of the most important
attacks in these scenarios and the secrecy capacity as an interesting topic to be
studied. These authors discuss the origin of the secrecy capacity, which is defined
as the rate at which information can be transmitted secretly from a source to
its intended destination. Also, they indicate that the complexity of dealing with
eavesdropper attacks in cognitive scenarios is higher because of the user’s two
roles: the PU and the SU. The secrecy capacity is more important in CR scenarios
than in WSN ones, because the nodes transmit not only information from sensors
but also knowledge about the radio spectrum and the network. Therefore, the
secrecy capacity is linked closely with the level of security.
2.2.3. Node targeted attacks
The third category of CWSN attacks is node-targeted attacks. Taking into
account the applications and environments where CWSNs are deployed, wireless
nodes can be compromised physically. For example, in a fire detection system where
the nodes are deployed randomly in the forest, the nodes can be captured by anyone
and can be used against the same network. Node-targeted attacks need more
attention in CWSNs than in normal WSNs because the propagation of information
is more important for the correct working of a CWSN. A node can be captured and
reverse-engineered by the attackers, and then the node can become an instrument for
mounting counterattacks. For example, if a node is captured, the secret keys can
be compromised, the security algorithm discovered, and the sensitive information
used against the node’s own network. In spite of the importance of this attack, there
are still no solutions for node-targeted attacks in CR. In a node-targeted attack, an
attacker can install any malicious software such as new firmware, which tries to
disturb the correct network behavior. Another possibility is that the attacker destroys
the nodes physically. This destruction not only affects node functionality, it also
affects the whole network. Usually, node-targeted attacks are less important for
WSNs because of the high spatial and temporal redundancy. However, distributed
information and co-operational behavior in a CWSN make a captured node a
powerful weapon for attackers.
2.2.4. Power consumption attacks
The fourth category of CWSN attacks is power consumption attacks. Battery life
in a CWSN is a crucial factor. The small size of nodes and batteries makes CWSNs
very vulnerable to power consumption attacks. The attacker can inflict sleep torture
on an energy-constrained node by engaging it in unnecessary communication work
to drain its battery power quickly. Depriving the power of a few crucial nodes (e.g.
Access Point) may lead to the communication breakdown of the entire network.
The attacker node can then request a channel change every time, increasing power
consumption. In [34], a power consumption attack against WSN is explained.
The authors indicate that these attacks, also known as denial of sleep attacks,
usually target the MAC protocol because it is the layer responsible for the
transceiver’s sleep time.
Power consumption attacks become more dangerous in a CWSN than in a WSN
due to the higher complexity in the algorithms and communications and the higher
amounts of information transmitted. These reasons make a CWSN particularly
vulnerable to power consumption.
As with previous kinds of attacks, such as DoS attacks or privacy attacks, power
consumption attacks have not yet been studied in cognitive scenarios. The reason
for this could be the origin of CR, where the devices have higher resources and the
power consumption is a secondary problem.
2.2.5. Policy attacks
The fifth category of CWSN attacks is policy attacks. Cognitive wireless sensor
networks base their operation on policies in order to make decisions. For example,
the policies of a network can be to reduce the power consumption and maintain an
acceptable QoS. These two policies will be weighted with fixed or variable weights.
A policy attack tries to change this policy function in order to modify the network
behavior. Security and privacy policies are imperative since the policy influences
the setup principles of a CWSN [35]. Baldini et al. explain that the main security
threats are closely related to the main functions of the policy system (i.e. policy
derivation, policy distribution, policy reasoning, and policy enforcement). Usually,
CWSNs reflect their policies in an objective function. A network tries to maximize
this function by modifying the available parameters. Therefore, the goal of policy
attacks is to minimize the function value or disturb the way in which the formula is
calculated. If the attack deceives some nodes into believing they are maximizing
their results, the attack will be successful. Baldini et al. indicate three kinds of
threats related to the policies:
Policy derivation threats. In this attack, the goal is to derive wrong or
misleading policies. The attackers can use spoofing, Sybil, or forgery attacks
in order to achieve their objective. An example of this situation can be
shown when a malicious node represents a valid SU that broadcasts wrong
information such as false spectrum sensing results or a non-valid list of
available channels. The result for this attack is the suboptimal use of the
spectrum and a lower QoS.
Policy distribution threats. In this case, the attackers try to prevent access to
the policy messages or send false policy messages. The rest of the network
nodes cannot adapt their parameters correctly, and finally, the performance of
the entire network gets worse.
Policy reasoning and enforcement threats. The third attack occurs when a
malicious attack denies access to the spectrum to other SUs or PUs. Even
though the authors classify this attack in the policy category, it can be
categorized alternatively as a DoS attack, as it is very close to an SSDF attack.
2.2.6. Cryptographic attacks
Concluding the taxonomy, the sixth category of CWSN attacks is cryptographic
attacks. Cryptographic attacks try to find weaknesses in the system by analyzing
the information transmitted. Several kinds of cryptographic attacks exist, but their
objectives are the same: to acquire the cryptographic key to identify weaknesses in
the algorithms or in the node software. Cognitive wireless sensor network nodes
do not have enough resources to implement a powerful cryptographic code and
they are vulnerable to these attacks. The cryptographic attacks are still unexplored,
but they have a special interest in CWSNs. The low-resource nodes are, in most
cases, defenseless against powerful cryptographic analysis. The CWSN nodes have
a simple cryptographic security level and their keys or algorithms can be cracked
easily. Apart from the above listed attacks that may hinder the key management
of CWSNs, the following actions will also endanger the key management within
CWSNs: brute force, dictionary attacks, and monitoring attacks.
2.3. Security approaches
Cognitive Radio has its origin in the United States, where an important problem with
spectrum occupancy became real. The main reason is that the access to the radio
spectrum is ruled by a restrictive regulatory regime that emerged when the Radio
Act of 1927 declared the “ether” to be a publicly owned resource. The goal of CR
was to use the radio spectrum when base stations did not transmit.
Accordingly, the first real and simulated scenarios were static, with base
stations playing the role of Primary User (PU) and different devices acting as SUs. If an
attacker tries to emulate a PU, geolocation is an efficient method. The first security
strategies tried to solve the PUEA assuming location restrictions. Since the first
security works in cognitive radio in 2009, there have been different approaches that explore
solutions to this attack and other ones, such as DoS or policy attacks.
Although Section 2.2, where the attacks in CR have been described, proposes
a taxonomy divided by cognitive features, this section proposes a classification of
countermeasures divided by stack layers. The CWSN protocol stack is based on
the traditional Open System Interconnection (OSI) model, but with the difference
that some wireless technologies only implement the lower levels (physical, medium
access (MAC), and network). In this classification, it is possible to observe that
multiple solutions in different layers can be applied together in order to mitigate
a specific attack, as we can see in Figure 2.2.
Figure 2.2: Security approaches and attacks
2.3.1. Physical layer
The physical layer and the MAC layer are the most important and studied layers
in CWSNs because they contain new features that modify the security problem,
such as spectrum sensing. The reason for this interest is the importance of these
characteristics in the operation of these networks. If either the physical layer or the
MAC layer is compromised by an attack, the complete system will be operating
over corrupted information.
Security in the physical layer has been studied in WSNs for more than ten years,
but the security of cognitive radio is an unexplored field. Moreover, the existing
work in physical layer security is mostly focused on the possible vulnerabilities
that we have presented in Section 2.2. For this reason, this section uses the
classification presented in [17], where the authors present a tutorial of physical layer
security in WSNs. This classification has been complemented with the analysis of
how these countermeasures apply in CWSNs and how they may be affected by
cognitive features. Also, the existing solutions in the literature are organized in this
classification.
2.3.1.1. Theoretical secure capacity
The spectrum capacity limitation is one of the most important motivations that
prompted the emergence of cognitive radio. The use of two roles in the same
frequency (SU and PU) is an opportunity for maximizing the radio spectrum usage.
However, new rules had to be created in order to protect the incumbent users. For
example, the interference temperature limit [36] is the threshold of the maximum
interference power at the PU’s receivers. The interference temperature limit appears
in order to fulfil a recommendation of the Federal Communications Commission
(FCC) Spectrum Policy Task Force. This recommendation tries to protect the
communications from sources of interference. The interference temperature limit
is the worst case in which a Radio Frequency (RF) antenna can operate.
On the other hand, sharing spectrum has become an opportunity for attacks
against privacy. Malicious nodes can eavesdrop on the wireless transmissions looking
for private information. Despite the fact that these kinds of attacks are known from
other wireless networks, the eavesdropping attacks become more dangerous in a
cognitive network for many reasons. For example, the cognitive nodes transmit not
only the information that they obtain from sensors, but also knowledge
acquired during the operation time or control packets with information about the
network behavior.
The work related to security in this area has been focused on the study of secrecy
capacity, which is the maximum rate between two nodes subject to the constraint that the
eavesdropper is kept ignorant of the information. This research area began with
the pioneering work of Wyner [37]. In this work, the reference scenario for future
works was defined. The transmitter (T) wants to maximize the information sent
through the main channel (from T to a receiver (R)) and minimize the information
in the eavesdropper channel (from T to an eavesdropper (E)). In this scenario, the
author showed that the secrecy capacity is the difference of the capacities for the two
channels (Figure 2.3).
Figure 2.3: Reference scenario for theoretical secure approaches
The following works use the Wyner theory in order to explore derived
approaches. First, Leung and Hellman [38] extend Wyner’s work on the discrete
memoryless wire-tap channel to Gaussian wire-tap channels. The authors in [39]
also make a generalization of Wyner’s work. Another example of related
work is [40], where the authors show that security is achievable even when the
eavesdropper has a better Signal to Noise Ratio (SNR) than the legitimate receiver.
They develop a secure communication protocol to ensure wireless
information-theoretic security based on common randomness via opportunistic transmission,
message reconciliation, common key generation via privacy amplification, and
finally, message protection with a secret key. It was shown that the protocol is
effective in secure key renewal even in the presence of incomplete Channel State
Information (CSI).
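The secrecy-capacity relation described above, as an added numerical example that is not from the thesis or the cited papers: it evaluates the Gaussian wire-tap case (main-channel capacity minus eavesdropper-channel capacity, floored at zero) and, assuming independent Rayleigh fading on both links, estimates how often the instantaneous secrecy capacity is positive even when the eavesdropper has the better average SNR. The SNR values, the fading model and the function names are assumptions chosen for illustration.

```python
import math
import random


def db_to_linear(db):
    """Convert a decibel value to a linear power ratio."""
    return 10.0 ** (db / 10.0)


def awgn_capacity(snr):
    """Shannon capacity in bit/s/Hz of a Gaussian channel with linear SNR."""
    return math.log2(1.0 + snr)


def secrecy_capacity(snr_main, snr_eve):
    """Gaussian wire-tap channel: capacity of T->R minus capacity of T->E, floored at zero."""
    return max(0.0, awgn_capacity(snr_main) - awgn_capacity(snr_eve))


def prob_positive_secrecy(avg_snr_main, avg_snr_eve):
    """P(instantaneous SNR of R > that of E) under independent Rayleigh fading (assumed model).

    With Rayleigh fading both instantaneous SNRs are exponentially distributed,
    which gives the closed form below.
    """
    return avg_snr_main / (avg_snr_main + avg_snr_eve)


def simulate_fading(avg_snr_main, avg_snr_eve, trials=200_000, seed=1):
    """Monte Carlo check: fraction of fading states with Cs > 0 and the mean Cs."""
    rng = random.Random(seed)
    positive = 0
    total = 0.0
    for _ in range(trials):
        snr_main = rng.expovariate(1.0 / avg_snr_main)  # mean = avg_snr_main
        snr_eve = rng.expovariate(1.0 / avg_snr_eve)    # mean = avg_snr_eve
        cs = secrecy_capacity(snr_main, snr_eve)
        positive += cs > 0.0
        total += cs
    return positive / trials, total / trials


if __name__ == "__main__":
    # Static case (assumed values): receiver at 10 dB, eavesdropper at 0 dB.
    print("Cs, R stronger :", secrecy_capacity(db_to_linear(10), db_to_linear(0)))
    # Static case with the roles swapped: no secrecy rate without fading.
    print("Cs, E stronger :", secrecy_capacity(db_to_linear(0), db_to_linear(10)))
    # Fading case: eavesdropper 5 dB better on average, yet Cs > 0 part of the time.
    main_avg, eve_avg = db_to_linear(5), db_to_linear(10)
    print("P(Cs > 0) closed form:", prob_positive_secrecy(main_avg, eve_avg))
    print("P(Cs > 0), mean Cs   :", simulate_fading(main_avg, eve_avg))
```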
In recent years, the secure capacity has been applied to scenarios closer to
cognitive radio. For example, in [41], Pei et al. address the physical layer security
problem in multiple-input single-output (MISO) cognitive radio channel scenarios.
The main contributions of this work are the characterization of the secrecy capacity
of the secure MISO CR channel and a mathematical development in order to
find the optimal transmit covariance matrix based on the transmit power and
interference power. The authors use three suboptimal schemes to obtain this matrix.
The simulation experiments show that all of them can approach the maximum
theoretical secrecy capacity under certain conditions (for example, when the
secondary channel is strictly stronger than the eavesdropper channel). This work
provides us with the idea that it is possible to achieve secure communications even
under strong privacy attacks while working with the radio parameters.
2.3.1.2. Channel approaches
This section shows the security mechanisms based on the exploitation of the
channel characteristics. These techniques can be applied to detect and mitigate
some CR attacks such as PUEAs or eavesdropping attacks.
One of the most studied solutions in order to detect PUEAs is the detection of
some radio frequency fingerprints, which can differentiate between an attacker and
an incumbent PU. For example, Zhao et al. [42] use the phase noise of the noisy
carrier from the receiver in order to identify the transmitter. The authors consider
other parameters, such as the modulation, the signal bandwidth, or the transfer
rate easy to copy. However, the phase noise of the local oscillator has characteristics
that identify the transmitter unambiguously. The fingerprints are extracted, erasing
the modulation, and these features are the input of an artificial neural network
classifier. They compare this solution with the location-based approaches and
indicate that this solution is valid for ad-hoc networks. Applied to CWSNs, this
solution has certain factors to take into account. Although it is a good solution, the
resources needed to analyze the wireless transmissions and to detect
the phase noise are not available in CWSN nodes. These devices only have some
modulations and channels available in order to transmit and receive signals, but
not for signal analysis. Therefore, other types of features should be evaluated in
CWSN approaches.
In [43], the method called DECLOAK uses the spectrum sensing information
to join channel independent features and create fingerprints for each device.
The authors propose four features in order to distinguish the nodes: i) the
carrier frequency difference, ii) the phase shift difference, iii) the second-order
cyclostationary, and iv) the amplitude of the received signal. An unsupervised, nonparametric Bayesian classification method is applied to distinguish between PUE
attackers and real PUs. The presented results analyze how the DECLOAK method
distinguishes between the attackers and the PUs. They compare the hit rate with
the number of nodes in the network and the KLD metric, which is a measure of the
difference between two probability distributions. For most of the KLD values,
the system has a hit rate over 80 %, reaching 90 % for KLD > 10.
To conclude the solutions against the PUEA, it is interesting to point out the
work of Rehman et al. [44], in which the radio frequency (RF) fingerprint technique
presented in [45] was analyzed in low-end cognitive radios. The devices used in
this paper are seven Universal Software Radio Peripheral (USRP)s. The limited cost
of these platforms implies imperfections in the analogue components responsible
for the RF stage. In this case, the RF fingerprints are built with the power spectral
density coefficients from the preamble signals. The evaluation consists of two Wi-Fi scenarios: infrastructure and ad-hoc. The results conclude that this approach is
valid for the ad-hoc scenario, but not for the infrastructure scenario. Although this is
an approximation to a CWSN, the devices still have enormous resources compared
with a WSN device. The cost of a USRP is two orders of magnitude higher than
a CWSN node.
Channel approaches can also be applied against privacy attacks. As the
references in Section 2.3.1.1 explain, the Multiple-Input Multiple-Output (MIMO)
networks can exploit their features in order to avoid the eavesdropping attack using
orthogonal transmission for the receiver and the eavesdropper. In [46], the authors
randomize the MIMO transmitted coefficients that weigh up the antenna transmit
power. These variations are undetectable for the eavesdropper but detectable
to the receiver. Moreover, the redundancy of MIMO transmissions disturbs the
eavesdropper functionality.
In order to finish the application of channel approaches in security, an innovative
approach is the detection of variations in the transmission features in order to
notify a power consumption attack. If a node is forced to have an anomalous
behavior that implies higher power consumption, its RF fingerprint will be
different (a higher transmit power or a higher transmit rate). Research related
to this idea is presented in [47]. The main contribution of this work is to detect
unauthorized software execution in Software-Defined Radio (SDR). This approach,
called power fingerprinting, monitors the dynamic power consumption and uses
pattern recognition to detect anomalous behaviors. If the same concept is applied to
CWSNs, it could be possible to detect attacks analyzing the changes in transmission
features that an attacker produces.
2.3.1.3. Code approaches
Code approaches address the security challenge by protecting the data
through encryption mechanisms or secret and public keys. Following this idea, the
authors in [48] propose a scheme against PUEAs using public key cryptography.
The PU attaches a digital signature to the data units it transmits. The digital
signature is generated using the PU identity, the current time-stamp, and a private
key. Each time an SU senses the spectrum and detects a signal, it sends the digital
signature to the Base Station (BS). Finally, the BS is responsible for completing the
verification. The main problem with adopting these kinds of solutions in CWSNs
is the computational weight. In spite of the authors indicating that this scheme
consumes fewer resources than traditional public key signature solutions, it still uses
a 2 GHz Pentium processor, which is something unacceptable for CWSNs.
Code approaches improve resilience against jamming and eavesdropping. In
[49], a combination of turbo coding and the Advanced Encryption Standard
(AES) cryptosystem is proposed. An error in the received ciphertext can cause a
large number of errors in plain text after decoding. Depending on the channel
condition, this method can be adopted to choose the number of redundant bits
required to protect the information in order to achieve high efficiency. Another
technique is spread-spectrum coding, in which a signal is spread by a pseudo-noise
sequence over a frequency bandwidth much wider than that occupied by
the original information. The main difference between
conventional cryptographic systems and spread-spectrum systems lies in their key
sizes. Traditional systems can have a very large key space. However, in a spread-spectrum
system, the key space is limited by the range of carrier frequencies and
the number of different sequences.
Although these kinds of solutions are well accepted in other high-resource
networks, they are not fully compatible or viable in CRs and CWSNs. In
CRs, the Federal Communications Commission (FCC) indicates, "no modification
to the incumbent signal should be required to accommodate opportunistic use of
the spectrum by SUs". However, the solution of including keys contradicts FCC
recommendations. On the other hand, CWSNs are low-resource networks and some
cryptographic solutions require complex implementations that are impossible to
integrate inside them.
2.3.1.4. Power approaches
The main idea behind physical-layer security is to limit the amount of
information that can be extracted at the bit level by an unauthorized receiver by
the exploitation of all available channel state information (CSI). The fundamental
problem of WSNs is the difficulty of obtaining full CSI. The cognitive paradigm
allows for spectrum monitoring and provides this information to the network. New
physical-layer security techniques that complement higher layer ones, such as the
introduction of artificial noise, are emerging in order to increase the privacy in
multi-antenna scenarios.
Discriminatory channel estimation is performed by injecting artificial noise to
the left null space of the legitimate receiver's channel to degrade the estimation
performance of the eavesdropper [50]. The approach consists of two phases. First,
the transmitter emits a collection of training signals without artificial noise. These
sequences help the legitimate receivers estimate the legitimate channel. In the
second phase, the receiver sends back the estimation. Then the emitter sends
another set of training signals with artificial noise in the left null space of the
estimated channel. The receiver and the eavesdropper will make use of this new set
in order to improve their estimations. However, the artificial noise will degrade the
eavesdropper's estimation. The metric to validate this algorithm is the Normalized Mean
Square Error (NMSE) of the channel estimation. If the second phase of the algorithm
is repeated more than two times, the NMSE performance of the legitimate receiver
is greatly improved in comparison with the eavesdropper (between 2 and 5 orders
of magnitude).
Dong et al. [51] present some cooperative approaches in order to improve
wireless security by including relays that run some security strategies. The
decode-and-forward (DF), amplify-and-forward (AF), and cooperative jamming
(CJ) schemes represent an improvement in the secrecy rate depending on certain
parameters. For example, depending on the distance between the source and the
eavesdropper, the secrecy rate is doubled with the DF and AF schemes. It is also
shown that the necessary transmit power is reduced by 6 dBm approximately.
However, they do not include the required power for the implemented scenario.
This is the first work where the idea of collaboration between nodes is performed.
Although some of these approaches show the importance of the eavesdropping
attack and the artificial noise as a possible countermeasure, they do not take full
advantage of the cognitive features.
Another example is the work presented by Wu et al. in [52]. They apply a
cooperative Stackelberg game, where the SUs and PUs modify the transmit power.
The results indicate that cooperation in the game improves the secrecy rate in
a range between 0.2 and 0.6 depending on the channel gains. This work can be
interpreted as a new step in the introduction of cognitive features in artificial noise
countermeasures. However, the eavesdropping model of these scenarios is passive,
and jammer nodes introduce noise in the spectrum without a full cognitive strategy.
2.3.2. MAC layer
Even though Medium Access Control (MAC) security approaches have been
studied with less depth than physical layer approaches, some works deal with
the security problem. The MAC layer has the critical task in CRs of managing
the spectrum access. In these networks where SUs and PUs have to coexist, the
SUs need to implement new medium access protocols in order to meet the rules.
Most CR attacks can disturb the correct behavior of the MAC layer. For example, an
attacker can change the perception of spectrum availability, and prevent SUs from
accessing the spectrum. However, the research in this area is still in an early stage.
2.3.2.1. Authentication/Identifying approaches
Authentication is the process of determining whether someone or something is,
in fact, who or what it is declared to be. In CRNs, it is the mechanism by which the
identity of a node is confirmed or denied.
The authors of [53] suggest that authentication is the key technology to assure
secure communications in CR. They indicate that previous protocols used in
wireless networks, such as PPP Extensible Authentication Protocols, are not suitable
for CR because of the nature of CR networks (multi-channel and multi-standard).
They propose a new authentication mechanism based on a third-party certification
authority (CA). However, this work focuses on mobile phone scenarios where the
entities involved are completely different.
A similar solution can be found in [54] where an authenticator server has
the function to provide a certificate for each node that has been registered and
authorized to join the network. After this step, the nodes receive a public key that
they have to use for the communications. The authors indicate that this security
MAC protocol makes DoS and eavesdropping attacks difficult. However, they do
not present any results that support the theoretical idea. The overheads produced
by this solution in transmissions and processing are usually unaffordable for CWSN
nodes.
An authentication method is applied in [55] in order to improve the security
in the Common Control Channel (CCC). The security in the CCC is a critical
challenge in CR because of the nature of the information that nodes share through
it. The authentication method is applied to the first security phase where the sender
and receiver must authenticate each other. After this phase, any communications
between them are encrypted using a key.
For the authors of [56], a solution for low-resource CR network security is
using public key cryptography as a digital signature. This method facilitates the
task of identifying incumbent PUs. This secure authentication reduces the relative
calculating overheads and communication cost. The same authors present another
authentication method using a trust-based mechanism [57]. Also, they include the
trust table update procedure.
2.3.2.2. Other secure MAC approaches
Most of the MAC security approaches are based on an authentication and
identifying mechanism. However, others use the MAC layer to implement the main
part of the solution.
For example, Shaukat et al. propose a solution to improve the security in the
Institute of Electrical and Electronics Engineers (IEEE) 802.22 MAC Layer Protocol
by including a timing parameter during the channel negotiation procedure [58]. This
approach consists of the introduction of a time interval parameter by the receiver.
If the sender transmits at a higher rate than the time interval allows, the sender is marked
as a malicious node. The work proposes an interesting and new solution, but the
authors do not present results that validate the approach.
Wu et al. [59] present a MAC-layer punishment mechanism against selfish
behaviors. They make use of the puzzle model proposed by Pekka et al. [60]. The
server creates this puzzle when a device is marked as a possible selfish node. This
puzzle has random entries and a difficulty. The server sends this information to the
client in order to solve the puzzle. The possible selfish node has to solve the puzzle
and broadcast the result in order to restart the communication. The authors show
the simulation results obtained with the NS-2 tool. They compare the fairness index with
the number of attackers. The algorithm achieves a fairness rate of over 60 %, even
with 100 % of selfish nodes.
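The punishment cycle described above (flag, issue puzzle, solve, readmit) can be sketched as follows. This is an added example, not code from [59] or [60]; it assumes a hash puzzle (SHA-256 with a required number of leading zero bits), and the names `PuzzleServer`, `punish`, `readmit` and `solve` are hypothetical.

```python
"""Puzzle-based punishment of a suspected selfish node (added illustration).

Assumption: the puzzle is a hash puzzle. The node must find a value whose
SHA-256 digest, computed together with the server's random entry and the
node id, starts with `difficulty_bits` zero bits. All names are hypothetical.
"""
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_digest(nonce: bytes, node_id: str, solution: int) -> bytes:
    # Fixed-width nonce and solution keep the concatenation unambiguous.
    data = nonce + solution.to_bytes(8, "big") + node_id.encode()
    return hashlib.sha256(data).digest()


def solve(nonce: bytes, node_id: str, difficulty_bits: int) -> int:
    """Client side: brute-force search, about 2**difficulty_bits hashes."""
    solution = 0
    while leading_zero_bits(puzzle_digest(nonce, node_id, solution)) < difficulty_bits:
        solution += 1
    return solution


class PuzzleServer:
    """Server side: issues one puzzle per flagged node and verifies it once."""

    def __init__(self, difficulty_bits: int = 12):
        self.difficulty_bits = difficulty_bits
        self.pending = {}  # node id -> random entry of the outstanding puzzle

    def punish(self, node_id: str):
        """Called when a node is marked as possibly selfish."""
        nonce = os.urandom(16)  # random entry, fresh for every puzzle
        self.pending[node_id] = nonce
        return nonce, self.difficulty_bits

    def readmit(self, node_id: str, solution: int) -> bool:
        """Verification costs one hash, whatever the difficulty."""
        nonce = self.pending.get(node_id)
        if nonce is None:
            return False  # no outstanding puzzle: unknown node or replay
        if not isinstance(solution, int) or not 0 <= solution < 2 ** 64:
            return False
        digest = puzzle_digest(nonce, node_id, solution)
        if leading_zero_bits(digest) < self.difficulty_bits:
            return False
        del self.pending[node_id]  # a solution is accepted only once
        return True


if __name__ == "__main__":
    server = PuzzleServer(difficulty_bits=12)
    entry, bits = server.punish("node-7")
    answer = solve(entry, "node-7", bits)
    print("readmitted:", server.readmit("node-7", answer))
    print("replay accepted:", server.readmit("node-7", answer))
```

Raising `difficulty_bits` by one doubles the expected work of the punished node while the server's verification cost stays at a single hash, which matters for resource-constrained verifiers.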
A multilevel security solution is presented in [61]. Encryption, free channel list
privacy, time stamp inclusion, and common control channel adaptation are the
methods that the authors propose to create a four level secure mechanism for the
MAC layer. Although the authors present the design and the pseudo-code of the
solution, no results are related to the improvement of security.
These solutions can be useful combined with other security level approaches.
In CWSNs, where the ad-hoc protocols allow the complete adaptation of the
communication stack, these solutions can be applied. However, the computational
overhead should be controlled.
2.3.3. Other security approaches
In this section, all the security solutions which involve multiple stack layers are
presented.
2.3.3.1. Geolocation approaches
As introduced in Section 2.3, the origins of CR meant that the first security
solutions were based on geolocation. These solutions try to use the position of
the agents in the scenario in order to distinguish between legitimate users and
attackers.
In [29], Chen and Park present the first method for detecting a PUE attack
based on location. The idea of this method is to differentiate the attacker from a
licensed user by comparing the transmission origin with the previously known
PU position. After the analysis of the attack, they also make one of the first
classifications of the PUE attack countermeasures. They divide the approaches
using three characteristics: i) distributed/individual, ii) centralized/cooperation,
and iii) intrusion detection systems. In this work, this classification is not applicable
because all the proposed solutions are distributed and make use of the cooperation
among nodes.
The same authors use a mechanism based on location in [62]. They propose
a location-based authentication scheme in TV white spaces. If the signal from a
transmitter has similar characteristics as TV broadcasters, localization based on
RSS measurements is performed, and the results are matched against a known
location database to determine whether attacks have occurred. Clearly, such a
scheme assumes that PUs are stationary and channel variations are not significant.
In [63], the authors assume that the attacker is close to the victim, and the real PU
is much farther from the SUs than the attacker. Moreover, the position of each node,
including the attacker, is fixed. Given this assumption, SUs can learn about the
characteristics of the spectrum according to the received power. The authors in [31]
follow a similar approach. Despite not using any location information, they assume
a static scenario with the PU much farther away from other possible malicious
nodes than the SUs.
More location-based countermeasures can be found in [64] and [65]. In the first
work, SUs calculate the estimated position of the PUE attacker and then propagate
this knowledge to reach a coordinated decision. The second work is focused on the
algorithm used to detect the position of the PUE attacker.
All these solutions for TV tower scenarios make some assumptions that are
wrong in CWSNs where the nodes can be mobile. Consequently, the use of these
approaches should be discarded or at least adapted to CWSN characteristics.
2.3.3.2. Based on behavior
Like geolocation countermeasures, defenses based on behavior try to model the
attacker's characteristics. However, they use the spectrum sensing information in
order to generate the behavior pattern of the node transmissions. For example,
in [66], the PU modeling problem is studied. The model is used to look for
differences between a PU and attackers. For example, in [62] the authors use some
radio parameters to decide if the transmitter is an incumbent transmitter or an
attacker. These parameters are as follows: transmitted power and location. For
a typical TV scenario in CR, the PU model can be very precise. However, as
with geolocation countermeasures, the previous studies do not work with CWSNs.
Unfortunately, a model for PUs in CWSNs does not exist yet. PUs are usually more
unpredictable than in previous scenarios. Moreover, the PUE’s behavior can be
very different depending on the application. However, if we focus our CWSN on
limited scenarios, for example, ambient intelligence in a home or a building, the
PU is specifically defined. Parameters like power transmission, time occupancy of
spectrum, and transmission frequency could be modeled.
The learned behaviors of these parameters allow the system to create some
profiles which are compared with periodically acquired measures. It is easy to
understand that, when a PUE attack happens, an anomaly in learned parameters
can be detected. The intrinsic goals of an attacker make it impossible to have a
complete likeness between a PU and a PUE attack. For example, if the goal of a PUE
attack is the use of a whole frequency band, it needs to transmit more frequently,
with more power and different types of packets than a normal PU.
The authors of [67] propose an Intrusion Detection System for a Wireless
Regional Area Network (WRAN). The intrusion detection system detects anomalies
in the behavior of network nodes using a cumulative sum algorithm. The
solution has two phases: i) the learning phase, where the nodes construct a
static profile with the spectrum sensing information, and ii) the detection phase,
where the detection of anomalies using the profiles generated in the first phase
is performed. This algorithm has low complexity and low overhead, which
allows the implementation of the solution in a distributed architecture. Moreover,
the behavior-based solutions can detect attacks that are not known beforehand.
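The two-phase scheme (learning a static profile, then detecting with a cumulative sum) can be illustrated as follows. This is an added example, not the implementation of [67]; it assumes a standardized two-sided CUSUM with slack k = 0.5 and threshold h = 5 (both in standard deviations), and the feature names and sensing windows are constructed.

```python
"""Two-phase behaviour-based anomaly detection with a cumulative-sum test.

Added illustration: the CUSUM parameters, the feature names and every sample
value below are assumptions constructed for this example.
"""
from statistics import mean, pstdev

K_SLACK = 0.5  # assumed: drift (in sigmas) tolerated before evidence accumulates
H_ALARM = 5.0  # assumed: accumulated evidence (in sigmas) that raises an alarm


def learn_profile(training):
    """Learning phase: per-feature (mean, std) from attack-free sensing windows."""
    profile = {}
    for feature in training[0]:
        values = [window[feature] for window in training]
        sigma = pstdev(values)
        if sigma == 0:
            raise ValueError(f"feature {feature!r} is constant, cannot normalise")
        profile[feature] = (mean(values), sigma)
    return profile


def detect(profile, windows, k=K_SLACK, h=H_ALARM):
    """Detection phase: (index, feature, direction) of the first alarm, or None."""
    high = {f: 0.0 for f in profile}  # evidence that a feature has increased
    low = {f: 0.0 for f in profile}   # evidence that a feature has decreased
    for i, window in enumerate(windows):
        for f, (mu, sigma) in profile.items():
            z = (window[f] - mu) / sigma
            high[f] = max(0.0, high[f] + z - k)
            low[f] = max(0.0, low[f] - z - k)
            if high[f] > h:
                return (i, f, "increase")
            if low[f] > h:
                return (i, f, "decrease")
    return None


def max_abs_z(profile, windows, feature):
    """Largest single-window deviation, as a per-sample threshold test sees it."""
    mu, sigma = profile[feature]
    return max(abs((w[feature] - mu) / sigma) for w in windows)


# Constructed attack-free sensing windows of one PU channel (learning phase).
TRAINING = [
    {"rx_power_dbm": p, "occupancy": o}
    for p, o in zip(
        [-70.0, -71.0, -69.0, -70.0, -72.0, -68.0, -70.0, -71.0, -69.0, -70.0],
        [0.10, 0.12, 0.09, 0.11, 0.10, 0.08, 0.12, 0.10, 0.11, 0.09],
    )
]

# Constructed monitoring stream: from window 5 on, an emulator keeps the channel
# slightly busier (occupancy 0.125) while matching the PU's received power.
STREAM = [
    {"rx_power_dbm": p, "occupancy": o}
    for p, o in zip(
        [-70.0, -69.0, -71.0, -70.0, -70.0, -69.0, -70.0, -71.0, -70.0, -70.0],
        [0.10, 0.11, 0.09, 0.12, 0.10, 0.125, 0.125, 0.125, 0.125, 0.125],
    )
]

if __name__ == "__main__":
    profile = learn_profile(TRAINING)
    print("first alarm:", detect(profile, STREAM))
    print("max |z| of occupancy:", round(max_abs_z(profile, STREAM, "occupancy"), 2))
```

No single window deviates by more than two standard deviations, so a per-sample threshold would stay silent; the cumulative sum raises the alarm on the fourth window of the shifted behaviour.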
2.3.3.3. Trust and reputation approaches
Reputation systems are based on the idea that, in most networks, there can be
no assurance regarding the identity of nodes. Trust and reputation systems are
needed in order to deal with principles of honesty and reliability. Trust is defined
as the expectation by an agent node about the outcomes of the actions of a subject
node based on past experiences and observations from witness nodes. On the other
hand, reputation is the global perception of a node’s trustworthiness in a network
[68]. These two concepts can help to improve the security in many CR areas, such
as spectrum sensing or channel access. For example, in [69], the authors apply
a reputation system for securing the cooperative sensing mechanism. In a CRN,
the spectrum sensing information is crucial for good operation. An attacker can
compromise this information by reporting false information affecting the decisions
taken by the network (an SSDF attack). The secure approach presented by Zhang et
al. is distributed to allow the scalability of the solution by using reputation to weigh
received values from neighbors and protect the location privacy.
Similar approaches can be found in [70, 71]. In the first work the authors use
the statistics of primary band occupancy in order to update the reputation levels. In
this solution, the false alarm rate values are between 0.02 and 0.3, depending on the
initial reputation value. The detection rate is between 0.7 and 0.98. In the second
work, the SUs' reputation varies depending on their sensing results too. When a
node's reputation falls below a threshold, its reports are not taken into consideration.
The proposed solution is simulated against different attacks: SSDF, DoS, power
consumption and combinations of attacks. The authors present the Total Utility Loss
(TUL) metric in order to measure the effectiveness of the scheme. The TUL metric
is a weighted sum of the false alarm rate and miss detection error rate. The results
vary depending on the attack, but in all scenarios the TUL is improved reaching
values under 0.5. Without the proposed scheme, the TUL is between 1.1 and 4.0
(varying the PU band usage rate).
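The mechanism shared by these reputation schemes (weigh reports by reputation, ignore nodes below a threshold, score the outcome with a weighted sum of false alarm and miss detection rates) can be illustrated as follows. This is an added example, not the algorithm of [69], [70] or [71]; the reputation scale, update steps, threshold, TUL weights and the report pattern are all constructed assumptions.

```python
"""Reputation-weighted cooperative sensing under an SSDF attack.

Added illustration: every parameter and the deterministic report pattern are
assumptions constructed for this example.
"""

HONEST, MALICIOUS, ROUNDS = 5, 4, 30
REP_START, REP_MAX = 5, 10  # assumed integer reputation scale
REWARD, PENALTY = 1, 2      # assumed update steps
REP_THRESHOLD = 3           # assumed: reports of nodes below this are ignored


def truth(r):
    """Constructed PU activity: the band is occupied every third round."""
    return r % 3 == 0


def report(node, r):
    """Honest node j errs once every 10 rounds; malicious nodes always lie."""
    if node >= HONEST:
        return not truth(r)
    if r % 10 == 2 * node + 1:
        return not truth(r)
    return truth(r)


def fuse(reports, weights):
    """Weighted vote; a tie is resolved as 'occupied' to protect the PU."""
    occupied = sum(w for said, w in zip(reports, weights) if said)
    idle = sum(w for said, w in zip(reports, weights) if not said)
    return occupied >= idle


def simulate(use_reputation):
    """Return (false alarm rate, miss detection rate, final reputations)."""
    n = HONEST + MALICIOUS
    rep = [REP_START] * n
    false_alarms = misses = idle_rounds = busy_rounds = 0
    for r in range(ROUNDS):
        reports = [report(i, r) for i in range(n)]
        if use_reputation:
            weights = [x if x >= REP_THRESHOLD else 0 for x in rep]
        else:
            weights = [1] * n  # plain majority vote
        decision = fuse(reports, weights)
        if truth(r):
            busy_rounds += 1
            misses += 0 if decision else 1
        else:
            idle_rounds += 1
            false_alarms += 1 if decision else 0
        if use_reputation:
            # Nodes have no ground truth, so reports are scored against the
            # fused decision. Excluded nodes keep being scored.
            for i in range(n):
                step = REWARD if reports[i] == decision else -PENALTY
                rep[i] = max(0, min(REP_MAX, rep[i] + step))
    return false_alarms / idle_rounds, misses / busy_rounds, rep


def total_utility_loss(fa_rate, md_rate, w_fa=1.0, w_md=1.0):
    """Weighted sum of both error rates (equal weights are an assumption)."""
    return w_fa * fa_rate + w_md * md_rate


if __name__ == "__main__":
    for label, flag in (("majority vote", False), ("reputation", True)):
        fa, md, rep = simulate(flag)
        print(label, "FA", fa, "MD", md, "TUL", total_utility_loss(fa, md), rep)
```

In this constructed scenario the four lying nodes outvote the honest ones whenever a single honest node errs; with reputation they drop below the threshold after two rounds and no longer influence the decision.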
2.3.3.4. Game theory approaches
Game theory is the study of mathematical models of conflict and cooperation
between intelligent rational decision-makers [72]. Due to the characteristics of CR,
such as spectrum sharing or history learning, game theory approaches can model
some scenarios. More specifically, game theory has been applied to the security field
in CR for a few years.
One of the first research works where game theory was applied to security in CR is
described in [73]. In this work, the authors face the problem of selfish attacks, where
SUs want to increase the use of the spectrum for their own purposes. A secure
access method for CR is formulated as a static game in order to find the Nash
equilibrium. Then, a punishment mechanism for a selfish user is implemented in
order to maintain a balanced use of the spectrum.
Another problem where game theory has been applied is secure routing. Zhu
et al. [74] propose a game-theoretic routing protocol where malicious attackers and
honest nodes are the opponents. The authors formulate the game over an AODV
algorithm. Despite the fact that they propose this protocol to defend the network
from different attacks, the results show the performance against a jamming attack.
For example, the proposed algorithm reduces the increase in routing delay that a
jamming attack causes from 90 % to 20 %.
In the work of Tan et al. [75], the PUEA is modeled as a non-cooperative game
between the attackers and the SUs. They formulate the scenario and propose a
belief-updating mechanism that SUs use in order to know the PU's activity. The
results demonstrate that the mechanism increases the SU's payoff and decreases
the probability of mistaking the attacker for the PU or missing the PU.
Finally, in [76] the authors analyze the use of game theory for security in CRNs.
After a classification of the attacks in these networks, they propose the game theory
approach as a new solution for these issues. Moreover, a classification of which
game model can be used for each issue is presented.
2.4. Cognitive frameworks
A common research project has the following steps: design, simulation,
implementation, installation and maintenance. The design is the first step, where
the developers focus their ideas on a new approach. CWSN is still in the first
stage, the design. The second stage requires suitable tools for the simulations.
Nowadays, these tools do not exist or they do not have the suitable characteristics
required to develop a complete CWSN scenario. The reason is that CR is an
emerging technology. Most of the studies reach only the design phase and only
a few of them have simulations. In the coming years, when this technology is
deployed in real devices, cognitive frameworks will be crucial.
There are several WSN simulators used by researchers to develop their work.
For example, NS-2 [77] is one of the best-known simulators. The majority of the
WSN research community uses this simulator, although its latest release was in 2008.
NS-2 is a discrete network simulator built as an Object-Oriented extension of Tool
Command Language and C++. This simulator is open source and provides online
documentation. NS-2 can support a considerable range of protocols in all layers.
The emergence of the new simulator NS-3 was a great step forward in order to
improve the features of the NS-2 simulator [78]. Table 2.1 summarizes the differences
between NS-2 and NS-3.

| | NS-2 | NS-3 |
|---|---|---|
| Programming languages | NS2 is implemented with oTCL and C++. It was very time consuming. There is overhead introduced with large simulations. oTCL is the only available scripting language. | NS3 is implemented using C++. NS3 can be developed with C++ entirely. There is a limited support for Python in scripting and visualization. |
| Memory management | NS2 requires basic manual C++ memory management functions. | All normal C++ memory management functions are still available. Automatic de-allocation of objects is supported using reference counting. |
| Packets | Two regions: header and payload. NS2 never frees memory used to store packets. | Single buffer of bytes and tags. Information is added to the packet using subclasses. |
| Performance | Bad scalability. | Better memory management. Packets do not contain unused reserved header space. |
| Simulation output | Network animation (NAM). | PyViz, a Python-based real-time visualization package. |

Table 2.1: Comparison between NS-2 and NS-3 simulators. Source: http://wrc-ejust.org/crn/images/Tutorials/ns2vsns3.pdf
NS-3 also has a new cognitive radio extension which was published in 2014
[79]. This extension provides the basic blocks that are necessary to provide such
functionality in NS-3. As we can see in Figure 2.4, a spectrum management block
has been included. Also, a repository in order to store valuable information and
a new primary user database are available. Finally, the availability of 3 different
wireless interfaces in each node allows the implementation of cognitive strategies.
Figure 2.4: Building blocks of the cognitive radio extension for NS-3.
Another WSN simulator is TOSSIM [80], which is an emulator specifically
designed for WSN running on TinyOS, an open source operating system. This is a
very simple but powerful emulator. EmStar [81] is a trace-driven simulator running
in real time, specifically designed for WSN, built in C. EmStar has a robustness
feature that can mitigate faults among the sensors. It also provides a lot of modes,
making debugging and evaluation much easier. OMNET++ [82, 83] is another very
well-known framework among researchers. It proposes a modular library which
can be used to develop network simulators. Only by composing different modules,
the developer can create his/her own simulator or scenario.
Several other simulators have been developed for WSN [84]. We can mention
COOJA, OPNET, NetSim, J-Sim, ATEMU, Avrora, QualNet, etc. None of these
simulators have cognitive features. As described in the previous section, a
cognitive network has two main characteristics:
- Maintain awareness of its environment, including the spectrum.
- Optimize its radio parameters according to the requirements.
These two main features could be divided into several derived characteristics.
According to these necessary characteristics a CWSN simulator should be
implemented. In the past, some attempts to develop a CWSN simulator have been
made. The first approach has been to develop cognitive features over an existing
WSN simulator. In [85], the authors propose a new model over NS2 for routing in
cognitive networks. With this goal, changes to the NS2 architecture are explained,
such as support for multiple channels. Multiple channel supporting is one of
the first changes that any simulator should handle. However, the implemented
changes in [86] are not enough because only a few radio parameters can be
changed. For example, power transmission and propagation can be modified but
other parameters must remain the same. Moreover, other CWSN aspects like
power management, collaboration, scalability and learning are not mentioned or
implemented in the NS-2 model.
Despite the limitations of the NS-2 simulator in cognitive scenarios, multiple
researchers have chosen NS-2 for their investigations because NS-2 is the only
WSN simulator with some cognitive features. For example, work [87] presents an
algorithm to optimize the route selection in a disaster situation. The main idea is
that the wireless nodes sense the spectrum. According to some parameters such
as latency, jitter or packet error rate, the nodes choose the optimal communication
interface between them. The decision is made individually and is transmitted by
satellite communications. This scenario is simulated in NS-2 using nodes with three
wireless interfaces. The interfaces change during the simulation time. That is, the
nodes cannot use more than one interface at the same time. However, the work
does not explain how the spectrum sensing works, and collaboration and learning
do not exist. Finally, the scenario presented in this work is a cognitive application
with different traffic and protocols than the ones from WSN.
Another work is presented in [88]. It evaluates a solution for coexistence in
wireless LAN, based on a new MAC layer. The simulations are implemented over
NS-2, but it is not focused on WSN. The authors describe how the cognitive nodes
sense the channels and agree on the active channel. In order to make this decision,
they use a control channel. In this work, the simulator architecture was not modified
and the cognitive features are poorly explained. For example, they talk about
predicting the length of a spectrum hole. However, it is not explained how this data
is obtained. Power management is not presented and the scalability is untested. In
addition, only a simulation with 10 nodes is presented.
Apart from the NS-2 simulator and its new cognitive features, some cognitive
simulators have appeared over the past few years. The following simulators have
not been implemented for WSN but they include some cognitive features. For
example, in [89], the platform presented is focused on spectrum sharing. For that
reason, the physical layer and the spectrum resource manager are the modules
that implement cognitive features to avoid primary-user collisions. Important
characteristics of WSN such as mobility, consumption and protocols are not in the
scope of this simulator.
The authors of [90] present software to simulate cognitive networks scenarios.
They divide their architecture into five modules: scheduling module, mobile node
module, statistics module, wireless environment module and the interface. The
cognitive features are implemented in the mobile radio module and the statistics
module. Among the mentioned implemented characteristics are spectrum sensing
and information storage. The collaboration between nodes is not explained. As in
the previous work, WSN key features are not presented.
Another example of a cognitive simulator is presented in [91]. It is focused on
the definition of an autonomic communication element (ACE) architecture. The
architecture is not for WSN and the development is in RuleML language. The
authors present an interesting approach to cognitive nodes. They define some
modules that represent the cognitive features. Some of them are the spectrum
sensing or the experimental database modules. However, the authors do not explain
the implementation of the cognitive strategies in detail and they do not
present results or any evaluation.
SENDORA (Sensor Network for Dynamic and Cognitive Radio Access).
The SENDORA project, developed in 2010, introduced a new approach to CR called
Sensor Network aided Cognitive Radio. This project was led by Thales, Eurecom,
NTNU, Telenor, KTH, TKK, and the Universities of Rome, Valencia and Linköping. It
was divided into 8 work packages that ranged from management activities
to dissemination, passing through definition, integration, implementation and
demonstration activities. The software developed was based on the NS simulator and
the hardware implementations were based on the VHDL language.
The SENDORA project produced a large number of papers and literature;
nevertheless, the software developed has been pushed into the background by
other simulators. The hardware implementations, carried out on FPGAs
(Field Programmable Gate Arrays), yielded useful data, but data that is not realistic for WSNs.
Hence, the simulations deployed do not use real device data for their power models.
The emerging problem of spectrum saturation in WSN that we have explained
in the introduction and the current state of cognitive simulators explain the
motivation of this work. Only NS-2 supports today’s cognitive characteristics in
WSN scenarios, but it has a lot of limitations. The other simulators present more
cognitive features but they omit the WSN ones.
After the simulation stage, researchers generally use a test-bed, before the real
implementation. There are multiple test-beds for specific developments. TWIST [92]
and VT-CORNET [93] are the most important test-beds nowadays because of their
general purpose features and their quality.
The TKN Wireless Indoor Sensor Network Testbed (TWIST) is a multiplatform,
hierarchical test-bed architecture developed at the Technische Universität Berlin.
Figure 2.5: CREW project scheme overview.
This test-bed is part of the CREW European FP7 project [94]. The self-configuration
capability, the use of hardware with standardized interfaces and the inclusion of
open source software make the TWIST architecture scalable, affordable, and easily
replicable. The TWIST instance at the TKN office building is one of the largest
remotely accessible test-beds. The nodes are deployed in a 3D grid spanning 3
floors of an office building at the TUB campus, resulting in more than 1500 m² of
instrumented office space. Currently the setup is populated with 102 TmoteSky [82]
nodes operating at 2.4 GHz and 102 eyesIFX [57] nodes at 868 MHz, resulting
in a fairly regular grid deployment pattern with an inter-node distance of 3 m. A set of
low-cost USB WiSpy Spectrum Analyzers for the 2.4 GHz band collects data and
stores it in a repository; this information is used as a database for the CR algorithms
and spectrum use optimization.
It must be clarified that the nodes employed at TWIST do not possess frequency
agility beyond their single frequency band. Hence, none of them can be considered
CWSN nodes. Even though the test-bed is a step in that direction, it is not yet a
completely valid and trustworthy CWSN platform.
Figure 2.6: TWIST: functionality overview.
The Virginia Tech COgnitive Radio NEtwork Testbed (VT-CORNET) [93] is a
collection of Cognitive Radio nodes deployed throughout a building at the Virginia
Tech main campus. The test-bed consists of a total of 48 Software-Defined Radio
nodes. It is implemented with a combination of a highly flexible RF front end, and
an openly available Cognitive Radio Open Source System framework.
The test-bed consists of a total of 48 static SDR nodes based on USRP2, located
on the ceilings throughout the ICTAS building, with 12 nodes placed per floor.
Figure 2.7: VT-CORNET scheme overview.
In addition to the static nodes, low-power mobile nodes will also be available in
order to provide a research environment that accommodates a wide variety of research
topics.
The test-bed is remotely accessible, and its emphasis is on cognitive engine design, self-organizing
networking algorithms, and network security. The test-bed enables researchers
to implement and test their algorithms, protocols, applications, and hardware
technologies within a realistic environment.
The devices used in this platform are not real WSN nodes, since their RIs are based on
SDR. These RIs are not suitable for WSNs because of their high power consumption.
Despite their possibilities for frequency mobility, the solution implemented by this
test-bed is not a real CWSN implementation.
The ORBIT project, launched in 2003 [95], is a large-scale open-access wireless
test-bed. It can be used by the research community working on new wireless
communications. In some aspects it is similar to the TWIST test-bed, a large
deployment of wireless nodes with spectrum sensing capabilities, but it lacks the
possibility of combining different radio interfaces in the same node.
Research on CWSN simulators is emerging, but it is still in a primary state. A
simulation with a high number of nodes is necessary in WSN scenarios. It is very
expensive to build a lot of real devices to test a concrete low-power strategy. The
integration of real data devices and a high number of nodes is only possible using a
feedback relation. Currently, there is no CWSN simulator with standard protocols
and feedback from real devices that uses cognitive characteristics for intelligent
energy management in order to test new policies, assess collaboration schemes or
validate different optimization mechanisms.
SENDORA, the only simulator with cognitive capabilities, does not use
real device data for the power model. Other simulators like NS-2 lack
cognitive capabilities such as learning, using different radio interfaces or managing
collaboration between nodes. Therefore, an implementation of a completely
new cognitive module over an existing WSN simulator, specifically the Castalia
Simulator (based on the OMNET++ framework), and a new CWSN device with
three different radio standard interfaces are proposed.
2.5. Conclusions
As noted in the previous section, security strategies have focused on the
physical layer where multiple solutions have been studied. This is logical because
of the cognitive characteristics such as spectrum sensing and wireless parameter
adaptation. Nevertheless, an unexplored area remains in security strategies for
upper layers.
On the other hand, the security for CWSNs is an important aspect due to the
recent growth in the demand of these networks in critical areas such as military,
industrial, or medical applications. Moreover, the specific restrictions of the nodes
that form the networks make them vulnerable to most attacks and limited in
capacity to execute countermeasures. In this section, some of the biggest challenges
facing the security in CWSNs have been analyzed.
2.5.1. Cognitive frameworks
In the past, some attempts to develop a CRSN simulator have been made
[85]. However, the implemented changes in the simulator are not enough because
only a few radio parameters can be changed. The conclusion is that research on
cognitive wireless sensor simulators is emerging, but it is in a primary stage.
Real or simulated scenarios scarcely exist and realistic platforms are crucial to the
improvement and development of this new field. The shortage of CRSN devices or
test-beds contributes to the scarcity of results in this area.
If the previous work on cognitive simulators is insufficient, realistic
CWSN platforms with access to different spectrum zones and a real ability
to adapt their interface according to the state of the spectrum do not exist. Most
works related to CWSN platforms are related to software defined radio. In most
cases, these platforms use high-resource devices such as the FPGAs of USRPs,
which are not WSN devices. On the other hand, there are many WSN platforms with
low resources but without cognitive characteristics. Focusing on CWSN devices,
there are no specific platforms to develop applications and services with cognitive
capabilities.
Therefore, it is important to increase the effort in the development of real
simulator platforms and test-beds for CWSNs in order to test new security
mechanisms.
2.5.2. Side effects
The use of cognitive features in WSNs opens tremendous possibilities for new
applications and better performance. Nevertheless, the potential risks of CWSNs
have increased compared to traditional WSNs. The wireless nature and the
restrictions of WSNs become a problem when trying to detect new attacks specific to
cognitive networks, such as PUEAs.
The performance of security techniques is affected by some factors related
to WSN restrictions. If these factors affect the information acquired, such as the
received power or the received data rate, they will modify the decisions taken by
the system.
In CWSNs, nodes can be mobile, including linear or random patterns. The
random movement covers a general scenario where the nodes have complete
freedom of movement. Applications that can be represented by this kind of scenario
are countless, such as monitoring with robots or wearable nodes. The random
movement implies that the nodes check the received power constantly and at
a high rate. This is because the node can modify its trajectory at any moment,
which affects the learned parameters (received power and received packet rate).
The random movement can be modeled by a linear movement when the sensing
rate is high or the movement is slow. In this case, the study of a linear movement
represents a specific scenario where the SUs do not require frequent spectrum
sensing, reducing the energy consumption. Moreover, the SUs would predict the
trajectory of the nodes, and therefore, adapt the strategy in order to get better
results. In both cases, the negative effect of the movement on security strategies has
never been studied. In fact, most security approaches in CR assume a static scenario,
which is not applicable to CWSN scenarios.
Another important side effect in security strategies is the one produced by variations
in the wireless path loss model. Most path loss models include a random
term in order to simulate the effects of wireless communications such as multipath propagation or shadowing. Changes in this model affect the perception of the
spectrum usage, which is the main information in most of the strategies. Together
with the fact that CWSNs work in completely different environments with different
path losses, this makes the wireless path loss one of the most interesting parameters
to study.
In a CWSN, the connection and disconnection of nodes during the entire
network life is completely normal. Also, it is possible that some nodes leave the
network because they enter a sleep mode, and when they wake up, they start the
joining process again. The nodes that join the network after the global starting time
will have a shorter learning stage and, therefore, worse node profiles. Moreover, if a
node is in the network for less time during the learning period, the rest of the nodes
will have a less precise profile of it, provoking more false positives.
As the security algorithms and a CWSN’s operation are based on the spectrum
sensing information, errors in this critical data can result in wrong decisions.
The CWSNs can be deployed in hostile environments including electromagnetic
interference, changing climate, or physical obstacles. Moreover, when placed in
accessible locations, the nodes can be damaged by machines or people in an
intentional or unintentional manner. This side effect can be interpreted as an SSDF
attack by some strategies. However, security mechanisms in hostile environments
should be more precise in order to avoid these situations.
The mentioned side effects can be very dangerous for most security strategies.
However, they have not usually been taken into account when a countermeasure is
analyzed.
2.5.3. Future solutions
The first steps in security in CR attempted to deal with the PUEA. The
approaches used in the research were developed for scenarios completely different
from the CWSN. In these scenarios, the PU are usually static TV towers with
a defined transmission pattern. The attackers try to simulate the same behavior
to deceive the SUs. Taking into account these static conditions, the pioneer
countermeasures were location-based.
Geolocation countermeasures that follow almost the same approach as
those in the previously mentioned works do not work in most CWSN scenarios. In a
regular WSN, nodes can change their location, and even attackers can change it.
In fact, attackers have the great advantage of their movement not being detected.
Another disadvantage of node mobility is that, to monitor PU movements,
there is a need to sense the spectrum continuously to detect new locations. This
continuous sensing drains the node’s batteries. Moreover, if the PU could be in any
spatial point, its location is irrelevant for security. For example, a mobile phone with
Wi-Fi could be a PU and this device could stay in any location. Other parameters
should be observed to differentiate between a PU and an attacker.
To conclude, if we want to use a countermeasure based on geolocation, some
restrictions should be defined such as restricted areas for attackers or a fixed
number of PUs in the scenario. This discussion aims to emphasize the importance
of including security strategies that could manage networks with some dynamic
parameters: the node location, the power transmission or the number of nodes.
On the other hand, the imposed resource limitations of CWSN devices increase
the challenge of implementing tighter security mechanisms, which usually need
a higher power consumption and processing resources. The hardware constraints
necessitate extremely efficient security algorithms in terms of bandwidth,
computational complexity, and memory. This is no trivial task. Energy is the most
precious resource for these networks. Communication and cognitive algorithms are
especially expensive in terms of power. Nodes in CWSNs are usually not easily
accessible after their deployment. As a result, it is very difficult and undesirable
to change their batteries. Given this limited power source, making efficient use of
the energy is crucial in these kinds of networks. Cognitive networks usually reduce
power emission to save batteries. An attacker can isolate a node easily. Clearly, a
special effort must be made for security mechanisms to be communication efficient
in order to be energy efficient.
Some of the proposed solutions in the related bibliography do not comply with
the requirements set out in CWSNs. For example, physical layer strategies such as
theoretical, code, and power approaches involve significant costs in terms of energy
and computation resources.
Theoretical approaches try to find better transmission parameters in order
to maximize the information between the sender and receiver. This includes a
mathematical process and ad-hoc values for the wireless interfaces. Nevertheless,
CWSNs devices always have a discrete number of values for each transmission
parameter (e.g. transmit power or modulation). Furthermore, if the execution of
these techniques is carried out in an unpredictable environment, the estimation of
new transmission parameters means energy depletion.
Code or encryption approaches have similar problems to theoretical ones. The
data encryption has been adopted by many wireless networks, but in CWSN nodes,
the encryption method is usually set by the specific hardware or the communication
stack. The complete system can use the encryption method provided by the
manufacturer. Usually, these are soft algorithms that can be implemented in
low-resource microcontrollers. This is an advantage for attackers, who can usually
employ more resources in order to break the security mechanisms. However, code
approaches are usually compatible with other security approaches.
Power approaches, at least initially, go against the power saving principle
in CWSNs. The use of artificial noise leads to an unavoidable increase in
energy consumption. However, these countermeasures do not need computation
resources, which makes them a solution to be taken into account. Nevertheless, the
energy optimization of these techniques is indispensable.
As we explained previously, the most recommended solutions are the ones
that take into account the modifications in the environment and the network, use
the resources available moderately, and take advantage of the opportunities that
CWSNs allow. In this category, three solutions could be highlighted: i) behavior-based, ii) reputation, and iii) game theory solutions. All of them could be deployed
in low-resource and distributed CWSNs and have demonstrated suitability for
variable environments.
Behavior-based solutions have been applied to security for as long as WSNs have existed. Some
solutions have been presented in Section 2.3.3.2, but many more strategies exist.
The greatest benefit of these countermeasures is that they can be implemented
with algorithms of different complexities. An example of a low-complexity algorithm
for detecting anomalies is the cumulative sum algorithm, where a learning phase
on some spectrum feature and a dynamic threshold can obtain satisfactory
results. On the other hand, genetic algorithms or self-organizing map (SOM)
algorithms could be used to detect PU behavior and to differentiate PUs from
attackers. These algorithms can detect patterns and behavior changes, so they are
a good solution for this problem. However, again, computational cost and battery
life should be taken into account.
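
The cumulative sum detector mentioned above, together with the mobility side effect described in Section 2.5.2, as an added example that is not code from this thesis. The received-power traces, the baseline of -70 dBm, the CUSUM parameters k and h, and the path-loss exponent are constructed or assumed values.

```python
# Added example (not from the thesis): CUSUM anomaly detection on a learned
# received-power profile. All traces and parameters below are constructed.
import math
from statistics import mean, pstdev

# Constructed zero-mean measurement noise (dB), repeated to build traces.
NOISE = [0.8, -0.5, 0.3, -1.0, 0.6, -0.2, 1.0, -0.7, 0.1, -0.4]
BASE_DBM = -70.0  # assumed received power of the legitimate PU


def make_trace(n, offset_db=lambda i: 0.0):
    """Build n received-power samples: baseline + offset(i) + noise."""
    return [BASE_DBM + offset_db(i) + NOISE[i % len(NOISE)] for i in range(n)]


def learn_profile(samples):
    """Learning phase: summarise the sensed feature as (mean, std)."""
    return mean(samples), pstdev(samples)


def cusum_alarm(samples, mu, sigma, k=0.5, h=5.0):
    """Two-sided CUSUM; returns the index of the first alarm or None.

    The slack (k*sigma) and the decision threshold (h*sigma) are derived
    from the learned spread, so the threshold follows each node's profile.
    """
    slack, threshold = k * sigma, h * sigma
    s_hi = s_lo = 0.0
    for i, x in enumerate(samples):
        s_hi = max(0.0, s_hi + (x - mu) - slack)  # accumulates upward shifts
        s_lo = max(0.0, s_lo + (mu - x) - slack)  # accumulates downward shifts
        if s_hi > threshold or s_lo > threshold:
            return i
    return None


def per_sample_alarm(samples, mu, sigma, n_sigma=3.0):
    """Baseline: flag the first single sample beyond n_sigma of the mean."""
    for i, x in enumerate(samples):
        if abs(x - mu) > n_sigma * sigma:
            return i
    return None


def moving_node_offset(i, start_m=10.0, step_m=0.05, exponent=3.0):
    """Log-distance path-loss gain (dB) of a node approaching the sensor."""
    return 10.0 * exponent * math.log10(start_m / (start_m - step_m * i))


# Learning phase on 50 samples of the unchanged emitter.
MU, SIGMA = learn_profile(make_trace(50))

# Case 1: unchanged emitter, no alarm expected.
NORMAL = make_trace(60)
# Case 2: an emulator appears at sample 20, only +0.8 dB at the sensor.
EMULATED = make_trace(60, lambda i: 0.8 if i >= 20 else 0.0)
# Case 3: the legitimate node starts moving towards the sensor at sample 10.
MOVING = make_trace(
    60, lambda i: moving_node_offset(i - 10) if i >= 10 else 0.0)

if __name__ == "__main__":
    print("normal  :", cusum_alarm(NORMAL, MU, SIGMA))
    print("emulated:", cusum_alarm(EMULATED, MU, SIGMA),
          "| per-sample check:", per_sample_alarm(EMULATED, MU, SIGMA))
    print("moving  :", cusum_alarm(MOVING, MU, SIGMA))
```

On these constructed traces the per-sample check never fires on the small power shift while CUSUM accumulates it into an alarm, and the same static profile also raises an alarm for a legitimate node that merely moves, which is the false positive that Section 2.5.2 warns about.
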
Trust and reputation systems share some advantages with CWSN features. The
main advantages of reputation systems in WSN are their objectivity, temporariness,
and dynamism. Also, reputation systems can be distributed in all nodes to improve
security, reducing the workload on any platform. Including spectrum sensing
inputs to the reputation system could also improve the performance of these
systems in cognitive networks. Finally, the dynamic and unsupervised features
make trust and reputation approaches a good intrusion detection system for
unknown attacks.
Finally, game theory approaches are among the most recent solutions applied
to security. The collaboration between nodes, the distributed decision
making, the adaptation to changes, and performance evolution are the shared
features of CWSNs and game theory. Moreover, they are one of the simplest
solutions to implement. As in the case of behavior-based solutions, game theory
can be implemented with games of different complexity. These factors make
game theory approaches an excellent solution for attacks such as jamming or
eavesdropping.
2.5.4. Summary
In our opinion, security in CRNs is starting to obtain results, but the adaptation
of these approaches to CWSNs will be a difficult challenge. The improvement of
cognitive development frameworks is a fundamental step if these networks want
to have success in critical applications. There are no simulation tools, but neither are
there real CWSNs on the market. The adaptation of WSNs to these scenarios is an
intermediate step, but the real growth will come when these devices implement real
cognitive characteristics such as multiple wireless interfaces, learning processes, or
intelligent collaboration.
The analysis of the side effects produced by WSN characteristics is an interesting
area to study. Most of the solutions presented in the literature make some
assumptions that are incompatible with CWSNs. However, mobile nodes, variable
wireless path loss, or spectrum sensing data errors are characteristics intrinsic to
CWSNs. This is even more true if we take into account some of the future
applications of these networks: wearable devices, Body Area Networks (BAN), or
the IoT.
Putting all this analysis together, it is coherent to think that the most
promising countermeasures for security in CWSNs are behavior-based, reputation,
and game theory countermeasures. The possibility of implementing these three
countermeasures with the resources of a wireless node, their adaptation to changes
in the parameters of the scenario of a CWSN, and their performance evolution
using information and collaboration are all reasons for recommending them for
consideration.
Chapter 3
Proposed security strategies
If you want total security, go to prison. There you’re
fed, clothed, given medical care and so on. The only
thing lacking... is freedom.
Dwight D. Eisenhower
3.1. Scenario
Security is a rarely studied field in cognitive networks. The
expansion of these networks may be small now, but this does not mean that security is not important.
On the contrary, security is important in WSNs and will be so in future cognitive
applications such as health, home security, or military scenarios. Spectrum sensing
is crucial in order to detect malicious behaviors in the transmissions or to analyze
suspicious changes in the radio spectrum. The abilities to learn and to collaborate are
also essential for many security algorithms. Finally, adaptation is the basis of some
countermeasures against jamming or routing attacks.
CWSN devices usually have a reduced size so that they can be deployed in any
place. This is an advantage in terms of installation time or flexibility, but it is also a
disadvantage in other aspects such as computational resources, coverage or battery
life. Limitations in memory storage and processing speed directly affect
security. Many complex security solutions become impractical in CWSNs. For
example, signal spectrum analysis is hard to adapt because of both hardware
and processing limitations.
The coverage can be limited because of the size of the antennas. However, in
low ISM bands, such as 434 MHz, this problem is less critical than the other mentioned
limitations.
Finally, battery life has been one of the most important problems since the
emergence of WSNs. The limited battery power is a bigger problem when the
nodes are in hostile environments where the batteries cannot be changed. This
limited power source, together with the requirement to run autonomously for long
periods, makes battery life an important challenge. Many works
deal with this problem [96] and present different approaches to energy reduction.
However, any new cognitive feature or security mechanism involves more energy
consumption. The transmission frequency is also a parameter that affects
consumption. The highest ISM frequencies, such as 5.8 GHz, need better hardware
and involve higher energy consumption.
This limitation is the most important to take into account and limits the
complexity of the countermeasures developed.
In our model, a CWSN consists of a set of cognitive wireless sensor nodes with
different roles. Each node can communicate with other nodes within a certain range.
In WSN, the common transmission range varies from 5 meters to 1 kilometer,
depending on the frequency and the transmit power. For example, the WSN nodes
in domotic applications have a transmission range of 20-30 meters.
In a common CR application, the PUs are usually a TV tower or a base station.
In most cases, the SUs know the location and the transmission parameters of PUs,
but with CWSNs we cannot assume that. The location and the radio parameters
of the nodes are unknown. However, we assume that the nodes have a stationary
behavior that allows them to learn from spectrum sensing.
The spectrum sensing functionality in CWSNs is implemented using the
information that the wireless interfaces offer to us. For example, if a cognitive device
has only one WiFi interface we can extract from it information such as the Received
Signal Strength Indication (RSSI) or the link quality. These interfaces work in the
ISM bands (2.4 GHz, 868 MHz and 434 MHz). The algorithm can change when the
scanning task is executed, but the interface limitations should be taken into account.
Another key aspect of CWSNs is the mobility of the nodes. In contrast to original
cognitive scenarios, the nodes of these networks can be mobile. Although this is not a
widespread situation in WSN applications, the possibility of movement exists, for
example in robotic applications, where each node is installed in a mobile robot.
Another example is assembly line monitoring, where a sensing device follows
the building process of a product in a linear movement.
The possibility of movement has been taken into account in order to propose
adaptable countermeasures that would not be greatly affected by these movements.
However, these characteristics can produce a reduction in performance that
needs to be studied.
In CWSNs the roles of SUs and PUs are different from traditional CRNs.
Whereas in CR the PUs are the users that have paid for the use of a certain
frequency band, in CWSNs the PUs do not pay. This is because CWSNs operate
in the free ISM bands, and anyone is allowed to transmit in them. Therefore,
the difference between PUs and SUs in CWSNs is based on other criteria: the
controlled sensors and the preference. While PUs take preference because they are
responsible for critical sensors and information, SUs only send information
when the channel is empty or it satisfies some conditions. For example, in a domotic
application the nodes that control the alarm sensors will be PUs and the nodes
that control temperature sensors will be SUs.
In a typical CWSN, the number of nodes can vary between a few nodes
and hundreds of them. The security mechanisms take advantage of this spatial
redundancy. For example, the information captured from the environment is
confirmed by multiple sensors. However, the collaboration between nodes must be
implemented; otherwise, the redundancy will not be exploited. For this reason,
we further assume the existence of a Virtual Control Channel (VCC) to share this
information, with no extra overhead over regular cognitive communications. The
VCC is a logical channel that can be implemented over any physical channel. In fact,
the VCC is logical because the physical channel on which it operates can vary over
time. Moreover, we also assume that the VCC has ideal characteristics. For example,
there is no interference, path loss or delay in the VCC.
3.2. System architecture
To this day, commercial wireless sensors are constantly being improved in terms of
hardware and software resources. Wireless sensors now have an acceptable level
of memory, battery life and processing capacity. Moreover, the number of services
that the software protocols implement allows new features in the networks. The most
important feature for this thesis is the spectrum sensing capacity.
Although most wireless sensor nodes have the ability to know some parameters of
the spectrum, there is no common solution for integrating this feature into a
cognitive architecture. The use or the definition of a cognitive architecture offers
many advantages. For example, in a research work, where multiple developers
are working at the same time with different systems, the definition of a common
architecture is the only way to share the advances. In this thesis, new
cognitive tools have been developed and need to share the same architecture in
order to make the solutions easier to port.
On the other hand, a common cognitive architecture clarifies the functional
blocks and encapsulates the new features in their corresponding module. The task
of including a new feature or improving an older one is easier if an architecture is
implemented.
The reference laboratories in cognitive radio have developed their own cognitive
architectures. For example, the Mobile and Portable Radio Research Group at
Virginia Tech has developed an architecture that is shown in Figure 3.1. Another
of the most important architectures in this area is the Connectivity Brokerage [97]
developed by the Berkeley Wireless Research Center (BWRC) at UC Berkeley.
Figure 3.1: Virginia tech CR architecture.
As the authors say, Connectivity Brokerage is a distributed functionality that
dynamically maps traffic requests to physical wireless resources and enables
optimization over heterogeneous set of technologies. Their goal is to take advantage
of the new advances in agile radios in order to adapt the network to the continuous
changes in the radio spectrum or in the resources of the nodes.
The criterion for the selection of the architecture was the relationship and the
collaboration among our laboratory, the B105 Electronic System Lab, the BWRC and
the Telecommunication Networks Group (TKN) at TU Berlin. In this last group, the
author of this thesis completed a research stay where he could collaborate in a European
project using the CB architecture.
The architecture defined by Parsa et al. [97] follows general concepts in order
to be adaptable to any system, technology or platform. They define the concept of
Connectivity Agent (CAgent), which is the main component of the network. Every
CAgent has six main functions, which are shown in Figure 3.2.
Figure 3.2: Connectivity Brokerage agent modules.
- Discovery. Allows learning from the environment.
- Access. The learned knowledge can be distributed thanks to this function.
- Repository. The information is stored in this module.
- Optimizer. The network uses the information in order to optimize some parameters.
- Policies. In this module is where the parameters to be optimized are defined.
- Executive. The decisions taken by the optimizer are transmitted by this module.
Four types of CAgent can be distinguished:
- Air Interface (AI), associated with each wireless interface, manages all the properties and parameters that can be modified in the interface.
- Platform Agent (PA), associated with each platform in the network. It controls the AIs present in the platform.
- Unified Network (UniNet), joins the AIs that follow the same communication protocol, for example, an IEEE 802.15.4 network.
- Composite Network (CompNet), is a collection of UniNets that collaborate for a common purpose.
All CAgents can communicate with each other using a VCC. The VCC is an
abstraction layer for communications that each network can implement according
to its resources and spectrum status. This channel defines a general interface that
CAgents use in order to share or to request information among themselves.
The general definition of the CR architecture makes it a good candidate for the
purpose of this thesis, where different tools and strategies have been developed.
It defines the components of the network and their functionalities but the design
of each module is a task for the developers. This is the first reason why the CB
architecture has been adopted in this thesis. Furthermore, I have collaborated in the
redesign of this architecture in an internship in the Telecommunication Network
Group in the Technische Universität Berlin.
Now that the scenario has been defined, the proposed security strategies are
explained.
3.3. Strategy 1: Anomaly Detection approach
This section explains the design of the first contribution of the thesis: the use of
anomaly detection strategies against PUE attacks. Firstly, the basic characteristics
of the anomaly detection strategies are explained, then the attack model is defined
and finally the strategies adopted in this thesis are pointed out.
3.3.1. Introduction to Anomaly Detection
Anomaly detection is defined as the action of finding patterns that do not
follow the expected behavior. Anomaly detection has been used in many critical
applications such as military activities, financial security, medicine or intrusion
detection.
The information of any application can be modeled as an n-dimensional data
set. For example, if we define a two-dimensional set as Figure 3.3 shows, we can
determine that there are some anomalies at points a1, a2 and a3.
Figure 3.3: Representation of a data set with 3 possible anomalies.
The first step in finding the anomalies is to define the expected behavior. This is a
critical task and can vary depending on the application. Some applications will have
the valid data densely grouped and the anomalies far from these normal regions.
However, the critical scenario is when the normal data and the anomalies are very
similar. Moreover, there are external parameters, such as noise, system failures or
lower precision that can affect the detection.
Several techniques are summarized in Table 3.1:
Technique | Type | Complexity | Cite
Bayesian | unsupervised | medium | [43]
Rule-based | supervised | low | ?
Cumulative Sum | unsupervised | low | [98]
Clustering | unsupervised | low | [99]
Nearest Neighbor | unsupervised | low | [100]
Neural Networks | supervised/unsupervised | high | [101]
Self Organizing Maps | unsupervised | high | [102]
Support Vector Machine | supervised/unsupervised | medium | ?
Genetic Algorithms | supervised/unsupervised | high | [103]
Table 3.1: Anomaly detection techniques
The anomaly detection techniques can be classified into two groups according to
the manner in which the technique groups the data set:
Supervised anomaly detection. These techniques assume that there is a
training data set where each data item is labelled as normal or as an anomaly.
Unsupervised anomaly detection. These techniques do not require a training
data set. The key idea is that the most common or frequent values are assumed
to be normal.
All these techniques are based on the principle that the data set is divided in
correct information and anomalies. This is the idea to apply in order to detect
the malicious behaviors that happen in the network. The difference between the
techniques is the process by which the regions of the space are divided in order to
classify the data set. This process can be more complex and precise or simpler and
less accurate.
The use of anomaly detection techniques in this thesis is a decision based on
the good characteristics of some of them in order to detect unknown anomalies
without a previous training and limiting the complexity of the system. The latter is
particularly important because of the limitations of CWSNs in terms of processing
resources and battery life.
In order to measure the effectiveness of the anomaly detection algorithm two
metrics have been selected: probability of false positives and probability of false
negatives. These two metrics can be defined as:
Probability of false positives ($P_{FP}$) is when a signal is from a PU and the
receiver classifies it as from an attacker.
$$P_{FP} = P(H_1 \mid H_0) \tag{3.1}$$
Probability of false negatives ($P_{FN}$) is when the signal from an attacker is
classified as an incumbent signal.
$$P_{FN} = P(H_0 \mid H_1) \tag{3.2}$$
where $H_0$ is the signal from a PU and $H_1$ is the signal from a PUE attacker.
Using these metrics, we can analyze whether the selection of the technique is correct in
order to detect the attack that is defined in the next section.
3.3.2. PUE attack description
As we have seen in Section 2.2, the PUE attack is one of the most important new
attacks in CR. The PUE attack has been modelled in cognitive scenarios [66, 62]. Chen
and Park are the first researchers to classify PUE attacks into two different
categories depending on their objective:
Selfish PUE attacks. In this attack, the attacker’s objective is to maximize its
own spectrum usage. The attackers prevent other SUs from using the spectrum by
emulating the signals of incumbent users, taking most of the spectrum
usage time for themselves.
Malicious PUE attacks. The objective of this attack is to obstruct SUs from
accessing the spectrum. The attacker does not want to use the spectrum, just
to prevent other users from using it. The adaptive features of CR make it possible
for a single attacker to obstruct multiple frequencies.
Both PUE attacks finally have the same characteristics: the attacker tries to
emulate the PU behavior and to avoid the use of the spectrum by other SUs.
In CWSNs, we assume these two characteristics, complemented by some new
assumptions:
A PUE attacker has hardware and radio interface characteristics similar to
those of the rest of the nodes.
The network does not have any information about the position of the PUE
attacker or its strategy.
The PUE attacker and the PU cannot have exactly the same radio behavior.
Usually, the attacker will be a node inside the network or a similar one that
wants to join the network. If the attacker is a node of the network, it normally has
the same characteristics as the rest of the nodes. This situation occurs when a
node is compromised or physically captured. It can be assumed that this problem
is common in CWSNs because of the hostile, large and unattended scenarios where
these networks can be deployed. The second case is when an external node wants to
join the network as an attacker. In order to do that, the wireless transmitter of
the attacker should be compatible with the network. If its behavior is suspicious
from the first moment, the anomaly will be detected easily. If the attacker is more
sophisticated, the network will discover it at the moment when the attacker
changes its behavior in order to achieve its goals.
We can assume that regardless of the kind of PUE attack, the malicious node
has to change its behavior. If the attacker is a selfish PUE, the malicious node
will change its power transmission or transmission rate in order to acquire more
spectrum time. In this case, the SUs receive new information that changes their
perception of the spectrum usage. In the other case, if the attacker is a malicious
PUE, the attacker node has to change its behavior in order to affect the transmission
of the SUs. An example of this situation is a home security sensor network where
a malicious PU is captured and used to attack the network. If it tries to perturb the
correct behavior of the network, it should change the radio parameters to interfere
with PUs and SUs. If the attacker continues to have the same behavior since the
creation of the network and if it uses exactly the same radio parameters, attack
detection becomes almost impossible using either behavior learning or any other
method. Moreover, in this situation, the network behavior is not affected, so the
attack has no effect.
In CWSNs the nodes have a limited number of wireless configurations. Each
configuration has a defined value for each radio parameter, such as transmit power,
frequency or modulation. If the PUE attacker wants to inflict the greatest possible
damage, it will use the highest transmission power, the highest transmission rate or
another intelligent strategy that requires multiple changes in the radio interfaces. If
the PUE attacker wants to avoid detection, it will use parameters as similar as
possible to those of other incumbent nodes. This last situation is more dangerous,
taking into account that the first step in any security strategy is to detect the attack.
For this reason, during the design and experiments, this premise has been taken as
the worst-case scenario.
Finally, the position of the attacker is unknown for the rest of the network
for three main reasons: first, the CWSN nodes usually do not have a localization
module and they do not implement a location algorithm. Second, the attacker can
be any node captured at a random time. Finally, the nodes in this scenario can be
mobile, so their position changes and a tracking algorithm would have to be used
to follow the position of any node.
3.3.3. Anomaly detection design and characteristics
Taking into account this PUE attack scenario and the characteristics of CWSNs a
solution based on the use of node behavior is presented as the first approach. If we
focus our CWSNs on limited scenarios, for example, ambient intelligence in a home
or a building, the PU is specifically defined. Parameters like power transmission,
time occupancy of spectrum, and transmission frequency could be modeled.
Learned behaviors of these parameters make it possible to create profiles, which are
compared with periodically acquired measurements. As has been said before, when a
PUE attack happens, an anomaly in the learned parameters can be detected.
As we have explained before in Section 3.3.2, the intrinsic goals of an attacker
make it impossible to have a complete likeness between a PU and a PUE attack. For
example, if the goal of a PUE attack is the use of a whole frequency band, it needs
to transmit more frequently, with more power and different types of packets than a
normal PU. Taking this assumption into account, the next step is to define which
parameters an attacker is most likely to change. If the attacker wants
to transmit with a higher transmission rate or to take control of the spectrum
for more time, it needs to change the period between packets, the data rate or
the transmission power. A more efficient modulation would be another possibility,
but this is not possible in most CWSNs. In this thesis, we have selected power
transmission or data rate as the features most likely to change when a PUE
attack happens. Another advantage of these parameters is that they can be used in
more flexible networks or independently of the application.
The detection of these anomalies in a CWSN is improved thanks to some
cognitive features such as spectrum sensing and learning. Spectrum sensing
allows the nodes to capture more complete information about the
communications and the spectrum state. The learning feature is very important
because it allows the implementation of the anomaly detection strategy. Another
advantage over previous works is the collaboration between nodes. The
final decision in the detection of anomalies is collaborative. The more nodes
collaborate in the decisions, the better the PUE detection results. One important
reason to use collaboration in these scenarios is that the attacker’s position is
unknown. If the system only uses the information of one or a few nodes, the
node profiles might be wrong because of the attenuation or the distance between
the SU and the attacker. For example, if an SU is far from the attacker, as we
can see in Figure 3.4 with node SU2, it might not receive all the packets
transmitted by the attacker. Moreover, the received power could be very variable
because of the attenuation. For example, in the same figure node SU1 is in another
room, and the attenuation produced by the walls makes the information
captured by this node less accurate.
Figure 3.4: Anomaly detection scenario.
The redundant information, inherent in WSNs, and the collaboration in CWSNs
reduce the possibility of errors in the sensed information, creating better
profiles and improving the security-related decisions. Another motivation for
collaboration is the resource limitations. Nodes of CWSNs have to sleep, and their
computing resources and energy are limited. During the sleep state, the nodes
do not capture information. In these moments, other active nodes can capture
information, and the profiles are developed with data from all periods.
Figure 3.5: Cognitive features and modules responsible for them.
The anomaly detection technique is obviously influenced by the application. If
the application of the nodes has a shifting behavior, this solution will detect these
abrupt changes as anomalies. An example of this kind of application is a fire monitoring
network, where the nodes transmit just a keep-alive packet with a very low
data rate in order to save energy. However, when they detect an approaching fire
they start to transmit a lot of information. In order to solve these problems, some
additional techniques should be included, for example, adding more policies to
the system. In this example, we will have two correct profiles for each node, one
for when the nodes have the energy saving policy active and a second one for when the
nodes have the alarm policy active.
The system architecture presented in Figure 3.5, based on the CB architecture
described in Section 3.2, makes use of the collaboration in order to achieve the
anomaly detection goal. Its main characteristics are the distributed learning and
the collaboration in the final decisions.
Spectrum sensing is the first module of the entire chain in the system. All the
nodes in the system sense the radio spectrum and analyze the data to create a sufficiently
precise profile of each node. The spectrum sensing in this system consists of the
detection of the signal level in each channel. Each node is aware of the spectrum
occupancy in its near range. Moreover, the nodes are able to detect all the valid
packets over a reception power threshold. Despite the fact that the packets are
usually sent to a specific node, the rest of the nodes in a sensing stage can capture
the packets and extract information from them such as the source, the sink, and the
time stamp.
Cognitive wireless nodes have some constraints that limit the system when a
database has to be created. For example, low computational resources and low
available memory do not allow for the creation of complex detection algorithms or
the storage of large databases. Therefore, it is important to reduce the amount of
information stored in the nodes.
When the system has captured enough packets, the node profiles are ready to
be compared with the new samples. During this step, the optimizer applies the anomaly
detection algorithm, compares the current samples with the generated profiles and
sends anomaly warnings to the application.
The application layer is responsible for managing anomaly warnings. Above
the application layer, the whole system can be applied for any anomaly detection.
In this work, the application filters the warnings and only creates a PUE attack
warning when the anomaly continues for a configurable time. If the anomaly
behavior in a node exceeds that time, the application marks the node as a possible
PUE attacker.
The stored information or alarms used by an isolated node could be useful
for a particular optimization, but if the final goal of the network is a general
optimization of a parameter, in this case the security and collaborative strategies
are essential. Collaboration strategies are a common solution in other cognitive
fields like spectrum sensing and also in security scenarios, such as PUE detection.
The next section shows how the introduction of collaborative detection significantly
improves results.
In this work, the SU nodes collaborate by sharing information about the detected
anomalies. This information may be characteristic of spectrum sensing or anomalies
detected by a single node. When an application marks a node as a possible PUE
attacker, it sends a message through the VCC, a method for sharing information in
cognitive networks. Finally, as we will explain later, the VCC allows other nodes to
access almost any information stored in other neighbour nodes.
Once the general design of the anomaly detection system has been explained,
the details of each anomaly detection technique proposed in this thesis are
described.
3.3.4. CUSUM algorithm
We propose as the first approach the nonparametric Cumulative Sum (CUSUM)
algorithm [99] for the detection of changes in some key spectrum sensing captured
features. The CUSUM is an algorithm used in WSNs in order to detect changes in
the mean value of a stochastic process. An anomaly is detected by comparing this
accumulated mean value with a predefined threshold value.
The advantages of this algorithm in CWSNs are its low computational
requirements and the fact that it assumes no previous knowledge about the PUE
attack. Also, this algorithm only needs to store a small amount of data, which is essential for
low-resource nodes. As explained in Section 3.3.3, if the scenario is limited,
the sensor nodes usually have a stationary behavior. Moreover, the attack happens
at an unknown time. These are the reasons why the CUSUM algorithm is applicable in
this approach.
There are two main parameters that affect the performance of the CUSUM
algorithm. The first one is the value of the threshold that separates the incumbent
information from the anomalies. The use of a high value causes more delays in the
detection and fewer false positives. However, a lower value increases the number
of false positives. Figure 3.6 shows an example where the threshold is very small
compared with the change in the signal when the anomaly starts.
Figure 3.6: Anomaly detection using CUSUM and the received power average.
The second aspect is the selection of the features used to detect the anomalies.
In this case, the received power is necessary to model the node behavior. This
feature has been selected for the reasons explained in Section 3.3.2, assuming
that the PUE attackers have to modify their behavior in order to reach their goals.
Moreover, the received power is accessible in any real wireless protocol.
Once the main parameters have been selected, the design of the solution is
described. The first task is the definition of the spectrum sensing function.
This task is made by the Discovery module which is implemented in the physical
radio layer. This layer is configured in reception mode in order to detect all the
packets in the operation frequency band. These packets are analyzed at physical
layer extracting some parameters such as the carrier frequency, the bandwidth, the
modulation type or the received power. In this solution we use the received power
that is stored in the repository.
In order to do that, an internal message with sensing information has been
created. This message contains information about the sensing parameters, the
interface and the channel where this information has been obtained, and the identity
of the transmitter node if it is available.
The sensing message is sent to the repository and the optimizer modules. The
repository module saves this information while reducing the memory usage as much
as possible, since memory is a limitation in CWSNs.
A good approximation is to save the key parameters that define the feature. In
this work, the number of measures, the average, and the variance are stored in each
node repository. The average $X_n$ and the variance $S_n^2$ are calculated using only
their previous values and the current sample, as shown in:
$$X_n = \frac{1}{n}\sum_{i=1}^{n} x_i = X_{n-1}\,\frac{n-1}{n} + \frac{x_n}{n} \tag{3.3}$$
$$S_n^2 = \frac{1}{n}\sum_{i=1}^{n} x_i^2 - |X_n|^2 = E_n^2 - |X_n|^2 \tag{3.4}$$
$$E_n^2 = E_{n-1}^2\,\frac{n-1}{n} + \frac{x_n^2}{n} \tag{3.5}$$
where $E_n^2$ is the average of the squared values. So, each node creates a table with
the following data:
$$[NodeID,\ n,\ X_n,\ S_n^2,\ E_n^2] \tag{3.6}$$
During the learning phase, each node’s repository stores the profile of
the network, created by the optimizer, with the information sensed from the
environment. The learning phase duration implies quicker or longer adaptation
which is inversely proportional to the failures of the system. Longer learning phases
imply better detection.
Throughout the learning stage, the nodes update and refine these values, which
will be used as the base in the anomaly detection algorithm.
We assume that this learning phase should be carried out in a controlled scenario,
where an attack cannot occur. If this controlled learning phase is
compromised, the algorithm will learn wrong profiles of the nodes and the
detection rate will be affected. The results for this situation can be seen in Section
5.3.4.
Figure 3.7: Representation of the two phases in CUSUM algorithm.
Once the learning phase has been finished, the optimizer starts a new task,
the comparison between the new data and the profile. The comparison between
the samples and the profile is calculated according to the Euclidean distance. This
metric has been adopted because of its popularity in many research areas and its
simplicity.
When the distance between a new sample and the profile is lower than a number
of standard deviations, the sample is considered as a normal value. However, if
the sample is out of the allowed range, the optimizer sends an anomaly warning
to the application level. In this way, the algorithm can be configured with a high
threshold value, which implies a low false positive rate and a slow detection, or with
a low threshold value, which implies more false positives but a faster detection. This
behavior can be seen in Figure 3.6, where at first the received power is
quite similar to the learned average. However, at second 27, the received power
changes, indicating a possible anomaly.
Finally, the optimizer filters the warnings and only creates a PUE attack warning
when the anomaly continues for a configurable time. If the anomalous behavior in a
node exceeds that time, the application marks the node as a possible PUE attacker.
This filters out point anomalies, which can be produced by irrelevant signal fading
or a simple spectrum sensing mistake. Using this filter, the number of false positives
is reduced.
Figure 3.8: Modules involved in the CUSUM algorithm and interactions. Diagram labels: Radio, Sensing Messages, Repository, Optimizer, request data, response data, PUEA alarms, VCC.
In the collaboration level, the nodes send the PUEA alarms through the VCC.
The final requirement in order to mark a node as an attacker is that a number of
nodes send the PUEA alarm in an interval of time. The collaborative detection of the
attackers is the union of individual decisions that could be influenced by specific
details, such as the position, the movement or the status of one isolated node.
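The steps of this section can be put together as follows. This is an added example, not code from the thesis: it keeps the repository row of (3.6) with the recursive updates (3.3) to (3.5), applies the distance test against a number of standard deviations, filters point anomalies, and counts PUEA alarms from different nodes. The received power samples are constructed, and the names `Sensor` and `collaborative_decision`, the persistence counted in consecutive samples and the `min_sigma` floor are assumptions of the example.

```python
import math
from dataclasses import dataclass


@dataclass
class Profile:
    """Repository row of (3.6): [NodeID, n, X_n, S_n^2, E_n^2]; S_n^2 is derived."""
    node_id: str
    n: int = 0
    mean: float = 0.0     # X_n, running average of the received power (dBm)
    mean_sq: float = 0.0  # E_n^2, running average of the squared samples

    def learn(self, x):
        # Recursive updates (3.3) and (3.5): no sample history is kept.
        self.n += 1
        w = (self.n - 1) / self.n
        self.mean = self.mean * w + x / self.n
        self.mean_sq = self.mean_sq * w + x * x / self.n

    @property
    def std(self):
        # (3.4): S_n^2 = E_n^2 - |X_n|^2, clamped because rounding can push it below 0.
        return math.sqrt(max(self.mean_sq - self.mean ** 2, 0.0))


class Sensor:
    """One SU: learns a profile per transmitter, then filters point anomalies."""

    def __init__(self, k_sigma=3.0, persist=3, min_sigma=0.5):
        self.k_sigma = k_sigma      # allowed distance, in standard deviations
        self.persist = persist      # assumption: persistence counted in consecutive samples
        self.min_sigma = min_sigma  # assumption: floor so a perfectly flat profile stays usable
        self.profiles = {}
        self.streak = {}

    def learn(self, node_id, rx_dbm):
        self.profiles.setdefault(node_id, Profile(node_id)).learn(rx_dbm)

    def observe(self, node_id, rx_dbm):
        """True once the anomaly has persisted long enough to send a PUEA alarm."""
        p = self.profiles[node_id]  # KeyError: the node was never profiled
        limit = self.k_sigma * max(p.std, self.min_sigma)
        if abs(rx_dbm - p.mean) > limit:  # Euclidean distance in one dimension
            self.streak[node_id] = self.streak.get(node_id, 0) + 1
        else:
            self.streak[node_id] = 0      # isolated spike (fading, sensing error)
        return self.streak[node_id] >= self.persist


def first_alarm(learning, detection, node_id="N7", **kw):
    """Index of the detection sample that triggers the alarm, or None."""
    sensor = Sensor(**kw)
    for x in learning:
        sensor.learn(node_id, x)
    for t, x in enumerate(detection):
        if sensor.observe(node_id, x):
            return t
    return None


def collaborative_decision(alarms, quorum, window):
    """alarms: (time_s, reporter, suspect) tuples received through the VCC.
    A suspect is marked when `quorum` distinct reporters alarm within `window` seconds."""
    by_suspect = {}
    for t, reporter, suspect in sorted(alarms):
        by_suspect.setdefault(suspect, []).append((t, reporter))
    marked = set()
    for suspect, reports in by_suspect.items():
        for i, (t0, _) in enumerate(reports):
            if len({r for t, r in reports[i:] if t - t0 <= window}) >= quorum:
                marked.add(suspect)
                break
    return marked


# Constructed received power (dBm) of transmitter N7 as seen by three SUs, 1 sample/s.
LEARN = {
    "SU1": [-60.0, -61.0, -59.0, -60.5, -59.5] * 4,  # same room, stable link
    "SU2": [-80.0, -86.0, -74.0, -83.0, -77.0] * 4,  # far away, strongly attenuated
    "SU3": [-65.0, -66.0, -64.0, -65.5, -64.5] * 4,
}
DETECT = {
    "SU1": [-60.2, -55.0, -59.8, -54.0, -53.5, -54.2, -53.8],  # one spike, then a shift
    "SU2": [-79.0, -75.0, -74.0, -73.0, -76.0, -74.0, -75.0],  # shift hidden in the spread
    "SU3": [-65.1, -64.9, -59.0, -58.5, -59.2, -58.8, -59.1],
}


def demo():
    alarms = []
    for su in LEARN:
        t = first_alarm(LEARN[su], DETECT[su])
        if t is not None:
            alarms.append((t, su, "N7"))
    return alarms


if __name__ == "__main__":
    alarms = demo()
    print(alarms, collaborative_decision(alarms, quorum=2, window=10))
```

SU2 never raises an alarm because its learned spread is wider than the power change, which is the situation the collaborative decision is meant to cover.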
3.3.5. Data Clustering algorithm
The second proposed algorithm for anomaly detection is called data clustering.
Data clustering is an unsupervised classification of data into groups, called
clusters, as Figure 3.9 shows. This classification is made taking into account the
similarity among the data set. The goal is to obtain a set of clusters that represents
the different patterns followed by the nodes.
Figure 3.9: Grouping the data set in clusters.
Data clustering algorithm has some similarities with CUSUM algorithm. For
example, both use an unsupervised classification. This feature allows us to
detect new attacks that we cannot know or predict. Another similarity is that both
algorithms have low computational resource requirements. This is essential for
their implementation in WSNs.
However, data clustering algorithm is presented as a better solution than
CUSUM algorithm because of two reasons: data clustering performs a better
division of the data value space and it can take into account multiple data features
as a whole.
There are multiple clustering techniques [104] that can be divided taking into
account different criteria. In this thesis, the sample space is divided using a
partitional algorithm which divides the samples into two areas using multiple clusters.
The reason for this is to adapt the shape of the partitions to the samples.
The spectrum sensing task is performed in the same way as in the CUSUM algorithm.
However, in this case, the radio module reports the received power and the time
between received packets. This is a two-dimensional clustering technique. If the
clustering algorithm includes more dimensions or parameters to be monitored,
the algorithm increases in complexity. In fact, the complexity of the clustering
algorithm follows Formula 3.7 [105]:
$$O(n^{dk+1} \log n) \tag{3.7}$$
where d is the number of dimensions, k the number of clusters and n the
number of data samples to be clustered. Therefore, additional dimensions increase the
complexity of the algorithm but also increase the possibilities of detecting the attacker. The
more dimensions the algorithm monitors, the better the detection rate.
Our decision was to take only two dimensions in order to improve the tradeoff
between performance and the consumption of computational resources. In the
analysis made in Section 3.3.3, we have explained why the transmit power and the
data rate are the features most likely to change when a PUE attack happens.
Moreover, these two parameters are configurable in most commercial sensor
nodes.
The optimizer creates flexible width clusters with a variable radius. The round
shape reduces to two the number of parameters to save: the center C and a radius
R. In this way, the amount of information stored in the repository is even less than
in the CUSUM algorithm.
Each node creates its own cluster set. At the end of the learning phase, the
clusters are marked as allowed values. Then, in the detection phase, if a new sample
does not fit in any cluster, the system treats it as an anomaly.
The data clustering learning phase is summarized in Algorithm 1.
The data clustering algorithm compares the data obtained with the set of
clusters. The comparison is made using the Euclidean distance between the center
of the clusters Ci and the sample. This distance works well when a data set has
compact or isolated clusters.
If the distance is lower than the radius Ri, the system marks the value as normal
data and updates the cluster. If the sample does not fit this requirement for any
cluster, it is marked as an anomaly.
Algorithm 1 Data clustering algorithm
    procedure MYPROCEDURE
        while Learning phase do
            Get a new data sample Di
            Normalize Di (‖Di‖)
            Find the nearest cluster which satisfies d < Rj, where Rj is the cluster’s radius
                and d is the distance between the data Di and the cluster centroid Cj
            if d < Rj then
                Add the data to the cluster and update the cluster parameters
            if d > Rj then
                Create a new cluster
        end while
As in the previous algorithm, the nodes filter out point anomalies by requiring that
an anomaly be continuous over a configured time. Finally, the same strategy is
adopted in order to mark a node as a PUE attacker. When the number of nodes that
send a PUE alarm about the same node is over a threshold, the node is marked as
an attacker.
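An added example of the learning phase of Algorithm 1 and of the detection phase described above, not the implementation used in the thesis. The samples are constructed (a node with a keep-alive rate and an alarm rate, as in the fire monitoring example of Section 3.3.3), and the normalization ranges, the initial radius `r0` kept constant, and the running-mean centroid update are assumptions, since the text does not give the update rule.

```python
import math

# Assumed feature ranges used to scale each sample to [0, 1] (not from the thesis).
RANGES = ((-100.0, 0.0),  # received power, dBm
          (0.0, 10.0))    # time between received packets, s


def normalize(sample):
    return tuple(min(max((v - lo) / (hi - lo), 0.0), 1.0)
                 for v, (lo, hi) in zip(sample, RANGES))


class Cluster:
    """Round cluster: only a center C, a radius R and a sample count are stored."""

    def __init__(self, center, radius):
        self.center, self.radius, self.count = center, radius, 1

    def distance(self, p):
        return math.dist(self.center, p)  # Euclidean distance

    def absorb(self, p):
        # Running-mean centroid update (assumed rule); the radius is left unchanged.
        self.count += 1
        self.center = tuple(c + (x - c) / self.count for c, x in zip(self.center, p))


class ClusterProfile:
    def __init__(self, r0=0.05):
        self.r0 = r0          # assumed initial radius, in normalized units
        self.clusters = []

    def _nearest_fit(self, p):
        fits = [c for c in self.clusters if c.distance(p) < c.radius]
        return min(fits, key=lambda c: c.distance(p)) if fits else None

    def learn(self, sample):
        """Learning phase of Algorithm 1 for one sample."""
        p = normalize(sample)
        cluster = self._nearest_fit(p)
        if cluster is not None:
            cluster.absorb(p)
        else:
            self.clusters.append(Cluster(p, self.r0))

    def is_anomaly(self, sample):
        """Detection phase: a sample outside every learned cluster is an anomaly."""
        p = normalize(sample)
        cluster = self._nearest_fit(p)
        if cluster is None:
            return True
        cluster.absorb(p)  # normal data updates the cluster, as the text describes
        return False


# Constructed (received power in dBm, seconds since previous packet) samples of one node.
LEARNING = [(-60.0, 5.0), (-61.0, 5.1), (-59.0, 4.9), (-60.5, 5.0), (-59.5, 5.2),  # keep-alive
            (-60.0, 0.5), (-60.5, 0.4), (-59.5, 0.6), (-61.0, 0.5)]                # alarm policy
DETECTION = [(-60.2, 5.05),  # keep-alive traffic
             (-60.0, 2.0),   # learned power, unlearned packet rate
             (-52.0, 5.0),   # learned packet rate, higher power
             (-60.0, 0.45)]  # alarm-policy traffic


def build_profile():
    profile = ClusterProfile()
    for s in LEARNING:
        profile.learn(s)
    return profile


def classify(profile, samples):
    return [profile.is_anomaly(s) for s in samples]


if __name__ == "__main__":
    prof = build_profile()
    print(len(prof.clusters), classify(prof, DETECTION))
```

The second detection sample has exactly the learned received power, so a profile built on power alone would accept it; it is rejected here only because the packet interval is part of the same distance.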
3.3.6. Side effects analysis
In this section, we present the analysis of six parameters that can affect the PUE
attack detection using the anomaly detection technique presented in Section 3.3.3.
We have chosen these six parameters for three reasons. The first reason is that all of
them affect the received power and the received packet rate, which are the features
used by the clustering algorithm. Secondly, these side effects are very common in a
WSN scenario and finally, the simulation framework allows us to test them.
3.3.6.1. Mobile nodes
WSNs include mobile nodes in many applications, such as monitoring systems,
wearable devices or medical assistance. For this reason, it is very interesting to study
the influence of their movement.
We have studied two different kinds of movement, shown in Figure 3.10:
linear and random movement. The reasons for the study of these two
movements are the following. First, the random movement covers a general
scenario where the nodes have complete freedom of movement. Applications that
can be represented by this kind of scenario are countless, such as monitoring with
robots or wearable nodes.
Figure 3.10: Linear and random movement.
The random movement implies that the nodes check the received power
constantly and at a high rate. This is because the node can modify its trajectory
at any moment, affecting the learned parameters (received power and received
packet rate). The random movement can be approximated by a linear movement
when the sensing rate is high or the movement is slow. In this case, the study
of a linear movement represents a specific scenario where the SUs do not need
to sense the spectrum frequently, reducing the energy consumption. Moreover, the
SUs would predict the trajectory of the nodes and, therefore, adapt the algorithm in
order to improve the learning phase.
Linear movement can be associated also with multiple WSN applications such
as mobile nodes in linear structures (corridor, rail, road or following a wall). Also,
the linear movement is a simpler scenario where the side effect can be studied easily.
Linear movement. The linear movement can distort the learned information. The
received power and the number of received packets are affected by the movement
of one or more nodes. We can model the received power of a static node as:
$$P_{rx} = P_{tx} - PL(d) \tag{3.8}$$
where $P_{tx}$ is the transmit power and $PL(d)$ is the path loss, which is the term influenced
by the node movement.
We can consider $P_{tx}$ almost constant over time. The $P_{tx}$ of a sensor node in
a specific application has minimal changes, in the range of a few dBm. The path
loss model used in this work, the log-normal shadowing model, follows
Formula 3.9 [106]:
$$PL(d) = PL(d_0) + 10 \cdot \eta \cdot \log(d/d_0) + X_\sigma \tag{3.9}$$
where $PL(d_0)$ is the known path loss at the reference distance $d_0$, $\eta$ is the path loss
exponent, and $X_\sigma$ is a Gaussian zero-mean variable with standard deviation $\sigma$. This
indicates that the differences in the power received by a node have a standard
deviation of $\sigma$, which implies differences that are absolutely insignificant compared with
the movement effect. The linear movement creates the following time-dependent
linear function for the received power:
$$P_{rx}(t) = P_{tx} - PL(d_i + st) \tag{3.10}$$
where $d_i$ is the initial distance, $s$ the speed and $t$ the time.
In an ideal scenario, where all the nodes are static, the anomaly detection
approach would create a clustering map without disturbances, where the clusters
are concentrated in a specific area. The clustering radius would be adapted to the
PUs and SUs of the network and the PUEA would be detected with good accuracy.
However, when the system includes mobile nodes the effect is reflected in the
results. In this case, it is expected that the learning stage will create clusters with
a bigger radius that cover more space in the normalized area. The reason is
that the sensed transmission parameters vary depending on the distance between
the transmitter and the receiver. This implies more false negatives in the detection
of anomalies. It is expected that the speed of the movement or the distance covered
will be proportional to the impact.
Random movement Something similar occurs with the random movement of the
nodes. In this case, the P L(d) includes in the path loss an extra term that can be
represented by a normal distribution with zero mean and standard deviation σmov .
Prx (t) = Ptx − P L(d) + N (0, σmov )
(3.11)
This parameter tries to model the effect of a random mobile node in the path
loss and the received power. Taking into account that the movement is completely
random, a normal distribution can model this side effect. The zero mean represents
that this effect is absent at the instant t = 0 s, with the node in its initial position.
After that, the effect starts to change the sensed parameters. The speed and the
scope of the movement define the standard deviation of the normal distribution.
Figure 3.11: Random movement effect example.
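The following added example (not code from the thesis) evaluates Formulas 3.9 to 3.11 and shows how node movement during learning widens a learned received-power profile until a transmitter emulating the PU from a different distance is no longer flagged. The one-dimensional profile (mean plus or minus three standard deviations) is a simplified stand-in for the thesis's clustering, and all numeric values (PL(d0) = 40 dB, η = 3, σ = 2 dB, σmov = 6 dB, distances and speed) are constructed.

```python
import math
import random
import statistics


def path_loss_db(d, pl_d0=40.0, d0=1.0, eta=3.0):
    """Deterministic part of Formula 3.9: PL(d0) + 10*eta*log10(d/d0)."""
    return pl_d0 + 10.0 * eta * math.log10(d / d0)


def rx_power_dbm(d, p_tx=0.0, sigma=0.0, rng=None):
    """Received power at distance d; the X_sigma term is drawn when sigma > 0."""
    shadowing = rng.gauss(0.0, sigma) if (rng is not None and sigma > 0) else 0.0
    return p_tx - (path_loss_db(d) + shadowing)


def learn_profile(samples, k=3.0):
    """Simplified 1-D profile (assumption): centre and radius of k std deviations."""
    return statistics.mean(samples), k * statistics.pstdev(samples)


def is_anomalous(profile, sample):
    """A sample is anomalous when it falls outside the learned radius."""
    centre, radius = profile
    return abs(sample - centre) > radius


def learning_trace(kind, n=600, d_i=10.0, s=0.1, sigma=2.0, sigma_mov=6.0, seed=1):
    """Received power observed during learning for a static, linear or random node."""
    rng = random.Random(seed)
    trace = []
    for t in range(n):
        if kind == "linear":
            # Formula 3.10: the distance grows as d_i + s*t
            p = rx_power_dbm(d_i + s * t, sigma=sigma, rng=rng)
        else:
            p = rx_power_dbm(d_i, sigma=sigma, rng=rng)
            if kind == "random":
                # Formula 3.11: extra N(0, sigma_mov) term
                p += rng.gauss(0.0, sigma_mov)
        trace.append(p)
    return trace


def evaluate(emulator_distance=30.0):
    """Learn one profile per mobility model and test a noise-free emulator sample."""
    probe = rx_power_dbm(emulator_distance)
    result = {}
    for kind in ("static", "linear", "random"):
        profile = learn_profile(learning_trace(kind))
        result[kind] = {
            "radius": profile[1],
            "detected": is_anomalous(profile, probe),
        }
    return result


if __name__ == "__main__":
    for kind, r in evaluate().items():
        print(f"{kind:7s} radius={r['radius']:5.1f} dB  detected={r['detected']}")
```

With a static learning stage the emulator is flagged; with either mobility model the wider profile absorbs it, which is the false-negative effect described above.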
3.3.6.2. Wireless path loss
As explained in sub-section 3.3.6.1, the path loss includes a random term in
order to model effects of wireless communications such as multipath propagation
or shadowing. Changes in this model affect the received power and the received
packet rate, which are the elements of the learning stage. Added to the fact that
CRSNs work in completely different environments with different path losses, this
makes the wireless path loss one of the most interesting parameters to study.
Normal values for the random variable $X_\sigma$ are shown in Table 3.2:

| Environment            | σ (dB)  |
|------------------------|---------|
| Outdoor                | 4 to 12 |
| Office, hard partition | 7       |
| Office, soft partition | 9.6     |
| Factory                | 3 to 6  |

Table 3.2: Typical values of sigma parameter
This random parameter affects the learning and the detection stage. It provokes
an increase in the number of clusters in the first stage and, consequently, an
increment of false negatives and a decrement of false positives.
3.3.6.3. Adding nodes to the network
In a WSN the connection and disconnection of nodes during the entire network
life is completely normal. Also, it is possible that some nodes leave the network
because they enter a sleep mode and, when they wake up, they start the joining
process again.
The nodes that join the network after the global starting time will have a shorter
learning stage and, therefore, worse node profiles. Moreover, if a node is in the
network for less time during the learning period, the rest of the nodes will have a
less precise profile of it provoking more false positives.
3.3.6.4. Virtual Control Channel imperfections
The Virtual Control Channel (VCC) is a new method for sharing cognitive
information among the nodes as we have explained in Section 3.2.
In our previous work, the VCC was modelled ideally. However, in a real
application the VCC should be modelled as a normal wireless channel and,
therefore, it has losses. These losses follow the model described in sub-section
3.3.6.2.
The packets lost in the VCC are critical because they can provoke a malfunction
in the network. If the nodes share decisions and information about the attack, the
anomaly detection approach does not operate ideally.
3.3.6.5. Spectrum data errors
As the algorithm and the CRSN’s operation are based on the spectrum sensing
information, errors in these critical data can result in wrong decisions.
The CRSNs can be deployed in hostile environments including electromagnetic
interference, changing climate or physical obstacles. Moreover, the nodes, placed
in accessible locations, can be damaged by machines or people in an intentional or
unintentional manner.
These variations in a hostile application are also included in the wireless model
with the η parameter. If the path loss exponent varies during the application
lifetime, the information captured would be erroneous.
These errors cannot be modeled because, depending on the error nature, the
node can send a random value, a constant value or any other value distribution.
This anomalous operation can be interpreted as an attack in the detection period,
which is the purpose of the developed approach.
3.3.6.6. Attack in the learning phase
In Section 3.3.4 we assume that the learning phase is done in a controlled
scenario, where there are no attacks. This way, each node learns correct profiles
with valid information. However, if this learning phase is compromised, the
network learns profiles that are based on wrong data. Therefore, the detection will
be affected.
Taking into account the current behavior of the solution, it is supposed that this
strategy does not work when the attack starts in the learning phase.
The impact of all these parameters will be studied and discussed in Section 5.3.4.
3.4. Strategy 2: Artificial Noise generation approach
3.4.1. Introduction to Artificial Noise
The key idea in this strategy is that a transmitter, in cooperation with helper
nodes, can artificially generate noise to conceal the secret message that it is
transmitting. The noise is generated in such a way that only the eavesdropper is
affected but the intended receiver is not because noise is generated in an orthogonal
channel or modulation.
CWSNs avoid one of the main constraints when using artificial noise injection
techniques, the knowledge of the CSI. CSI is the knowledge of the channel
properties that defines how a signal propagates from the transmitter to the receiver.
For example, in Figure 3.12, the CSI between the source S and the destination D is
h. h is a matrix that includes all the possible wireless configurations between S and
D. Each configuration includes channel effects such as attenuation, shadowing or
fading.
In a cooperative scenario there are several network entities. All these agents have
cognitive capabilities and different radio interfaces. In this approach, otherwise
inactive nodes in the relay network can be used as cooperative artificial noise
sources to confuse the eavesdropper and provide better performance in terms of
security. In addition, we allow non-colluding eavesdroppers (E) to individually
overhear the communication between S and D without any central processing.
Figure 3.12: Artificial noise and eavesdropping scenario.
3.4.2. Eavesdropping attack description
In this system model the adversaries are eavesdroppers. Eavesdropping is a
way for an unintended receiver, called an eavesdropper, to intercept a message. A
wireless communication session may contain confidential data. Thus, we have to
prevent the eavesdroppers from learning the contents.
We assume a global adversary controlling some eavesdroppers which can
collaboratively overhear all messages on the incoming and outgoing channels of
the closer sensor nodes. Our eavesdropper model is captured by the following set
of assumptions for the eavesdropper E:
- The eavesdroppers have cognitive capabilities, such as multiple interfaces
  or spectrum sensing. We define E as a wireless node with $N_K$ wireless
  configurations, where $N_K \le N_W$ ($N_W$ being the number of wireless
  configurations of an incumbent user).
- E can perform sophisticated spectrum processing with its available elements.
- The eavesdroppers sense the available channels and interfaces during a
  period. If they do not locate any signal, they switch to the next channel or
  interface. If they detect a signal, they listen for a period.
- The network does not have any information about the position of E or its
  strategy.
- The eavesdroppers communicate among themselves via a separate channel
  invisible to the rest of the network. We point out that the assumption of a
  global eavesdropper who can monitor the entire network traffic is realistic for
  some applications.
- The eavesdroppers are passive, hence they cannot transmit noise signals.
- One eavesdropper can sense the spectrum using its different wireless
  configurations. They can collude among themselves, sharing information to
  obtain a global spectrum state.
The first assumption can be adopted if we restrict our interest to the wireless
configurations that the incumbent nodes have. In this case, if the eavesdropper
is a node with the same hardware as the rest of the nodes, it will have the
same wireless configurations. Moreover, if the eavesdropper is a node with higher
resources than a CWSN node, for example, a USRP [107], it can adapt its radio
interface to emulate any protocol. In the other cases, the attacker will have fewer
wireless configurations than the incumbent nodes.
The behavior of the eavesdropper nodes is a collaborative spectrum sensing.
Each one listens in a band for a time, looking for
communications. If this task is successful, it keeps listening in the same
band. The communication between eavesdroppers is a realistic assumption, taking into
account that the attackers' network could be a cognitive network with a VCC, like the
incumbent network.
If we assume that eavesdropper nodes have cognitive features, they can follow
multiple intelligent strategies. In this work, three eavesdropping strategies have
been developed. In the first one (ES0) the eavesdroppers change their channel
randomly. This strategy has been taken as the reference against which the other
strategies are compared. The second (ES1) and third (ES2) strategies include spectrum sensing
information to obtain better results. In ES1 the eavesdroppers move to the
channel with the highest signal level. Finally, in ES2 the eavesdroppers change
to the channel with the lowest signal level, discarding the empty channels. These strategies
try to cover the scenarios where the jammers transmit with higher power levels than
secondary emitters and vice versa. This enables the analysis of the impact of different
attacker approaches on the network.
3.4.3. Cooperative artificial noise countermeasure
The key idea in this strategy is that a transmitter, in cooperation with helper
nodes, can artificially generate noise to conceal the secret message that it is
transmitting. The noise is generated in such a way that only the eavesdropper
is affected but the intended receiver is not because noise is generated in an
orthogonal channel or modulation. This technique creates a difficulty in obtaining
real information and also in the decryption process in the worst case, when the
eavesdropper senses real packets.
CWSNs avoid one of the main constraints when using artificial noise injection
techniques, the knowledge of the channel state information (CSI). In this approach,
otherwise inactive nodes in the relay network can be used as cooperative artificial
noise sources to confuse the eavesdropper and provide better performance in terms
of security. In addition, we allow non-colluding eavesdroppers (E) to individually
overhear the communication between S and D without any central processing.
Based on the idea in [108] and adapting these concepts to new CWSN scenarios, a formal
model is presented. Zhou and McKay present the basis of this model in a
multi-antenna scenario. In this work, the scenario is formally modelled on
this mathematical basis and adapted to a cognitive scenario, where the collaboration
and the spectrum sensing can be used to improve the technique. Moreover, in [108]
there are no relay nodes; the nodes can transmit at the same time on more than
one antenna, and no optimization with respect to the spectrum
saturation or the energy consumption is presented.
We denote the possible wireless configurations between S and D and between S
and E as $h$ and $g$, respectively, both of which are $1 \times N_W$ vectors, where $N_W$ is the
number of different wireless configurations in:
$$\begin{aligned} h &= \{h_1, \ldots, h_{N_W}\} \\ g &= \{g_1, \ldots, g_{N_K}, \ldots, g_{N_W}\} \end{aligned} \qquad (3.12)$$
The elements of $h$ and $g$ are independent and identically distributed complex
Gaussian random variables. If the eavesdropping nodes have fewer wireless
configurations than S or D, the parameters $(g_{N_K}, \ldots, g_{N_W})$ will be 0.
$$h_i, g_i = h_i(t), g_i(t) = \frac{1}{\sigma\sqrt{2\pi}} e^{-t/2\sigma} \qquad (3.13)$$
Knowledge of $h$ is obtained using spectrum sensing capabilities. We assume
that the knowledge of $h$ and $g$ is available at E, which makes the secrecy of
the communication independent of the wireless configuration and the channel. S
utilizes multiple wireless configurations to transmit the information-bearing signal
into the receiver's channel, while simultaneously generating a noise-like signal into
the null space of the receiver's channel. We let an $N_W \times N_W$ matrix $W = [w_1 \; W_2]$ be
an orthonormal basis of $\mathbb{C}^{N_W}$, where $w_1 = h/\|h\|$ and $W_2$ is orthonormal to $h$. The
transmitted symbol vector at S is given by $x = w_1 u + W_2 v$, where the variance of
the information symbol $u$ is $\sigma_u^2$ and the $N_W - 1$ elements of $v$ are independent and
identically distributed complex Gaussian random variables, each with a variance of
$\sigma_v^2$. The information-bearing signal is represented by $u$ and $v$ represents the artificial
noise. Therefore, the received symbols at D and E are given, respectively, by
$$y_D = hx + n = h w_1 u + h W_2 v + n = \|h\|_2\, u + n \qquad (3.14)$$
$$y_E = Gx + e = G w_1 u + G W_2 v + e \qquad (3.15)$$
where $n$ and $e$ are the additive white Gaussian noises (AWGN) in D and E with
variances of $\sigma_n^2$ and $\sigma_e^2$, respectively. $G$ is an $N_E \times N_W$ matrix, where $N_E$ is the
number of eavesdroppers. We see in (3.14) that $W_2$ spans the null space of $h$; hence
the artificial noise does not affect the received signal at D.
However, the received signal in E is a combination of two unknown Gaussian
distributions. Even though E knows $h$ and the channel effects, it does not know the
weights $W$, so it is impossible for it to distinguish the signal and the noise $v$. We
consider a total power per transmission denoted by $P$:
$$P = \sigma_u^2 + (N_W - 1)\sigma_v^2 \qquad (3.16)$$
We refer to $P/\sigma_n^2$ as the transmission signal-to-noise ratio (SNR). As an important
characteristic of this scheme and a conclusion of the model, the artificial noise is
always generated in the orthonormal channels of the information. Therefore, we
assume that the noise does not affect the legitimate transmissions.
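The following added example (not code from the thesis or from [108]) builds W = [w1 W2] by Gram-Schmidt, transmits x = w1 u + W2 v, and checks (3.14) to (3.16) numerically: D receives ‖h‖u whatever v is, while the eavesdropper's signal-to-interference-plus-noise ratio drops. It assumes h is a row vector and takes w1 as its conjugate transpose divided by ‖h‖; the receiver noises n and e are left out of the received samples, and the seed, N_W = 4, N_K = 3 and the hypothetical `info_fraction` power split are constructed values.

```python
import math
import random


def cgauss(rng, var=1.0):
    """One circularly symmetric complex Gaussian sample with the given variance."""
    s = math.sqrt(var / 2.0)
    return complex(rng.gauss(0.0, s), rng.gauss(0.0, s))


def norm(v):
    return math.sqrt(sum(abs(a) ** 2 for a in v))


def row_times_col(row, col):
    """Plain (unconjugated) product of a 1 x N row and an N x 1 column."""
    return sum(a * b for a, b in zip(row, col))


def build_basis(h):
    """Return (w1, W2): w1 = h^H/||h|| and N_W-1 orthonormal columns with h*W2 = 0."""
    n, hn = len(h), norm(h)
    basis = [[a.conjugate() / hn for a in h]]
    for k in range(n):  # Gram-Schmidt over the standard basis vectors
        e = [1 + 0j if i == k else 0j for i in range(n)]
        for b in basis:
            c = sum(bi.conjugate() * ei for bi, ei in zip(b, e))
            e = [ei - c * bi for ei, bi in zip(e, b)]
        if norm(e) > 1e-9 and len(basis) < n:
            en = norm(e)
            basis.append([ei / en for ei in e])
    return basis[0], basis[1:]


def split_power(P, n_w, info_fraction):
    """Split P as in (3.16): P = sigma_u^2 + (N_W - 1) * sigma_v^2."""
    var_u = info_fraction * P
    var_v = (P - var_u) / (n_w - 1)
    return var_u, var_v


def transmit(w1, W2, u, v):
    """x = w1*u + W2*v, one entry per wireless configuration."""
    return [w1[i] * u + sum(col[i] * vj for col, vj in zip(W2, v))
            for i in range(len(w1))]


def eavesdropper_sinr(g, w1, W2, var_u, var_v, var_e):
    """Signal power over (artificial noise + AWGN) power at one eavesdropper."""
    signal = abs(row_times_col(g, w1)) ** 2 * var_u
    leak = sum(abs(row_times_col(g, col)) ** 2 for col in W2) * var_v
    return signal / (leak + var_e)


def demo(seed=7, n_w=4, n_k=3, P=1.0, info_fraction=0.5, var_e=0.01):
    rng = random.Random(seed)
    h = [cgauss(rng) for _ in range(n_w)]
    # The eavesdropper only has N_K configurations: remaining entries of g are 0
    g = [cgauss(rng) if i < n_k else 0j for i in range(n_w)]
    w1, W2 = build_basis(h)
    var_u, var_v = split_power(P, n_w, info_fraction)
    u = cgauss(rng, var_u)
    v_a = [cgauss(rng, var_v) for _ in range(n_w - 1)]
    v_b = [cgauss(rng, var_v) for _ in range(n_w - 1)]
    x_a, x_b = transmit(w1, W2, u, v_a), transmit(w1, W2, u, v_b)
    return {
        "norm_h": norm(h),
        "u": u,
        "yD_a": row_times_col(h, x_a),   # same symbol, noise vector v_a
        "yD_b": row_times_col(h, x_b),   # same symbol, noise vector v_b
        "yE_a": row_times_col(g, x_a),
        "yE_b": row_times_col(g, x_b),
        "sinr_E_with_an": eavesdropper_sinr(g, w1, W2, var_u, var_v, var_e),
        "sinr_E_without_an": eavesdropper_sinr(g, w1, W2, P, 0.0, var_e),
        "power": var_u + (n_w - 1) * var_v,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```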
3.4.4. Side effects analysis
Once the technique has been designed and evaluated for security
reasons, the optimization and the impact on energy consumption and spectrum
saturation should be analyzed. Although Section 3.3.6 explains different side
effects, the differences between the attackers and the proposed strategies mean
that side effects such as the movement of the nodes or the spectrum data errors do
not have influence on the artificial noise approach. For example, in this strategy the
attacker is passive, so the spectrum sensing is not taken into account in security
tasks. The movement of the nodes is independent of the artificial noise for
the same reason. The attacker is passive, so its position does not affect the
strategy. On the other hand, the position of the SUs only has a minimum impact
on the strategy. The SUs have to collaborate in order to create noise in all bands.
Taking into account the reduced size of the scenarios and the redundancy of nodes,
their position is not relevant for the distribution of transmit frequencies among the
nodes.
However, the artificial noise strategy has a cost in terms of energy consumption
and spectrum occupancy which should be analyzed. The transmission of a higher
number of packets in the network and the use of more transmit power introduce
a disadvantage in this strategy. However, the optimization of the parameters can
considerably increase the security while controlling the energy consumption and the
spectrum saturation.
3.4.4.1. Energy consumption
This second strategy is based on the generation of controlled artificial noise in
order to prevent an eavesdropper from intercepting the communications. However,
any additional transmission has an extra cost in terms of energy consumption. The
wireless interfaces are the main source of energy consumption in a CWSN node. For
this reason, it is important to optimize this security strategy using two policies, the
energy consumption and the security.
We expect that the higher the number of nodes that generate noise and
the energy consumed, the higher the security level. However, it might be that,
depending on the scenario parameters, the security level saturates even if the nodes
send more packets or use higher transmit power. The analysis in Section
5.4.0.1 tries to find the optimum values depending on the goals of the network.
3.4.4.2. Spectrum occupancy
The second side effect of the artificial noise strategy is the higher use of the
spectrum. This usage is directly proportional to the number of packets that the
network uses in order to generate the artificial noise. The goal of this security
countermeasure is to reduce the information captured by the eavesdropper, but it
should also control the spectrum usage. The cognitive radio should use
the spectrum efficiently; for instance, this strategy should balance the security
and the spectrum saturation policies.
As in the previous section, the first idea is that there will exist an optimum point
where the security level reaches an accepted value and saturates even if the number
of packets and the spectrum usage increase.
3.5. Conclusions
In this section two security strategies have been proposed: the anomaly
detection against PUE attacks and the artificial noise against eavesdropping attacks.
Both strategies have been introduced and described in detail. The corresponding
attacks have also been described and finally the side effects produced by these
security mechanisms have been presented.
The two strategies are completely different but have some characteristics in
common: the use of the new cognitive features in order to improve the security and
the use against specific attacks of cognitive radio or attacks which have a special
impact in these networks.
The development of these strategies requires a framework where the scenarios
can be performed and the results acquired in order to validate these proposed
countermeasures. As section 1.5.4 explained, the development of new cognitive
tools, explained in next section, is the next step in order to evaluate the
contributions.
Chapter 4
Tools for CWSNs
Technology is nothing. What’s important is that you
have a faith in people, that they’re basically good and
smart, and if you give them tools, they’ll do wonderful
things with them.
Steve Jobs
4.1. Introduction
As Section 1.5.4 explains, there are no developed tools for CR, never
mind for CWSNs. The development of the security strategies has required the
implementation of these tools.
The cognitive features added to the WSN ones cannot be tested in any
existing complete framework. For example, the use of multi-antenna devices is not
supported in the works presented in Section 2.4. Another example is the definition
of the spectrum sensing, which is ignored or limited in current simulation tools. In
addition, new threats such as the PUE attack or the SSDF attack have not been
used previously in the existing frameworks.
Figure 4.1: Project development lifecycle.
A complete framework for the development of a new technology involves
different systems for different parts of the research cycle. For example, earlier
phases of the research have benefited from the development of a new cognitive
simulator. Simulation tools allow faster tests over iterative changes in the
algorithms. Moreover, the results are obtained in a manageable format.
However, later implementation stages require real devices where the algorithms
can be tested. This kind of result can be obtained creating a real test-bed, where the
deployment scenario can be recreated.
4.2. Cognitive simulator
There are a lot of simulators for WSN but a complete CWSN simulator does
not exist. Therefore, in this thesis we have developed a new framework for CWSN
development which consists of a complete CWSN simulator based on Castalia [109].
The CWSN simulator described in this section is based on the Castalia simulator.
As could be seen in Section 2.4, the number of WSN simulators is very large.
That, along with the fact that attempts to create a cognitive simulator have not
reached a decent level of development, has led us to create our own simulator
based on a WSN simulator. The decision about which simulator was better was
made according to these reasons:
- The Castalia simulator is focused on WSN. This feature is very important
  because of the scope of the simulator. Despite Cognitive Radio Networks
  (CRNs) having multiple applications and scenarios, this work is focused on
  CWSN.
- The Castalia simulator is based on OMNET++, which has a modular and
  simple implementation. If the goal of this work is to develop a cognitive
  architecture inside the simulator, new modules and interfaces will be included.
  OMNET++ makes these additions very easy.
- Castalia and OMNET++ development was very active, with releases every few
  months until 2013. After that, the development was stopped. However, the
  advances in these tools were enough to maintain the same platform. The work
  is based on Castalia and OMNET++ in order to create a usable tool for any
  cognitive project. The other important simulator for cognitive scenarios, NS-2,
  has not received a new release since November 2011, and the one before that was
  in 2009. NS-3 is a promising new simulator, but it was at an early stage when
  this decision was made.
- Castalia includes a resource manager module in order to monitor parameters
  such as energy or memory consumption in the nodes.
- Castalia's physical layer and radio models are among the most realistic models
  that any researcher can find in the simulator area. As cognitive radio is based
  on spectrum sensing, a realistic physical layer is an important advantage.
Emphasizing the physical and radio layer, Castalia offers multiple characteristics
such as path loss, mobility in the nodes, simple interferences, multiple modulations
and sleep states. These features are necessary in order to simulate realistic
scenarios of CWSNs. For example, these networks have mobile nodes and changing
environments. The cognitive simulator can use all of these features in order to create
more realistic scenarios.
Having chosen the simulator, the next step is to define the requirements needed
by the cognitive simulator, to offer enough features for future works.
4.2.1. Requirements
The three main characteristics of cognitive radio are environment awareness,
learning, and acting capacity. All the requirements imposed on this simulator try to
implement or to improve these characteristics.
- Spectrum sensing. If the cognitive nodes have to be aware of the context, they
  need to extract that information from the spectrum.
- Multiple frequencies, channels and modulations. An essential characteristic
  needed to reach the flexibility of a cognitive network is to introduce
  the possibility of changing between multiple frequencies, channels and
  modulations.
- Sharing information. The nodes have to share the information acquired from
  the spectrum sensing in order to improve the decision taken by the network.
- Primary and secondary users. The two roles present in cognitive networks
  have to be implemented in the simulator.
- Information storage and learning. The cognitive nodes have to learn from the
  captured information.
- Results and data representation. They are essential for the analysis of the
  results.
Although the Castalia simulator’s physical layer is one of the best compared
with other simulators, the sensing block is critical for cognitive networks.
Consequently, some changes need to be made to improve the sensing stage.
The Castalia simulator supports most common modulations but it is also
prepared to include new ones. Moreover, some typical radios for WSN are included,
such as CC1010 or CC2430. Interferences are another important aspect of the
sensing module. Noise detected in the spectrum can affect network behavior. For
that reason, the interference model should be very precise.
Section 2.4 has shown some attempts to implement multiple radios and multiple
channels in simulators. There can be no doubt about the importance of supporting
different real wireless radio interfaces in each node, allowing for changes in
all parameters: modulation, transmission power, consumption, frequency, etc.
Cognitive networks can be distinguished from other types of networks due to
the adaptation of their parameters according to the information gathered on the
environment. Although the Castalia simulator presents the opportunity of limited
spectrum sensing, it is not enough for a cognitive network. Multiple changes are
necessary in Castalia, starting from a complete spectrum sensing, followed by the
storing of this information and concluding with the spread of the information, which
is an important feature of cognitive networks. A Virtual Control Channel (VCC) has
been implemented for that purpose.
Normally, WSN simulators make differences in the nodes only when the
technology imposes this on them. For example, coordinators and end nodes on
the IEEE 802.15.4 standard [110]. In these cases, the differences are related to the
functionality of the network. However, the cognitive networks introduce two roles
for all the CRN: PUs and SUs.
Finally, when the simulator executes an application or scenario, the developer
needs a simple way to extract the results. Moreover, the number of parameters that
the developer can monitor needs to be the highest possible. For this requirement,
changes in the resource manager block are necessary.
Once the requirements have been explained, the CWSN simulator is going to be
described in detail.
4.2.2. Cognitive Radio extension for Castalia
In this work, the structure of Castalia has been modified in order to provide
the simulator with Cognitive Radio support. Figures 4.2 and 4.4 show the new
simulator structure. Previous implementation can be observed in Figure 4.3. The
code has been modified as little as possible in order to introduce the minimum
changes to third-party applications and module implementations.
Figure 4.2: Castalia network architecture adapted to Cognitive Radio
In the new model, the nodes have multiple communication modules which can
be configured with different parameters. They simulate the multiple interfaces of
a wireless node. Every interface is connected with the application module and
the wireless channel. The new simulator provides the developer with functions to
change the default interface used to send data. It provides complete backwards
compatibility so previous non-cognitive samples and modules do not have to be
modified.
A node with multiple interfaces brings flexibility to the network in a lot
of aspects: comparison of performance and consumption between technologies,
protocols and modulations, cognitive strategies that imply two or more radios, and
freedom to change the parameters of each interface independently.
The existing differences in the scenario configuration file of a multiple interface
experiment can be seen in the following code:
    # Number of radio interfaces per node
    SN.numIFaces = 2
    ...
    # One radio parameters file per communication module (interface)
    SN.node[*].Communication[0].Radio.RadioParametersFile = "CC2420.txt"
    SN.node[*].Communication[1].Radio.RadioParametersFile = "ZigBee.txt"
    ...
According to these lines, the nodes would have two interfaces. The first one
is a CC2420 node and the second one is a generic ZigBee™ node. Each one can
have a different transmission power, different carrier frequencies or a different
modulation.
The parameter numIFaces indicates the number of interfaces per node. By
default, this parameter is one due to backwards compatibility. Since it is possible
to manage more than one communication simultaneously, developers must specify
the interface they are referring to.
Figure 4.3: Castalia node modules before the changes.
The Radio module of each communication module provides new API methods
for changing the active channel. This change lets developers perform spectrum
scans and hops among channels easily. The channel changing feature completes
a set of modifications in order to increase the flexibility of the network but also to
complete wireless protocols such as WiFi or ZigBee™, where nodes have multiple
channels.
Figure 4.4: Castalia inner blocks adapted to Cognitive Radio.
Another implemented change in the simulator is the creation of PUs and SUs.
Most cognitive applications have both roles, where the PUs have preference in the
use of the spectrum and the SUs try to take advantage of the spectrum holes. The
application layer is responsible for providing this feature.
The new functionalities have been carried out with the minimum number of
modifications to the public API of Castalia, so developers can keep on using the
same experiments without changing a large amount of code.
These changes transform Castalia into a simulator capable of running Cognitive
Radio experiments, although it still lacks any cognitive capabilities. In order to turn
Castalia into a real cognitive simulator it has been equipped with a new module
which includes all the cognitive features of the nodes.
The CRModule structure is shown in Figure 4.5. This module is composed
of the following elements, which define the CB architecture. This architecture,
explained in Section 3.2, has been adopted in this thesis. The modules defined here
are the same as in the published work [97]. These modules have been adapted
to the existing Castalia structure and have brought just as many possibilities for
different scenarios to the developer. Therefore, multiple interactions between the
following modules exist.
Figure 4.5: Cognitive Radio Module structure.
Repository. An essential requirement for effective cooperation and collaboration is
that the cognitive nodes make the learned information, the decisions made and the
current state, available to all interested parties. These neighbours may be secondary
users that cooperate in order to take better decisions or to optimize some policies.
This is enabled through a distributed repository structure. The nodes store the
information they capture in the repository and eventually information from other
nodes when they need it. Each node publishes part of its own repository to the
network, making it public through VCC. When a node requires information from
another node repository, it sends a request packet through the VCC channel. If the
information is available and it is public, the access will be granted.
The kind of information stored depends on the context and the requirements
of the system. Some modules that feed the repository with information are:
communication modules, application, resource manager and optimizer. The
repository complements the resource manager module. Whereas the resource
manager stores information about general characteristics of the nodes and the
network such as power and memory consumption, the repository inside the CR
module saves information related to cognitive features such as sensing, learning
or strategies. The repository is the backbone of the CR module framework and
the fundamental component that enables cooperation and dynamic information
exchange among cognitive wireless technologies.
An example of the use of the repository could be a collaboration strategy where
the nodes learn about the use of multiple interfaces and frequency bands. When
this learning is complete, nodes can use this information to transmit over empty
channels saving energy and improving communications.
Access. Information stored in the repository can be an important resource for
a node with malicious intentions. For this reason, or simply because of the general
goal of the network, the access module does not let all nodes access the repositories.
The access module controls which part of the repository and other modules is public
and which nodes are allowed to access it.
As we have said before, security is completely associated with the access module.
An example is an application where the nodes store behavioral reputation. If an
attacker accesses the repository and increases its own reputation, the attack can
affect the behavior of the network.
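As an added illustration (not code from the thesis or from Castalia), the following C++ code models the access decision described above for a request arriving over the VCC, including the reputation case. The `Repository`, `VccRequest` and `Verdict` types, the key names and the node IDs are assumptions made for the example.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Hypothetical model of a node's repository guarded by the access module.
// Type names, keys and node IDs are illustrative, not Castalia identifiers.
enum class Op { Read, Write };
enum class Verdict { Granted, DeniedNode, DeniedPrivate, DeniedReadOnly, NotFound };

struct Entry {
    double value;
    bool isPublic;          // published through the VCC, or kept local
    std::set<int> writers;  // remote nodes allowed to modify the entry
};

struct VccRequest {         // constructed request layout
    int srcNode;
    Op op;
    std::string key;
    double newValue;        // ignored for Read
};

class Repository {
public:
    explicit Repository(const std::set<int>& allowedNodes) : allowed_(allowedNodes) {}

    // Local modules (sensing, optimizer, ...) store data without using the VCC.
    void storeLocal(const std::string& key, double v, bool isPublic,
                    const std::set<int>& writers = std::set<int>()) {
        Entry e = { v, isPublic, writers };
        entries_[key] = e;
    }

    // Access-module decision for one request received over the VCC.
    Verdict handle(const VccRequest& r, double* out) {
        if (allowed_.count(r.srcNode) == 0) return Verdict::DeniedNode;  // node not admitted
        auto it = entries_.find(r.key);
        if (it == entries_.end()) return Verdict::NotFound;
        Entry& e = it->second;
        if (!e.isPublic) return Verdict::DeniedPrivate;                  // never exported
        if (r.op == Op::Read) {
            if (out) *out = e.value;
            return Verdict::Granted;
        }
        // Public means readable; writing needs an explicit per-entry grant.
        if (e.writers.count(r.srcNode) == 0) return Verdict::DeniedReadOnly;
        e.value = r.newValue;
        return Verdict::Granted;
    }

    double localValue(const std::string& key) const {
        auto it = entries_.find(key);
        return it == entries_.end() ? 0.0 : it->second.value;
    }

private:
    std::set<int> allowed_;
    std::map<std::string, Entry> entries_;
};

// Constructed setup: nodes 0 (sink), 2 and 7 are admitted; only the sink may
// change reputation values; the sensing history is not published.
Repository makeDemoRepository() {
    std::set<int> members;
    members.insert(0); members.insert(2); members.insert(7);
    std::set<int> sinkOnly;
    sinkOnly.insert(0);
    Repository repo(members);
    repo.storeLocal("reputation/7", 0.2, true, sinkOnly);
    repo.storeLocal("sensing/history", -71.5, false);
    return repo;
}

int main() {
    Repository repo = makeDemoRepository();
    VccRequest selfPromote = { 7, Op::Write, "reputation/7", 1.0 };
    Verdict v = repo.handle(selfPromote, nullptr);
    std::printf("node 7 raising its own reputation: %s, stored value %.1f\n",
                v == Verdict::Granted ? "granted" : "denied",
                repo.localValue("reputation/7"));
    return 0;
}
```

Keeping read and write grants separate is what stops an admitted but compromised node from editing a value it is allowed to read.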
Policy. This module enforces the requirements for the global system depending
on several factors: power consumption, interferences or noise, quality of service
or security. Simplifying, the policy module is a set of weighting parameters that
control the priority of the different network goals. The nodes act according to the
final composition of services and weights. These policies and weights may vary
dynamically and the nodes should be consistent with these variations.
For example, a CWSN can be responsible for monitoring a large forest area. The
first policy could be low power consumption, but the moment a fire is detected, the
policy changes to offer the best QoS to transmit the alarm.
Optimizer. This module processes the repository information bearing in mind the
requirements imposed by the policy module. Decisions regarding the behavior of
the local node are the results of processing. They are stored in the repository and
evaluated by the executor module. To summarize, the optimizer makes decisions
according to the stored information.
The optimizer is probably the most complex submodule of the CR module.
To understand how it works, an example is presented. In a CWSN scenario
where security is the predominant policy and energy consumption is the secondary
policy, there will be a moment when the battery life reaches its limit. The
optimizer should take both policies into account in order to make the best
decisions, maintaining an acceptable level of security while increasing the network
lifetime.
Executor. The decisions made by the executor need to be distributed to the modules
responsible for modifying the parameters. The executor usually sends orders to the
communication module, where the radio parameters can be changed or the routing
protocol can be modified.
Virtual Control Channel. This channel is a new method for sharing cognitive
information among the CR modules of the nodes. The virtual channel has been
included in the cognitive architecture. CR modules can access exported information
of remote repositories through this channel. VCC allows CR modules to be aware
of their surroundings and, even, of the whole network. VCC gives the nodes
a common interface to communicate among them, ignoring the details of how
the data is delivered, and the precise nature and location of the communication
partners.
Since all the elements are developed as Castalia modules, they communicate and
access each other via the OMNeT++ message system. The modularity of OMNeT++
and its high-level portable language make this architecture easy to transfer to
a real device. Usually, the standard WSN protocols for real devices have resources
to create these modules. For example, the repository message can be implemented
in the stack of multiple protocols, such as ZigBee™. The definition of different
interfaces makes the integration work more difficult, but it is completely possible.
4.2.3. Changes in radio module
Most of the work in the project is focused on developing the cognitive radio
module that introduces cognitive behaviors into the simulator. However, the
Castalia simulator has some characteristics that can be improved.
As we said before, the Castalia simulator only supports one radio interface per
node. Nodes can implement different MAC layers that Castalia includes: 802.15.4,
tunable MAC, etc. However, none of these MACs implements different channels.
Depending on the interface, a node would have a different channel bandwidth, first
and last frequencies and number of available channels. Combining multiple channels
and multiple interfaces makes the scenarios much more realistic.
Spectrum sensing is a key factor in cognitive radio. Nodes must analyze
the spectrum to detect primary users or to find the best medium to share the
information with other secondary users. The decision about which channels or
interfaces are the best each time should be based on realistic and plentiful data.
For this reason the interference model on the Castalia simulator has been changed.
Before these changes, a node only detected the packet if the transmitter operated in
the exact same carrier frequency as the receiver. If the frequencies were different,
the packet was dropped and it did not create any interferences. Now, the model
is more realistic and the packets create interferences if they are within the signal
bandwidth. These interferences are proportional to the distance between carriers
and are related to the modulation.
Finally, minimal changes have been made to the resource manager block.
As explained in Section 4.2.2, the resource manager controls the node parameters such
as the energy spent or the memory occupied. In keeping with the idea of changing
as few simulator parameters as possible, changes to control the power
consumption of multiple interfaces have been made.
4.2.4. Graphical configuration interface
Graphical User Interfaces (GUIs) make possible the interaction between
users and electronic devices through a graphical representation of the
application. These GUIs ease the learning phase of the tools and make some of
their features faster and more intuitive to use.
Castalia scenarios are generated using a file called "omnetpp.ini". This file has
the instructions that define all the parameters of the network and the nodes. For
example, it defines the number of nodes in the network, the number of interfaces
or the transmission parameters.
Testing a strategy in the simulator requires more than one configuration,
in order to vary some parameters that affect the results. Creating these
configurations is costly in terms of time. This has led us to develop a graphical
interface that makes this preparation task easier.
The development of this graphical interface has been made in GTK [111], which
is a multi-platform toolkit for creating graphical user interfaces.
The graphical interface, shown in Figure 4.6, has several functionalities that
improve the definition of scenarios. The first one is the creation of a new scenario
definition file. The GUI allows the developer to include any parameter and
its value. For example, the user can configure the number of nodes, the number of
wireless interfaces, the routing protocol or the physical layer parameters.
The GUI also supports the creation of different configurations in the same file.
This is very useful when a set of scenarios where a parameter varies between two
values is needed.
Finally, the last feature allows the reading of the "omnetpp.ini" file and the
recognition of the defined parameters. The GUI imports the defined parameters
from the file and shows them in a table. Then, the developer can change any of
them or add more.
When the definition has finished, the graphical interface allows the extraction of
the new file, correctly formatted.
Figure 4.6: Cognitive simulator configuration interface.
In the future, the graphical interface is going to be extended in order to represent
the position of the nodes during the simulation and to show the results when
the simulation is finished.
4.3. Cognitive New Generation Device
To address the need for devices that enable and promote CWSN research,
this section describes the implementation and operation of the Cognitive Next
Generation Device (cNGD), a platform for CWSN development. This platform
includes features and capabilities not found on current devices. cNGD arises as
a testbed platform for CWSNs, allowing developers to test new strategies and
improving the research process.
4.3.1. cNGD Requirements
The requirements of the new device are imposed by the need to test security
strategies in a real scenario:
- Communication over at least two ISM bands (868 MHz and 2.4 GHz), with
  transceivers that are, as far as possible, fully configurable. This
  requirement is one of the most important because it allows spectrum sensing
  in different radio spectrum bands and adaptation.
- Modularity. A framework for research purposes should be modular in order
  to allow developers to include new hardware resources or software
  features.
- IEEE 802.11 standard inter-operation possibilities. CWSNs coexist with
  WiFi technology in a lot of scenarios. Communication with this kind of
  network would be very useful. For example, the network would have higher
  coverage, communication with other networks or access to the Internet.
- External pluggable antenna possibilities. Although PCB antennas are
  valid for CWSNs, the use of external antennas allows better transmission
  characteristics.
- Development-oriented, including debugging tools. The approaches tested
  on this platform will be at an early stage and will need a debugging process.
- Working under a single development framework. This requirement makes
  the development process easier because the users only have to program in a
  single environment.
- Useful and powerful enough to try out concepts related to optimization
  strategies for security, which is the objective of this thesis.
- Remote application loader. If the framework is going to be deployed in a wide
  area or in many rooms, remote programming reduces the time and cost of
  changing the node's behavior.
- Reduced size. This requirement is inherent to WSNs, where the node should
  be small.
4.3.2. Hardware description
The whole system is conceived as a teaser consisting of different nestable modules
that give flexibility to the scheme. The main module, cNGD, is the cornerstone.
cNGD is the main platform of the design. It hosts the power supply
system, provides the possibility to embed up to three Radio Interfaces (RIs), possesses
a control core unit, and offers other interfacing possibilities that are discussed later
in this thesis. As part of this modular design, the interfaces that cNGD hosts open
possibilities for new extension board implementations through a pair of headers.
Following popular terminology, these attachable boards will be referred to as
shields.
By offering the chance of embedding up to three RIs, the device can access
three different frequency bands over the spectrum, and fulfills one of the desired
requirements described in Section 4.3.1. The chosen operation frequencies in our
design are 434 MHz, 868 MHz, and 2.4 GHz, matching the ISM bands in most
of Europe. These bands are preferred for WSNs due to the data rate, transmission
power, and transmission range parameters they offer at no cost. This configuration
places the device at the bounds of complexity and cost. At the same time, this
feature is essential for proper CWSN research, giving radio communication
opportunities not provided by any other similar device so far. Moreover, a full
exploitation of the firmware can be done, since it offers an integrated MiWi™ stack
for three RIs.
The three RIs are based on the IEEE 802.15.4 standard for WPANs, commonly
used in WSNs. Specifically, the set of interfaces will operate under the MiWi™ or
MiWi™ P2P protocol. Both are proprietary protocols designed by Microchip
Technology that use small, low-power digital radios. They are an open source
option designed for low data transmission rates (up to 250 Kbit/s), short
distance (up to 100 without obstacles), cost-constrained networks. The main
difference between MiWi™ and ZigBee™ is complexity. MiWi™ offers a much
simpler operation, resulting in a lighter implementation. The size required
for the MiWi™ stack is 3-10 KB of ROM (depending on the node role) while
ZigBee™ takes 20-40 KB. MiWi™ is free of charge and it does not require a license
acquisition as long as Microchip components are used. In fact, Microchip requires
the use of MiWi™ for its products. The global design becomes simpler and more
homogeneous, sharing a common communication protocol for all the RIs.
Since compatible commercial options of a suitable size for the 434 MHz band
were not found, a full custom implementation of this interface was required. This
implementation is based on the MRF49XA transceiver, which can also operate at 868
MHz. In order to provide homogeneity (and since it does not entail much extra
effort), the new RI design will be used for both the 434 and 868 MHz bands. These RIs
will be called µTrans 434/868 from now on. The option at 2.4 GHz is an MRF24J40MA
module.
The chosen firmware for our platform gives support for MRF49XA modules
over the 434 MHz and 868 MHz bands. Specifically, the modules used during the
firmware development were the MRF49XA PICtail™ Daughter Board. This board
is a demonstration and development daughter board for the MRF49XA ISM band
sub-GHz RF transceiver. The board can be plugged into a suitable header, which
makes it unsuitable for a reduced size and robust WSN design. It either accepts
connection to external antennas, which is a desirable requirement.
MRF49XA is a low-power, fully integrated sub-GHz RF transceiver, an ideal
choice for low-cost, high-volume, low data rate (<256 Kbps), two-way, short range
wireless applications. It can operate in the unlicensed 434, 868 and 915 MHz
frequency bands. The transceiver is integrated with different sleep modes and
an internal wake-up timer to reduce the overall current consumption. The device
operates in the low-voltage range of 2.2 to 3.8 V, and in Sleep mode, it operates at a
very low-current state, typically 0.3 µA.
Figure 4.7: Global hardware modules of the platform developed. [Diagram labels:
rs232SHIELD, Expansion Headers, chargerSHIELD, WakeOnShield, cNGD, SensorShield,
µTrans 868, µTrans 434.]
cNGD forms the main part of the design. It hosts the main capabilities for
computation, power supply, and connectivity for the platform. It has been
designed seeking simplicity and functionality.
The computation unit is located at the Microcontroller
(MCU), a PIC32MX675F256L, taking control over the other modules and running
the software. This MCU can be programmed through its PGE port thanks to a PGE
module that interfaces it.
As part of the main goal, a new revised firmware has been developed.
It is a step towards achieving the requirements, since it gives support for
three interfaces and reduces the computation load and, therefore,
the needed resources and power consumption. Moreover, it will facilitate
development, offering a stable firmware version to work on and avoiding
software development tasks. This fact forces the design to keep an architecture
compatible with the firmware; hence a 32-bit Microchip PIC is required as
microcontroller.
Figure 4.8: Detailed view of the µTrans module. (a) Top view. (b) Bottom view.
Communication and control over the RIs is made through Serial Peripheral
Interfaces (SPIs) and a few more control signals described later.
Power can be supplied in three ways: a µUSB, a block
terminal and a DC connector. The first two options accept a 5 V supply, whereas
the third one takes 3.3-3.6 V. This last option is intended to be supplied by a
battery. The µUSB option also serves for serial communication, and since Universal
Serial Bus (USB) provides a 5 V power supply, this is employed. A second 5 V
supply connector opens possibilities for any external power supply source. A
software-driven power supply system for the RIs allows the application to control
the power supplied to these modules.
Figure 4.9: Detailed view of the cNGD module. (a) Top view. (b) Bottom view.
The device offers serial communication through the already mentioned µUSB
option. In addition, the device gives access to different peripherals
through a pair of 20-pin headers. The list of accessible peripherals and pins
covers battery connection (for charging purposes), General Purpose Input-Output
(GPIO) pins, the Master Clear (MCLR) pin, external interrupts, analogue inputs, USB,
Ethernet module, Inter-Integrated Circuit (I²C) bus, Universal Asynchronous
Receiver-Transmitters (UARTs) and SPIs. These options give flexibility, modularity
and versatility to the device. They provide possibilities for multiple kinds of
applications and open the design to new implementations and extensions for
particular applications. In addition, three Light-Emitting Diodes (LEDs) and two
push buttons give the user the chance to control the application if required.
Finally, the serial communication board sets up serial communication between the
MCU and a PC over the RS232 protocol. It is an alternative wired serial
communication option to the included USB, which has progressively become
more popular. Including RS232 serial communication increases the
cost, size, and power consumption. For this reason, it was chosen not to embed this
module in the cNGD, but rather to create an expansion module.
This technology could be useful for old machines, low-resource research,
or for debugging purposes during the platform development until the USB
communication is fully operative. This communication option has a simpler
operation mode than USB.
The modular board allows the implementation of future shield boards such as a
battery charger, sensing module or an Ethernet gateway.
Figure 4.10: Detailed view of the rs232SHIELD module. (a) Top view. (b) Bottom view.
4.3.3. Software description
In this section, the cNGD software design is presented. Taking into account
the hardware selected, the software was divided into two sections that, after their
implementation, were integrated:
- MiWi Firmware
- Cognitive Radio Module
The reasons for the division were the workload of the project, the attempt to
reduce the complexity of the software and the idea of following the same design rules
in the cNGD and the simulator.
Figure 4.11: Detailed view of the chargerSHIELD module. (a) Top view. (b) Bottom view.
4.3.3.1. Firmware
In order to integrate the three MiWi interfaces, an analysis of the main blocks that
make up the Microchip protocol stack for the P2P and MiWi protocols has been made.
Physical and link layer blocks. Starting at the lowest level, the MiWi transceiver
needed to be replicated in order to operate in different frequency bands. In addition,
the use of two kinds of transceivers, the MRF49XA in the 434 and 868 MHz bands and
the MRF24J40 in GHz, implies that some software elements cannot be shared.
Each transceiver has its own status. Each wireless interface also needs to store
the information that is going to be transmitted through it; therefore each
interface should have a dedicated transmission buffer. For the same reason, but
in reception mode, each transceiver has a dedicated reception buffer.
Figure 4.12: Global software structure and firmware inclusion.
On the other hand, the security and encryption mechanisms can be shared. Each
transceiver can support a set of options but this service is global for the Microchip
transceivers.
The link layer in Microchip is a formal block that defines the interface
between levels. Its adaptation has been simple because it does not implement any
functionality.
Network and application interface blocks. In these layers there are more functional
blocks, but not all of them are defined for all the protocols. For example, the P2P
protocol does not include the routing table or the broadcast register. The timing
block is special because it does not depend on the protocol or the transceiver. It just
gives support to the stack.
As in the physical layer, there are specific blocks for each radio interface and
their adaptation implies the modification of the stack. An example is the status and
variables of each interface and the reserved space for the received packets that the
application has to read.
The routing table adaptation is difficult because it stores different network
addresses (one for each interface), and sharing it can increase routing failures.
However, the connection table can be shared because the long address is unique for
all the interfaces.
Finally, the application interface and the stack maintenance are the blocks that
have direct communication with the application. Both elements have been adapted
in order to obtain the coexistence of three interfaces.
4.3.3.2. Cognitive Radio Module
The development of this software has focused on creating a general
architecture with all the Connectivity Brokerage modules as part of the Cognitive
Radio Module (CRModule). Moreover, the needed functions have been added to each
one in order to allow the development of a future test-bed where the security
strategies will be tested. The requirements of this architecture are:
- Follow the Connectivity Brokerage architecture and the CRModule definition
  in the simulator described in Section 4.2.
- Scalability. It would be desirable that the software accepts new modules in the
  future without major changes.
- Testable. This software should be implemented in a real device, where
  debugging is more difficult. Therefore, the implementation should take into
  account the simplicity of the code and its tests.
- Transparent to the application. The goal of the cognitive strategies is
  to improve different aspects of the communication (security, energy
  consumption, etc.) independently of the application details.
Before the design of the submodules that perform the specific cognitive tasks,
the CRModule general architecture was designed. This model must meet the
requirements previously mentioned.
For this reason, if the CRModule must be true to the Connectivity Brokerage
architecture, the CRModule should include only six submodules: Repository,
Discovery, Optimizer, Executive, Access Control and Policy Support.
However, a new submodule called Messenger has been included in the
CRModule in order to improve scalability and usability. This module
acts as a gateway for the communications among the submodules. Moreover, the
Messenger submodule unifies the interactions and provides a simple interface
to the programmer in order to implement these interactions, adding the desired
parameters.
On the other hand, the emission and reception of messages among modules of
different nodes have been implemented in order to make the architecture testable.
These messages are called “control messages” because of their purpose. A new
module called VCC has been added in order to implement this task.
These modifications are shown in Figure 4.13, where the new CRModule of
the CAgents is presented.
Figure 4.13: CRModule architecture including the new Messenger submodule.
Chapter 5
Results
I’ve always believed that if you put in the work, the
results will come.
Michael Jordan
5.1. Introduction
According to the methodology presented in Section 1.5, the last step in the cycle is
the presentation of the results and the evaluation. This section presents
this phase of the thesis, giving a complete report of the results and a discussion
of the performance of the solutions. The side effects of these contributions
are also discussed.
The organization of this chapter is as follows. First, Section 5.2 analyzes the
performance of the tools presented in Chapter 4 in order to check the validity of
these tools for the PhD results. After that, Section 5.3 presents the results obtained
applying the anomaly detection against PUE attack. Finally, Section 5.4 shows the
results of the countermeasures in attacks against secrecy.
5.2. Cognitive tools
Cognitive tools are divided into two parts: the cognitive simulator and the cognitive
test-bed. However, at the time of presenting this thesis, the development of
the cognitive test-bed, explained in Section 4.3, is a work in progress and has
not been fully tested.
5.2.1. Cognitive Simulator
This section presents different proofs of concept in order to validate the
performance of the new cognitive module in Castalia and the new simulator
features.
Castalia simulations have two different parts: the scenario definition and the
node application. The scenario definition on the Castalia simulator is defined in a
single file. It contains the number of nodes in the network, the routing protocol, the
MAC layer used by the nodes, the scenario dimensions, etc. The structure of the
file has not changed after the inclusion of the new cognitive features. However, we
need to define new parameters such as the number of radio interfaces per node.
The node application defines the behavior of each node in the network. The
application is based on events and is controlled by defining different timers. For
example, we can define a periodical timer for the information transmissions. As for
the scenario definition, the application structure has not changed with the cognitive
features. In conclusion, developers would be able to define new cognitive scenarios
in the same way as for traditional WSN applications.
The presented architecture allows for the simulation of complete cognitive
scenarios with the following characteristics:
- Scalable cognitive networks with numerous sensors.
- Multiple interfaces and channels in the nodes at the same time.
- Node mobility.
- Resource control such as battery energy.
- Spectrum sensing for multiple channels and interfaces.
- Control communication and collaboration among nodes.
- Knowledge database.
- Learning in execution time.
- Application of multiple policies.
Three different scenarios have been developed in order to test the new cognitive
features. The first scenario demonstrates the new concept of multiple interfaces
and channels. Moreover, the new interference model including the bandwidth
and modulation of each channel is tested too. The second scenario simulates an
application where power optimization is the main policy. Finally, the third scenario
shows how the spectrum sensing, the repository and the VCC can be used to
implement complex cognitive simulations.
5.2.1.1. Scenario 1: multiple channels and interfaces
The first scenario tests one of the most important new features of the
cognitive simulator: the possibility to have more than one wireless interface in a
node and to control which one is active and the transmission parameters.
The scenario includes three nodes defined by ID #0, #1, #2. Node #0 is the sink
of all the information and nodes #1 and #2 send the information. This topology
represents a typical real scenario where a coordinator receives traffic from its end
devices, usually end nodes. Nodes #1 and #2 are static in positions (50,50) and
(150,150) in a simulation area of 200x200. Node #0 starts moving from the origin
(0,0) to (200,200) at a regular speed.
Each node has two interfaces, each of them with three operative channels.
Interface 1 of each node operates at 2.4 GHz and Interface 2 operates at a frequency
far away from the first one, at 2.35 GHz. All nodes change their active interfaces
at the same time but node #1 changes its channel more slowly, every five seconds,
compared to the other nodes, which make this change every three seconds. As the
channels are very close, transmissions on a channel can produce some interference in the
signal of the ones nearest to it.
Figure 5.1: Throughput received by node 0. [Plot: throughput (bps) versus time (s).]
When node #0 is near node #1, an event that happens at second 18, and their
corresponding active interfaces and channels are the same, node #0 starts to receive
packets. When the interface or the channel is different, it does not receive them.
Between seconds 50-58 and 85-91 node #0 is near node #2, which changes interface
and channels at the same time as node #0.
Table 5.1 shows the packets received in node #0. As we can see, some packet
transmissions failed because of interference. The failed column represents the
failures due to differences in the transmission frequency or the state of the
radio. The interference column represents the packets affected by interference. The
below-sensitivity column indicates the packets that have been received below the
sensitivity of the node. This happens when the transmitters are far away. Finally, the
received packets are indicated in the last column. As can be seen, a lot of packets
produce interference because they are transmitted over three close channels (5
MHz). However, when the interfaces are different, the frequency difference is
higher (50 MHz) and interference is not produced.
              Failed   Interference   Below sensitivity   Received
Interface 0      5          63               42               34
Interface 1     34          38                0               60
Table 5.1: Packets received by two interfaces in node #0
In summary, this scenario shows the implementation of multiple interfaces
and channels at the same time in the nodes. The control of this new feature has been
very important in order to implement security strategies in this thesis. Moreover,
the movement of the nodes and the inclusion of a new interference model have
been shown in scenario 1.
5.2.1.2. Scenario 2: power optimization
The second scenario shows how cognitive capabilities can optimize some
parameters of the network. In this case, reducing power consumption is the goal
of the demonstration and the most important policy. The exchange of important
information for the optimization goal is made using the new VCC.
The simulation includes two nodes. Node #1 is the transmitter and node #0
receives the packets. Both nodes have two interfaces:
- Interface 0: 802.11 protocol and radio MRF24 from Microchip
- Interface 1: 802.15.4 protocol and radio CC2420 from Texas Instruments
The packet rate starts from the highest value and slowly decreases. At first, interface
0 is active and packets are sent through it. When node #1 detects that the packet rate is
low enough to transmit with the 802.15.4 interface, it activates it and turns off the
802.11 interface. At this moment, node #1 sends a VCC message to the rest of the nodes,
notifying the interface change. The CR module of node #0 processes the message
and decides to change its interface as well, in order to continue the communication.
Figure 5.2: Results of the power optimization scenario. (a) Instantaneous energy
consumption. (b) Accumulative energy consumption. [Plots: energy (J) versus time (s).]
Figures 5.2a and 5.2b show the results of node #1 consumption in scenario 2.
At first, the energy consumption of node #1 is high. When node #1 changes to the
802.15.4 interface (in second 50), an important reduction in consumption can be
noticed.
Power optimization is also the goal of the following simulation, where two
nodes share information about their location through VCC and change their
transmission power accordingly.
The nodes start at a distance of 30 meters and transmit with the highest possible
power, 0 dBm. Node #0 is mobile, and periodically sends its position to node #1
through the VCC channel. Node #1 sends data to the receiver. When node #1 considers
that node #0 is near enough, it reduces the transmission power.
As we can see in Figure 5.3, the accumulative consumption is lower in the middle
of the simulation time, where the nodes are closer. The power consumption decreases
by nearly 33 % at some instants.
The second scenario has tested the communication through the VCC channel,
the mobility of the nodes, the resource manager and the application of the power
optimization policy.
5.2. Cognitive tools
Figure 5.3: Comparison of power consumption with and without CR optimization. The plot
shows energy (J) against time (s).
5.2.1.3. Scenario 3: spectrum sensing, history learning and anomaly detection
This is a demonstration of a complex cognitive application where all the
cognitive features implemented in the simulator are used to detect anomalies such
as broken nodes or intruders. From the data acquisition using spectrum sensing to
the collaboration among nodes, this last scenario uses all the new features needed in
this thesis.
The simulation consists of 50 nodes with different roles. The server receives
information periodically from multiple sensors. The sensors are PUs if they have
preference or SUs if they do not. Moreover, the SUs collaborate in order to detect
anomalies in the nodes’ behavior. More specifically, they detect these anomalies by
sensing the spectrum and learning about the received power from each node.
During the first 10 seconds of the simulation the nodes learn about the
received power: number of transmissions, average and standard deviation of the
received power. This information is stored in the repository inside the cognitive
module. After these 10 seconds, the nodes start to detect differences in this learned
parameter. The optimizer notifies the application if some anomaly happens, and the
application, after multiple warnings, retransmits the alarm to the rest of the nodes.
When a fixed number of nodes agree on the anomaly of some node, it is marked as
an abnormal node and it cannot participate in the working of the network.
Figure 5.4: Results of scenario 3 with spectrum sensing, learning and anomaly detection.
(a) Sensing power and learning average. (b) Learning power variance.
Therefore, the spectrum sensing allows the nodes to detect and to analyze the
received power, the repository allows for the storing of all the learned information,
the optimizer analyzes the data according to some policy and finally, the nodes
collaborate using the VCC.
The results of a network with 50 nodes are shown in Figures 5.4a and 5.4b. Figure
5.4a represents how an SU learns about the transmission power of another node
which has an abnormal operation. Sensing power is the power received by the node
when it receives a new packet, and the learning average is the average over all the
packets received by this node. The x axis represents the number of packets that the
node has received since the beginning of the simulation.
As we can see, the average is stable with a few samples. The top limit and the
bottom limit form a range where the sensing data is considered normal. When the
data is out of the limits, the node interprets it as an anomaly.
In figure 5.4b, we can observe how fast the system learns. With a few samples,
the variance fluctuates. The cause of this fluctuation is the low number of samples
received. When this happens, a new sample whose value is sufficiently different from the
learned average has enough weight to change the standard deviation considerably.
However, when the node has more information the variance stabilizes over 1 %.
The last scenario shows the scalability of the solution with 50 nodes in the same
network. Moreover, it shows some of the most important features such as spectrum
sensing, learning and knowledge storage in the repository.
Once the new features of the simulator have been tested, the development of
security strategies can be implemented in it. In the next sections, the results of
the anomaly detection and the artificial noise countermeasures are presented and
evaluated.
5.3. Strategy 1: anomaly detection approach
This section presents the results of the anomaly detection strategies used to
detect and mitigate the PUE attack. First, the different algorithms are evaluated.
Then, the side effects which can affect the optimum performance of these
strategies are presented. The goal is to demonstrate that the anomaly detection
strategies are valid in order to detect a PUE attack in a CWSN. The limitations of
these networks, the results of the algorithms and the side effects caused by them
will be discussed in order to present the conclusions in the next chapter.
5.3.1. CUSUM algorithm
The CUSUM algorithm is implemented in order to detect and isolate PUE attacks.
The operation of this approach has been explained in Section 3.3.4: the algorithm
tries to find anomalies in some of the transmission parameters. In this case, the CUSUM
algorithm focuses on the received power. When an anomaly is detected, an
anomaly alarm is sent to the rest of the network in order to corroborate this decision
in a collaborative process. The scenario of the simulations is described next.
As Section 3.3.2 explains, the PUE attack is implemented as one or more SUs
that change their behavior at a precise moment, acting like a PU. The attacker will
try to adapt all radio parameters according to the PU behavior. Some of them, such
as modulation, encoding or carrier frequency, are probably exactly like those of
a PU for two reasons. The first is that the attackers and the PUs usually have the same
hardware characteristics, therefore the attackers can imitate the PU. The second reason is that
the attackers do not need to change these parameters to reach their possible goals:
to use more spectrum, to transmit information to other destinations or to prevent
SUs transmissions.
According to that, it is reasonable to restrict the parameters that the attackers
change to transmitted power and occupied spectrum bandwidth. In this approach
the received power has been used to detect anomalies, like a PUE attack, in the
network.
Setting this parameter to a value similar to those used by a real PU, we can check
how precise the algorithm is in detecting this kind of attack. This is the worst case,
where the variations between a real PU and the attackers are minimal. In order to
test the presented solution, when an attacker changes its behavior, the maximum
allowed change in transmitted power is 1 dBm. This restriction is imposed by the
transmit models in the simulator and also because the real CWSN devices have a
minimum step of 1 dBm between transmission modes.
Several simulations have been executed in the simulator in order to extract
results and to draw conclusions from the work. The scenarios have some common
characteristics:
- The scenario area is a 30 m x 30 m square. This represents a common WSN
  scenario, for example, a home, a small industrial area or a research lab. WSNs
  have the potential to cover larger areas, but an intermediate area size covers most
  applications. Moreover, this area can be taken as a simplification of a large
  area. In fact, there is no restriction on the scenario size.
- The complete simulation time is 500 seconds. Obviously, WSNs are
  developed in order to operate for years. However, the
  strategy has to be tested in a reduced time that can be simulated. Moreover,
  in a real application, the attack will occur at a random moment. Therefore,
  the simulation needs to cover some time before the attack and the time needed
  after the attack in order to analyze the effect of the countermeasure.
- The number of nodes in the simulation varies between 50 and 200, including
  one server, 6 PUs and a variable number of attackers. Although the solutions
  implemented here are scalable, this number of nodes represents a common
  scenario of a real system. Moreover, there are a lot of applications that have
  fewer than 50 nodes, such as a home automation system or a health monitoring
  system.
- The learning stage covers the first 60 seconds. This is a normal set-up time
  used by a lot of systems or networks to calibrate themselves.
- The attacks start at second 100. The attack can start at any time. In these
  simulations second 100 has been chosen randomly, but in a way that allows easy
  visualization of the results.
- The SUs and PUs send information to the sink, but the SUs only send the
  information when the channel is not being used by any PU. This behavior
  follows the definition of SUs and PUs presented in Section 3.1.
The system has shown a very good behavior detecting the attackers, with an
average detection rate of 99 % in all simulations. In fact, the system has reached
100 % detection in most of the simulations presented in this chapter. Figure 5.5
presents the detection rate when the SUs strongly filter the alarms that they detect.
This is the worst case for the detection rate. In this simulation, SUs have to detect
10 anomalies in less than 2 seconds in order to send an alarm to the rest of the
nodes. As we can see in the figure, the detection rate is always 100 % except when
the allowed standard deviations are over 1.9 and the collaborative nodes are over
22 %. In this situation, the anomalies produced by the attackers are filtered out by the
system in 5-15 % of cases. There could be different reasons. The first one is that the distance
among SUs makes their perception of the radio spectrum different. Another is
that the number of standard deviations allowed in order to label a sample as normal is too
high. Taking into account that the transmit power difference between a PU and a PUE
attacker is only 1 dBm, most of the sensed packets, malicious or incumbent, are inside
the allowed thresholds.
Figure 5.5: PUE attack detection rate with 50 nodes and 5 PUE attackers.
For the rest of the simulations that we have done, the system has reached even better
detection results. Therefore, the conclusion is that the CUSUM algorithm detects the
PUE attack if the parameters are well configured. For example, it is important that
the allowed margin of standard deviations is below 2. The number of collaborative
nodes is an important parameter too. If the number of collaborative nodes is low,
less than 15 % of the total nodes in the network, the system starts to have some problems,
which we explain below. If the number of collaborative nodes increases a lot, the
system starts to have false negatives earlier. This is caused by the distance
between the nodes. If a high percentage of nodes, for example 40 %, has to agree on a decision
and their view of the spectrum is different, this decision is never supported
by the necessary number of nodes.
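The interplay described above between the standard-deviation margin, the per-node alarm filter and the share of collaborating SUs can be reproduced with a small simulation. This is an added example, not the thesis's simulator code or its CUSUM implementation from Section 3.3.4: it uses a plain mean/standard-deviation threshold, and the node names, the jitter table, the path-loss values and the assumption that only 3 of 10 SUs hear node_b are constructed for illustration.

```python
import math
from collections import deque

JITTER_DB = (-0.2, 0.2, -0.1, 0.1, 0.0)  # constructed measurement jitter (dB)
STEP_MS = 100                             # one sensed packet per node every 100 ms


class PowerProfile:
    """Running mean / standard deviation of received power for one transmitter."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def learn(self, rx_dbm):              # Welford's online update
        self.n += 1
        delta = rx_dbm - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (rx_dbm - self.mean)

    def is_anomalous(self, rx_dbm, k):
        std = math.sqrt(self.m2 / self.n)
        return abs(rx_dbm - self.mean) > k * std


class SecondaryUser:
    """One SU: learned profiles plus the local 'N anomalies in T' alarm filter."""

    def __init__(self, k, min_anomalies=10, window_ms=2000):
        self.k, self.min_anomalies, self.window_ms = k, min_anomalies, window_ms
        self.profiles = {}                # transmitter -> PowerProfile
        self.recent = {}                  # transmitter -> anomaly timestamps (ms)

    def learn(self, tx, rx_dbm):
        self.profiles.setdefault(tx, PowerProfile()).learn(rx_dbm)

    def sense(self, tx, t_ms, rx_dbm):
        """Return True when this SU would send an alarm about tx over the VCC."""
        profile = self.profiles.get(tx)
        if profile is None or not profile.is_anomalous(rx_dbm, self.k):
            return False                  # unknown transmitter or normal sample
        stamps = self.recent.setdefault(tx, deque())
        stamps.append(t_ms)
        while t_ms - stamps[0] >= self.window_ms:
            stamps.popleft()              # forget anomalies older than the window
        return len(stamps) >= self.min_anomalies


def run(k, quorum_percent, min_anomalies=10, n_sus=10, hear_b=3,
        learn_ms=60_000, attack_ms=100_000, end_ms=120_000, gain_db=1.0):
    """Return the set of transmitters that the network marks as abnormal."""
    sus = [SecondaryUser(k, min_anomalies) for _ in range(n_sus)]
    alarms = {"node_a": set(), "node_b": set()}
    for step in range(end_ms // STEP_MS):
        t_ms = step * STEP_MS
        jitter = JITTER_DB[step % len(JITTER_DB)]
        for i, su in enumerate(sus):
            path = -60.0 - 2.0 * i        # each SU sees its own mean power level
            heard = {"node_a": path + jitter}          # node_a stays honest
            if i < hear_b:                # only nearby SUs receive node_b at all
                boost = gain_db if t_ms >= attack_ms else 0.0
                heard["node_b"] = path + boost + jitter
            for tx, rx_dbm in heard.items():
                if t_ms < learn_ms:
                    su.learn(tx, rx_dbm)
                elif su.sense(tx, t_ms, rx_dbm):
                    alarms[tx].add(i)
    needed = -(-quorum_percent * n_sus // 100)         # ceiling division
    return {tx for tx, who in alarms.items() if len(who) >= needed}


if __name__ == "__main__":
    for label, kwargs in [
        ("filter on,  margin 1.3, 20 % quorum", dict(k=1.3, quorum_percent=20)),
        ("filter off, margin 1.3, 20 % quorum",
         dict(k=1.3, quorum_percent=20, min_anomalies=1)),
        ("filter off, margin 1.5, 20 % quorum",
         dict(k=1.5, quorum_percent=20, min_anomalies=1)),
        ("filter on,  margin 1.3, 40 % quorum", dict(k=1.3, quorum_percent=40)),
    ]:
        print(label, sorted(run(**kwargs)))
```

With the filter on and a 20 % quorum only node_b is marked; removing the filter adds the honest node_a as a false positive unless the margin is widened, and a 40 % quorum that exceeds the share of SUs in range of node_b produces a false negative.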
As we have pointed out in the previous paragraph, for some combination of
parameters, some regular nodes are detected as attackers. This is the main problem
that we have detected for the CUSUM algorithm. In the next figures, the false
positive parameter is analyzed.
In Figure 5.6 we can see the results of a simulation with 50 nodes, including
5 PUE attackers, 6 PUs, 1 sink and 38 SUs. In this situation the decisions
taken individually by each node are complemented by the collaboration between
nodes. Each line represents a different scenario where the percentage of SUs that
collaborate in the detection changes. The x axis represents the number of standard
deviations that a sensing power measure can deviate from the learning average to
be considered as a normal value. Finally, the y axis represents the false positive
percentage.
Figure 5.6: PUE attack detection results with 50 nodes.
As we can appreciate, the percentage of collaborative nodes is essential in the
PUE detection. For a percentage of around 20 % of collaborating nodes the results
are very good, with a false positive rate under 10 % with a margin of one standard
deviation for anomaly warnings regarding the average in the profile. If we increase
the parameter to 1.3 the results are very satisfactory, with false positive and false
negative rates near 0 %. The acceptable value for the false positive rate could
be different depending on the application. For example, for home temperature
monitoring it is not important if some data is lost as long as the attackers are always detected.
However, in a fire detection application, it is very important that no correct data are
excluded.
Figure 5.7: PUE attack detection results without filtering in the nodes.
Figure 5.7 shows another scenario with worse conditions than the previous
one. In this case, the nodes send worse information to the other nodes than in the
previous scenario. This is because the node’s CR module does not filter the
information received from the optimizer, as section VI.B explains, and sends too
many anomaly warnings through the VCC.
For example, comparing Figures 5.6 and 5.7, we can appreciate that
in figure 5.6 the false positives disappear in every case if the standard deviations
are greater than 1.3. However, in the second case, the standard deviations should
be greater than 1.7 and the percentage of collaborative nodes should increase by an average
of 10 %. However, if the margin of standard deviations is increased to 1.5 and the
number of collaborative nodes is over 30 % the results are good enough.
On the other hand, if the collaboration between nodes is eliminated and the
filter in the nodes is improved, the system has shown bad results. The system is
not capable of discriminating between the PUEs and a normal behavior.
In order to prove the proper working of the system in larger networks, we
have simulated a new scenario with 200 nodes. Figure 5.8 shows that if the
percentage of collaborating nodes is the same, the system keeps differentiating
the PUE attack in almost every simulation but the results get a bit worse. This is
because more nodes in the same scenario space can produce more anomalies such
as collisions, interference, higher noise level or retransmissions.
Figure 5.8: PUE attack detection results in a network with 200 nodes.
As another interesting result, in Figure 5.9 the behavior of the system can
be observed against a multiple PUE attack, where 10 malicious nodes attack the
system after the learning time. In this case, where 25 % of the nodes are attackers,
the system behavior gets worse. But, even in this case, if the number of collaborative
nodes is over 20 % the results are satisfactory.
Figure 5.9: PUE attack detection results in a multiple attack.
The results show that the most important parameter to improve the PUE
detection is the number of collaborative nodes. Other parameters, such as the
application algorithm or filter and the margin to mark a sample as an anomaly, affect
the results but to a lesser extent.
The same analysis has been carried out using the bandwidth occupied by the nodes
as the anomaly parameter. In this case, the results are not good enough. The reason
for the bad results is the behavior of the secondary users. As we have explained
before, the secondary nodes only send packets when the channel is free, so the
occupied bandwidth has a greater variance than in the power detection based
scenarios. The PUE attack has been impossible to detect with good precision using
the occupied bandwidth. The cause of this problem is the defined behavior of the SUs.
The SUs only transmit when the channel is empty. Therefore, the time between
their transmissions is variable. If the algorithm learns that this variation in the
time between packets is normal, then it is very difficult to detect changes in this
parameter when the PUE attack happens.
5.3.2. Clustering algorithm
The data clustering algorithm resolves the problem of using multiple features at
the same time. Combining two features, the power received and the time between
packets, the data clustering algorithm aims to detect the PUE attack with a lower
false positive rate. The following figures summarize the results obtained with
this approach. The simulations represent the same scenario as the one of the
CUSUM algorithm. With this algorithm the detection rate is even better than with
the CUSUM algorithm. As we can see in the following figures, the false positive
rate is still a problem. However, adapting some parameters such as the percentage
of collaborative nodes and the clustering radius, the false positives disappear
while the detection rate is maintained.
Figure 5.10: Clustering detection rate with 50 nodes and 5 PUE attackers.
Figure 5.10 presents the detection rate of the clustering algorithm in the
scenario of 50 nodes and 5 PUE attackers. As we can see, the detection rate is always
over 99 %. It has been detected that some values of the number of anomalies that a
node has to detect in a certain time make the detection rate worse. For example, if
the node has to detect more than 10 anomalies in 2 seconds the detection rate gets
worse, as we can see in Figure 5.11. In this simulation, if the nodes filter the
alarms and the collaborative nodes increase over 20 %, the system starts to fail.
As in the CUSUM algorithm, this could be because of the distance between nodes.
If we try to make nodes in different areas collaborate in order to detect something that
only affects some nodes, the decision will be erroneous.
Figure 5.11: Clustering detection rate with not recommended parameters.
However, if the parameters maintain the same values that we indicated for the
CUSUM algorithm, the detection rates always reach values over 99 %. The only new
parameter is the initial cluster radius, which is the variable parameter in the rest
of the simulations. These values range from 0.1 to 1 over the normalized value of the
centroid. This parameter directly affects the false positive rate, as we can see in figure
5.12. The smaller the radius the greater the demand for grouping data.
As we can see in Figure 5.13, the algorithm obtains satisfactory results when
the initial radius is higher than 0.3. These results have been obtained simulating
multiple scenarios and setups. The number of setups for the same scenario has been
between 20 and 50. The reason for repeating each scenario is to get statistically
valid results, avoiding spurious ones. The number of collaborating nodes is also important in
the data clustering algorithm, but to a lesser degree than in the CUSUM case. Here, even
with 14 % of the SUs collaborating, the results are acceptable.
Figure 5.12: Generated clusters depending on the initial radius. Panels: initial cluster
radius = 0.1 and initial cluster radius = 0.3; each panel marks clusters and anomalies.
A new scenario with 10 PUE attackers is presented in Figure 5.14 in order to test
the second algorithm in a more complex situation. Here, 20 % of the network
nodes are malicious. The results are a bit worse than in the previous scenario, but
really good for a radius greater than 0.3. In this situation, the false positive rate is
under 2 % and the detection rate is over 99 %.
All results presented up to this point have been implemented in the cognitive
simulator. As an additional and interesting test, the clustering algorithm has been
implemented in the cNGD nodes. These experiments are very valuable in order to
extract real results and compare them with the simulated ones. The real characteristics,
the performance of the nodes, and the information fed back to the simulator are
some of the results which are going to be presented and discussed in the next
paragraphs.
Figure 5.13: PUE attack detection results with clustering algorithm and one malicious node.
The plot shows false positives (%) against the initial cluster radius (0.1 to 1), with one
series per percentage of collaborative nodes (14 %, 16 %, 18 %, 20 %, 22 % and 24 %).
Figure 5.14: PUE attack detection results with clustering algorithm and ten malicious nodes.
Same axes and series as Figure 5.13.
Figure 5.15: cNGD nodes and the ICD3 debugger from Microchip used in the real tests.
The real scenario, which can be seen in Figure 5.15, has been implemented in
a simplified mode with only two cNGD nodes. The reason for this simplification
is the lack of completely operative cNGDs. As the cognitive test-bed is a work in
progress there are some problems that have not been debugged yet. However, this
simplified scenario allows us to implement some tests that are presented now.
The first node, hereinafter called Node A, is responsible for creating one network
in each ISM frequency band (433 MHz, 868 MHz and 2.4 GHz). These networks can
be created with P2P and MiWi protocols. Both protocols have been tested and the
same results have been obtained. When Node A is prepared, the second node,
hereinafter called Node B, joins the three networks and starts to send application
packets. The application sends messages from node B to node A with an initial
packet rate of 1 packet/s and a transmit power of -4.9 dBm.
When the node A receives the first application packet, it starts the learning
phase, where the repository saves the spectrum sensing information and the
optimizer creates the clusters. Once the learning phase is finished, the node A starts
to compare the new samples with the created clusters. At a certain moment, node
B changes some of its transmission parameters and the node A must detect this
anomaly.
In the first scenario, presented in Figure 5.16, the attacker changes its transmit
power from -4.9 dBm to -3.7 dBm. The difference of 1.2 dB is similar to the difference
of 1 dB applied in the simulated scenarios. This is the worst case because the valid
packets and the malicious ones are very similar. Node A spends 30 seconds in the
learning phase and the initial cluster radius is 0.1.
Figure 5.16: Generated clusters by a cNGD node and classification of the samples. PUEA
varies its transmit power from -4.9dBm to -3.7dBm.
Node A has created 10 clusters but, finally, the most important is the one which
has its center in [0,0]. This cluster has grown during the learning phase because
most of the samples have been included inside it. The valid samples are represented
in green. These samples are those which node B sends before starting the attack
and node A has labelled as normal. False positives appear in red. As we can see
in Figure 5.16, for these parameters there are some false positives but they represent only
10 % of the samples. Finally, the anomalies detected correctly are represented in
orange. These samples are labelled as anomalies correctly by the algorithm, despite
their similarity with the valid samples.
Figure 5.17 shows a new scenario where the learning time has been increased
to 60 seconds and the initial cluster radius is 0.5. When the initial cluster radius is
higher and the learning time increases, the final clusters are larger. In fact, in this
situation, node A only creates one cluster with center in [0,0]. In this case, the false
positives disappear but there are false negatives. Although the anomalies are detected,
some samples from the attacker are labelled as valid. Comparing these scenarios
with the simulations, we can observe that the false negatives are more frequent in
real scenarios. The same conclusion will be drawn when the results of
applying side effects in the simulator are presented in Section 5.3.4.
Figure 5.17: Generated clusters by a cNGD node and classification of the samples. Initial
cluster radius is 0.5 and learning phase lasts 60 seconds.
Another interesting result is presented in Figure 5.18. In this test, the initial cluster
radius has been increased to 1. This causes the main cluster, which has its
center in [0,0], to have a final radius of 5. In this situation, all the samples in the detection
phase are inside the cluster and the attack is not detected. The high growth of this
cluster is a result which is contrasted with the results of the simulations. In a real
scenario, which is more variable, if the initial cluster radius is high, there exists an
important risk of an uncontrollable growth of the clusters.
Figure 5.18: Generated clusters by a cNGD node and classification of the samples. Initial
cluster radius is 1 and learning phase lasts 60 seconds.
The fourth figure, 5.19, represents a scenario where the attacker modifies its
transmission data rate from 1 packet/s to 0.66 packets/s. In this case, node A learns
for 30 seconds and the initial cluster radius is 0.2. As in Figure 5.17, the
chosen values give the algorithm a good performance. Only one false
positive is present and the anomaly is detected.
Figure 5.19: Generated clusters by a cNGD node and classification of the samples. PUEA
varies its data rate from 1 packet/s to 0.66 packets/s.
Figure 5.20: Generated clusters by a cNGD node and classification of the samples. The initial
cluster radius is 0.02.
Finally, Figure 5.20 presents a scenario where the initial cluster radius is 0.02.
This experiment tries to understand how the system works when the initial cluster
radius is very small. The main conclusion is that the initial cluster radius hardly
affects the final result. Only when a high value is selected have the results
been erroneous. However, for values under 0.5 the cluster with center in [0,0]
grows to a similar size.
The early stage of the cognitive test-bed has made these experiments difficult.
The number of completely operative cNGDs is very small and the software
stack and the cognitive module require a complete revision. However, these
preliminary results have helped to verify the viability of the solution in real nodes,
to understand the added problem of a real environment and to detect the differences
with the simulator. Other aspects, such as the collaboration, could not be tested, but
they should be analyzed in the future.
As a general conclusion, the real transmission produces higher randomness in
the received information. As a result, the first created cluster
increases its size and the rest of the clusters only contain one sample, maintaining
their initial radius. This behavior means that the area covered by the clusters is
worse adapted to the samples than in the simulated scenarios. The data clustering
algorithm has detected the attack with transmit power and data rate changes. The
algorithm has been able to detect the attack even in the worst case, when the
difference between a normal node and the attacker is the minimum allowed by
the hardware.
Another conclusion is that the parameters affect the results in a different way than in
simulated scenarios. For example, the initial cluster radius changes the results only
when it is very high. In this situation, the attack is not detected. Learning
times between 30 and 60 seconds produce the same results. That means that the
algorithm converges quickly. Finally, the nodes have executed the algorithm with
no problems. Therefore, the cNGD nodes have enough computational and memory
resources. More results will be presented in section 5.3.3, but the main conclusion is
that the cNGD nodes can execute the data clustering algorithm.
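The radius trade-off reported for the cNGD tests (false positives at a small initial radius, false negatives once one cluster absorbs the learning data, a missed attack when that cluster grows too far) can be reproduced with a short sketch. This is an added example, not the thesis's implementation: the z-score normalisation, the rule that a cluster keeps its first sample as centre, the "join if within radius + initial radius" growth rule and every sample value are assumptions constructed for illustration, so the radii are not comparable with those in the figures. Detection-phase jitter deliberately differs from the learning jitter to mimic legitimate values not seen while learning.

```python
import math

# Constructed jitter tables (dB and seconds); not measurements from the thesis.
LEARN_P = (0.0, -0.6, 0.6, -0.3, 0.3)
LEARN_T = (0.0, -0.05, 0.05)
DETECT_P = (0.15, -0.15, 0.45, -0.45, 0.0)
DETECT_T = (0.0, 0.025, -0.025)


def traffic(n, p_jit, t_jit, power_dbm=-60.0, interval_s=1.0):
    """n constructed (received power, time between packets) samples."""
    return [(power_dbm + p_jit[i % len(p_jit)], interval_s + t_jit[i % len(t_jit)])
            for i in range(n)]


class ClusterDetector:
    def __init__(self, initial_radius):
        self.r0 = initial_radius
        self.clusters = []            # each: {"centre": (x, y), "radius", "count"}
        self.mean = self.std = None

    def _normalise(self, sample):
        return tuple((v - m) / s for v, m, s in zip(sample, self.mean, self.std))

    def learn(self, samples):
        # Assumed normalisation: z-scores from the learning-phase statistics.
        cols = list(zip(*samples))
        self.mean = [sum(c) / len(c) for c in cols]
        self.std = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
                    for c, m in zip(cols, self.mean)]
        for sample in samples:
            z = self._normalise(sample)
            best = None
            for c in self.clusters:
                d = math.dist(z, c["centre"])
                # Assumed growth rule: a cluster can reach r0 beyond its radius.
                if d <= c["radius"] + self.r0 and (best is None or d < best[0]):
                    best = (d, c)
            if best is None:
                self.clusters.append({"centre": z, "radius": self.r0, "count": 1})
            else:
                d, c = best
                c["count"] += 1
                c["radius"] = max(c["radius"], d)   # grow to cover the new member

    def is_anomaly(self, sample):
        z = self._normalise(sample)
        return all(math.dist(z, c["centre"]) > c["radius"] for c in self.clusters)


def evaluate(initial_radius, attack_gain_db=1.0, learn_n=30, test_n=15):
    """Learn on honest traffic, then classify honest and attacker samples."""
    det = ClusterDetector(initial_radius)
    det.learn(traffic(learn_n, LEARN_P, LEARN_T))
    normal = traffic(test_n, DETECT_P, DETECT_T)
    attack = traffic(test_n, DETECT_P, DETECT_T, power_dbm=-60.0 + attack_gain_db)
    return {
        "clusters": len(det.clusters),
        "false_positives": sum(det.is_anomaly(s) for s in normal),
        "detected": sum(det.is_anomaly(s) for s in attack),
    }


if __name__ == "__main__":
    for r0 in (0.1, 1.0, 4.0):
        print(r0, evaluate(r0))       # each count is out of 15 test samples
```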
In order to conclude this section, both algorithms, CUSUM and data clustering,
have demonstrated the ability to detect anomalies caused by PUE attacks. In the
previous figures, the optimal parameters have been presented. Following these
results, the next section shows a comparison between both algorithms in terms of
learning and detection time, scalability, resources and scenario dependency.
5.3.3. Anomaly detection algorithms comparison
Figures 5.22 and 5.21 represent the results for multiple scenarios with a
variable learning time. As we can see, the CUSUM algorithm obtains bad results
for any simulated learning time between 10 and 60 seconds. As the previous
section showed, the CUSUM algorithm obtains good results from 100 seconds
on. Meanwhile, the data clustering approach starts to obtain good results from
30 seconds on. This indicates that the data clustering approach is better suited for
dynamic networks in which the learning time can be a critical feature.
Figure 5.21: False positives rate depending on the standard deviations allowed and the
learning period time. The plot shows false positives (%) against standard deviations
(1 to 1.9), with one series per learning time (10, 20, 30, 40, 50 and 60 s).
Detection time is another important characteristic. This is the interval between
the beginning of the attack and the warning emission. Here, the simplicity of
the CUSUM algorithm makes it faster. The time needed to detect the anomaly is
between 0.5 seconds and 1 second. However, the data clustering algorithm takes
from 3 to 5 seconds. The results presented here do not include the delay for the
collaboration. However, this delay can be ignored if we take into account two factors:
the ideal implementation of the VCC channel and the redundancy of the WSNs. In
these simulations, more than 50 nodes are present in a small area of 30x30 m. This
indicates that each sensor detects almost the same packets and, therefore, they
transmit the same alarms at a similar time. However, the collaboration continues
being necessary in order to eliminate misleading data.
Figure 5.22: False positives rate depending on the initial cluster radius and the learning
period time. The plot shows false positives (%) against the initial cluster radius
(0.1 to 1), with one series per learning time (10, 20, 30, 40, 50 and 60 s).
Figure 5.23: False positive rate using CUSUM algorithm in a 200 nodes network. The plot
shows false positives (%) against standard deviations (1 to 2), with one series per
percentage of collaborative nodes (14 %, 16 %, 18 %, 20 %, 22 % and 24 %).
Figure 5.24: False positive rate using clustering algorithm in a 200 nodes network. The plot
shows false positives (%) against the initial cluster radius (0.1 to 1), with one series per
percentage of collaborative nodes (14 %, 16 %, 18 %, 20 %, 22 % and 24 %).
In order to prove the smooth operation of the system on larger networks, we
have simulated a new scenario with 200 nodes. Figure 5.23 shows the results for
the CUSUM algorithm. If the percentage of collaborating nodes is the same, the
system still differentiates the PUE attack in almost every simulation but the results
become slightly worse. This is because more nodes in the same scenario space
can produce more anomalies such as collisions, interference, higher noise level or
retransmissions.
The main difference in the data clustering scenario, represented in Figure 5.24, is
the independence of the results from the number of collaborating nodes. The false
positives rate is under 2 % for most setups.
The comparison between CUSUM and data clustering in terms of resources is
very clear. In this case, the CUSUM approach needs less memory and computational
resources. It saves just one table with only five parameters that represent the
transmissions of each node. However, the data clustering algorithm needs the same
table and an additional one with the cluster information. Each row in the table
represents a cluster with its centroid, its radius and the number of nodes inside
it. The learning and detecting stages also need more computational resources in
order to implement the algorithm. For these reasons, the CUSUM algorithm is
recommended for power saving applications or extremely simple nodes.
In Figure 5.25 we can observe the memory and CPU time used by each algorithm
in a PC.
Figure 5.25: A comparison of the CPU time and memory usage in a PC by the anomaly
detection algorithms.
The algorithms have been isolated from the rest of the functionality in order to
measure correctly the overhead produced by them. Moreover, the algorithms
have been run in a PC (Intel Core i7) and in the cNGD nodes, which form the
cognitive testbed. These results have been obtained using the C library and the
massif Valgrind tool.
As we can appreciate, the CUSUM algorithm consumes less CPU time and
dynamic memory than the data clustering algorithm. The memory usage is 3 times
lower and the CPU usage during the learning phase is 7 times lower for the CUSUM
algorithm.
Finally, as a general conclusion, the CUSUM algorithm performance depends
considerably on the simulated scenario and the parameters applied to it, such
as learning time, number of attackers, etc. The clustering approach, however,
maintains a stable and good performance for most scenarios. This good
performance of the data clustering algorithm has an extra cost in terms of resource
consumption, which depends on the initial parameters of the algorithm. In order to
illustrate this situation, Figure 5.26 represents the CPU time spent in each iteration
of the learning phase for the clustering algorithm, together with the number of
clusters created by this algorithm for different initial cluster radii. If the limitations
or requirements in terms of resources are not critical, the data clustering algorithm
is recommended.
Figure 5.26: CPU time spent and number of clusters created depending on the initial
cluster radius in a PC.
The same experiments have been implemented in the cNGD platform, explained
in Section 4.3. This platform is controlled by a PIC32 which has lower resources.
Its maximum CPU speed is 80 MHz and it has only 512 KB of program memory. The
comparison between both algorithms on a PC and on the cNGD platform is summarized in
Table 5.2. As we can see, the CPU time spent in the cNGD is 250 times higher than
in a PC, but this is a logical result taking into account the difference in processing
resources. Finally, Figure 5.27 shows the influence of the initial cluster radius on the
CPU time spent by the PIC32.

                    PC         cNGD
CUSUM               0,12 us    29 us
Data clustering     0,87 us    225 us

Table 5.2: CPU spent time for anomaly detection algorithms
Figure 5.27: CPU spent time depending on the initial cluster radius in a cNGD node.
5.3.4. Side effect analysis
As presented in Section 3.3.6, the anomaly detection techniques have a lateral
impact on the network. As that section said, there are six main aspects that should
be studied: the mobility of the nodes, the wireless path loss, new nodes in the
network, the VCC imperfections, the spectrum sensing data errors and the attacks
in the learning phase.
Several simulations have been executed in the simulator to extract results and
to draw conclusions from the work. The high number of simulations is because
we want to test how different parameters affect the simulations and to avoid
spurious results. The scenarios have some common characteristics.
Each scenario has been run 10 times in order to add randomness. The scenario
area is a 50 m x 50 m square. The complete simulation time is 300 s. The number
of nodes in the simulation is 29, including one server, three PUs, one attacker and
24 SUs. The learning stage covers the first 50 s in the data clustering algorithm. The
SUs and PUs send information to the sink, but the SUs only send the information
when the channel is not being used by any PU. The location of the nodes follows
a uniform distribution, which improves the testing scenarios. The PUs packet
transmission rate is 2 packets/s, and their transmission power is -5 dBm in all cases.
The PUE attackers packet rate is 3 packets/s. The transmission power is -4 dBm. The
attacks start between the 50 and 60 second marks, depending on the scenario. The
maximum node-level alarm is 5 (malicious packet detected). Finally, the window
time for clearing the alarms is 2 s in the clustering algorithm.
The scenarios presented here are a summary of the most representative results
obtained during this work. The scenarios have some variable parameters in order
to test the most important cases. The number of collaborative nodes and the initial
cluster radius always vary. The collaborative nodes vary between 1 and 10 and
the initial cluster radius between 0.1 and 1 in a standardized data scenario.
First of all, a reference scenario has been simulated and presented in Figures
5.28 and 5.29. These results serve as a reference in order to detect the effect of
each parameter. This reference scenario has the same parameters as the worst
case presented in Figure 5.11, where the detection rate starts to decrease because of a
wrong parameter selection.
Figure 5.28: False negatives in the reference scenario with no anomaly effects.
Figure 5.29: False positives in the reference scenario with no anomaly effects.
As we can appreciate, in an ideal scenario, when the number of collaborative
nodes is between 2 (8,3 % of SUs) and 8 (33 % of SUs) the system eliminates the
false positives and false negatives.
The next sections show how the side effects reduce the optimal parametric space
where the algorithm has an optimal behavior.
5.3.4.1. Mobile nodes
In this case, 15 different scenarios have been proposed for each kind of
movement. Each scenario varies the number of mobile nodes (1, 5, 10, 20 and the
PUE attacker) and the node's speed (0.6, 1 and 2 m/s). These speeds cover the range
from a person walking very slowly to another one running slowly. The movement
is continuous during the simulation.
Figure 5.30: False negatives with 20 mobile nodes with a linear trajectory.
The effect of multiple SUs in a linear movement can be appreciated in Figures
5.30 and 5.31. While the false positives remain unchanged or even decrease,
the false negative rate increases. This means that more packets from the malicious
node are marked as valid. The reason is that the learning stage is affected by the
variations in the received power and received packet rate. These variations make
the learned node's profile, represented by a set of clusters, less accurate than in
a real scenario. The variations in the spectrum sensing data are higher and involve
larger clusters and a higher spatial dispersion of them.
Figure 5.31: False positives with 20 mobile nodes with a linear trajectory.
The negative effect of the movement increases when the PUE attacker is the
mobile node. Even if the attacker is the only mobile node, the effect in the false
negatives increases.
Figure 5.32: False negatives with the PUE node moving in a linear trajectory.
In Figure 5.32 we can observe the effect of the PUE movement. As we have
explained before, the influence of the attacker movement is even worse than the
movement of almost all the SUs in the network. This is because the anomaly
detection tries to separate the behavior of PUs and SUs in the network from that of
the malicious nodes. If the movement of the PUEA implies an erratic reception of
the learned features, the algorithm is not able to distinguish between them and,
therefore, the results are worse.
Figures 5.33 and 5.34 represent the effect of 20 mobile nodes, as in Figures 5.30
and 5.31. However, in these scenarios the movement is random. In this situation,
the results indicate that the algorithm incurs more false negatives and fewer false
positives. The learning phase creates clusters with a larger radius because of the greater
randomness, and more data are labeled as normal in the detection phase.
Figure 5.33: False negatives with 20 mobile nodes with a random trajectory.
Figure 5.34: False positives with 20 mobile nodes with a random trajectory.
5.3.4.2. Wireless path loss
The side effect of the wireless path loss model on anomaly detection
techniques has been tested with three different scenarios. In them, the Xσ
parameter varies between 0.5 and 9. The worst case, which represents a hostile
indoor environment, is shown in Figure 5.35. As we can appreciate, the effect is
very similar to the one resulting from the linear movement. Changes in the path
loss parameters also affect the variations in the learned node profiles.
Figure 5.35: False negatives with Xσ = 9.
5.3.4.3. New nodes
In this case, represented in Figure 5.36, the new nodes in the network do not
affect the false positive and negative rates. The anomaly detection technique
contemplates this situation and the new SUs start to learn if they join the network
before the end of the learning phase. If the nodes join in the detection phase, the
effect is a little worse, as we can appreciate in Figure 5.37, because they cannot use
the clustering map created by the rest of the nodes. However, although this feature
is not implemented in this specific technique, CWSNs can address this need and
share the clustering map through the VCC.
Figure 5.36: False negatives including five new nodes during the learning phase.
Figure 5.37: False negatives including five new nodes during the detecting phase.
5.3.4.4. Virtual Control Channel imperfections
As we have explained in Section 3.3.6.4 the errors in the VCC do not only affect
the sensing parameters but also the information generated in the nodes. If this
information, which is the key for the technique, is corrupted or lost the detection
performance decreases. In fact, if we compare Figures 5.38 and 5.39 with the figures
of the path loss exponent variations in sub-section 5.3.4.2 the effect of randomness
in the VCC is worse than in the rest of the channels.
Figure 5.38: False negatives with Xσ = 9 in the VCC
Figure 5.39: False positives with Xσ = 9 in the VCC
5.3.4.5. Spectrum sensing data errors
In order to test the effect of errors in the spectrum sensing data, we have
proposed two kinds of scenarios. The first one covers random errors greater than
the average. In this situation the nodes send information with an error that can be
approximated by a Gaussian distribution. The second one represents the situation
of a node being out of calibration and sending erroneous data. The effect in both
cases is hardly visible, increasing the false negative and false positive rates by less
than 5 %.
Figure 5.40: False negatives with an error of N(0, 20) dBm
Figure 5.41: False negatives with an error of N(20, 0) dBm
5.3.4.6. Attacks in the learning phase
The influence of an attacker in the learning phase has been evaluated in different
scenarios, where the initial time when the attacker starts the attack is the variable
parameter.
Figure 5.42: False negatives when the attack starts in the learning phase
Figure 5.43: False positives when the attack starts in the learning phase
As we can see in Figures 5.42 and 5.43, this side effect prevents the use of
this strategy. The influence of the attacker in the learning phase is very high. Figure
5.44 represents the false negatives for different initial times of the attack, taking into
account that the learning phase is 50 seconds. One of the reasons for this high impact
is the small difference between the PU and PUEA behavior. If this difference were
higher, the impact of this side effect would be reduced.
Figure 5.44: False negatives for different initial times of the attack
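The learning-phase poisoning described in this sub-section, reproduced with a minimal fixed-radius clustering detector. This is an added example, not the thesis's algorithm or simulator code: the two features (power and packet rate), the bounded jitter and the unscaled distance are assumptions, while the 50 s learning stage, the 300 s run and the PU and PUE attacker profiles come from the text.

```python
import math
import random

LEARNING_END_S = 50          # learning stage covers the first 50 s (from the text)
SIM_END_S = 300              # complete simulation time (from the text)
PU_PROFILE = (-5.0, 2.0)     # PU: -5 dBm, 2 packets/s (from the text)
PUEA_PROFILE = (-4.0, 3.0)   # PUE attacker: -4 dBm, 3 packets/s (from the text)
JITTER = (0.15, 0.10)        # assumed bounded measurement jitter per feature


class ClusterModel:
    """Fixed-radius clustering: each row is [centroid, radius, sample count]."""

    def __init__(self, initial_radius):
        self.initial_radius = initial_radius
        self.clusters = []

    def _nearest(self, sample):
        """Return (distance, row) for the closest centroid, or None if empty."""
        if not self.clusters:
            return None
        return min(((math.dist(row[0], sample), row) for row in self.clusters),
                   key=lambda pair: pair[0])

    def learn(self, sample):
        """Unsupervised learning: absorb the sample or open a new cluster."""
        hit = self._nearest(sample)
        if hit is not None and hit[0] <= hit[1][1]:
            hit[1][2] += 1
        else:
            self.clusters.append([sample, self.initial_radius, 1])

    def is_normal(self, sample):
        """Detection: a sample is valid only if it falls inside a learned cluster."""
        hit = self._nearest(sample)
        return hit is not None and hit[0] <= hit[1][1]


def observe(profile, rng):
    """One constructed sensing sample: the node profile plus bounded jitter."""
    return tuple(v + rng.uniform(-j, j) for v, j in zip(profile, JITTER))


def run(attack_start_s, initial_radius=0.5, seed=1):
    """Return (false negative rate, false positive rate, clusters learned)."""
    rng = random.Random(seed)
    model = ClusterModel(initial_radius)
    missed = attacks = false_alarms = legit = 0
    for t in range(SIM_END_S):
        samples = [(False, observe(PU_PROFILE, rng))]
        if t >= attack_start_s:
            samples.append((True, observe(PUEA_PROFILE, rng)))
        for malicious, sample in samples:
            if t < LEARNING_END_S:
                # The learner has no labels: attacker traffic seen here
                # becomes part of the "normal" profile.
                model.learn(sample)
            elif malicious:
                attacks += 1
                missed += model.is_normal(sample)
            else:
                legit += 1
                false_alarms += not model.is_normal(sample)
    return missed / attacks, false_alarms / legit, len(model.clusters)


if __name__ == "__main__":
    for start in (30, 49, 50, 55):
        fn, fp, n = run(start)
        print(f"attack starts at {start:>2} s: FN={fn:.0%} FP={fp:.0%} clusters={n}")
```

In this simplified model a single attacker sample inside the learning window (attack start at 49 s) is enough to create a cluster that later accepts all attacker traffic.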
The solution to mitigate this problem should be based on the
modification of the strategy design. In this situation, the behavior of each node
should be compared with that of the others. Using this strategy, it is possible to classify
the nodes of the network in groups depending on their behavior. If a node can
be classified neither as PU nor as SU, it will be marked as an attacker. However, this
solution would imply deep changes in our design and it would need to be evaluated in
scenarios where each node has a different behavior.
Although all side effects have an impact on the false negative rate, none of them
increases the false positive percentage. The reason for this is that all these studied
characteristics are taken into account in the learning phase. When the scenario
is worse, the anomaly detection technique learns that this is the normal situation
and adapts itself in order to cover a larger space in which the data are labeled as
valid. If the system learns in an ideal situation and then, in the detection phase, the
parameters change, the false positive rate increases, as Figure 5.45 shows.
Figure 5.45: False positives with 20 mobile nodes with a random trajectory only in the
detection phase.
Figure 5.46 has been created in order to summarize the results obtained from the
scenarios. As we can appreciate, some parameters, such as the mobility of the
nodes or VCC errors, have an important effect on the false negative rate. However,
other parameters have a small impact on the system performance.
Even in the worst cases, if the system is calibrated correctly, the false negatives
and false positives can be almost eliminated.
The false positives can be seen in Figure 5.47. As we have commented
previously, the studied parameters reduce the false positives. In this case, the VCC
errors produce a reduction of 50 % in false positives when there is no collaboration.
In all cases, when the number of collaborative nodes increases to five, the false
positives disappear.
Finally, Figure 5.48 represents the optimum points of collaborative nodes,
depending on the effect that affects our network. For example, without effects the
optimum point is around 8 collaborative nodes. In this situation the false positives
and false negatives disappear. For the other two effects, it is possible to find an
optimum depending on whether we can eliminate the false positives or the false negatives.
However, they cannot both be eliminated at the same time. For example, when the
PUE attacker is mobile, the false positive and false negative curves cross between 4
and 5 collaborative nodes. At this point, the metrics have a value of 8 %.
Figure 5.46: Comparison of false negatives percentage for different side effects (initial
cluster radius = 0.5).
Figure 5.47: Comparison of false positives percentage for different side effects (initial cluster
radius = 0.5).
Figure 5.48: Optimum points for different side effects
5.4. Strategy 2: artificial noise generation approach
The second proposed strategy, explained in Section 3.4, uses artificial noise
generation in order to avoid attacks against privacy such as the eavesdropping attack.
This noise is generated in such a way that it only affects the channel between the
sender (S) and the eavesdropper (E), while the channel between S and the
destination (D) maintains its characteristics.
In order to compare the security using this cooperative artificial noise
technique with systems without physical-layer security strategies, metrics are
necessary. For this purpose the secrecy rate and the secrecy outage probability
are defined. The secrecy rate is the rate of transmission on the main channel that
remains undecodable to the eavesdropper. When larger networks with multiple
transmitters/receivers/eavesdroppers, as well as additional nodes such as relays
are considered, we can define the corresponding secrecy rate regions, or the
aggregate secrecy sum rate.
A performance metric suitable for non-ergodic channels is the secrecy outage
probability (SOP), which describes the probability that a target secrecy rate is
not achieved. The SOP characterizes the likelihood of simultaneously reliable and
secure data transmission.
The efficacy of this scheme for different example scenarios using this metric is
presented. In order to simulate the attacks and the countermeasures the CWSN
simulator has been used.
Ten scenarios have been executed in the simulator to extract results and to draw
conclusions from the work. The scenarios have some common characteristics:
- The scenario area is a 50 m x 50 m square. This represents a common scenario of WSN, for example, a home, a small industrial area or a research lab. WSNs have the potential to cover larger areas, but an intermediate area size covers most of the applications. Moreover, this area can be taken as a simplification of a large area.
- The complete simulation time is 100 seconds. Obviously, WSNs are developed in order to operate for years. However, the strategy has to be tested in a reduced time that can be simulated. Moreover, in a real application, the attack will occur at a random moment. Therefore, the simulation needs to cover some time before the attack and the needed time after the attack in order to analyze the effect of the countermeasure.
- The number of nodes in the simulation varies between 4 and 53, including one emitter node (S), one destination node (D), one eavesdropper attacker (E) and a variable number of secondary users that implement the relay and the jamming functions (R).
- The emitter node sends 1 packet/s. This is a normal throughput in some WSNs, where the sensors monitor parameters that do not change constantly.
- The attack starts at the beginning of the simulation.
- The eavesdropper nodes sense each channel for 50 ms. If in this time they do not detect a signal, they change to the next channel. However, if a signal is detected the eavesdropper will listen to the same channel for five seconds.
The variable parameters in the scenarios are:
- The number of relay nodes (R).
- The transmission power of the relay nodes (R).
- The transmission power of the emitter node (S).
We have drawn some graphs that summarize the results. In Figure 5.49, the
SOP for different emitter and noise powers is presented. The number of nodes
in the simulation is 8, including one source user, one destination node and one
eavesdropper in a 50x50 meters scenario. As we can see in the graph, there is a zone
that provides the optimal relation between the SOP security metric and noise power.
Less noise power implies higher SOP rates. More noise power does not improve
the security enough, and it affects the energy consumption and the spectrum
performance.
Figure 5.49: SOP for different emitter and noise power with 5 jamming nodes.
In order to determine the influence of collaboration nodes over the network
behavior, a new scenario has been simulated. Using the same 50x50 meters zone,
the number of nodes in the simulation is 23, including one source user, emitting 1
packet/s, one destination, and one eavesdropper with 20 jamming nodes, emitting
a rate between 1 and 1.1 packet/s. The shape in Figure 5.50 is similar to the one
in the previous scenario. For high noise power the SOP level is lower than the one
with 5 jamming nodes, between 2 and 5 %, depending on the transmission power.
This SOP is maintained for very low noise power, beyond 0.1 mW. There is also a
zone where the relation between emission and noise power is optimal. This zone is
shown in Figure 5.50.
Figure 5.50: SOP for different emitter and noise power with 20 jamming nodes.
5.4.0.1. Cognitive eavesdropping strategies
This section presents the evaluation of multiple cognitive techniques for the
eavesdropper nodes and cognitive countermeasures to improve the artificial noise
techniques. This way, the eavesdropper and jammer nodes become cognitive,
introducing new possibilities to these scenarios.
The new model of eavesdropping attacker, presented in this section, where the
malicious nodes are not passive, makes the security of this scenario a challenge.
This eavesdropping attack implements cognitive features in order to increase the
captured data rate.
We define the behavior of the eavesdroppers, represented in Figure 5.51,
according to these assumptions:
- The eavesdroppers have cognitive capabilities, such as multiple interfaces or spectrum sensing.
- The eavesdroppers sense the available channels and interfaces during a period of time. If they do not locate any signal, they change to the next interface.
- If an eavesdropper detects a signal, it will execute the channel selection strategy and keep listening during a period of time in the selected channel.
Figure 5.51: Cognitive eavesdropping attack flow chart.
In this thesis, three eavesdropping strategies have been developed. In the first
one (ES0) the eavesdroppers change their channel randomly. This strategy has been
taken as the reference against which the next strategies are compared. The second (ES1)
and third (ES2) strategies include spectrum sensing information to obtain better results.
In ES1 the eavesdroppers move to the channel with the highest signal level. Finally, in
ES2 the eavesdroppers change to the channel with the lowest signal level, discarding
the empty channels. These strategies try to cover the scenarios where the jammers
transmit with higher power levels than secondary emitters and vice versa. This
enables the analysis of the impact of different attacker approaches in the network.
Twenty scenarios have been executed in the simulator to extract results and to
draw conclusions from the work. The scenarios have some common characteristics.
Each scenario has been run 100 times.
The variable parameters in the scenarios are as follows:
- the number of relay nodes (R).
- the number of eavesdropper nodes (E).
- the transmit power of the relay nodes (R).
- the number of channels.
- the strategy followed by eavesdropper nodes (E) and relay nodes (R).
The following figures summarize the study that demonstrates our premises. First,
the use of artificial noise against eavesdropping attacks is a good solution by itself or
as an additional strategy to upper-layer strategies, such as cryptography. Second, an
active eavesdropper using cognitive features implies a higher risk than a traditional
passive eavesdropper. Third, the collaboration among relays improves the security
and the collaboration among malicious nodes improves the attack effects.
In addition to the security results, Figures 5.55 and 5.56 are presented in order
to analyze the impact of these strategies on the power consumption and spectrum
utilization. These scenarios include low-resource nodes; hence it is very important
to take these aspects into account. This is done by varying the noise power and the
number of jamming nodes.
Figure 5.52: SOP for different noise power and two channels in each interface.
Figure 5.52 and 5.53 are focused on the analysis of the eavesdropping strategies.
In Figure 5.52, the SOP for different noise power levels in a scenario with two
channels in each interface is presented. The three eavesdropping strategies are
presented including the results without noise inclusion and including a random
noise in the channels. As can be appreciated on the figure, ES2 has better results
than others. Even in the scenario with 20 jamming nodes, the ES2 is better than ES1
without jamming, obtaining a 25 % higher SOP.
Figure 5.53: SOP for different noise power and ten channels in each interface.
Figure 5.53 shows the same scenario but, in this case, with ten channels
per interface. This scenario is more realistic than the previous one because real
technologies have similar number of channels. ES2 continues to obtain the best
results, but in this case, the SOP is reduced to levels below 15 % for artificial noise
levels above -15dBm.
Figure 5.54: Effects of noise strategies against three different eavesdropping strategies.
Figure 5.54 shows the results extracted from the application of our three different
noise strategies against the three eavesdropping strategies. Figure 5.54a represents
the ES2, figure 5.54b the ES1 and figure 5.54c the ES0.
The ES2 is affected by the JS2 but it benefits from JS1. ES2 tries to find the channel
with a lower signal level, discarding the empty channels. In this scenario, if all
relay nodes send the same signal level as the emitter, the eavesdroppers have more
difficulties to find the correct channel. However, if the relays implement the JS1,
where the noise level is the same in each channel except in the one used by emitter,
it is easier to detect the correct channel.
The ES1 is more affected by JS1 because attackers try to find the most used
channel. If the noise is distributed evenly and jammer nodes transmit with a higher
packet rate or more transmit power than that of the secondary emitter, the attackers
cannot find the correct channel.
Figure 5.54c indicates that the ES0 is affected in the same way by all noise
approaches.
Figure 5.55: Effects of collaboration in multiple eavesdroppers scenarios.
Figure 5.55 shows the results when more than one eavesdropper implements
ES2. First, a scenario without collaboration between attackers has been run and,
after that, the same scenario is simulated using collaboration.
As we can see, collaboration between attackers improves the results. In the case
of 2 eavesdroppers, an improvement over previous rates of about 5 % is obtained.
In the case of 4 eavesdroppers the improvement increases to 12 %.
Finally, Figure 5.56 is presented in order to show that the artificial noise scheme
can be optimized in order to avoid high power consumption. The chart represents
the SOP obtained as a function of the number of jammer nodes in the scenario.
As can be appreciated, the graph starts to stabilize with five jammer nodes. This
indicates that, no matter how many nodes are introduced once there are more than
five, the results will be very similar but the power consumption and spectrum
occupancy will increase. In Figure 5.56, it could already be seen that noise power is
optimizable too. The SOP stops decreasing when the jamming nodes transmit more
than -10 dBm, indicating that power consumption can also be optimized.
Figure 5.56: Limitations in the number of jammer nodes related to the SOP obtained.
5.4.1. Side effects analysis
5.4.1.1. Energy consumption
Once the technique has been validated for security reasons and the results have
been analyzed, the optimization and the impact in energy consumption should be
analyzed. The next results show the energy optimization that consists of searching
for the minimum resource utilization in order to achieve the security goals.
Figure 5.57 represents the additional power consumption that the jamming
nodes introduce into the network. As we can see, there is almost no dependence
between the emitter power and the power consumption of the jamming nodes.
Figure 5.57: Additional power consumption in the network with 20 jamming nodes.
The quadratic form of the curve is derived from the omnidirectional antenna that
the simulated nodes use, with a circular range. The number of nodes affected by the
transmissions of the others increases with r². In Figure 5.57 it can be appreciated
that the network without the noise technique has an energy consumption
over 65 joules. This value can increase to 250 joules if the sensors that emit noise
transmit at 1 mW. This is an additional energy consumption of more than 350 %.
If we can weigh the security and the consumption of the system, a formula
similar to the following one is a good solution:

    F(SOP, POW) = A · SOP + B · POW    (5.1)

where POW is the additional consumption weighted to 100 like the SOP. A and
B are the weights that the designer can control to give more importance to the
security or the power consumption. Depending on these weights, Figure 5.58 has a
different minimum. Figure 5.58 represents formula 5.1 with A=1 and B=1. Table
5.3 summarizes some optimum results for different values of A and B. As we can
appreciate, using a noise transmission power of 0,07 mW, the SOP can be reduced
to 4,5 % in the best case.

A     B     Pjamming    SOP             Power
1     3     0.01 mW     48.8-23.76 %    69J
1     2     0.04 mW     22.6-11.73 %    77J
1     1     0.07 mW     11-4.5 %        95J
3     1     0.1 mW      8.1-4 %         100J
10    1     0.19 mW     5.6-3 %         128J

Table 5.3: Optimum values for different weights
Figure 5.58: Jamming power variable. Function of the SOP and additional power with A=1
and B=1.
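Equation 5.1 applied to a textbook secrecy model, to show how the secrecy rate and SOP defined at the start of Section 5.4 behave under jamming and how the weights A and B move the optimum jamming power. This is an added example, not the thesis's CWSN simulator: the Rayleigh-fading closed form for the SOP, the link gains, the target rate and the linear scaling of POW to 100 are assumptions.

```python
import math

# Constructed link budget (all values are assumptions, in normalized units).
NOISE = 1.0            # thermal noise power at D and E
GAIN_SD = 10.0         # received power at D per mW sent by S
GAIN_SE = 10.0         # received power at E per mW sent by S
GAIN_JE = 50.0         # received power at E per mW sent by one jammer
TARGET_RATE = 1.0      # target secrecy rate in bit/s/Hz
N_JAMMERS = 5
P_EMITTER_MW = 1.0
P_JAM_MAX_MW = 0.20    # upper end of the jamming power grid


def secrecy_rate(snr_main, snr_eve):
    """Instantaneous secrecy rate: main-channel rate the eavesdropper cannot decode."""
    return max(0.0, math.log2(1.0 + snr_main) - math.log2(1.0 + snr_eve))


def rayleigh_sop(avg_snr_main, avg_snr_eve, target_rate):
    """P(secrecy rate < target) for independent Rayleigh-fading S-D and S-E links."""
    k = 2.0 ** target_rate
    reach = avg_snr_main / (avg_snr_main + k * avg_snr_eve)
    return 1.0 - reach * math.exp(-(k - 1.0) / avg_snr_main)


def sop_percent(p_jam_mw, n_jammers=N_JAMMERS, p_emitter_mw=P_EMITTER_MW):
    """SOP in percent when the artificial noise degrades only the S-E channel."""
    snr_main = GAIN_SD * p_emitter_mw / NOISE
    jam_at_eve = n_jammers * GAIN_JE * p_jam_mw   # treated as extra noise at E
    snr_eve = GAIN_SE * p_emitter_mw / (NOISE + jam_at_eve)
    return 100.0 * rayleigh_sop(snr_main, snr_eve, TARGET_RATE)


def pow_percent(p_jam_mw):
    """Additional consumption scaled to 0..100 (assumed linear in jamming power)."""
    return 100.0 * p_jam_mw / P_JAM_MAX_MW


def objective(a, b, p_jam_mw):
    """Equation 5.1: F(SOP, POW) = A * SOP + B * POW."""
    return a * sop_percent(p_jam_mw) + b * pow_percent(p_jam_mw)


def best_jamming_power(a, b, steps=20):
    """Grid search for the jamming power (mW) that minimizes equation 5.1."""
    grid = [P_JAM_MAX_MW * i / steps for i in range(steps + 1)]
    return min(grid, key=lambda p: objective(a, b, p))


if __name__ == "__main__":
    for a, b in [(1, 3), (1, 2), (1, 1), (3, 1), (10, 1)]:
        p = best_jamming_power(a, b)
        print(f"A={a:>2} B={b}: Pjamming={p:.2f} mW  SOP={sop_percent(p):.1f} %")
```

In this model the SOP never drops below the reliability outage of the S-D link, which is why extra jamming power stops paying off, and the optimum moves to higher jamming power as A grows relative to B.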
A different approach is to modify the number of jamming nodes keeping the
jamming power constant. Figure 5.59 shows the SOP for different simulations with
a variable number of jamming nodes, from 1 to 19. As in the previous simulations,
there is a zone where the SOP is very high, when the number of jamming nodes is
low, and a zone where the SOP does not decrease a lot, with more than 5 nodes.
The additional power consumption has a quadratic form, similar to that in
Figure 5.57. It increases with the number of jamming nodes. If we apply the same
formula as in the first experiments, the results are those shown in Figure 5.60.
Figure 5.59: SOP for different number of jamming nodes.
Figure 5.60: Number of jamming nodes variable. Function of SOP and additional power
with A=1 and B=1.
A conclusion extracted from Figure 5.60 is that the use of more than 5 jamming
nodes does not provide improvements in the optimizer function.
Figure 5.61: Number of jamming nodes variable and emitter power 0dBm. Function of SOP
and additional power with different values of A and B.
Figure 5.61 represents the curves for different values of A and B when we select
a constant emitter power of 0 dBm. It can be seen that if the security (A) has more
weight in the formula than the consumption (B), the minimum solution requires
a higher number of jamming nodes. It can be observed that the optimal solutions
for the weights represented in Figure 5.61 are between 3 and 7 jamming nodes. This
indicates that increasing the number of jamming nodes makes the network consume
more energy without benefits in security.
Finally, to complete the analysis of power consumption, we have simulated
a new scenario in order to analyze the behavior of the system when spectrum
saturation is higher. In this case, the simulation has 10 emitter nodes transmitting
10 packets/s. This is at least 100 times more traffic than in the previous simulations,
without the additional retransmissions. We have observed that the results have
a similar distribution with the difference that in this case the SOP decreases
drastically. However, this is due to the attack model in which the listening time
in a channel with signal is much longer than the sensing time for each channel.
This is an important result because spectrum efficiency is the most important goal
of cognitive radio. If this approach significantly affected the spectrum occupancy, it
would not be feasible.
Figure 5.62: SOP for different emitter and jamming rates.
5.4.1.2. Spectrum occupancy
A similar analysis has been made with spectrum utilization. This is an important
resource that cognitive radio tries to use in a more efficient way. Therefore, this
approach should be analyzed in order to have the minimum possible effect.
Figure 5.62 shows the SOP results for a variable jamming and emission rate.
As we can appreciate, for low jamming rates (<0.2 packets/s) the SOP decreases
quickly, but for higher values (>0.4 packets/s) the SOP is constant. This indicates
that the optimum value in order to preserve the spectrum will be between 0.2-0.4 packets/s.
Figure 5.63: SOP for different emitter and jamming rates.
Figure 5.64: Function of SOP and jamming rate with different values of A and B and emitter
rate 0,1 packets/s.

A     B     JammingRate    SOP
1     3     0.05pps        62.8-41.6 %
1     2     0.25pps        19.6-11 %
1     1     0.25pps        19.6-11 %
2     1     0.35pps        12.8-8.2 %
3     1     0.45pps        9.35-7.75 %

Table 5.4: Optimum values for different weights with jamming rate variable
Figure 5.63 shows the conclusions specified before. Here, as in the power
consumption experiments, an objective function is defined by Equation 5.2.
The figure shows that the optimal jamming rate for all the simulated scenarios is
between 0.20 and 0.30 packets/s when A=B=1. Increasing the jamming rate above
0.30 packets/s costs more in spectrum saturation than it gains in security.
F(SOP, BW) = A · SOP + B · BW    (5.2)
Finally, Figure 5.64 and Table 5.4 show the optimum values for the objective
function when the emission rate is constant and the weights A and B change. Low
packet rates have been analyzed, under 1 packet/s. The SOP rates are under 10 %
with a jamming rate over 0.45 packets/s.
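The weighted trade-off of Equation 5.2, as an added example that is not part of the thesis: the sketch sweeps the jamming rate, evaluates F = A · SOP + B · BW at each point and returns the minimum for each weight pair. The two curves and their constants are constructed stand-ins (an exponentially decaying SOP with a floor, and a spectrum cost linear in the jamming rate), not the simulation output, so the optima show the trend of Table 5.4 rather than reproduce its values.

```python
import math

# Constructed stand-in curves (assumptions, NOT the thesis simulation data).
# SOP is treated as lower-is-better, as the minimisation in the text implies.
SOP_NO_JAMMING = 0.65   # SOP with no artificial noise (fraction)
SOP_FLOOR = 0.05        # level at which additional noise stops helping
SOP_DECAY = 5.5         # decay of SOP per packet/s of jamming
BW_PER_PPS = 0.8        # spectrum cost added per packet/s of jamming

# Weight pairs (A, B) in the order used by Table 5.4.
WEIGHTS = [(1, 3), (1, 2), (1, 1), (2, 1), (3, 1)]


def sop(rate):
    """Security term: falls quickly at low jamming rates, then flattens."""
    return SOP_FLOOR + (SOP_NO_JAMMING - SOP_FLOOR) * math.exp(-SOP_DECAY * rate)


def bw(rate):
    """Spectrum term: occupancy added by the jamming traffic."""
    return BW_PER_PPS * rate


def objective(rate, a, b):
    """Equation 5.2: F(SOP, BW) = A * SOP + B * BW."""
    if a < 0 or b < 0:
        raise ValueError("weights A and B must be non-negative")
    return a * sop(rate) + b * bw(rate)


def jamming_rates(max_rate=1.0, step=0.05):
    """Sweep grid in packets/s, rounded so the values are clean decimals."""
    count = int(round(max_rate / step))
    return [round(i * step, 2) for i in range(count + 1)]


def optimum(a, b, rates=None):
    """Jamming rate on the grid that minimises the objective function."""
    rates = jamming_rates() if rates is None else rates
    return min(rates, key=lambda r: objective(r, a, b))


def optimum_table(weights):
    """Rows of (A, B, optimum rate in packets/s, SOP in % at that rate)."""
    rows = []
    for a, b in weights:
        rate = optimum(a, b)
        rows.append((a, b, rate, round(100 * sop(rate), 1)))
    return rows


if __name__ == "__main__":
    print(" A  B  rate(pps)  SOP(%)")
    for a, b, rate, sop_pct in optimum_table(WEIGHTS):
        print(f"{a:2d} {b:2d}  {rate:8.2f}  {sop_pct:6.1f}")
```

Weighting security more heavily (larger A) moves the minimum to a higher jamming rate and a lower SOP, while weighting spectrum more heavily (larger B) pulls it back toward zero.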
Chapter 6
Conclusions
Man is too quick at forming conclusions.
Edward E. Barnard
6.1. Conclusions
The growing sector of WSNs has its origin in the good features that they provide
to implement services and applications. These features are their low price, their
low deployment cost, their adaptation, the diversity of commercial solutions, and
their simplicity. These features could be the key factor by which more applications
migrate every day to WSN solutions. Included in these applications are critical
applications such as healthcare, industrial monitoring, or structural maintenance.
This increment of WSN solutions operating in the same bands requires paying
special attention to the radio spectrum usage that is beginning to be overcrowded.
Cognitive wireless sensor networks are the union of WSNs with cognitive
features such as spectrum sensing, adaptation, and collaboration. Although these
new features resolve some problems, they also present new challenges. For
example, the energy consumption of CWSNs increases and there are new security
threats.
As Section 1.3 shows, security in CWSNs is an important field that should
be considered if these networks are going to be part of critical applications such
as e-health, military scenarios, or infrastructure monitoring. The communication
improvements that cognitive networks bring to these applications cannot be
compromised by a lack of security. Nevertheless, the same cognitive features such
as spectrum sensing, collaboration, and adaptation could be used to improve
security.
The related work in security for CWSNs has been studied in Chapter 2. As
this chapter showed, security in CWSNs is a new area that has not been deeply
investigated. New threats such as the PUE attack, policy attacks, or attacks against
privacy require more attention if these networks are going to control critical
systems. The development of new frameworks, the study of the restrictions and
side effects, and the research in new security strategies are some aspects that this
thesis emphasizes for the future of the CWSNs.
In this thesis, we have proposed two strategies in order to mitigate the PUE
attack and the eavesdropping attack. The first strategy, a new approach for
detecting PUE attacks on CWSNs, has been described in Section 3.3. The strategy
is based on anomaly detection and cognitive features such as sensing, learning
and collaboration. A cognitive simulator and a cognitive testbed have been used to
develop the scenarios that prove that collaboration is essential for good anomaly
detection. The results have been presented in Sections 5.3.1 and 5.3.2. Different
layers of cognitive architecture implement the tasks needed to achieve the final
objective: PUE detection. Cognitive nodes sense the spectrum and create neighbor
profiles in order to model their behavior. The information stored on the repository
module is used to warn other nodes about anomalous data. The optimizer module
is responsible for filtering the information and collaborating with other nodes. If
the collaborative nodes are over 20 % of the total, the PUE attack detection has
satisfactory results with 99 % of attacks being detected and a false positive rate near
0 % (independently of the number of nodes in the scenario).
Two algorithms have been implemented in a CWSN: CUSUM and data
clustering. Of the two, CUSUM is the simplest one and uses fewer resources.
However, data clustering is more suitable for dynamic or complex scenarios. Both
have been demonstrated to be valid in order to detect PUE attack anomalies.
On the other hand, in this thesis the effect of some common features of CWSNs
in the anomaly detection techniques for PUE attacks has been studied. This thesis
describes the most important side effects provoked by the node’s mobility, the
wireless path loss, the addition of nodes to the network, VCC imperfections, and
spectrum sensing data errors, and how they can affect the detection of PUE attacks.
In order to complete this study, we have developed multiple scenarios to be
tested in the cognitive simulator and the cognitive test-bed. Both the simulated
and real tests indicate that the algorithms are capable of detecting the PUE attack.
However, there are some differences in the results, which have been analyzed for
the data clustering algorithm in Section 5.3.2. The results of Section 5.3.4 indicate
that some features of the network significantly affect the performance of anomaly
detection algorithms. Node mobility, specifically in the PUE attacker, along with
losses in the VCC produce the worst effects in anomaly detection techniques. On
the other hand, the algorithm can tolerate errors in the spectrum sensing data.
Primary user emulation detection using anomaly detection strategies and
cognitive features has been demonstrated, but some problems remain. For example,
the limitations in battery life and processing resources make these strategies
possible. However, in extreme scenarios with a lot of mobility, noise, or changes in
the environment, more robust strategies are needed. These results can be useful for
many tasks such as calibrating the parameters of the anomaly detection techniques
in CWSNs or designing a real security mechanism in a real application.
The second strategy consists of the evaluation, energy consumption optimization,
and spectrum scarcity analysis of a cooperative artificial noise injection strategy
for physical-layer security in multiuser CWSNs. This strategy is designed as a
supplement to encryption at higher
layers. The generation of artificial noise makes the extraction of information from
the spectrum difficult, and it complements the upper layer security mechanisms,
such as cryptography. Thus, it makes the decryption process of a noisy signal more
difficult.
According to the CWSN scenario, it is necessary to optimize the noise
generation. Because of the nature of a CWSN, noise affects its power consumption
and spectrum occupancy. Cooperative artificial noise strategies with assistance
from external helpers or inactive neighboring nodes are seen to be highly effective
for increasing the secrecy of the transmitted data. Of course, a trade-off between
energy consumption (additional sensor power consumption spent on transmission
of noise), spectrum scarcity, and security level is necessary.
A cognitive simulation framework has been used to simulate the different
scenarios. The eavesdropper attack model has always been the same. The work is
focused on the artificial noise strategy and on energy optimization, but it will be
interesting to conduct a study with different attack models in the future.
From the simulation results, we have shown that there are different optimum
solutions according to an objective function with different weights for energy
consumption, spectrum scarcity, and security.
As noted in the introduction, the development of a cognitive framework for
CWSNs is essential for the improvement of CWSNs. The framework (Chapter 4) has
two parts: the simulator for CWSNs and the cognitive new generation device. The
simulator is based on Castalia but several parts have been changed to incorporate
new cognitive capabilities. It is important to enhance the new cognitive radio
module, which implements the most important cognitive features such as learning
or adaptation. The radio layer has been improved to allow multiple interfaces and
channels in the nodes and to improve spectrum sensing. However, application level
and scenario definitions continue with the same structure to make the development
of cognitive networks easier.
Three scenarios have been implemented as proofs of concept about new
cognitive features, such as multiple interfaces and channels in nodes, interference
depending on the bandwidth, optimization, learning, and collaboration. The first
scenario validates the mobility of the nodes, the use of multiple interfaces and
channels, and the interferences. The second scenario represents how a policy affects
the behavior and how the nodes use the VCC to share information. The third
scenario is a complex simulation where all the cognitive features of the simulator
are used. The results show how new concepts have been integrated in the simulator
with good results.
The presented cNGD provides a versatile platform for CWSN
development and deployment. Combining hardware and software modules, it
offers a flexible modular design that is widely adaptable across the range of CWSN
applications. The sort of device shown here features some novel properties with
respect to other current CWSN devices, such as its capability to communicate over
three different ISM RF bands.
The hardware fits the conditions and requirements of CWSN environments. Low
power consumption, size, and cost limitations are taken into account in order to
achieve real test-benching purposes, application development, or even complete
implementations.
In conclusion, we can say that the presented strategies to improve the security
in CWSNs using new cognitive features have been validated in this thesis. This was
the main objective that we defined in Section 1.4. The development of the cognitive
tools is a secondary contribution that has been necessary in order to get the results
presented in Section 5.
The complete research performed in this thesis has been influenced by the
limitations of WSNs and the acquired cognitive features. The improvement of
security in CWSNs in the future will be marked by the growth of this sector,
improvements in processing resources in the wireless platforms, and longer
battery life. If such predictions hold true, the security of CWSNs will be improved
considerably.
The development of better cognitive tools will be the first real step toward using
these networks in more real applications. Without this development, the research
community could not improve the cognitive solutions. The future solutions described in
Section 2.5 could be developed into better frameworks with higher resources and
fewer limitations.
6.2. Future work
This thesis has proposed the first step in security for CWSNs. Because this field is
interesting and necessary for their use in critical applications, future research lines
should be considered.
The first one, and the most important one, is the development and testing of
these strategies in a real environment. The cognitive simulator implemented in this
thesis is the first cognitive tool and makes the first step of the research project
possible. However, the cognitive platform has only been used to test a limited
scenario of PUE attack detection as explained in Sections 5.3.2 and 5.3.3. Future
tests would bring results that feed back to the simulator and the countermeasures
design.
The most important restriction in a real environment is energy consumption. The
use of complex applications, the cognitive layer, and above all, the use of multiple
wireless interfaces render the energy saving policy very important. Therefore, the
improvement of the policy and optimizer modules is an interesting future work.
The combination of multiple policies such as security and energy saving will change
the behavior of the system as we have introduced in Section 5.4.1. But the energy
saving policy is not the only interesting restriction for security purposes. The
spectrum use and the application are also very important.
Finally, the development of new promising security strategies is proposed as
future work. As we have explained in Section 2.5.3, game theory is one of
the most promising approaches for security in other cognitive radio fields. Some
security attacks and countermeasures could be formulated as a game and the
complete optimizer module could be a general game. For example, a good security
strategy against DoS attacks could be formulated with game theory. This game
would take into account the cost to change the channel or the retransmissions. Our
second approach, the artificial noise strategy, could be formulated as a game where
the cost to inject noise, the security level, and the energy consumption would be the
parameters that define the equilibrium.
References
[1] C. S. Inc, “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast
Update, 2013-2018,” tech. rep., 2014.
[2] I. Howitt and J. Gutierrez, “IEEE 802.15.4 low rate - wireless personal
area network coexistence issues,” in 2003 IEEE Wireless Communications and
Networking, 2003. WCNC 2003., vol. 3, pp. 1481–1486, IEEE, 2003.
[3] D. Cavalcanti, R. Schmitt, and A. Soomro, “Achieving Energy Efficiency
and QoS for Low-Rate Applications with 802.11e,” in 2007 IEEE Wireless
Communications and Networking Conference, pp. 2143–2148, IEEE, 2007.
[4] IEEE, “IEEE Draft Standard for Local and Metropolitan Area Networks
- Specific Requirements - Part 11: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) Specifications - Amendment 3:
Enhancements for Very High Throughput in the 60 GHz Band,” 2012.
[5] C. Evans-Pughe, “Bzzzz zzz [ZigBee wireless standard],” IEE Review, vol. 49,
pp. 28–31, mar 2003.
[6] FCC, “Memorandum Opinion and Order for the use of white space for
unlicensed wireless devices,” tech. rep., 2010.
[7] T. Yucek and H. Arslan, “A survey of spectrum sensing algorithms for
cognitive radio applications,” IEEE Communications Surveys & Tutorials,
vol. 11, no. 1, pp. 116–130, 2009.
203
204
R EFERENCES
[8] D. Cavalcanti, S. Das, and K. Challapali, “Cognitive Radio Based Wireless
Sensor Networks,” in 2008 Proceedings of 17th International Conference on
Computer Communications and Networks, pp. 1–6, IEEE, aug 2008.
[9] T. Lu, X. Guo, Y. Li, Y. Peng, X. Zhang, F. Xie, and Y. Gao, “Cyberphysical
Security for Industrial Control Systems Based on Wireless Sensor Networks,”
International Journal of Distributed Sensor Networks, vol. 2014, pp. 1–17, 2014.
[10] Enisa, “Protecting Industrial Control Systems,” p. 81, 2011.
[11] P. Kumar and H.-J. Lee, “Security Issues in Healthcare Applications Using
Wireless Medical Sensor Networks: A Survey,” Sensors, vol. 12, no. 1, pp. 55–
91, 2011.
[12] “Horizon 2020 - work programme 2014-2015,” tech. rep., European
Commission, 2014.
[13] “Internet of Things: The Future of Business Technology,” tech. rep., European
Commision, 2014.
[14] S. S. Al-Wakeel and S. a. AL-Swailem, “PRSA: A Path Redundancy Based
Security Algorithm for Wireless Sensor Networks,” in 2007 IEEE Wireless
Communications and Networking Conference, pp. 4156–4160, IEEE, 2007.
[15] S. M. Mishra, A. Sahai, and R. W. Brodersen, “Cooperative Sensing among
Cognitive Radios,” vol. 00, no. c, pp. 1658–1663, 2006.
[16] Centers for Medicare & Medicaid Services, “Selecting a development
approach,” Centers for Medicare & Medicaid Services, pp. 1–10, 2008.
[17] Y.-S. Shiu, S. Chang, H.-C. Wu, S. Huang, and H.-H. Chen, “Physical layer
security in wireless networks: a tutorial,” IEEE Wireless Communications,
vol. 18, pp. 66–74, apr 2011.
R EFERENCES
205
[18] J. L. Burbank, “Security in Cognitive Radio Networks: The Required
Evolution in Approaches to Wireless Network Security,” in 2008 3rd
International Conference on Cognitive Radio Oriented Wireless Networks and
Communications (CrownCom 2008), no. Reference 2, pp. 1–7, IEEE, may 2008.
[19] A. S. Zahmati, S. Hussain, X. Fernando, and A. Grami, “Cognitive Wireless
Sensor Networks: Emerging topics and recent challenges,” in 2009 IEEE
Toronto International Conference Science and Technology for Humanity (TIC-STH),
pp. 593–596, IEEE, sep 2009.
[20] T. C. Clancy and N. Goergen, “Security in Cognitive Radio Networks:
Threats and Mitigation,” in 2008 3rd International Conference on Cognitive Radio
Oriented Wireless Networks and Communications (CrownCom 2008), pp. 1–8,
IEEE, may 2008.
[21] Y. Zhang, G. Xu, and X. Geng, “Security Threats in Cognitive Radio
Networks,” in 2008 10th IEEE International Conference on High Performance
Computing and Communications, pp. 1036–1041, IEEE, sep 2008.
[22] D. R. Raymond, R. C. Marchany, and S. F. Midkiff, “Scalable, Cluster-based
Anti-replay Protection for Wireless Sensor Networks,” in 2007 IEEE SMC
Information Assurance and Security Workshop, pp. 127–134, IEEE, jun 2007.
[23] H.-M. Sun, S.-P. Hsu, and C.-M. Chen, “Mobile Jamming Attack and
its Countermeasure in Wireless Sensor Networks,” in 21st International
Conference on Advanced Information Networking and Applications Workshops
(AINAW’07), vol. 1, pp. 457–462, IEEE, 2007.
[24] S. Prasad and D. J. Thuente, “Jamming attacks in 802.11g - A cognitive radio
based approach,” 2011 - MILCOM 2011 Military Communications Conference,
pp. 1219–1224, nov 2011.
[25] Q. Peng, P. C. Cosman, and L. B. Milstein, “Spoofing or jamming: Performance
206
R EFERENCES
analysis of a tactical cognitive radio adversary,” IEEE Journal on Selected Areas
in Communications, vol. 29, pp. 903–911, apr 2011.
[26] Y. Tan, S. Sengupta, and K. P. Subbalakshmi, “Analysis of coordinated denialof-service attacks in IEEE 802.22 networks,” IEEE Journal on Selected Areas in
Communications, vol. 29, pp. 890–902, apr 2011.
[27] R. C. R. Chen, J.-M. P. J.-M. Park, Y. Hou, and J. Reed, “Toward
secure distributed spectrum sensing in cognitive radio networks,” IEEE
Communications Magazine, vol. 46, pp. 50–55, apr 2008.
[28] P. Reindl, K. Nygard, and X. Du, “Defending malicious collision attacks in
wireless sensor networks,” in Proceedings - IEEE/IFIP International Conference
on Embedded and Ubiquitous Computing, EUC 2010, pp. 771–776, IEEE, dec 2010.
[29] R. Chen and J.-M. Park, “Ensuring Trustworthy Spectrum Sensing in
Cognitive Radio Networks,” 2006 1st IEEE Workshop on Networking
Technologies for Software Defined Radio Networks, pp. 110–119, sep 2006.
[30] B. Naqvi, I. Rashid, F. Riaz, and B. Aslam, “Primary user emulation attack
and their mitigation strategies: A survey,” in Conference Proceedings - 2013
2nd National Conference on Information Assurance, NCIA 2013, no. 2, pp. 95–100,
IEEE, dec 2013.
[31] Z. Jin, S. Anand, and K. P. Subbalakshmi, “Detecting Primary User Emulation
Attacks in Dynamic Spectrum Access Networks,” in 2009 IEEE International
Conference on Communications, vol. 60, pp. 1–5, IEEE, jun 2009.
[32] X. Luo, X. Ji, and M.-S. Park, “Location Privacy against Traffic Analysis
Attacks in Wireless Sensor Networks,” Information Science and Applications
(ICISA), 2010 International Conference on, pp. 1–6, 2010.
[33] Z. Shu, Y. Qian, and S. Ci, “On physical layer security for cognitive radio
networks,” IEEE Network, vol. 27, pp. 28–33, may 2013.
R EFERENCES
207
[34] V. C. Manju, S. L. Senthil Lekha, and M. Sasi Kumar, “Mechanisms
for detecting and preventing denial of sleep attacks on wireless sensor
networks,” in 2013 IEEE CONFERENCE ON INFORMATION AND
COMMUNICATION TECHNOLOGIES, no. Ict, pp. 74–77, IEEE, apr 2013.
[35] G. Baldini, V. Rakovic, V. Atanasovski, and L. Gavrilovska, “Security aspects
of policy controlled cognitive radio,” in 2012 5th International Conference on
New Technologies, Mobility and Security - Proceedings of NTMS 2012 Conference
and Workshops, pp. 1–5, Ieee, may 2012.
[36] S. Haykin, “Cognitive radio: Brain-empowered wireless communications,”
IEEE Journal on Selected Areas in Communications, vol. 23, pp. 201–220, feb 2005.
[37] A. Wyner, “The wire-tap channel,” Bell System Technical Journal, The, 1975.
[38] S. Leung-Yan-Cheong and M. Hellman, “The Gaussian wire-tap channel,”
IEEE Transactions on Information Theory, vol. 24, pp. 451–456, jul 1978.
[39] I. Csiszar and J. Korner, “Broadcast channels with confidential messages,”
IEEE Transactions on Information Theory, vol. 24, pp. 339–348, may 1978.
[40] J. Barros and M. D. Rodrigues, “Secrecy Capacity of Wireless Channels,” in
2006 IEEE International Symposium on Information Theory, pp. 356–360, IEEE,
jul 2006.
[41] Y. Pei, Y.-c. Liang, L. Zhang, K. Teh, and K. Li, “Secure communication
over MISO cognitive radio channels,” IEEE Transactions on Wireless
Communications, vol. 9, pp. 1494–1502, apr 2010.
[42] C. Zhao, W. Wang, L. Huang, and Y. Yao, “Anti-PUE Attack Base on
the Transmitter Fingerprint Identification in Cognitive Radio,” in 2009 5th
International Conference on Wireless Communications, Networking and Mobile
Computing, pp. 1–5, IEEE, sep 2009.
208
R EFERENCES
[43] N. T. Nguyen, R. Zheng, and Z. Han, “On Identifying Primary User
Emulation Attacks in Cognitive Radio Systems Using Nonparametric
Bayesian Classification,” IEEE Transactions on Signal Processing, vol. 60,
pp. 1432–1445, mar 2012.
[44] C. Coghill, S. U. Rehman, and K. W. Sowerby, “Radio-frequency
fingerprinting for mitigating primary user emulation attack in low-end
cognitive radios,” IET Communications, vol. 8, pp. 1274–1284, may 2014.
[45] W. C. S. II, M. A. Temple, M. J. Mendenhall, and R. F. Mills, “Radio frequency
fingerprinting commercial communication devices to enhance electronic
security,” International Journal of Electronic Security and Digital Forensics, vol. 1,
p. 301, oct 2008.
[46] X. Li and E. Ratazzi, “MIMO transmissions with information-theoretic secrecy
for secret-key agreement in wireless networks,” Military Communications
Conference, 2005. . . . , pp. 1–7, 2005.
[47] C. R. Aguayo Gonzalez and J. H. Reed, “Detecting unauthorized software
execution in SDR using power fingerprinting,” in Proceedings - IEEE Military
Communications Conference MILCOM, pp. 2211–2216, Ieee, oct 2010.
[48] C. N. Mathur and K. P. Subbalakshmi, “Digital signatures for centralized DSA
networks,” in 2007 4th Annual IEEE Consumer Communications and Networking
Conference, CCNC 2007, pp. 1037–1041, Ieee, jan 2007.
[49] Y. Hwang and H. Papadopoulos, “Physical-Layer Secrecy in AWGN via a
Class of Chaotic DS/SS Systems: Analysis and Design,” IEEE Transactions on
Signal Processing, vol. 52, pp. 2637–2649, sep 2004.
[50] T.-H. Chang, Y.-W. P. Hong, and C.-Y. Chi, “Training Signal Design for
Discriminatory Channel Estimation,” in GLOBECOM 2009 - 2009 IEEE Global
Telecommunications Conference, pp. 1–6, IEEE, nov 2009.
R EFERENCES
209
[51] A. Petropulu and H. Poor, “Improving Wireless Physical Layer Security via
Cooperating Relays,” IEEE Transactions on Signal Processing, vol. 58, pp. 1875–
1888, mar 2010.
[52] Yongle Wu, K. J. R. Liu, and Y. Wu, “An Information Secrecy Game in
Cognitive Radio Networks,” IEEE Transactions on Information Forensics and
Security, vol. 6, pp. 831–842, sep 2011.
[53] L. Zhu and H. Mao, “Research on Authentication Mechanism of Cognitive
Radio Networks Based on Certification Authority,” in 2010 International
Conference on Computational Intelligence and Software Engineering, pp. 1–5, IEEE,
dec 2010.
[54] W. Alhakami, A. Mansour, G. A. Safdar, and S. Albermany, “A secure MAC
protocol for Cognitive Radio Networks (SMCRN),” in Science and Information
Conference (SAI), pp. 796–803, 2013.
[55] G. A. Safdar and M. OÑeill, “Common Control Channel Security Framework
for Cognitive Radio Networks,” in VTC Spring 2009 - IEEE 69th Vehicular
Technology Conference, pp. 1–5, IEEE, apr 2009.
[56] S. Parvin and F. K. Hussain, “Digital Signature-Based Secure Communication
in Cognitive Radio Networks,” 2011 International Conference on Broadband and
Wireless Computing, Communication and Applications, pp. 230–235, oct 2011.
[57] S. Parvin, S. Han, B. Tian, and F. K. Hussain, “Trust-Based Authentication
for Secure Communication in Cognitive Radio Networks,” 2010 IEEE/IFIP
International Conference on Embedded and Ubiquitous Computing, pp. 589–596,
dec 2010.
[58] R. Shaukat, S. A. Khan, and A. Ahmed, “Augmented Security in IEEE
802.22 MAC Layer Protocol,” 2008 4th International Conference on Wireless
Communications, Networking and Mobile Computing, pp. 1–4, oct 2008.
210
R EFERENCES
[59] H. Wu, N. Hui, X. Zhou, and B. Bai, “Puzzle-based selfish behavior
punishment mechanism of MAC layer in cognitive radio networks,” Wireless,
Mobile and Multimedia Networks (ICWMNN 2010), IET 3rd International
Conference on, pp. 213 – 216, 2010.
[60] T. Aura, P. Nikander, and J. Leiwo, “DOS-resistant authentication with client
puzzles,” in Security Protocols, pp. 170–177, 2001.
[61] M. A. Shah, G. A. Safdar, and C. Maple, “DDH-MAC: A novel Dynamic DeCentralized Hybrid MAC protocol for Cognitive Radio Networks,” in 2011
RoEduNet International Conference 10th Edition: Networking in Education and
Research, pp. 1–6, IEEE, jun 2011.
[62] R. Chen, J.-M. Park, and J. Reed, “Defense against Primary User Emulation
Attacks in Cognitive Radio Networks,” IEEE Journal on Selected Areas in
Communications, vol. 26, pp. 25–37, jan 2008.
[63] Z. Chen, T. Cooklev, and C. Pomalaza-Raez, “Modeling primary user
emulation attacks and defenses in cognitive radio networks,” in 2009
IEEE 28th International Performance Computing and Communications Conference,
pp. 208–215, IEEE, dec 2009.
[64] Z. Yuan, D. Niyato, H. Li, and Z. Han, “Defense against primary user
emulation attacks using belief propagation of location information in
cognitive radio networks,” in 2011 IEEE Wireless Communications and
Networking Conference, pp. 599–604, IEEE, mar 2011.
[65] L. Huang, L. Xie, H. Yu, W. Wang, and Y. Yao, “Anti-PUE Attack Based on
Joint Position Verification in Cognitive Radio Networks,” 2010 International
Conference on Communications and Mobile Computing, pp. 169–173, apr 2010.
[66] T.-W. Wu, Y.-E. Lin, and H.-Y. Hsieh, “Modeling and Comparison of
Primary User Detection Techniques in Cognitive Radio Networks,” in IEEE
R EFERENCES
211
GLOBECOM 2008 - 2008 IEEE Global Telecommunications Conference, pp. 1–5,
IEEE, 2008.
[67] Z. M. Fadlullah, H. Nishiyama, N. Kato, and M. M. Fouda, “Intrusion
detection system (IDS) for combating attacks against cognitive radio
networks,” IEEE Network, vol. 27, pp. 51–56, may 2013.
[68] H. Yu, Z. Shen, and C. Miao, “A survey of trust and reputation management
systems in wireless communications,” Proceedings of the . . . , vol. 98, no. 10,
pp. 1755–1772, 2010.
[69] T. Zhang, R. Safavi-Naini, and Z. Li, “ReDiSen: Reputation-based secure
cooperative sensing in distributed cognitive radio networks,” Communications
(ICC), 2013 . . . , pp. 2601–2605, 2013.
[70] D. Du, “Soft Reputation-Based Secure Cooperative Spectrum Sensing,” 2012
International Conference on Computer Science and Electronics Engineering, vol. 0,
pp. 463–467, mar 2012.
[71] T. Qin, H. Yu, C. Leung, Z. Shen, and C. Miao, “Towards a trust aware
cognitive radio architecture,” ACM SIGMOBILE Mobile . . . , vol. 13, no. 2, 2009.
[72] R. B. Myerson, Game theory. Analysis of conflict. Harvard University Press,
1997.
[73] M. Yan, L. Du, L. Huang, L. Xiao, and J. Tang, “Game-Theoretic Approach
against Selfish Attacks in Cognitive Radio Networks,” 2011 10th IEEE/ACIS
International Conference on Computer and Information Science, pp. 58–61, may
2011.
[74] Quanyan Zhu, Ju Bin Song, and T. Basar, “Dynamic Secure Routing
Game in Distributed Cognitive Radio Networks,” in 2011 IEEE Global
Telecommunications Conference - GLOBECOM 2011, pp. 1–6, IEEE, dec 2011.
212
R EFERENCES
[75] Y. Tan, S. Sengupta, and K. Subbalakshmi, “Primary user emulation attack
in dynamic spectrum access networks: a game-theoretic approach,” IET
Communications, vol. 6, no. 8, p. 964, 2012.
[76] S. Alrabaee, A. Agarwal, D. Anand, and M. Khasawneh, “Game Theory
for Security in Cognitive Radio Networks,” 2012 International Conference on
Advances in Mobile Network, Communication and Its Applications, pp. 60–63, aug
2012.
[77] Y. Xue, S. L. Ho, M. Yang, P. Kumarawadu, H. H. Ghenniwa, and W. Shen,
“Performance evaluation of NS-2 simulator for wireless sensor networks,”
Canadian Conference on Electrical and Computer Engineering, pp. 1372–1375,
2007.
[78] E. Weingartner, H. vom Lehn, and K. Wehrle, “A Performance Comparison
of Recent Network Simulators,” in 2009 IEEE International Conference on
Communications, pp. 1–5, IEEE, jun 2009.
[79] A. Al-Ali and K. Chowdhury, “Simulating dynamic spectrum access using ns3 for wireless networks in smart environments,” in 2014 Eleventh Annual IEEE
International Conference on Sensing, Communication, and Networking Workshops
(SECON Workshops), no. iv, pp. 28–33, IEEE, jun 2014.
[80] P. Levis, N. Lee, M. Welsh, and D. Culler, “TOSSIM: accurate and scalable
simulation of entire TinyOS applications,” in Proceedings of the 1st international
conference on Embedded networked sensor systems, pp. 126–137, 2003.
[81] L. Girod, N. Ramanathan, J. Elson, T. Stathopoulos, M. Lukac, and
D. Estrin, “Emstar: A software environment for developing and deploying
heterogeneous sensor-actuator networks,” 2007.
[82] G. Pongor, “OMNeT: Objective Modular Network Testbed,” pp. 323–326, jan
1993.
R EFERENCES
213
[83] X. Xian, W. Shi, and H. Huang, “Comparison of OMNET++ and other
simulator for WSN simulation,” in 2008 3rd IEEE Conference on Industrial
Electronics and Applications, ICIEA 2008, pp. 1439–1443, 2008.
[84] M. Imran, A. M. Said, and H. Hasbullah, “A survey of simulators, emulators
and testbeds for wireless sensor networks,” Proceedings 2010 International
Symposium on Information Technology - Engineering Technology, ITSim’10, vol. 2,
pp. 897–902, 2010.
[85] P. Lee and G. Wei, “NS2 Model for Cognitive Radio Networks Routing,” in
2009 International Symposium on Computer Network and Multimedia Technology,
pp. 1–4, IEEE, dec 2009.
[86] C. T. Chigan, “Cognitive Radio Cognitive Network Simulator,” 2008.
[87] N. Uchida, G. Sato, K. Takahata, and Y. Shibata, “Optimal route selection
method with Satellite System for Cognitive Wireless Network in Disaster
Information Network,” Proceedings - International Conference on Advanced
Information Networking and Applications, AINA, pp. 23–29, 2011.
[88] S. Y. Hung, Y. C. Cheng, E. H. K. Wu, and G. H. Chen, “An opportunistic
cognitive MAC protocol for coexistence with WLAN,” IEEE International
Conference on Communications, pp. 4059–4063, 2008.
[89] X. Tian, T. Tian, and S. Li, “A Network Simulation Platform for Hierarchical
Spectrum Sharing Based Cognitive Radio Network,” 2010 International
Conference on Computational and Information Sciences, no. 2008, pp. 613–617,
2010.
[90] M. Zhan, P. Ren, and M. Gong, “An Open Software Simulation Platform for
Cognitive Radio,” WiCOM, pp. 1–4, 2010.
[91] S. Wang, H. Liu, L. Xie, and W. Hu, “Cognitive radio simulation environment
realization based on autonomic communication,” 2011 IEEE 3rd International
214
R EFERENCES
Conference on Communication Software and Networks, ICCSN 2011, pp. 402–407,
2011.
[92] V. Handziski, A. Köpke, A. Willig, and A. Wolisz, “TWIST: A Scalable
and Reconfigurable Testbed for Wireless Indoor Experiments with Sensor
Networks,” Proceedings of the 2nd international workshop on Multi-hop ad hoc
networks: from theory to reality (REALMAN 2006), pp. 63–70, 2006.
[93] T. R. Newman, A. He, J. Gaeddert, B. Hilburn, T. Bose, and J. H. Reed,
“Virginia tech cognitive radio network testbed and open source cognitive
radio framework,” T5th International Conference on Testbeds and Research
Infrastructures for the Development of Networks & Communities and Workshops,
2009. TridentCom 2009., pp. 1–3, 2009.
[94] L. A. Da Silva, L. Doyle, D. Finn, J. Tallon, I. Moerman, and S. Bouckaer,
“CREW: Building a Cognitive Radio Federation,” in IC0902, 2010.
[95] D. Raychaudhuri, I. Seskar, M. Ott, S. Ganu, K. Ramachandran, H. Kremo,
R. Siracusa, H. Liu, and M. Singh, “Overview of the ORBIT radio grid testbed
for evaluation of next-generation wireless network protocols,” IEEE Wireless
Communications and Networking Conference, 2005, vol. 3, pp. 1664–1669, 2005.
[96] T. Rault, A. Bouabdallah, and Y. Challal, “Energy efficiency in wireless sensor
networks: A top-down survey,” Computer Networks, vol. 67, pp. 104–122, 2014.
[97] A. Parsa, A. O. Ercan, P. Malagon, F. Burghardt, J. M. Rabaey, and A. Wolisz,
“Connectivity brokerage: From coexistence to collaboration,” in 2010 IEEE
Radio and Wireless Symposium, RWW 2010 - Paper Digest, pp. 488–491, 2010.
[98] S. J. C. Y.-K. L. Tran Van Phuong Le Xuan Hung, S. J. C. Y.-K. L. Tran
Van Phuong Le Xuan Hung, S. Lee, and S. Lee, “An Anomaly Detection
Algorithm for Detecting Attacks in Wireless Sensor Networks,” in Intelligence
and Security Informatics, vol. 3975, pp. 735–736, 2006.
[99] S. Rajasegarar, C. Leckie, and M. Palaniswami, “Anomaly detection in
wireless sensor networks,” IEEE Wireless Communications, vol. 15, pp. 34–40,
aug 2008.
[100] S. Boriah, V. Chandola, and V. Kumar, “Similarity measures for categorical
data: A comparative evaluation,” International Conference on Data Mining,
pp. 243–254, 2008.
[101] Y. Sani, A. Mohamedou, K. Ali, A. Farjamfar, M. Azman, and S. Shamsuddin,
“An overview of neural networks use in anomaly intrusion detection
systems,” in SCOReD2009 - Proceedings of 2009 IEEE Student Conference on
Research and Development, no. SCOReD, pp. 89–92, 2009.
[102] Z. Banković, J. Moya, and Á. Araujo, “Distributed intrusion detection system
for wireless sensor networks based on a reputation system coupled with
kernel self-organizing maps,” Integrated Computer- . . . , vol. 17, pp. 87–102,
2010.
[103] M. G. M. Gao and J. T. J. Tian, “Wireless Sensor Network for Community
Intrusion Detection System Based on Improved Genetic Algorithm Neural
Network,” 2009 International Conference on Industrial and Information Systems,
pp. 201–204, 2009.
[104] A. K. Jain, M. N. Murty, and P. J. Flynn, “Data clustering: a review,” ACM
Computing Surveys, vol. 31, pp. 264–323, sep 1999.
[105] M. Inaba, N. Katoh, and H. Imai, “Applications of weighted Voronoi
diagrams and randomization to variance-based k-clustering,” in Proceedings
of the tenth annual symposium on Computational geometry - SCG ’94, (New York,
New York, USA), pp. 332–339, ACM Press, 1994.
[106] Theodore S. Rappaport, Wireless Communications: Principles and Practice.
Prentice Hall, 1996.
[107] D. C. Tucker and G. A. Tagliarini, “Prototyping with GNU radio and the USRP
- where to begin,” in IEEE Southeastcon 2009, pp. 50–54, IEEE, mar 2009.
[108] X. Zhou and M. R. McKay, “Secure Transmission With Artificial Noise Over
Fading Channels: Achievable Rate and Optimal Power Allocation,” IEEE
Transactions on Vehicular Technology, vol. 59, pp. 3831–3842, oct 2010.
[109] J. Blesa, E. Romero, J. C. Vallejo, D. Villanueva and A. Araujo, “A cognitive
simulator for wireless sensor networks,” in 5th International Symposium of
Ubiquitous Computing and Ambient Intelligence (UCAMI ’11), 2011.
[110] “IEEE Standard for Local and metropolitan area networks, IEEE 802.15.4,”
2011.
[111] M. Ilavsky and R. Jaksa, “Interactive evolution of graphical user
interface with GTK toolkit,” 2011 2nd International Conference on Cognitive
Infocommunications (CogInfoCom), pp. 1–6, 2011.
List of Acronyms
BS Base Station.
CAgent Connectivity Agent.
CCC Common Control Channel.
cNGD Cognitive Next Generation Device.
CPS Cyber-Physical System.
CR Cognitive Radio.
CRN Cognitive Radio Network.
CSI Channel State Information.
CUSUM Cumulative Sum.
CWSN Cognitive Wireless Sensor Network.
DoS Denial of Service.
ENISA European Network and Information Security Agency.
FCC Federal Communications Commission.
GPIO General Purpose Input-Output.
GUI Graphical User Interface.
I2C Inter-Integrated Circuit.
ICS Industrial Control System.
IEEE Institute of Electrical and Electronics Engineers.
ISM Industrial, Scientific and Medical.
LED Light-Emitting Diode.
M2M Machine-to-machine.
MAC Medium Access Control.
MCLR Master Clear.
MCU Microcontroller.
MIMO Multiple-Input Multiple-Output.
PU Primary User.
PUE Primary User Emulator.
PUEA Primary User Emulation Attack.
QoS Quality of Service.
RF Radio Frequency.
RI Radio Interface.
RSSI Received Signal Strength Indication.
SCADA Supervisory Control and Data Acquisition.
SDR Software-Defined Radio.
SNR Signal to Noise Ratio.
SPI Serial Peripheral Interface.
SSDF Spectrum Sensing Data Falsification.
SU Secondary User.
TUL Total Utility Loss.
UART Universal Asynchronous Receiver-Transmitter.
USB Universal Serial Bus.
USRP Universal Software Radio Peripheral.
VCC Virtual Control Channel.
WLAN Wireless Local Area Network.
WPAN Wireless Personal Area Network.
WRAN Wireless Regional Area Network.
WSN Wireless Sensor Network.