Dynamic Spectrum Access Security Issues


Presentation Transcript


  1. Dynamic Spectrum Access Security Issues Timothy R. Newman, Ph.D. Virginia Tech

  2. Dynamic Spectrum Access • What is DSA? • Dynamically changing channel in response to environmental stimuli • Why do we want DSA? • Commercial: Inefficient spectrum usage • Military: Ease spectrum management tasks, avoid jamming

  3. DSA Current State • Where is DSA technology currently at? • DARPA XG radio program has come and gone • WNaN program now pushing SOME development • No REAL deployment of these radios yet • Commercial companies now involved • Microsoft, Google, Dell, HP, Intel, Philips, Samsung, … • First “white space” network in Oct. 2009, Claudville, VA. • No adaptation but it’s a first step • Estimate at least 7-9 solid prototype DSA systems exist

  4. DSA Current State • Where is DSA technology currently at? (cont.) • Majority of the current prototype devices use energy detection techniques for signal detection • Final consensus – TRL 6 • What’s next for DSA? • Army purchase WNaN radios for deployment? • SSC integrating DSA technology with ARGON’s HyNET wireless mesh network system (US Army) • Ultimate white space network deployed for WORLDWIDE broadband access!!!

  5. Cognitive Radio and DSA Security • CR security is slowly coming into focus for academia and industry • SDR Forum session devoted to CR/SDR security • Publications with CR/SDR security topics are on the rise • Two DARPA programs on CR/SDR security proposed • Security research for CR/SDR is still largely overlooked • XG program had NO output related to security of DSA protocols • None of the current prototypes have any DSA specific security features

  6. DSA Radio Security Analysis • What are the primary DSA security issues? • Primary User Emulation • Spoofing the intended primary user • Spectral Honey Pot threats • Forcing the victim DSA radio to operate on a specific channel • DSA DoS threats • “I can sense and hop faster than you!”– PHY level threat • LPD jamming – Waveform level threat

  7. Primary User Emulation • PUE threat is the baseline for many other DSA related attacks • Once you can manipulate the radio the floodgates are open, you’ve got root!! • Classifiers and Detectors are all over and have been for a long time • DSA brings a new twist – Detection/Classification affects communication parameters • Energy Detection is usually “settled” for to gain low complexity and processing speed • Problem now: Any error is a possible hole

  8. Primary User Emulation

  9. Primary User Emulation

  10. Primary User Emulation • Remember XG Motto: “No Harm” • This can guarantee no interference but cannot guarantee security of DSA system • DSA algorithms commonly focus on maximizing Pd • Pd is the probability the PU is detected when it is there • Pd = 100% is still not secure!! • This is what REALLY gets overlooked

  11. Spectral Honeypot • Objective is to manipulate a signal into a specific channel in order to have a better chance of exploitation • Simplistic approach will simply emulate a primary user until the user jumps to the target channel • Advanced approaches take advantage of the DSA algorithm by manipulating other portions of the environment

  12. DSA Denial of Service • Straightforward DSA DoS – Sense and Hop faster than the receivers • DSA radio networks must rendezvous on another channel if a PU appears • What if a PU appears before network can rendezvous? • Waveform level • DSA algorithms commonly interleave the sensing and communication • Synchronize and jam only the communication time blocks

  13. Analyzing a Real Radio! • Shared Spectrum DSA2100 – WiMAX DSA Radio • Phase 3 contractor for DARPA XG Program • Interesting Radio Characteristics • Wavesat chipset: 802.16-2004 • Agility - 138 MHz – 3 GHz • Bandwidth - 1.75 MHz, 3.5 MHz, or 7 MHz • Tuning speed – 300 μs • TX spur level - -60 dBc • DSA Channel Selection Algorithms • Least occupied • Least energy • Random

  14. Analyzing a Real Radio! ** Non-occupancy period – Time a channel should be “blocked out” if a PU signal is detected • DSA Specific Parameters • Co-channel sample rate: 10 Hz • Non-occupancy period: 5 sec • Detection Algorithm: Energy detection • Freq. Range for analysis: 350 – 450 MHz, 400 – 480 MHz

  15. SSC Radio Tests • Analysis focused on DSA DoS and spectral honeypot • PUE was a gimme! • How much QoS is degraded? • How fast can they be manipulated? • High Performance Tests • Done with a signal generator (Agilent) • Restricted to sweeping-type tests • Practical Tests • Done with GNUradio and USRP (RFX400) • SDR enabled “smarter” tests

  16. DSA Denial of Service • DSA DoS = Never able to rendezvous • Signal generator parameters • Pulse sweep time - Amount of time pulse dwells in a channel before going to channel + 1 • Signal Power – Is the detection threshold really enforced? • Channel Step Size – 1 MHz (2 MHz probably would’ve been better)

  17. DSA Denial of Service • Non-Occupancy Period = 5 sec • Spectrum Range = 100 MHz • Sweep Rate = 100 ms • 50% Channels BLOCKED

  18. DSA Denial of Service • Adding a bit of intelligence (sensing) • Using GNUradio we can easily put together a waveform that can sense the location of the signal and send a pulse • Pulse power only needs to be just above detection threshold • What happens if DSA radio ALWAYS sees a PU?

  19. DSA Denial of Service ** Optimal = largest block size • Sweeper • Pulse < 50ms: pulse is going too fast • Theoretical optimal pulse sweep time = • Smarter Jamming • ~92% packet loss • !100% because radio isn’t perfect

  20. Spectral Honeypot • Goal is to manipulate radio into using a specific channel • Signal Generator Sweep Method • Notch out a channel from the sweep list

  21. Spectral Honeypot Timing results for sweeper method

  22. Spectral Honeypot Timing results for sense and pulse

  23. Security Analysis - Take Aways • What do we get from this analysis? • Motto of this specific DSA technology is “No Harm” • Focus is on existing systems QoS, not their own • No Harm to existing systems may mean ZERO communication for the DSA radios • Manipulation is possible when radios use an unauthenticated environment when making decisions • Non-occupancy period is a critical hole

  24. DSA Security Mitigation • Primary User Emulation Denial • Signal Detection != Signal Classification • Robust classification is the objective • Unique feature selection is critical • Embed signatures • Watermarking techniques • Non-Occupancy Period • Randomize in order to create “holes” in the jamming block • Embedding “common sense” • Integrate security cognition into the system to filter for obvious malicious acts
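
One way to implement the “common sense” filter from slide 24, as an added example that is not from the presentation: it scans a sensing log for detections that march across channels at a constant step and dwell, which a sweeping emitter produces and a real primary user does not. The `Detection` record, `find_sweeps`, `suspect_channels`, the thresholds and the sample log are all assumptions constructed for illustration.

```python
# Added example (not from the presentation): flag energy-detector hits that
# march across channels at a fixed step and dwell, as a sweeping emitter does.
from collections import namedtuple

# One "channel became occupied" event from the sensing log (hypothetical format).
Detection = namedtuple("Detection", "t_s chan_mhz")

def find_sweeps(events, min_run=6, step_tol_mhz=0.01, dwell_tol=0.25):
    """Return runs of >= min_run events with constant channel step and dwell.

    Thresholds are assumptions; tune them against the radio's own sensing rate.
    """
    events = sorted(events)
    runs, run, step, dwell = [], events[:1], None, None
    for prev, cur in zip(events, events[1:]):
        df, dt = cur.chan_mhz - prev.chan_mhz, cur.t_s - prev.t_s
        if (step is not None and abs(df - step) <= step_tol_mhz
                and abs(dt - dwell) <= dwell_tol * dwell):
            run.append(cur)          # same step, same dwell: pattern continues
            continue
        if len(run) >= min_run:      # pattern broke: keep the run if long enough
            runs.append(run)
        if df != 0 and dt > 0:       # this pair may start a new pattern
            run, step, dwell = [prev, cur], df, dt
        else:
            run, step, dwell = [cur], None, None
    if len(run) >= min_run:
        runs.append(run)
    return runs

def suspect_channels(runs):
    """Channels whose detections belong to a sweep-like run."""
    return sorted({d.chan_mhz for run in runs for d in run})

# Constructed sample log: three scattered detections, then twelve hits stepping
# 1 MHz every 100 ms from 400 MHz (the step and sweep rate used on the slides).
SAMPLE = [Detection(1.0, 412.0), Detection(4.2, 455.0), Detection(7.9, 431.0)]
SAMPLE += [Detection(10.0 + 0.1 * i, 400.0 + i) for i in range(12)]

if __name__ == "__main__":
    for run in find_sweeps(SAMPLE):
        print(f"sweep-like run: {len(run)} hits, "
              f"{run[0].chan_mhz:.0f}-{run[-1].chan_mhz:.0f} MHz, "
              f"starting t={run[0].t_s:.1f}s")
```

A genuine detection that lands in the middle of a sweep splits the run, so a fielded filter would track candidate patterns by step and dwell rather than by strictly consecutive events. What the radio does with a flagged channel remains a policy decision.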

  25. Future Generation of CR Threats • Cognitive Radio technology is adding more autonomous operation into the wireless device • Increased exposure to possible threats • Threats to this technology are analogous to social networking attacks rather than traditional network attacks • Sensory Manipulation (DSA) • Belief Manipulation (Learning Attacks) • Cognitive Radio Viruses (Learning Network Attacks) • ETA until radios are using advanced AI: long…

  26. Other SDR/CR related items at VT

  27. Cognitive Radio Network Testbed • Defense University Research Instrumentation Program (DURIP) grant for CR testbed equipment. • Physical testbed deployed throughout a new campus building • Total size of testbed is 48 nodes • 12 nodes per floor • No restrictions on other wireless systems inside building • Reservation System for Nodes

  28. CR Testbed Hardware • Custom RF Daughterboard • Motorola RFIC4 • 100 MHz – 4 GHz • 20 MHz instantaneous bw • Highly variable receive gain • 25 dB – 50 dB • Multiple TX (3) and RX (5) paths • Sideband Rejection • 40 dB - 60 dB • Host PC Servers • Intel Xeon Quadcore 2.13 GHz • 6 GB RAM, Gigabit Ethernet • Upgradable to Intel Nehalem for future • Much different from existing testbeds

  29. Cognitive Radio Network Testbed • Power and network installed throughout building • Servers are racked and ready • Waiting on USRP2s to be delivered • Management back-end is being developed • Current Testbed Status • 5 PC nodes with USRP and RFX400 daughterboard

  30. Cognitive Radio Open Source System • Application simply links to library to access system • Modular System • Cognitive Engines can be swapped in and out • Optional components • Policy Engine • Service Management Layer For more information: http://cornet.wireless.vt.edu Open Source Cognitive Engine System API Current reference implementation uses a Case-Based Reasoning Cognitive Engine Radio Configuration described in XML

  31. Modular architecture provides mechanism to simply “plug-in” components on remote systems where higher quality resources may be available Cognitive Engine developers can now focus on specific cognition algorithms No more worrying about physical layer hardware issues Cognitive Radio Testbed Resource Rich Testbed Remote Access

  32. Cognitive Radio Open Source System • Mission 2: Covert Jam Signals • Signal Classifications • Optimize Power for jamming • Jam signal • Monitor for resurgence on multiple channels • Mission 1: Jam all enemy signals • Detect signals • Enemy using Wifi? • Detect wifi channel • Jam Wifi • Integrated into both OSSIE and GNUradio for intelligent control of waveforms and applications • Demonstrated DSA application with “hot-swappable” cognitive engine • Service Management Layer component provides the service oriented architecture support • Manages services and capabilities provided to the cognitive radio by components • Translates radio missions into operations and instructions for CROSS components
