
Anti-PUE attack based on transmitter fingerprint identification in cognitive radio



Caidan Zhao, Wumei Wang, Lianfen Huang, Yan Yao
Dept. of Communication Engineering
Xiamen University
Xiamen, China
zcd@xmu.edu.cn







Abstract
Cognitive Radio (CR) is regarded as one of the best options to solve the problem of low spectrum utilization. However, the information security of CR limits its wide application. Most of the known security schemes aim at location verification of the incumbent transmitter, but this is not available for ad hoc networks. In this paper, a new physical-layer security scheme is proposed. It relies on fingerprint verification of the transmitter to counter primary user emulation (PUE) attacks. The phase noise of the noisy carrier is extracted from the received modulated signal and applied directly to identify the transmitter.
Keywords: Cognitive Radio; Fingerprint; Phase noise; Primary User Emulation Attack
I. INTRODUCTION
In a CR network, secondary users (SUs) are only permitted to operate in the licensed bands on a non-interference basis with respect to primary users. Since the primary users' (PUs) usage of licensed spectrum bands may be sporadic, SUs must continuously check for the presence of incumbent signals over the operating band and the candidate bands. Two cases may arise. First, if an SU detects the presence of incumbent signals over the current band, it must immediately switch to one of the fallow candidate bands. Second, if the SU detects the presence of an unlicensed user, it invokes a coexistence mechanism [1] to share the spectrum resources.
The above scenarios highlight that it is important for a CR to distinguish primary user signals from secondary user signals. Distinguishing the two signals is non-trivial, and it becomes much more difficult when the CRs operate in hostile environments. In a hostile environment, an attacker may modify the air interface of a CR to mimic the characteristics of incumbent signals and cause legitimate secondary users to erroneously identify the attacker as a primary user; this is called a PUE attack. PUE attacks are a realistic possibility because CRs are easy to reconfigure due to their software-based air interface [2]. Defending against PUE attacks by distinguishing the legitimate transmitter from the fake one becomes a great challenge when considering the requirement described in the FCC's NPRM 03-322 [3], which states that no modification to the incumbent system is required to accommodate opportunistic use of the spectrum by secondary users. For this reason, conventional approaches, such as embedding a signature in a primary user's signal or employing an interactive protocol between an incumbent signal transmitter and a verifier, are not available.
To thwart the PUE attack, a transmitter verification scheme based on location verification was proposed by Chen and Park [4]. Two alternative techniques are at the heart of their location verification scheme. The first technique is called the Distance Ratio Test (DRT), which uses received signal strength (RSS) measurements obtained from a pair of verifiers to determine the transmitter's location. The second technique is called the Distance Difference Test (DDT), which uses the phase difference of the primary user's signal observed at a pair of verifiers to verify the transmitter's location [4]. For a fixed transmitter (e.g. a TV tower), this scheme can enhance the trustworthiness of the spectrum sensing mechanism. However, for distributed networks (e.g. ad hoc), a new transmitter identification scheme is needed.
The phase noise of the Local Oscillator (LO) can characterize a transmitter in the same way a fingerprint characterizes a human, with the properties of universality, uniqueness and permanence. Just as the fingerprint is important for human identification, the phase noise can be used as the basic information for transmitter identification. Previously, many radio identification methods also used "fingerprints" of signals, such as the type of modulation, differences in carrier frequency accuracy and in spurious output, the signal bandwidth, the transfer rate and so on. Some of these parameters, such as modulation type, signal bandwidth and information transfer rate, can be copied easily and therefore offer weak defense against PUE attacks. The others need some interactive prior knowledge of the transmitter signal, which is not available under the non-interaction requirement described in the FCC's NPRM 03-322 [3]. All received signals are modulated; we erase the modulation to obtain the carrier together with its phase noise. The phase noise of each transmitter is random but unique. We use it as the basis of transmitter identification to defend against PUE attacks and obtain good results.
The rest of the paper is organized as follows. In Section II, we describe the overall diagram of the experimental system. Experiments and results are given in Section III. In Section IV, we present the conclusions and future work.
This research was supported in part by Tsinghua-Qualcomm joint research
center.
978-1-4244-3693-4/09/$25.00 2009 IEEE
Authorized licensed use limited to: UNIV OF ENGINEERING AND TECHNOLOGY LAHORE. Downloaded on June 12,2010 at 16:52:13 UTC from IEEE Xplore. Restrictions apply.
II. THE EXPERIMENTAL DIAGRAM
Due to the impact of phase noise, the carrier spectrum is no longer an ideal line spectrum but is spread and deformed. Because the phase noise of each LO is unique, if we extract the noisy carrier from the received modulated signal and then apply wavelet and higher-order statistics analysis, fake transmitters can be identified. Figure 1 shows the overall experimental system. The block diagram of the RF receiver is shown in Figure 2, and the signal-processing module running on the PC downstream of the RF receiver is shown in Figure 3.
The RF receiver receives the 802.11b wireless signals, which are transferred to the PC through an A/D acquisition card. The PC processes the data and obtains the fingerprint of the noisy carrier, which is the basis for distinguishing the legitimate incumbent user from the emulated one.
In Figure 2, the IF signal from the first frequency mixer is called the first IF. After IF filtering and amplification, quadrature demodulation is performed to output the IQ signal (which we call the second IF). The frequencies of the first and second IF can be controlled by the frequency-control module of the PC.
In Figure 3, the first step is to erase the modulation. We square the signal (for BPSK) or raise it to the fourth power (for QPSK) to erase the modulation and obtain the noisy carrier, which is different for each transmitter. We apply wavelet analysis to the noisy carrier to obtain the feature vectors, which are the input to the artificial neural network identifier that produces the transmitter identification.

Figure 1. The overall diagram of transmitter fingerprint identification.

Figure 2. The specific diagram of the RF receiver module.

Figure 3. The procedures of signal processing at the PC.
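As an added illustration of the processing chain just described (example code, not the authors' own), the following constructed Python block strips BPSK modulation by squaring a carrier that carries simulated random-walk phase noise, then computes the per-layer mean, standard deviation and variance of a Haar wavelet decomposition, the same statistics that Table III reports for d1..d5 and a5. The 40 MS/s sampling rate and 1 MHz second IF follow the paper; the symbol rate, the phase-noise model and the choice of the Haar wavelet are assumptions made here.

```python
"""Constructed example: erase BPSK modulation by squaring, then build the
per-layer wavelet statistics used as a transmitter fingerprint feature vector.
Not the paper's code; the Haar wavelet stands in for the paper's unstated family."""
import cmath
import math
import random

FS, FC, N = 40e6, 1e6, 4000  # 40 MS/s sampling, 1 MHz second IF, 100 us of samples

def bpsk_with_phase_noise(seed=1, sps=20, step=0.002):
    """Constructed BPSK burst: +/-1 symbols of `sps` samples on a carrier whose
    phase drifts as a random walk (assumed LO phase-noise model)."""
    rng = random.Random(seed)
    phi, d, out = 0.0, 1.0, []
    for n in range(N):
        if n % sps == 0:
            d = rng.choice((-1.0, 1.0))
        phi += rng.gauss(0.0, step)  # accumulated LO phase noise
        out.append(d * math.cos(2 * math.pi * FC * n / FS + phi))
    return out

def bin_power(x, f):
    """Normalised power of the single DFT bin at frequency f (Hz)."""
    acc = sum(v * cmath.exp(-2j * math.pi * f * n / FS) for n, v in enumerate(x))
    return abs(acc / len(x)) ** 2

def erase_modulation(x, order=2):
    """Square (BPSK, order=2) or fourth power (QPSK, order=4) removes the
    +/-1 data and leaves a line at order*FC carrying the phase noise."""
    return [v ** order for v in x]

def haar_layers(x, levels=5):
    """Haar decomposition: details d1..d<levels> and approximation a<levels>."""
    a, layers = list(x), {}
    for k in range(1, levels + 1):
        pairs = list(zip(a[0::2], a[1::2]))
        a = [(p + q) / math.sqrt(2) for p, q in pairs]
        layers["d%d" % k] = [(p - q) / math.sqrt(2) for p, q in pairs]
    layers["a%d" % levels] = a
    return layers

def stats(v):
    """(mean, standard deviation, variance) of one coefficient layer."""
    m = sum(v) / len(v)
    var = sum((t - m) ** 2 for t in v) / len(v)
    return m, math.sqrt(var), var

def fingerprint(x):
    """Feature vector: per-layer statistics of the modulation-erased signal."""
    return {k: stats(v) for k, v in haar_layers(erase_modulation(x)).items()}
```

The data-bearing burst has little energy in the single bin at FC, while its square concentrates energy at 2*FC, which is the noisy carrier the paper analyses.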
III. THE EXPERIMENTS AND RESULTS
A. The carrier signal as input and the results from the Spectrum Analyzer
In the first experiment, we prepare two RF receivers built from the same type of components (labelled machine1 and machine2). Because the receiver module contains a local oscillator, we use a signal generator in place of a wireless transmitter and treat the LO of the receiver as the fingerprint under test, as shown in Figure 4.
A single-frequency signal at 2.45 GHz is generated as the input, and we use the spectrum analyzer to observe the first IF output (frequency = 140 MHz). With a frequency span of 10 kHz and a resolution bandwidth (RBW) of 10 Hz, Figure 5 and Figure 6 show the spectra of the IF output of machine1 and machine2 respectively. Because the signal generator has low phase noise, the spectra of the two IF outputs essentially represent the spectra of the signals from the LOs. We notice that the envelopes of the noisy carrier differ between the two figures. For machine1, there are a number of dense side lobes at -60 dBm to -50 dBm, while there are just two obvious side lobes for machine2. In order to verify the invariance of the fingerprint, we shut down the two machines, reboot them an hour later, and test the envelopes of the phase noise again at the same frequency span and resolution bandwidth. The results are the same.

Figure 4. Block diagram for pre-experiment.

Figure 5. IF output of machine1 (IF=140 MHz, Span=10 kHz, RBW=10 Hz). Analyzer settings: Ref -10 dBm, Att 20 dB, Center 140.00324 MHz, 1 kHz/div, VBW 30 Hz, SWT 100 s, vertical scale -110 to -10 dBm; Marker 1: -22.29 dBm at 140.003196 MHz.
Figure 6. IF output of machine2 (IF=140 MHz, Span=10 kHz, RBW=10 Hz). Analyzer settings: Ref -10 dBm, Att 20 dB, Center 140.003796 MHz, 1 kHz/div, VBW 30 Hz, SWT 100 s, vertical scale -110 to -10 dBm; Marker 1: -35.89 dBm at 140.003796 MHz.
In order to obtain a finer spectrum, we change the frequency span to 1 kHz with RBW = 10 Hz, and obtain the phase-noise fingerprints of the two machines, as shown in Figure 7 and Figure 8 respectively. Their corresponding parameters are listed in Table I and Table II. The spectrum plots and parameter tables show the different phase-noise characteristics (the fingerprints of the LOs) of the two machines.
Figure 7. IF output of machine1 (IF=140 MHz, Span=1 kHz, RBW=10 Hz). Analyzer settings: Ref 1 dBm, Att 40 dB, Center 140.00321 MHz, 100 Hz/div, VBW 30 Hz, SWT 10 s, vertical scale -90 to 0 dBm; Marker 1: -22.23 dBm at 140.003202 MHz.
TABLE I. PARAMETERS OF IF OUTPUT FOR MACHINE1
Center frequency: 140.003202 MHz; Amplitude: -22.23 dBm
Width of main lobe: 46 Hz; Noise in main lobe: none
Number of unilateral side lobes: 5 (-70 dBm to -50 dBm)
Width and amplitude of single side lobes:
  Side lobe 1: 32 Hz, -54.27 dBm
  Side lobe 2: 34 Hz, -55.40 dBm
  Side lobe 3: 30 Hz, -59.87 dBm
  Side lobe 4: 20 Hz, -65.81 dBm
  Side lobe 5: 32 Hz, -60.02 dBm
Envelope of the basement (floor) noise: see Figure 5

Figure 8. IF output of machine2 (IF=140 MHz, Span=1 kHz, RBW=10 Hz). Analyzer settings: Ref 1 dBm, Att 40 dB, Center 140.00386 MHz, 100 Hz/div, VBW 30 Hz, SWT 10 s, vertical scale -90 to 0 dBm; Marker 1: -77.21 dBm at 140.004158 MHz.
TABLE II. PARAMETERS OF IF OUTPUT FOR MACHINE2
Center frequency: 140.003820 MHz; Amplitude: -23.41 dBm
Width of main lobe: 46 Hz; Noise in main lobe: none
Number of unilateral side lobes: 4 (-70 dBm to -60 dBm)
Width and amplitude of single side lobes:
  Side lobe 1: 30 Hz, -60.97 dBm
  Side lobe 2: 30 Hz, -64.12 dBm
  Side lobe 3: 26 Hz, -69.34 dBm
  Side lobe 4: 24 Hz, -68.79 dBm
Envelope of the basement (floor) noise: see Figure 6

B. The carrier signal as input and the results from PC processing
In this experiment, we control the frequency so that the second IF outputs a 1 MHz signal. After the A/D converter (sampling rate = 40 MS/s) and the signal-processing modules, the resulting spectra are shown in Figure 9 and Figure 10 respectively. Because the observed phase noise is the combination of the phase noise of the first and second local oscillators, it can be seen from the spectra that the two machines have different fingerprints.

Figure 9. The second IF output of machine1 (IF=1 MHz).

Figure 10. The second IF output of machine2 (IF=1 MHz).
Applying wavelet analysis to the data of Figure 9 and Figure 10, we obtain the wavelet decomposition of the 1 MHz IF output for machine1 and machine2. The original signal together with the approximation and detail components of the layer-5 wavelet decomposition are shown in Figure 11 and Figure 12, and the magnified approximation components are shown in Figure 13 and Figure 14. The differences between the transmitter fingerprints can be seen clearly. Table III gives the statistical analysis of the wavelet coefficients for all layers, including the mean, standard deviation and variance [5], which form the input for identification.

Figure 11. The layer-5 components of the IF output for machine1.

Figure 12. The layer-5 components of the IF output for machine2.

Figure 13. Magnified a5 component for machine1.

Figure 14. Magnified a5 component for machine2.

Figure 15. Modulated spectrum of machine2.
C. The modulated signal as input and the results from PC processing
In this experiment, the signal generator is used as the wireless transmitter. The input is a BPSK modulated signal with the following parameters: Mode Type: BPSK; Symbol Rate: 24.3 ksps; Filter: RNYQ (alpha=0); Data = PN15. We set the frequency of the second IF to output at 1 MHz and use squaring to erase the modulation. Figure 15 and Figure 16 show the modulated and modulation-erased spectra of machine2, respectively. We also increase the frequency resolution and compare the modulation-erased spectrum with the single-frequency carrier at 1 MHz from Experiment B. As shown in Figure 17 and Figure 18, their main lobes and surroundings are similar, which proves that this method can be used to erase the modulation and extract the noisy carrier.
TABLE III. THE STATISTICAL ANALYSIS FOR MACHINE1 AND MACHINE2 (10^3)

                   Machine1                              Machine2
Layer    Mean    Std. Dev.   Variance      Mean    Std. Dev.   Variance
d1      -0.002     0.144       0.144      -0.002     0.086       0.086
d2       0.009     0.291       0.291      -0.017     0.268       0.268
d3      -0.009     3.139       3.138       0.155     2.756       2.756
d4       0.024    81.541      81.540       0.031    73.312      73.312
d5       0.009   622.731     622.673       3.362   570.042     569.991
a5       2.351    42.469      40.799      -5.458    42.121      40.489


Figure 16. Modulation-erased spectrum of machine2.

Figure 17. Modulation-erased spectrum of machine2 (higher frequency resolution).

Figure 18. The noisy carrier of the second IF output of machine2.

Figure 19. Modulation-erased spectrum of machine1 (higher frequency resolution).
Figure 19 shows the BPSK modulation-erased signal for machine1; it can be seen that the surroundings of the main lobe differ significantly from those in Figure 17. This further proves that the phase noise of the local oscillators in the two machines yields different fingerprints.
IV. CONCLUSIONS AND FUTURE WORK
In this paper, we proposed a new method to defend against the PUE attack in cognitive radio networks. We identify the transmitter by the unique features of the phase noise of its Local Oscillator, in order to distinguish legitimate primary users from emulated ones. In the experiments, we used one transmitter and two receivers with LOs of the same type. The results show that the phase noise of the LOs in the two receivers is different, which indicates that this method is feasible for transmitter identification and PUE attack defense. In future work, we will remove the LO from the receiver and replace it with a low-phase-noise signal generator. Our goal is to use a number of 802.11b transmitters, extract their phase noise and then perform transmitter identification to defend against PUE attacks. Further, wavelet and higher-order statistical analysis can be applied to improve the efficiency of transmitter verification.
REFERENCES
[1] S. Capkun, M. Cagalj, and M. Srivastava, "Secure localization with hidden and mobile base stations," IEEE Infocom 2006.
[2] S. Haykin, "Cognitive radio: brain-empowered wireless communications," IEEE Journal on Selected Areas in Communications, vol. 23, no. 2, Feb. 2005, pp. 201-220.
[3] Federal Communications Commission, Notice of Proposed Rulemaking (NPRM 03-322): "Facilitating Opportunities for Flexible, Efficient, and Reliable Spectrum Use Employing Cognitive Radio Technologies," ET Docket No. 03-108, Dec. 2003.
[4] R. Chen and J.-M. Park, "Ensuring trustworthy spectrum sensing in cognitive radio networks," 1st IEEE Workshop on Networking Technologies for Software Defined Radio Networks (SDR '06), 25-27 Sept. 2006, pp. 110-119.
[5] H. C. Choe, C. E. Poole, A. M. Yu, and H. H. Szu, "Novel identification of intercepted signals from unknown radio transmitters" (unpublished).