
Cognitive strategies for security in wireless sensor networks


Academic year: 2020


Universidad Politécnica de Madrid
Escuela Técnica Superior de Ingenieros de Telecomunicación

Doctoral Thesis

Cognitive Strategies for Security in Wireless Sensor Networks

Author: Javier Blesa Martínez
Advisor: Alvaro Araujo Pinto
2015

Resumen (Summary)

Wireless sensor networks are one of the fastest-growing sectors within wireless networks. The rapid adoption of these networks as a solution for many new applications has led to growing traffic in the radio spectrum. Because wireless sensor networks operate in the unlicensed Industrial, Scientific and Medical (ISM) bands, the spectrum has become saturated to a degree that, within a few years, will not allow proper operation. The Cognitive Radio (CR) paradigm has appeared with the aim of solving this kind of problem. Introducing cognitive capabilities into wireless sensor networks makes it possible to use these networks for applications with stricter requirements regarding reliability, coverage or quality of service. Networks that combine all these characteristics are called cognitive wireless sensor networks (CWSNs). The improved performance of CWSNs allows their use in critical applications where they could not be used before, such as structural monitoring, medical services, and military or surveillance environments. However, these applications also require other features that cognitive radio does not offer directly, such as security. Security in CWSNs is an underdeveloped aspect because it is not a feature essential to their operation, as spectrum sensing or collaboration can be. However, its study and improvement are essential for the growth of CWSNs. Therefore, this thesis aims to implement countermeasures using the new cognitive capabilities, especially in the physical layer, taking into account the limitations of WSNs.

In the work cycle of this thesis, two security strategies have been developed against attacks of particular importance in cognitive networks: the primary user emulation (PUE) attack and the eavesdropping attack against privacy. To mitigate the PUE attack, a countermeasure based on anomaly detection has been developed. Two different algorithms have been implemented to detect this attack: the Cumulative Sum algorithm and the Data Clustering algorithm. Once their validity was verified, they were compared with each other and the effects that can affect their operation were investigated. To combat the eavesdropping attack, a countermeasure based on the injection of artificial noise has been developed, so that the attacker cannot distinguish the information-bearing signals from the noise, without the communication of interest being affected. The impact of this countermeasure on network resources has also been studied. As a parallel result, a testing framework for CWSNs has been developed, consisting of a simulator and a network of real cognitive nodes. These tools have been essential for the implementation and the extraction of the results of the thesis.

KEY WORDS: cognitive networks, cognitive radio, wireless sensor networks, cognitive wireless sensor networks, security, cumulative sum, data clustering.

Abstract

Wireless Sensor Networks (WSNs) are one of the fastest growing sectors in wireless networks. The fast introduction of these networks as a solution in many new applications has increased the traffic in the radio spectrum. Because WSNs operate in the free industrial, scientific, and medical (ISM) bands, saturation has occurred in these frequencies that will make the same operation methods impossible in the future. Cognitive radio (CR) has appeared as a solution for this problem. The networks that join all the mentioned features together are called cognitive wireless sensor networks (CWSNs). The adoption of cognitive features in WSNs allows the use of these networks in applications with higher reliability, coverage, or quality of service requirements. The improved performance of CWSNs allows their use in critical applications where they could not be used before, such as structural monitoring, medical care, military scenarios, or security monitoring systems. Nevertheless, these applications also need other features that cognitive radio does not add directly, such as security. Security in CWSNs has not yet been explored fully because it is not a necessary field for the main performance of these networks. Instead, other fields like spectrum sensing or collaboration have been explored deeply. However, the study of security in CWSNs is essential for their growth. Therefore, the main objective of this thesis is to study the impact of some cognitive radio attacks in CWSNs and to implement countermeasures using new cognitive capabilities, especially in the physical layer and considering the limitations of WSNs.

Inside the work cycle of this thesis, security strategies against two important kinds of attacks in cognitive networks have been developed. These attacks are the primary user emulator (PUE) attack and the eavesdropping attack. A countermeasure against the PUE attack based on anomaly detection has been developed. Two different algorithms have been implemented: the cumulative sum algorithm and the data clustering algorithm. After the verification of these solutions, they have been compared and the side effects that can disturb their performance have been analyzed. The developed approach against the eavesdropping attack is based on the generation of artificial noise to conceal information messages. The impact of this countermeasure on network resources has also been studied. As a parallel result, a new framework for CWSNs has been developed. This includes a simulator and a real network with cognitive nodes. This framework has been crucial for the implementation and extraction of the results presented in this thesis.

KEY WORDS: cognitive networks, cognitive radio, wireless sensor network, cognitive wireless sensor network, security, cumulative sum, data clustering.

To my family.

Acknowledgements

I think that by the time people read this I will weigh 100 kilos less than I do while writing it! What a weight off my shoulders! After years and years of good and bad moments, of missed schedules and of papers with mixed luck, here it is: my thesis. If I stop to remember the whole road up to here, I could say without any doubt that it has been great. The B105 is largely to blame, but everything has contributed so that this, besides ending successfully, has been fun. Table football games, the gordos suppliers, the hobbit coffees and the after-lunch beers have been unrepeatable moments.

There is only one thing I have not liked during this thesis. If I had to point out something negative, it would be that while I devoted hours and hours to this thesis, many moments have gone by in which I would have liked to be present and that can no longer be. The first months of little Pablo, Sandra and Blanca, the Friday beers at the Santa Elena, the Christmas dinners, the trips to see the Europeans, the festivals, the mornings at the pool, or those travel plans. There are many people I have kept in second place throughout this journey, and to them, as a small compensation, I want to dedicate this thesis.

To Bea, Mario, Gloria and Borja, for always counting me in for those games that cheer us up so much. To Cris and Javi, who are always in our minds even though we do not see each other much. To Laura and Nacho, for being the spark of madness that everybody needs.

To my group of vicalvareños, as great as ever! I think of those almost-doctors, Diana and Zaida, who will soon join this club of sufferers. To Vike, a brother since we met. To Esther, a brave one who is missed. To those great parents, Cris and Felipe, for being an example to everyone. To Tamara, Noe and Ana, all of them a support whenever I have needed it. To Maribel, Dani, Arantxa and Jose, for still being there after so long. Long live the vicalvareños!

To my dear telecos. Scattered around the world, but always sticking together. To Raúl, for being the cement of this group for so many years, and to Cris, a top-class signing! To Mila, the tireless woman who always appears when you need help. To Maca, plotting escapes to the cafeteria since the beginning of teleco, and to Rober for joining this adventure. To Lore, the group's monitor, creator of plans. To the newlyweds Ally and Pablo. To Melenas, for being a confidant to me. To Diego and Paula, for being a perfect-10 couple. To Mario, for joining the southern resistance. To Borja and Fani, the master barbecue parties! To Toni and Isa, some very cool parents. And to Nacho, Miguel and all those who have been there since I walked into that HP classroom.

To the B105! My second home, where the people are who have endured my hardships and joys for the most hours. To Alvaro, for being the advisor you imagine as a child when, at five years old, you say: I wish my thesis advisor were like that. For guiding me through something I did not think I could finish. To Octavio, the boss, for always seeking the best for the B105. To Elena, always there since I arrived, helping with everything possible and impossible. To Paco, president of Quintanar and of the B105 kinball club. To Alba, for keeping Twitter online and Bender full. To Rami and Rober, yestis by vocation who give us such good times. To Mariano and Curro, churro makers by vocation. And to all those who still are, or have been, as important to me as to my thesis: Josem, Dani, Juancar, Pedro, Marina, Elfo, Patri, Fer, Esther, César, Elena, Juan, and all those rookies who made me go under the table and on whom I took my revenge after 15 seasons.

To my family. Because when you look up "family" on Wikipedia, their photo really should appear. To my parents, who have given me so much and who deserve every good thing that happens to them. To my siblings, two at once, who have filled my life and my room, literally... To my grandparents, who are the greatest and a mirror in which to look at oneself. When I grow up I want to be like my grandfather! To my grandmother Luci, for her soups, for her card games, for looking after me and advising me. To my grandmother Dolores, you will always be that dancing genie to me. To Fidel, I still remember that summer in Calpe with you. And my new family, who have treated me as one of their own, even when we were homeless!

And to you! My stroke of luck, the one who changed everything, who has given meaning to so many things in 10 years and who is always with me when I imagine the future. If I had to thank you for everything you have done for me during this thesis, I would have to write another 230 pages or another 98 reasons :) But I will stop here, because you already know that this is as much yours as it is mine.

Thank you all for having supported me. I dedicate it to you, and you know you will always be able to shout: Is there a doctor in the house? I will be there!

Index

Resumen
Abstract
Acknowledgements

1. Introduction
  1.1. Wireless Sensor Networks
  1.2. Cognitive Wireless Sensor Networks
  1.3. Motivation: the security in CWSN
  1.4. Objectives
  1.5. Methodology
    1.5.1. Previous analysis
    1.5.2. Strategy design
    1.5.3. Implementation of the strategies
    1.5.4. Cognitive tools
      1.5.4.1. Results and evaluation
  1.6. Organization
  1.7. Publications

2. Related work
  2.1. Security in Cognitive Radio
  2.2. Threats in CWSN
    2.2.1. Communication attacks
    2.2.2. Against privacy attacks
    2.2.3. Node targeted attacks
    2.2.4. Power consumption attacks
    2.2.5. Policy attacks
    2.2.6. Cryptographic attacks
  2.3. Security approaches
    2.3.1. Physical layer
      2.3.1.1. Theoretical secure capacity
      2.3.1.2. Channel approaches
      2.3.1.3. Code approaches
      2.3.1.4. Power approaches
    2.3.2. MAC layer
      2.3.2.1. Authentication/Identifying approaches
      2.3.2.2. Other secure MAC approaches
    2.3.3. Other security approaches
      2.3.3.1. Geolocation approaches
      2.3.3.2. Based on behavior
      2.3.3.3. Trust and reputation approaches
      2.3.3.4. Game theory approaches
  2.4. Cognitive frameworks
  2.5. Conclusions
    2.5.1. Cognitive frameworks
    2.5.2. Side effects
    2.5.3. Future solutions
    2.5.4. Summary

3. Proposed security strategies
  3.1. Scenario
  3.2. System architecture
  3.3. Strategy 1: Anomaly Detection approach
    3.3.1. Introduction to Anomaly Detection
    3.3.2. PUE attack description
    3.3.3. Anomaly detection design and characteristics
    3.3.4. CUSUM algorithm
    3.3.5. Data Clustering algorithm
    3.3.6. Side effects analysis
      3.3.6.1. Mobile nodes
      3.3.6.2. Wireless path loss
      3.3.6.3. Adding nodes to the network
      3.3.6.4. Virtual Control Channel imperfections
      3.3.6.5. Spectrum data errors
      3.3.6.6. Attack in the learning phase
  3.4. Strategy 2: Artificial Noise generation approach
    3.4.1. Introduction to Artificial Noise
    3.4.2. Eavesdropping attack description
    3.4.3. Cooperative artificial noise countermeasure
    3.4.4. Side effects analysis
      3.4.4.1. Energy consumption
      3.4.4.2. Spectrum occupancy
  3.5. Conclusions

4. Tools for CWSNs
  4.1. Introduction
  4.2. Cognitive simulator
    4.2.1. Requirements
    4.2.2. Cognitive Radio extension for Castalia
    4.2.3. Changes in radio module
    4.2.4. Graphical configuration interface
  4.3. Cognitive New Generation Device
    4.3.1. cNGD Requirements
    4.3.2. Hardware description
    4.3.3. Software description
      4.3.3.1. Firmware
      4.3.3.2. Cognitive Radio Module

5. Results
  5.1. Introduction
  5.2. Cognitive tools
    5.2.1. Cognitive Simulator
      5.2.1.1. Scenario 1: multiple channels and interfaces
      5.2.1.2. Scenario 2: power optimization
      5.2.1.3. Scenario 3: spectrum sensing, history learning and anomaly detection
  5.3. Strategy 1: anomaly detection approach
    5.3.1. CUSUM algorithm
    5.3.2. Clustering algorithm
    5.3.3. Anomaly detection algorithms comparison
    5.3.4. Side effect analysis
      5.3.4.1. Mobile nodes
      5.3.4.2. Wireless path loss
      5.3.4.3. New nodes
      5.3.4.4. Virtual Control Channel imperfections
      5.3.4.5. Spectrum sensing data errors
      5.3.4.6. Attacks in the learning phase
  5.4. Strategy 2: artificial noise generation approach
      5.4.0.1. Cognitive eavesdropping strategies
    5.4.1. Side effects analysis
      5.4.1.1. Energy consumption
      5.4.1.2. Spectrum occupancy

6. Conclusions
  6.1. Conclusions
  6.2. Future work

References
List of Acronyms

List of Figures

1.1. ISM bands in Europe.
1.2. United states frequency allocations. http://www.nasa.gov
1.3. An example of how multiple CR networks coexists in the same frequency region. http://personal.ee.surrey.ac.uk/Personal/Tinghuai.Wang/
1.4. Opportunities in the frequency and time domain.
1.5. Scheme of the methodology followed in this thesis.
1.6. Iterative scheme of the methodology applied to multiple thesis contributions.

2.1. Taxonomy of attacks in CWSN.
2.2. Security approaches and attacks
2.3. Reference scenario for theoretical secure approaches
2.4. Building blocks of the cognitive radio extension for NS-3.
2.5. CREW project scheme overview.
2.6. TWIST: functionality overview.
2.7. VT-CORNET scheme overview.

3.1. Virginia tech CR architecture.
3.2. Connectivity Brokerage agent modules.
3.3. Representation of a data set with 3 possible anomalies.
3.4. Anomaly detection scenario.
3.5. Cognitive features and modules responsible of them.
3.6. Anomaly detection using CUSUM and the received power average.
3.7. Representation of the two phases in CUSUM algorithm.
3.8. Modules involved in the CUSUM algorithm and interactions.
3.9. Grouping the data set in clusters.
3.10. Linear and random movement.
3.11. Random movement effect example.
3.12. Artificial noise and eavesdropping scenario.

4.1. Project development lifecycle.
4.2. Castalia network architecture adapted to Cognitive Radio
4.3. Castalia node modules before the changes.
4.4. Castalia inner blocks adapted to Cognitive Radio.
4.5. Cognitive Radio Module structure.
4.6. Cognitive simulator configuration interface.
4.7. Global hardware modules of the platform developed.
4.8. Detailed view of the µTrans module.
4.9. Detailed view of the cNGD module.
4.10. Detailed view of the rs232SHIELD module.
4.11. Detailed view of the chargerSHIELD module.
4.12. Global software structure and firmware inclusion.
4.13. CRModule architecture including the new Messenger submodule.

5.1. Throughput received by node 0.
5.2. Results of the power optimization scenario.
5.3. Comparison of power consumption with and without CR optimization.
5.4. Results of scenario 3 with spectrum sensing, learning and anomaly detection.
5.5. PUE attack detection rate with 50 nodes and 5 PUE attackers.
5.6. PUE attack detection results with 50 nodes.
5.7. PUE attack detection results without filtering in the nodes.
5.8. PUE attack detection results in a network with 200 nodes.
5.9. PUE attack detection results in a multiple attack.
5.10. Clustering detection rate with 50 nodes and 5 PUE attackers.
5.11. Clustering detection rate with not recommended parameters.
5.12. Generated clusters depending on the initial radius.
5.13. PUE attack detection results with clustering algorithm and one malicious node.
5.14. PUE attack detection results with clustering algorithm and ten malicious nodes.
5.15. cNGD nodes and the ICD3 debugger from Microchip used in the real tests.
5.16. Generated clusters by a cNGD node and classification of the samples. PUEA varies its transmit power from -4.9dBm to -3.7dBm.
5.17. Generated clusters by a cNGD node and classification of the samples. Initial cluster radius is 0.5 and learning phase lasts 60 seconds.
5.18. Generated clusters by a cNGD node and classification of the samples. Initial cluster radius is 1 and learning phase lasts 60 seconds.
5.19. Generated clusters by a cNGD node and classification of the samples. PUEA varies its data rate from 1 packet/s to 0.66 packets/s.
5.20. Generated clusters by a cNGD node and classification of the samples. The initial cluster radius is 0.02.
5.21. False positives rate depending on the standard deviations allowed and the learning period time.
5.22. False positives rate depending on the initial cluster radius and the learning period time.
5.23. False positive rate using CUSUM algorithm in a 200 nodes network.
5.24. False positive rate using clustering algorithm in a 200 nodes network.
5.25. A comparison of the CPU time and memory usage in a PC by the anomaly detection algorithms.
5.26. CPU spent time and number of clustering created depending on the initial cluster radius in a PC.
5.27. CPU spent time depending on the initial cluster radius in a cNGD node.
5.28. False negatives in the reference scenario with no anomaly effects.
5.29. False positives in the reference scenario with no anomaly effects.
5.30. False negatives with 20 mobile nodes with a linear trajectory.
5.31. False positives with 20 mobile nodes with a linear trajectory.
5.32. False negatives with the PUE node moving in a linear trajectory.
5.33. False negatives with 20 mobile nodes with a random trajectory.
5.34. False positives with 20 mobile nodes with a random trajectory.
5.35. False negatives with Xσ = 9.
5.36. False negatives including five new nodes during the learning phase.
5.37. False negatives including five new nodes during the detecting phase.
5.38. False negatives with Xσ = 9 in the VCC
5.39. False positives with Xσ = 9 in the VCC
5.40. False negatives with an error of N(0, 20) dBm
5.41. False negatives with an error of N(20, 0) dBm
5.42. False negatives when the attack starts in the learning phase
5.43. False positives when the attack starts in the learning phase
5.44. False negatives for different initial times of the attack
5.45. False positives with 20 mobile nodes with a random trajectory only in the detection phase.
5.46. Comparison of false negatives percentage for different side effects (initial cluster radius = 0.5).
5.47. Comparison of false positives percentage for different side effects (initial cluster radius = 0.5).
5.48. Optimum points for different side effects
5.49. SOP for different emitter and noise power with 5 jamming nodes.
5.50. SOP for different emitter and noise power with 20 jamming nodes.
5.51. Cognitive eavesdropping attack flow chart.
5.52. SOP for different noise power and two channels in each interface.
5.53. SOP for different noise power and ten channels in each interface.
5.54. Effects of noise strategies against three different eavesdropping strategies.
5.55. Effects of collaboration in multiple eavesdroppers scenarios.
5.56. Limitations in the number of jammer nodes related to the SOP obtained.
5.57. Additional power consumption in the network with 20 jamming nodes.
5.58. Jamming power variable. Function of the SOP and additional power with A=1 and B=1.
5.59. SOP for different number of jamming nodes.
5.60. Number of jamming nodes variable. Function of SOP and additional power with A=1 and B=1.
5.61. Number of jamming nodes variable and emitter power 0dBm. Function of SOP and additional power with different values of A and B.
5.62. SOP for different emitter and jamming rates.
5.63. SOP for different emitter and jamming rates.
5.64. Function of SOP and jamming rate with different values of A and B and emitter rate 0,1 packets/s.

List of Tables

1.1. Most important ICS incidents in the last five years
2.1. Comparison between NS-2 and NS-3 simulators. http://wrcejust.org/crn/images/Tutorials/ns2vsns3.pdf
3.1. Anomaly detection techniques
3.2. Typical values of sigma parameter
5.1. Packets received by two interfaces in node #0
5.2. CPU spent time for anomaly detection algorithms
5.3. Optimum values for different weights
5.4. Optimum values for different weights with jamming rate variable

(25) Chapter 1. Introduction Once you replace negative thoughts with positive ones, you’ll start having positive results. Willie Nelson. 1.1.. Wireless Sensor Networks. Global data traffic in telecommunications has an annual growth rate of over 50 % [1]. While the growth in traffic is stunning, both the rapid adoption of wireless technology over the globe and its penetration through all layers of society are even more amazing. Over the span of 20 years, wireless subscription has risen to 100 % of the world populations, and by 2018, there will be 1.4 mobile devices per capita. Overall, mobile data traffic is expected to grow to 15 exabytes per month by 2018, an 11-fold increase over 2013. Recently, wireless and mobile communications have increasingly become popular with consumers. The mentioned Cisco report indicates that there will be over a 10 billion mobile-connected devices by 2018, including Machine-to-machine (M2M) modules. 1.

One of the fastest growing sectors in recent years has undoubtedly been that of Wireless Sensor Networks (WSNs). WSNs consist of spatially distributed autonomous sensors that monitor a wide range of ambient conditions and cooperate to share data across the network. These networks are increasingly being introduced into our daily lives. Potential fields of application for WSNs range from the military to the home to commerce or industry. The emergence of new wireless technologies such as ZigBee™ or IEEE 802.15.4 has allowed for the development of interoperability among commercial products, which is important for ensuring scalability and low cost.

The growth of WSNs is amplified by the recent emergence of new scenarios where these networks are very important: health monitoring, the Internet of Things (IoT), smart grids, or smart cities. Their reduced cost, easy installation, and adaptability make WSNs one of the fundamental solutions for present and future challenges.

Most WSN solutions operate in unlicensed frequency bands. In general, they use ISM bands. These bands are reserved for non-commercial radio frequency use in the industrial, scientific, and medical areas. All the systems that fall within these areas can operate in the ISM bands. In Europe, the ISM bands that WSNs use the most are 433 MHz, 868 MHz, and 2.4 GHz (Figure 1.1). Other ISM bands, such as 5.8 GHz, are used on a limited basis by WSNs due to the power consumption limitation.

Currently, the ISM bands are very popular for Wireless Personal Area Networks (WPANs) and Wireless Local Area Networks (WLANs). Their free use has resulted in the emergence of many technologies that operate in these bands. For example, Wi-Fi, Bluetooth, and ZigBee™ technologies coexist in the 2.4 GHz band. For this reason, unlicensed spectrum bands are becoming overcrowded with the increasing use of WSN-based systems.

As a result, coexistence issues in unlicensed bands have been the subject of extensive research [2, 3]. In particular, it has been shown that IEEE 802.11 [4] networks can significantly degrade the performance of

ZigBee™/802.15.4 [5] networks when operating in overlapping frequency bands.

Figure 1.1: ISM bands in Europe.

The coexistence problem of multiple communication networks with a huge number of devices transmitting in the same frequencies has become a challenge in spectrum allocation. This problem is going to become more acute with the continuous growth of WSNs. These networks usually have a large number of nodes that transmit at the same time in a limited area. Therefore, new collaborative strategies to share the spectrum are needed.

1.2. Cognitive Wireless Sensor Networks

As we have introduced in Section 1.1, the increasing demand for wireless communication presents a challenge for the efficient use of the spectrum. To address this challenge, cognitive radio has emerged as the key paradigm that enables opportunistic access to the spectrum. A Cognitive Radio (CR) is an intelligent wireless communication system that is aware of its surrounding environment, and adapts its internal parameters to achieve reliable and efficient communication. CR allows the coexistence of multiple users and networks in the same frequency band as shown in Figure 1.3.

These new networks have many applications such as the cognitive use of the TV white space spectrum defined in [6]. Due to the strict regulation of the radio spectrum (Figure 1.2), some overcrowded frequencies and other frequencies with spectral holes can be used by other users. Another CR application is the efficient routing of emergency

calls in hostile environments, such as during a natural disaster or a global energy network breakdown.

Figure 1.2: United States frequency allocations. http://www.nasa.gov

In order to create these new applications, CR differentiates between two kinds of users: (a) the Primary Users (PUs), who are the licensed users that can use the spectrum when they need it, and (b) the Secondary Users (SUs), who try to use the same bands when they detect a spectral hole, as Figure 1.4 shows. That means that the SUs only transmit when none of the PUs are transmitting.

In a CWSN, we assume a different behavior for SUs and PUs because of the nature of these networks. For example, CWSNs usually operate on ISM bands where anyone can transmit without a license. Because of this feature, the definitions of PUs and SUs are different. In a CWSN, the differences between PUs and SUs are based on the priority of their functionality. For example, in a domotic service, a fire sensor would have higher priority than a temperature sensor. While PUs take preference because they are responsible for critical sensors and information, SUs

only send information when the channel is free.

Figure 1.3: An example of how multiple CR networks coexist in the same frequency region. http://personal.ee.surrey.ac.uk/Personal/Tinghuai.Wang/

In order to detect when it is possible to transmit, cognitive users have to implement a new feature called spectrum sensing [7]. Spectrum sensing is the task of obtaining awareness about the spectrum usage and the existence of PUs in a geographical area. This task consumes the time and resources of the SUs. For this reason, new strategies have been studied such as cooperative sensing. In order to implement these kinds of strategies, communication among nodes is mandatory. The cognitive scenarios usually assume the existence of a control channel through which SUs collaborate.

Adding cognition to the existing WSN infrastructure brings about many benefits. In fact, WSNs form one of the areas with the highest demand for cognitive networking because CR can mitigate the limitations of these networks such as energy consumption, security, coverage, or Quality of Service (QoS). The use of cognitive features allows the control of critical applications with WSNs. For example, in WSNs, the node resources are constrained in terms of battery

power, computational power, and spectrum availability. In contrast, with cognitive capabilities, a CWSN can find a free channel in unlicensed or licensed bands in which it can transmit. In addition, the cognitive technology does not only provide access to a new spectrum; it also provides better propagation characteristics. By adaptively changing system parameters like modulation schemes, transmit power, carrier frequency, and constellation size, a wide variety of data rates can be achieved. This improves the power consumption, network life, and reliability of a WSN.

Figure 1.4: Opportunities in the frequency and time domain.

Cognitive Wireless Sensor Networks (CWSNs) are a new concept in many respects [8], as they:
• Have a higher transmission range.
• Require fewer sensor nodes to cover a specific area.
• Make better use of the spectrum.

• Have better communication quality.
• Have lower delays.
• Have better data reliability.

When added to WSNs, these new features can improve the performance of the WSNs in many areas such as energy consumption, quality of communications, new routing opportunities, or higher level security. Also, these features allow the use of WSNs in new applications with higher requirements.

1.3. Motivation: the security in CWSN

One of the largest growing sectors for CWSNs is Cyberphysical Systems (CPSs), which are the union of cyber technologies and physical processes [9]. WSNs play a fundamental role in CPSs by acquiring a huge amount of information. One of the most representative examples of a CPS is the Industrial Control System (ICS), which is included in applications of critical infrastructure monitoring, smart grids, chemical processing, and healthcare.

The integration of these control systems in an interconnected world increases the risk of intrusions or attacks against these critical systems. In the past, the Supervisory Control and Data Acquisition (SCADA) systems were not connected to any other systems. However, today, Internet of Things (IoT) applications and the new possibilities of CWSNs make interconnections between SCADA systems and other systems a common scenario. The authors of [9] include a table of the most relevant incidents related to ICS security in recent years. In Table 1.1, we list the most recent attacks.

In 2011, the European Network and Information Security Agency (ENISA) published a study on ICS security, which is an important reference in this area [10]. This document indicates that ICS applications require security because of their characteristics. First, these systems are becoming more accessible and connected to the internet. Second, these systems imply a much broader scope and impact

than traditional information processing systems. Therefore, ENISA indicates that security in wireless networks is an important future research line.

Date | Location | Details
2013 | South Korea and Japan | Icefog is a small yet energetic APT group, who maintain a foothold in corporate and governmental networks to smuggle out sensitive information.
2012 | Global incident | Elderwood attack, spear phishing emails, watering hole, and zero-day exploits are always used.
2012 | Middle East | Flame is being used for targeted cyberespionage in Middle Eastern countries.
2011 | Global incident | Duqu virus was found, a complex attack tool specifically for critical infrastructure.
2011 | U.S. | Hackers attacked the control systems of water supply facilities in Illinois.
2011 | Japan | Hackers invaded the control and management system of Shinkansen in Japan.
2010 | Global incident | Stuxnet virus was found. Iran was the most seriously affected: power generation at its nuclear power plant was delayed.

Table 1.1: Most important ICS incidents in the last five years.

Another critical area that has been enhanced with CWSNs is healthcare. The use of new technologies and wireless communications within these systems opens up a new problem related to security and privacy: the monitoring and acting system controls the user's health. Therefore, any attack on these systems should be avoided in order to eliminate any risk to patient health. On the other hand, the information obtained by these monitoring networks is sensitive, so the privacy of this data must be guaranteed. These risks come together with the increased number of sick and aging people. The authors of [11] indicate that the number of aging people in 2040 is expected to be 1.3 billion (14 % of the total world population).

All these applications and the need for security can also be found in the Work Programme for Information and Communication Technologies 2014-2015 published by the European Commission under the Horizon 2020 programme [12]. The new document for the next two years has not been published yet, but the IoT and ICS security will be included as the European Commission indicates in this document

[13].

Hence, as we can observe, security in CWSNs is a fundamental challenge. Their large, dynamic, and adaptive nature presents significant challenges in designing security schemes. A CWSN has many constraints and many different features compared to traditional WSNs. These differences and constraints obviously affect their security. While security challenges have been widely tackled in traditional networks, this is a novel area in CWSNs.

A wireless medium is inherently less secure than a wired one because its broadcasting nature makes eavesdropping simple. Any transmission can be easily intercepted, altered, or replayed by an adversary. The wireless medium allows an attacker to intercept valid packets easily and also to inject malicious ones easily. The task of SUs is to distinguish between incumbent and malicious signals. However, this task is complicated because of the limitations of CWSNs and the complex scenarios where they are deployed. A PUE attack takes advantage of this situation in order to transmit as it desires. Moreover, the quality of the service of SUs is degraded.

Furthermore, the hostile environment in which cognitive sensor nodes work, with the possibility of their destruction or capture, the extreme resource limitations of CWSN devices, the scale of these networks, and the goal of reliable communications are threats or challenges for cognitive security.

In this context, it is important to understand that ensuring the security of CWSNs is crucial to their development and growth. Therefore, it is important to analyze, design, and test the security of these kinds of networks against any potential threats. Despite the research interest in CWSN, security aspects have not yet been fully explored even though security will likely play a key role in the long-term commercial viability of the technology.

The security paradigms are often inherited from WSNs and do not fit with the specifications of cognitive radio networks. Looking at previous works related to CR, security researchers have appreciated that cognitive radio has special characteristics, such as new attacks, the spectrum

sensing information, or collaboration. These characteristics make CR security an interesting research field, because more chances are given to attackers by CR technology compared to general wireless networks.

This thesis deals with the CWSN security problem. This scarcely studied field should be analyzed focusing on the new specific cognitive attacks, modeling their behavior, and creating efficient countermeasures.

1.4. Objectives

The main objective of this thesis is to study the impact of some CR attacks in CWSNs and to implement countermeasures using their new cognitive capabilities, especially in the physical layer and considering the limitations of WSNs. The impact of these solutions will be evaluated in order to validate their use in low resource wireless devices.

The main objective can be divided into two sub-objectives. The first sub-objective is the evaluation of the impact of the attacks. This step is crucial in order to understand how CWSNs actually behave under these attacks. The evaluation of the impact or the attack complexity are important conclusions for the future development of these networks in real scenarios.

The second sub-objective is the implementation of security strategies thanks to CWSN features such as spectrum sensing, collaboration, learning, redundancy, and adaptation. These strategies should be based on the features that CWSNs provide. The mix of new cognitive capabilities with the inherited ones of WSNs is a possible solution to improve the security in CWSN scenarios. The four main features on which our security approaches are based are:

Redundancy. A CWSN usually has a high degree of spatial redundancy [14] (many sensors that should provide coherent data), and temporal redundancy (habits, periodic behaviors, causal dependences). Both types of redundancy

can be used effectively to detect and isolate faulty or compromised nodes.

Spectrum aware. The key to opportunistic access is that all the nodes involved in this technique are aware of the spectrum situation [7]. Nodes should be analyzing the spectrum to detect incumbent users or the best medium to share the information with other users. For that purpose, the nodes should perform spectrum sensing. This collected information could be transmitted to other nodes or simply used to create a knowledge database. The node behavior can be modelled in order to detect and isolate malicious attacks thanks to this valuable information.

Collaboration strategies. These strategies are a common solution in other cognitive areas like spectrum sensing. For example, in [15], the authors present collaborative strategies as a solution for multipath and shadowing. This way, cooperative spectrum sensing can mitigate the sensitivity requirements on individual radios. The same approach can be applied to security in order to improve attack detection.

Adaptation. This is one of the main characteristics of CR. A cognitive node is spectrum-aware and adapts its internal states to statistical variations in the incoming RF stimuli by making corresponding changes in certain operating parameters (e.g., transmit power, carrier frequency, and modulation strategy) in real time with several primary objectives in mind:
• Reliable communications.
• Efficient utilization of the radio spectrum.
• Low power consumption.
• QoS.
• High availability.
Most cognitive attacks and countermeasures can be executed because of this feature. A cognitive node usually has multiple radio interfaces, channels or

transmission parameters that can be changed according to the necessities or the goals of the network.

1.5. Methodology

We have studied the features of CWSNs mentioned in Section 1.4 in order to verify if they can be useful for the proposed security mechanisms. This section describes the methodology followed in the development of this thesis to achieve the goals presented in Section 1.4.

The methodology followed is based on an iterative prototyping approach where small-scale mock-ups of the system are developed following an iterative modification and evaluation process until the system evolves to meet the requirements [16]. The selection of this methodology is based on its adaptation to a research work. For example, it is especially useful for resolving unclear or novel objectives, developing and validating the requirements, and experimenting with or comparing various design solutions.

Each contribution of this thesis followed the four-phase process represented in Figure 1.5: (a) strategy design, (b) implementation of these strategies, (c) cognitive tools development, and (d) results and evaluation. This cycle was performed until the contribution satisfied the objectives of the thesis. When a cycle was finished, a new one started with the previously acquired knowledge as shown in Figure 1.6. In the next subsections, each phase of the process is presented in more detail.

1.5.1. Previous analysis

In the previous analysis phase, the effort is focused on the analysis of new CWSN scenarios. Considering that the CWSN is a new paradigm, it is very important to analyze all the parameters completely to facilitate the next work steps. The CWSN merges two technologies in different states of development. The first technology, the WSN, is a mature technology, and extensive research has been

Figure 1.5: Scheme of the methodology followed in this thesis.

Figure 1.6: Iterative scheme of the methodology applied to multiple thesis contributions.

conducted on it over the last 20 years. However, the second technology, CR, is an emerging topic in an early state. As we will explain in Section 2, all the research on security in CR only spans the design phase. This thesis merges these two technologies. The new cognitive capabilities of CWSNs will be exploited to improve and resolve the limitations of WSN security. The analysis will be done according to this schema:
• Analysis of current scenarios. The first part of the analysis consists of the study of the present scenarios on WSN security. The results of this step are a list of constraints, strengths, and weaknesses in CWSNs.
• Examination of new opportunities and challenges in CWSNs. The inclusion of cognitive capabilities in WSNs creates good opportunities to improve the security.
• Perspective of new scenarios. When all the characteristics of CWSNs are clear, the definition and parameter setting of future scenarios will be the next step. All the new roles, functions, and strategies will be quite clear after this section.
• Extraction of conclusions. The comprehensive analysis of CWSN scenarios brings a complete vision to the in-depth study of security issues.

1.5.2. Strategy design

Cognitive wireless sensor networks face a dangerous problem in security. Several attacks could be adapted from WSNs to the new paradigm of cognitive networks. In the last ten years, some research related to security in CR networks has appeared. The researchers describe specific attacks against these networks, but they propose few countermeasures. The related work chapter (Chapter 2) will discuss the most studied attacks on WSNs and CWSNs.

In order to improve the defenses in a CWSN, we need to study the attacks in detail. For example, a PUE attack is always a reference in security, but this

thesis faces a new scenario where the PUE attack exhibits different behavior. The characteristics of wireless scenarios such as mobility and adaptation affect both the attackers and the defenses. Therefore, first, the attacks should be defined and modeled.

After the design of the attack model, the development of countermeasures is the main task. The design should take into account the objectives of the thesis defined in Section 1.4, the attack characteristics, and the features that the CWSNs provide. The countermeasures in CWSNs are an unexplored field, but it is easy to deduce that cognitive behaviors such as collaboration, spectrum sensing, learning, and reconfiguration will improve security in these networks.

1.5.3. Implementation of the strategies

Once the attack has been parametrized, the next step is to define the interesting scenarios and to implement them. These scenarios should be realistic but also sufficiently general in order to cover all the possibilities that the strategy can deal with.

After this study, modeling, and implementation of the attack, the next step is the implementation of collaborative security strategies in CWSNs in order to understand which ones are usable. The implementation can be done in a simulated or real scenario. Both of them must use the same parameters and model in order to compare the results. The simulated strategies allow for a faster development of the contributions while the real scenario contributes real results that are fed back to the model.

1.5.4. Cognitive tools

Because the CWSN is a new paradigm, appropriate tools for its development are not available. Therefore, the design of new tools is an important task of this thesis. As in common WSNs, the first investigations in CR are usually implemented in

a WSN simulator. Simulators help developers avoid possible failures in hardware. Cost and time reduction is another advantage of simulators. This advantage is emphasized in CWSNs, where the needed increase in radio interfaces and the complexity of the software are higher. Moreover, real cognitive wireless devices hardly exist, so the implementation cost of a new scenario is very high.

However, it is important to remember that these strategies would be implemented in real devices in the future. The information obtained from a real scenario is the most valuable result. The development of the simulation and the implementation tools has been a continuous task in this thesis. The requirements of the security strategies have defined changes in these tools.

1.5.4.1. Results and evaluation

One of the requirements imposed on the cognitive tools is the fast and complete presentation of the results. These results have been analyzed in order to evaluate the attack impact, the countermeasure effectiveness, and the side effects that these solutions provoke in the system.

The evaluation can produce three kinds of decisions: (a) the modification of the approach, (b) the modification of the tools, or (c) the validation of the contribution. The modification of the approach occurs when the results indicate that there have been wrong assumptions or definitions. Modifications of the tools have been made when the evaluation indicates that a new feature is required for the good performance of the approach or when the tools are the cause of a failure. Finally, regarding the validation of the contribution, the iterative cycle is closed only if the results indicate that the approach fulfills the objectives of the thesis.

1.6. Organization

The thesis starts with an extensive and thorough review of the related work about security in cognitive networks. The related work is presented in Section 2 in the form of two subsections. The first subsection shows the most relevant attacks in CWSNs that take advantage of CWSN vulnerabilities. The second subsection analyzes the existing security mechanisms for the mentioned threats.

Section 3 presents the analyzed threats and the proposed security strategies implemented in the thesis. The starting point of this work opens this section. Then, the architecture adopted in this work is detailed. Finally, we explain the design and implementation of the scenarios and security strategies.

In order to develop new security strategies for CWSN, specific tools are necessary. Section 4 shows the tools developed for this thesis, which include a WSN simulator with cognitive capabilities and a real hardware platform for CWSN. Both tools integrate a complete framework for cognitive strategies in WSN.

Section 5 presents the results obtained in this thesis. All the information obtained from the experiments is analyzed. The viability of the solutions, the security level obtained, and the impact of these solutions on other aspects of the network are discussed.

Finally, the conclusions obtained and the proposed future research directions are shown in Section 6.

1.7. Publications

This is a list of the published works related to this thesis:
• J. Blesa, E. Romero, A. Rozas, and A. Araujo, “PUE attack detection in CWSNs using anomaly detection techniques”, EURASIP J. Wirel. Commun. Netw., vol. 2013, no. 1, p. 215, Aug. 2013.
• J. Blesa, A. Araujo, E. Romero, and O. Nieto-Taladriz, “Evaluation, Energy Optimization, and Spectrum Analysis of an Artificial Noise Technique to Improve CWSN Security”, Int. J. Distrib. Sens. Networks, vol. 2013, pp. 1-8, 2013.
• J. Blesa, E. Romero, A. Rozas, A. Araujo, and O. Nieto-Taladriz, “PUE Attack Detection in CWSN Using Collaboration and Learning Behavior”, Int. J. Distrib. Sens. Networks, vol. 2013, pp. 1-8, 2013.
• E. Romero, A. Mouradian, J. Blesa, J.M. Moya, and A. Araujo, “Simulation framework for security threats in cognitive radio networks”, in Communications, IET, vol. 6, no. 8, pp. 984-990, 2012.
• J. Blesa, E. Romero, D. Villanueva, A. Araujo, “A Cognitive Simulator for Wireless Sensor Networks”, in UCAMI 2011 - 5th International Symposium on Ubiquitous Computing and Ambient Intelligence, pp. 21-32, 2011.
• E. Romero, J. Blesa, A. Tena, G. Jara, J. Domingo, and A. Araujo, “Cognitive test-bed for wireless sensor networks”, in 2014 IEEE International Symposium on Dynamic Spectrum Access Networks, DYSPAN 2014, pp. 346-349, 2014.
• A. Araujo, J. Blesa, E. Romero, and D. Villanueva, “Security in cognitive wireless sensor networks. Challenges and open problems”, EURASIP J. Wirel. Commun. Netw., vol. 2012, no. 1, p. 48, Feb. 2012.
• A. Araujo, J. Blesa, E. Romero, and O. Nieto-Taladriz, “Artificial noise scheme to ensure secure communications in CWSN”, in IWCMC 2012 - 8th International Wireless Communications and Mobile Computing Conference, 2012, pp. 1023-1027.
• A. Araujo, J. Blesa, E. Romero and O. Nieto, “Cooperative jam Technique to Increase Physical layer Security in CWSN”, in COCORA 2012 - 2nd International Conference on Advances in Cognitive Radio, pp. 11-14.
• E. Romero, J. Blesa, A. Araujo, and O. Nieto-Taladriz, “A game theory based strategy for reducing energy consumption in cognitive WSN”, Int. J. Distrib. Sens. Networks, vol. 2014, 2014.
• A. Araujo, E. Romero, J. Blesa, and O. Nieto-Taladriz, “A framework for the design, development and evaluation of Cognitive Wireless Sensor Networks”, Int. J. On Advances in Telecommunications, vol. 5, no. 3&4, pp. 141-152, Dec. 2012.
• E. Romero, A. Araujo, J. Blesa and O. Nieto-Taladriz, “Developing Cognitive Strategies for Reducing Energy Consumption in Wireless Sensor Networks”, in COCORA 2012 - 2nd International Conference on Advances in Cognitive Radio, pp. 63-66, 2012.
• A. Araujo, E. Romero, J. Blesa, O. Nieto-Taladriz, “Cognitive wireless sensor networks framework for green communications design”, in COCORA 2012 - 2nd International Conference on Advances in Cognitive Radio, pp. 34-40, 2012.
• A. Araujo, J. García-Palacios, J. Blesa, F. Tirado, E. Romero, A. Samartín, and O. Nieto-Taladriz, “Wireless measurement system for structural health monitoring with high time-synchronization accuracy”, IEEE Trans. Instrum. Meas., vol. 61, no. 3, pp. 801-810, 2012.
• A. Araujo, F. Tirado, J. García-Palacios, and J. Blesa, “High precision structural health monitoring system using wireless sensor networks”, in IALCCE 2012 - Third International Symposium on Life-Cycle Civil Engineering, 2012.


Chapter 2. Related work

The more I read, the more I acquire, the more certain I am that I know nothing. Voltaire.

2.1. Security in Cognitive Radio

This first subsection explains the aspects related to security in CWSNs that will be used in the analysis of previous works, for example, the influence of the new cognitive characteristics or the CWSN principles.

According to Chapter 1, it is very clear that CWSNs face a dangerous problem in security. The new cognitive features and their integration with those of WSNs make security in these scenarios an unresolved challenge. In addition to this, CWSNs are and will be used as a viable solution for critical applications, such as military scenarios, healthcare or structural monitoring. Security should be one of the most important aspects to take into account from the early stages of CWSN development.

Despite the extensive volume of research results on WSN [17], the considerable amount of ongoing research efforts on CR networks [7], and the new interest in CWSN [8], security in CWSN is a vastly unexplored field. The reason why security has no priority is that it is not necessary for the development of the technology. Other features, such as spectrum sensing or communications, are indispensable for CWSN functioning. The early stage of the technology has left security in a secondary place. However, the security of CWSNs is a new paradigm that offers many research opportunities and it is essential for the future of critical applications.

Several attacks could be adapted from WSNs to the new paradigm of cognitive networks. In the last ten years some research related to security in Cognitive Radio Networks (CRNs) has appeared. It describes specific attacks against these networks, but few countermeasures are proposed.

Most of the first publications related to the security field in cognitive radio were developed specifically to analyze the effects produced by characteristics of cognitive radio on the security of the systems and how they could be used to mitigate the negative effects. The article of Jack L. Burbank [18] probably presents one of the most important works related to security in Cognitive Radio. In this paper, each characteristic and the attacks that could take advantage of it are analyzed. The authors indicate two differences between a traditional wireless sensor network and a CR network:

1. The potential far reach and long-lasting nature of an attack. CRNs perform tasks in order to acquire as much information as possible from the environment. For example, the wireless interfaces perform a periodic spectrum sensing that the nodes use in order to create an image of the current state of the radio spectrum. If the attackers can create signals in order to modify the perception of the environment by cognitive network nodes, the decisions taken by them will be wrong. Using this information, the CRN adapts its parameters. Some attackers can force a desired change by modifying the

information. This way, the malicious attackers can control the behavior of the network.

2. The ability to have a profound effect on network performance and behavior through simple spectral manipulation. The decisions taken in the past improve the behavior in CRNs. That means these networks reason and learn in order to reach a goal. If the decisions are based on altered information, the attack effect on the CRN continues for a longer time. Finally, the collaboration between nodes is an opportunity to propagate the attack through the network.

These two differences are the consequences of how the malicious node takes advantage of the new characteristics. If the attacks are more dangerous in terms of affected area and time duration, the security should obviously be improved.

• Maintains awareness of surrounding environment and internal state. It could be an opportunity for spoofing that sends malicious data to the environment to provoke an erroneous perception.
• Adapts to its environment to meet requirements and goals. It is an opportunity to force desired changes in behaviour in the victim.
• Reasons on observations to adjust adaptation goals. It could be an opportunity to influence fundamental behaviour of the CRN.
• Learns from previous experiences to recognize conditions and enables faster reaction times. This could be an opportunity to cause a long-lasting impact on CR behaviour.
• Anticipates events in support of future decisions. It could be an opportunity for long-lasting impact due to an erroneous prediction.

• Collaborates with other devices to make decisions based on collective observations and knowledge. This is an opportunity to propagate an attack through the network.
• Wireless communication. Data might be eavesdropped and altered without notice, and the channel might be jammed and overused by an adversary. Access control, confidentiality, authentication and integrity must be guaranteed.

On the other hand, CRN features also help to mitigate malicious manipulation using:
• The ability to collaborate for authentication of local observations that are used to form perceived environments. Collaboration can improve the results of any security mechanism in the long term. Moreover, it can improve the knowledge that all nodes have about the network.
• The ability to learn from previous attacks. Some security approaches can use the experience in order to reduce the impact of future attacks.
• The ability to anticipate behaviours to prevent attacks. This is a further step towards the reduction of the attack influence.
• The ability to perform self-behaviour analysis. Shared knowledge is also useful in order to learn from the errors and correct them.

2.2. Threats in CWSN

As we showed in Section 2.1, CWSNs have special features that make security an important area to develop. However, security in CWSNs needs to be further studied by the scientific community. In this section, a complete taxonomy of attacks for CWSNs is shown. We are going to compare the impact of these attacks in a traditional WSN and in a cognitive one.
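The collaborative authentication of local observations listed in Section 2.1, which also relies on the spatial redundancy described in Section 1.4, can be sketched as follows. This is an added example, not code from the thesis: the node names, dBm readings, thresholds and the median/MAD scoring are constructed assumptions chosen to show how coherent neighbour reports expose a node whose spectrum observations are falsified or faulty.

```python
"""Cross-check of collaborative spectrum-sensing reports (constructed example)."""
from statistics import median

MIN_MAD_DB = 1.0        # floor for the spread, avoids division by zero (assumption)
OUTLIER_SCORE = 3.5     # cut-off on the modified z-score (assumption)
BUSY_DBM = -85.0        # energy-detection threshold for "channel occupied" (assumption)
STRIKES_TO_ISOLATE = 3  # outlier rounds before a node's reports are ignored (assumption)


def robust_scores(reports):
    """Return {node: modified z-score} of each report against its neighbours.

    The median and the median absolute deviation (MAD) are used because a
    minority of wrong reports cannot drag them the way it drags a mean.
    """
    centre = median(reports.values())
    mad = max(median(abs(v - centre) for v in reports.values()), MIN_MAD_DB)
    return {node: 0.6745 * (v - centre) / mad for node, v in reports.items()}


def sense_round(reports, strikes):
    """Fuse one round of reports {node: received power in dBm}.

    strikes maps node -> number of rounds in which it was an outlier and is
    updated in place (temporal redundancy: one glitch is tolerated, a
    persistent deviation is not).
    Returns (channel_busy, outliers_this_round, isolated_nodes).
    """
    trusted = {n: v for n, v in reports.items()
               if strikes.get(n, 0) < STRIKES_TO_ISOLATE}
    if len(trusted) < 3:
        raise ValueError("need at least three trusted reports to cross-check")

    scores = robust_scores(trusted)
    outliers = sorted(n for n, s in scores.items() if abs(s) > OUTLIER_SCORE)
    for node in outliers:
        strikes[node] = strikes.get(node, 0) + 1

    # Decide occupancy only from reports that agree with the neighbourhood.
    # This holds only while fewer than half of the trusted reports are wrong.
    consistent = [v for n, v in trusted.items() if n not in outliers]
    channel_busy = median(consistent) > BUSY_DBM
    isolated = sorted(n for n, c in strikes.items() if c >= STRIKES_TO_ISOLATE)
    return channel_busy, outliers, isolated


# Constructed sample data: six nodes sensing the same channel in four rounds.
# n5 always reports a strong signal on an idle channel; n3 glitches once in
# round 2; in round 4 a real transmitter appears and every honest node sees it.
ROUNDS = [
    {"n1": -96.0, "n2": -94.5, "n3": -95.2, "n4": -97.1, "n5": -60.0, "n6": -95.8},
    {"n1": -95.0, "n2": -96.2, "n3": -70.0, "n4": -94.8, "n5": -58.0, "n6": -95.5},
    {"n1": -95.5, "n2": -95.9, "n3": -96.0, "n4": -94.9, "n5": -61.0, "n6": -96.3},
    {"n1": -71.0, "n2": -69.5, "n3": -70.2, "n4": -72.0, "n5": -40.0, "n6": -70.8},
]


def run_demo():
    """Run all constructed rounds with a shared strike table."""
    strikes = {}
    return [sense_round(reports, strikes) for reports in ROUNDS]


if __name__ == "__main__":
    for i, (busy, outliers, isolated) in enumerate(run_demo(), 1):
        print(f"round {i}: busy={busy} outliers={outliers} isolated={isolated}")
```

The one-off glitch of n3 costs it a single strike and it stays trusted, while n5 is isolated after three deviating rounds; the occupancy change in round 4 is accepted because all remaining nodes observe it.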

Figure 2.1: Taxonomy of attacks in CWSN.

A taxonomy of attacks on CWSNs is very useful to design optimistic security mechanisms. There are several taxonomies of attacks on wireless networks [19], and some that focus on WSNs [8]. Moreover, some classifications of attacks in CR exist [3, 20, 21]. However, there is no in-depth classification of attacks in CWSNs, and no study of attacks against cognitive WSNs exists.

We have analyzed special network features that make CWSNs better against attacks: high transmission range, spectrum awareness, low delays, wireless adaptation and reliability of data. Their security is obviously endangered by the medium used, radio waves, but also by specific vulnerabilities of CWSNs like battery life or low computational resources.

Considering these features, we propose a taxonomy which contains various attacks with different purposes, behaviours and targets. This helps researchers to better understand the principles of attacks in CWSNs, and to design more optimistic countermeasures for sensor networks. Figure 2.1 shows an outline of this CWSN taxonomy of attacks. CWSN attacks are divided into communication, against privacy, node-targeted, power consumption, policy and cryptographic attacks.

2.2.1. Communication attacks

The first category of CWSN attacks is communication attacks. In this kind of attack, the attacker affects data transmissions between nodes with a concrete purpose, either to isolate a node or to change the behavior of the whole network. Communication attacks can be classified into three different types according to the attack behaviour: replay attack, Denial of Service (DoS) attack and Sybil attack.

A replay attack [22] consists of the replay of captured packets, possibly at a different time or location. For example, a message is directed to a node other than the intended one. This receiver node replays the message to the intended principal node, which receives the message with a delay. This delay is fundamental to calculate network characteristics (channel, topology, routing, etc.). Cognitive wireless sensor networks could be affected by this delay more than regular WSNs because nodes share information about the environment. If a node receives the wrong information and then repeats it, network behavior could be affected drastically. If PU packets are repeated, SUs could also make a wrong inference about the spectrum, avoiding communication on the frequencies or with the protocols used by the attacker. There is no specific work about this kind of attack in a CN. However, it can be considered an important attack in this area with a special impact, as we have explained above.

The second type of communication attack is the DoS attack, which is characterized by an explicit attempt to prevent the legitimate use of a service. In this case, services are the spectrum or a special node, such as a proxy, a coordinator, or a router. Three kinds of DoS attacks related to CR require particular attention: the jamming attack, the spoofing attack, and the Spectrum Sensing Data Falsification (SSDF) attack. However, there are more DoS attacks, such as the collision attack, the routing ill-directing attack or the flooding attack.
A jamming attack is the transmission of a radio signal that interferes with the radio frequencies used by nodes. The jamming attack is one of the most studied attacks against WSN [23]. In fact, cognitive features such as fast channel switching, software reconfigurability, and power transmission control can transform a normal node into an effective jammer, as Prasad et al. show in [24]. The use of cognitive features reduces the cost limitation of large attacks, allowing the same impact with fewer devices. If an attacker node can cover multiple frequency channels, the number of malicious nodes required and the total cost decrease.

Moreover, fast channel switching and spectrum sensing benefit the attacks. The faster the channel switching is, the higher the jamming impact in the network, because each individual node can interfere with more frequencies at the same time. On the other hand, spectrum sensing increases the information the attacker has about the incumbent nodes: the transmission cycle, the most used channels, or the transmit power. With this information, the jammer can optimize the attack in terms of impact and energy saving.

The work by Prasad et al. [24] is based on these ideas, and they present simulation results about how a jamming attack affects the throughput. The studied parameters are the jamming period, the transmit rate, the packet size, and spectrum sensing information. The results indicate that an intelligent jammer can reduce the throughput of the network between five and seventeen times more than a non-cognitive jammer while using between two and eight fewer jamming signals. The added value of this work is that it is one of the first security approaches characterized in terms of energy consumption.

Another example of a specific jamming attack against cognitive networks is explained in [25]. In this work, Peng et al. use a two-step procedure using spoofing and jamming in order to minimize the SU's throughput. A spoofing attack is when a malicious node impersonates other devices by falsifying data in order to launch an attack. For example, an attacker can supplant a real PU.

On the other hand, a jamming attack occurs when a malicious node disrupts communications by transmitting a noise signal in the same transmission band. There is a difference between spoofing and jamming: whereas spoofing happens in the sensing phase, jamming happens in the transmission phase. During the sensing intervals, the attackers emit spoofing signals in order to disturb the real view of the spectrum. At the end of these intervals, some allowable bands are identified as busy. The empty bands are where the secondary nodes transmit. However, the second action of the attackers is to transmit a jamming signal in order to prevent the SU's transmissions. The authors analyze the union of the spoofing and jamming attacks and try to reduce the computational cost. Complete results about the attack power consumption and SU throughput degradation are presented. The two main conclusions of this work are:

1. Spoofing capability increases when i) the number of allowable bands decreases; ii) the number of allowable bands required by the CRN increases; and iii) the integration-time-bandwidth product increases.
2. Jamming capability increases when i) the number of allowable bands decreases; and ii) the number of allowable bands required by the CRN decreases.

The work presented in [26] is another example of how cognitive features increase the damage caused by the attack. Using a cooperative jamming attack, attackers achieve a 10-15 % improvement compared with a non-cognitive attack. A discrete-time Markov chain is implemented in order to get the optimal number of malicious nodes that are needed to participate in the attack.

Despite these examples, CWSNs have great advantages for solving jamming. These advantages are explained in the following sections, but they can also have negative effects like energy consumption or communication failures. For example, CWSN nodes have a very short battery life. The detection of a jamming attack implies continuous spectrum sensing with its associated high energy consumption. In other cognitive networks this additional energy consumption is probably irrelevant, but in CWSNs it is very important. Another aspect that benefits the jamming attack in CWSNs is the low transmit power and coverage of the nodes. The higher the ratio between the jamming signal and the incumbent signal, the higher the consequences of the attack. However, as we have indicated before, other features of CWSNs can mitigate the attacks. For example, spatial and temporal redundancy benefits communications even in hostile or noisy scenarios.

A Spectrum Sensing Data Falsification (SSDF) attack [27] occurs when malicious users send wrong spectrum sensing information. For example, a malicious user can send information that a specific channel is always occupied in order to use it for the user's own benefit. The consequence of this situation is the DoS of the affected nodes. This is one of the most dangerous attacks in CRNs because the network decisions depend on the spectrum sensing information. If the origin of this information is wrong or the data are falsified, the subsequent decisions will be erroneous.

A collision attack [28] consists of intentionally violating the communication protocol. This kind of attack does not consume much of the attacker's energy, but it can cause many disruptions in the network operation. Due to the broadcast nature of wireless, it is not trivial to identify the attacker. For example, the SUs have to share the spectrum. Therefore, this type of attack is very efficient at disrupting SU communication. Nodes that detect collisions will relay the information, making communication very difficult. There is no specific previous work about this kind of attack in CR, but as in the replay attack case, problems in the transmission affect cognitive networks in a more profound way than traditional WSNs.
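To make the SSDF paragraph above concrete, the following added example (not code from the thesis) shows how one node that always reports "occupied" changes a cooperative sensing decision, and how collaboration exposes it. The node names, the constructed reports and the choice of k-out-of-n hard-decision fusion (OR rule and majority rule) are assumptions made for this illustration.

```python
# Added illustration: constructed reports and hypothetical node names.
# Each SU reports 1 (channel busy) or 0 (idle) once per sensing round.
TRUTH = [0, 0, 1, 0, 0, 1, 0, 0]          # constructed PU activity per round
REPORTS = {
    "su1": [0, 0, 1, 0, 0, 1, 0, 0],
    "su2": [0, 0, 1, 0, 1, 1, 0, 0],      # one honest false alarm
    "su3": [0, 0, 1, 0, 0, 0, 0, 0],      # one honest missed detection
    "su4": [1, 1, 1, 1, 1, 1, 1, 1],      # falsified: "always occupied"
}


def fuse(reports, k):
    """k-out-of-n hard-decision fusion: busy if at least k nodes say busy."""
    return [1 if sum(votes) >= k else 0 for votes in zip(*reports.values())]


def denied_rounds(decisions, truth):
    """Rounds where an idle channel was declared busy (SUs kept off it)."""
    return sum(1 for d, t in zip(decisions, truth) if d == 1 and t == 0)


def disagreement(reports, decisions):
    """Fraction of rounds in which each node contradicted the fused decision."""
    n = len(decisions)
    return {node: sum(a != b for a, b in zip(vals, decisions)) / n
            for node, vals in reports.items()}


def suspects(reports, k, threshold=0.5):
    """Nodes that contradict the k-out-of-n decision in >= threshold of rounds."""
    rates = disagreement(reports, fuse(reports, k))
    return sorted(node for node, rate in rates.items() if rate >= threshold)


if __name__ == "__main__":
    majority = len(REPORTS) // 2 + 1
    for name, k in (("OR rule", 1), ("majority rule", majority)):
        decisions = fuse(REPORTS, k)
        print(name, decisions,
              "denied idle rounds:", denied_rounds(decisions, TRUTH),
              "suspects:", suspects(REPORTS, k))
```

Under the OR rule the single falsifying node decides every round, so the honest nodes are the ones that appear to disagree; the disagreement check only becomes meaningful once the fusion rule itself tolerates a minority of wrong reports.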
In a routing ill-directing attack, a malicious node simply refuses to route.
