Explore Recurrent Neural Network for PUE Attack Detection in Practical CRN Models

Qi Dong, Yu Chen, Xiaohua Li, Kai Zeng E-mail: {qdong3, ychen, xli}@binghamton.edu, kzeng2@gmu.edu Dept. of Electrical and Computing Engineering, Binghamton University, SUNY, Binghamton, NY 13902, USA
Electrical and Computing Engineering Department, George Mason University, Fairfax, VA 22030, USA

The proliferation of the Internet of Things (IoT) and the pervasive use of many different types of mobile computing devices make the wireless communication spectrum a precious resource. To accommodate the still fast-increasing number of devices requesting wireless connections, more efficient, fine-grained spectrum allocation and sharing schemes are badly needed. Cognitive radio networks (CRNs) have been widely recognized as one promising solution, in which secondary users (SUs) are allowed to share channels with licensed primary users (PUs) as long as they cause no interference to the normal operations of the PUs. However, malicious attackers or selfish SUs may mimic the behavior of PUs to occupy the channels illegally. It is nontrivial to detect such primary user emulation (PUE) attacks accurately and in a timely manner. In this paper, an efficient PUE attack detection method is introduced that leverages the recurrent neural network (RNN). After a fundamental algorithm using a basic RNN, an advanced version taking advantage of long short-term memory (LSTM) is proposed, which is more efficient at processing time series with long-term memory. The experimental study provides deeper insights into the different performances the RNNs achieved and validates the effectiveness of the proposed detectors.

Cognitive Radio Networks (CRNs), Primary User Emulation (PUE) Attacks, Recurrent Neural Network (RNN), Long-Short-Term-Memory (LSTM).

I Introduction

The rigid spectrum allocation scheme regulated by governmental agencies leads to a great deficit in spectrum band resources. Under the current policies, wireless channels are assigned to fixed users for exclusive use. Such static spectrum access results in inefficient use of wireless spectrum resources, because the frequency bands are scarcely used, with geographical discrepancy. Under growing pressure from ever-increasing wireless applications, new intelligent spectrum allocation/re-allocation schemes, especially cognitive radio networks (CRNs), have been studied elaborately in the last decade. Cognitive radio (CR), also known as the secondary user (SU) in CRNs, is a technology that allows wireless devices (unlicensed users) to access spectrum resources adaptively without introducing major interference to licensed primary users (PUs).

Basically, a well-designed CRN serves two purposes [2]: to maximize the usage of spare spectrum resources and to protect the incumbent primary system from secondary network interference. Since SUs are required not to interfere with the normal operations of the PUs, SUs should adapt their behavior in accordance with PU activities. In most cases, knowing PU activities is critical for cognitive radios to share the spectrum resource with legitimate users. One of the effortless ways to acquire PU activity information is for PUs to notify SUs of their spectrum usage status, or for a third party to act as an inquiry center that knows what PUs will do in the near future. An alternative solution, which is the widely accepted one, is to develop robust and efficient spectrum sensing techniques to acquire knowledge of PU activities.

Spectrum sensing allows CRs to acquire real-time spectrum occupation information so that interweaving communications shared by PUs and SUs become feasible. Generally, spectrum sensing requires CRN participants to scan the desired spectrum band in a proper manner. In many CRN deployment models, especially the interweave model, spectrum sensing is one of the most important procedures for exploring white spectrum space for use while imposing little interference on PUs [3]. Because of the limited computational capacity and energy resources of SUs, many recent spectrum sensing and spectrum measurement studies have discussed practical implementation issues intensively, such as sensing complexity, power consumption, sensing period, and so on [4].

In practical CRN implementations, one of the major challenges of spectrum sensing is to detect PU signals with high accuracy while maintaining a low false alarm rate in the open and versatile radio environment, with limited SU resources. Also, the spectrum sharing efficiency greatly depends on a secure CR operating environment. In interweave spectrum sharing models, due to the opportunistic spectrum access (OSA) nature, CR systems encounter several CR-specific security problems. In contaminated radio environments, the false detection rate of spectrum sensing may become extraordinarily high, especially when a primary user emulation (PUE) attack happens. A PUE attack is one in which malicious entities mimic PU signals in order to either occupy spectrum resources selfishly or conduct Denial of Service (DoS) attacks. PUE attacks can be easily implemented in CRNs. They introduce great overhead on cognitive radio communication and cause chaos in dynamic spectrum sensing. However, defense against PUE attacks is nontrivial, as traditional authentication and authorization (AA) methods are no longer applicable to CR systems, because no obligation should be imposed on PUs. More adaptive and practical PUE attack detection techniques are highly desired.

In general, PUE attack detection techniques are divided into two broad categories: fingerprint/radiometric based detection and activity pattern based detection. For the first category, the detection methods usually probe either a) the transmitter’s intrinsic features such as pulse shape [16] or transient [20], b) the propagation channel features [15], or c) geographical information [8]. These fingerprint/radiometric based detection approaches all have restricted deployment due to particular limitations. For example, detecting transmitter features is usually computationally intensive, and some features are prone to be overwhelmed over long-distance propagation. In addition, propagation channels are usually not static, and sometimes suffer from great fluctuation over short distances [6]. Also, geographical feature based detection usually requires some critical prior information, such as the sensing nodes’ locations, PU propagation power, and a stable propagation channel [8]. Furthermore, such methods are likely to be influenced by mobile PUs [29].

On the other hand, activity pattern based methods have been discussed in several works [23, 27, 24, 11]. The fundamental idea is based on the assumption that PUs’ activities can be generalized by some proper activity models or a combination of a set of proper hyperplanes. When malicious nodes conduct PUE attacks, the sensed signal activities will show a noticeable discrepancy from normal PU behaviors in compromised spectrum channels. Since attackers will inevitably generate excessive signal activities, activity pattern based detection methods are promising for development, due to their low computation burden and flexible deployment.

In most of the activity pattern based PUE attack detection studies, continuous (non-intermittent) spectrum scanning is assumed for each sensing SU, although intermittent spectrum sensing schemes are preferred in recent spectrum sensing studies for the sake of energy efficiency and processing efficiency [9, 28, 4]. In intermittent spectrum sensing, the sensing nodes scan the desired channel with a proper observation period to maintain a reasonable Resolution Bandwidth (RBW), and then sit back for a sensing interval to preserve energy and computation resources. Such spectrum sensing schemes only allow the CRN to obtain partial channel information, which makes the detection of activity patterns much more difficult.

When exploring signal activity patterns, it is reasonable to assume that there are some “features” inherent in the signal sequence. On the other hand, with intermittent spectrum sensing, the channel status is not independent of the previous status. Thus, the signal activity patterns can be regarded as the possible sequence which relates to some “features” of the channel and the previous internal states (memory). In this work, we propose a recurrent neural network (RNN) based PUE attack detection method leveraging the energy- and computation-efficient intermittent spectrum sensing technology. Further, a more advanced RNN technique, called long short-term memory (LSTM), is studied for the detection.

The rest of this paper is organized as follows. Section II provides the background knowledge that motivated this work and discusses some related work on state-of-the-art spectrum sensing techniques and PUE attack detection approaches. Section III presents a practical PU activity model and briefly introduces the PUE attack detection process. The proposed RNN-based and LSTM-based PUE attack detection methods are introduced in Section IV. Section V reports our experimental evaluation of three different PUE attack detectors in two PU activity models. Finally, Section VI concludes this paper along with a brief discussion of our on-going efforts.

II Related Work

Many spectrum measurement campaigns around the world have shown that the spectrum occupancy of PU channels exhibits noticeable statistical features, which can be described by some statistical models [7]. Figure 1 shows a rational and practical way for spectrum sensing, which allows CRs to measure a channel’s state during a short observation time and wait for a revisiting time until the next spectrum sensing action. Based on such intermittent spectrum sensing, there are two ways to improve the efficiency of CRNs. The CRs can either save energy during the period of sleep, or perform wideband spectrum sensing by sensing other bands during the period of scanning. However, because CRs only collect intermittent channel information, many signal patterns become untraceable. This makes it easier for malicious parties to apply various attacks, especially PUE attacks.

Fig. 1: Practical CR spectrum sensing pattern.

In CR systems, since no obligation is imposed on PUs according to Federal Communications Commission (FCC) [1], it is necessary to distinguish attacker signals from PU signals while SUs actively sense the channel. Otherwise, PUE attacks will cause severe problems on the efficiency of spectrum utility [12]. As discussed before, in PUE attack detection, the fingerprint/radiometric based detection methods have restricted deployment, because they are either resource intensive, or only applicable under certain conditions. In comparison, activity pattern based detection methods attract more attention in broader application scenarios.

Several works have explored different ways of using activity patterns for PUE attack detection. One recent work explored a cooperative spectrum sensing method for detecting PUE attacks [24]. The author considered the most common spectrum sensing approach, energy detection, and found the optimal detection threshold of the aggregated sensing samples from all CRs by using a numerical method. The proposed approach is easy to implement because of its low cost, and it is also compatible with the practical spectrum sensing process. However, the proposal is weak in several aspects: a) to find the optimal detection threshold, the prior probabilities of attack are assumed known; b) the sensed samples are assumed to follow the Gaussian distribution, which is not proven; and c) the attackers in the model are assumed too passive to adjust their behavior, such as attack strength, attack probability and attack timing. As a matter of fact, a smart attacker will easily deceive such a detector.

In 2014, a signal activity pattern (SAP) based PUE attack detection method was proposed [27]. The main idea is that the PU signal activities can be well reconstructed by some sparse combination of a set of feature vector bases, while attack activities can not be sparsely reconstructed by such bases. Besides a lengthy training process, the proposal may suffer from two practical issues. Firstly, it requires a consecutive long enough observation duration to preserve ON/OFF features of the signal activities (30 ON/OFF periods in the literature). Secondly, it is expensive to find an optimal solution of the signal reconstruction problem by solving a convex optimization problem for each detection, which consumes a great amount of resources. Although the proposed SAP based PUE attack detection is theoretically sound, it is not advantageous in practical implementation.

Detection of PUE attacks greatly depends on the manner of spectrum sensing. As discussed in the literature, an efficient spectrum sensing method usually leverages only a short observation time for collecting signal samples [17, 9, 28, 10]. The basis for finding the optimal spectrum sensing interval in a CRN is that PU activities usually follow some activity models [22, 7, 14]. In most of such activity models, each user request arrival is assumed independent, thus the state holding time or sojourn time is modeled as exponentially distributed [28, 21]. However, in practice, it was found that more complex distribution models are needed to better describe the state holding times, such as means of generalized Pareto or Hyper-Erlang distributions [19, 13].

To model PU activity in spectrum sensing, various Markov models are preferred in many studies. A comprehensive study of PU activity modeling using first order Markov models can be found in [22]. Although the first order Markov models may perform well for simple PU activity models, say the exponentially distributed model, they are not adequate to model complicated, real-world PU activity. Other studies, inspired by the great capability of artificial neural networks, made some trials on modeling PU activities using different neural networks (NN). For example, a plain feed-forward neural network (FNN) was used for spectrum prediction in [26]. A simple FNN shows some merits in predicting spectrum status, but, like the first order Markov models, it omits one important fact: the next channel states are related not only to the current states, but also to a possibly longer history of channel states. Recently, a trial using a recurrent neural network (RNN) to predict spectrum slots was proposed [25]. An RNN is a neural network structure that makes use of sequential information by using its “memory” of previous states. It is naturally efficient at modeling the patterns of temporal dependency in time series [30].

With the intermittent spectrum sensing approach, some critical PU activity information gets lost, such as the channel holding time of the PU. As a result, a smart attacker is able to conduct short impulse denial-of-service (DoS) attacks to cause intensive PUE attacks, as shown in Fig. 2. To overcome the partial information problem, our proposal explores the “memory” feature of the RNN to model the PU signal patterns of a spectrum channel, and uses this model to detect PUE attacks in that channel.

Fig. 2: Short impulse PUE attack in CRN which uses intermittent spectrum sensing.

III System model

In CRNs, the typical OSA is usually conducted by the following four steps:

  1. apply spectrum sensing and analysis on wide spectrum band, and determine the proper bands for secondary use;

  2. access a proper spectrum band for propagation while it is in idle state;

  3. apply intermittent spectrum sensing for consistent spectrum band monitoring, to avoid causing severe interference to PUs; and

  4. switch to another proper spectrum band if current band is occupied.

Fig. 3: Two-state ON/OFF PU activity model.

As illustrated in Fig. 1, the PU activity in a channel can be described with a two-state ON/OFF model. In Fig. 3, denotes the transition probability from ON state to OFF state, and denotes the transition probability from OFF state to ON state. stands for the sojourn time in ON state and denotes the OFF duration. The probability density functions (p.d.f) of and are denoted as and , respectively.

For SUs using intermittent spectrum sensing, as discussed in the previous section, CRs measure a channel’s state during a short observation time and wait for a revisiting time until the next spectrum sensing action. During , the SU can either put itself to sleep or sense other spectrum bands. One major problem with intermittent spectrum sensing is that the observation only reflects partial spectrum information. It senses ON or OFF at certain periods, but misses some other critical information about the PU signals, such as the starting and ending moments of the ON and OFF periods, and the exact lengths of the ON and OFF periods. Such an incomplete spectrum sensing measure makes it harder to detect malicious activities, especially PUE attacks.

Fortunately, the PU activities are not totally random. They preserve some patterns and features. The involvement of PUE attacks will inevitably introduce some “other” features. If we are able to learn the PU activity patterns from the initial spectrum sensing and analysis stage, it is possible to distinguish exotic PUE activities from normal PU activities. We assume the PU ON/OFF activities follow Hyper-Erlang distributions, which have been proven to be an effective PU activity model [13]. It is worth noting that in practical spectrum prediction and anomaly detection, the PU activity model is unknown, and may follow other distributions. We will not make any strong assumptions about the PU activity model’s distribution function in our detection process. It means that we will not use the assumed Hyper-Erlang distribution model in our detection models. Instead, the Hyper-Erlang distribution model is used to simulate actual PU activities, where the and are defined as :


where and , , are shape parameters, are scale parameters.

The expectations of and can be computed by:


In our detection model, the PUE attack detection process is briefly described in four steps:

  1. The SUs will follow the typical OSA intermittent spectrum sensing process by first determining an appropriate spectrum channel by collecting a sensed time sequence , where it is composed by and ; the represents busy state of the channel, and represents idle state of the channel;

  2. Based on the sequence , SUs can learn the signal activity patterns of the channel to construct a PUE attack detector ;

  3. While sharing the channel with PUs, SUs shall still apply intermittent spectrum sensing with the same manner to generate testing time sequence , in order to avoid interference with PUs and to detect malicious signal activities; and

  4. Use the current state series with length as the detector ’s input, and compare the output series with the next state series with length to determine the abnormity.

IV RNN based Detection

For activity pattern based PUE attack detection, the essential rationale is to extract or model the patterns of the normal signal traffic. With partial information series generated by intermittent spectrum sensing, the general idea of the detection becomes to determine whether or not the received series falls into the normal series set. Since the attacker can produce various PUE attacks, it is hard to define the attacker behavior, i.e. the abnormal series set. A dilemma in such a situation is that it is not practical to construct a normal series set from discrete sensing series when abnormal signal patterns are lacking. The longer the series used to construct the normal series set, the more comprehensively the set includes normal behavior series while excluding possible abnormal behavior series. The problem, however, is that the constructed normal series set grows exponentially as the length of the series grows. Another problem is that even if we can construct a normal series set, it still omits the internal connection between series states. For example, some behaviors of the series might be considered normal in some situations, while they are actually abnormal in a different context.

Thus, traditional approaches such as signal decomposition, i.e. principal component analysis (PCA), or traditional classification techniques, i.e. vector machines and logistic regression, are not adequate to resolve the PUE attack detection problem in this case. A more appropriate approach is to identify a relatively small normal series set, given a long history of previous behavior of the series. For different histories of the series, the normal set shall change in a proper way. Therefore, an appropriate PUE attack detector with intermittent spectrum sensing should be: 1) not computationally or memory expensive; 2) effective at preserving the PU activity patterns without any prior model information; and 3) able to adapt normal pattern behavior to a long history of behavior by seeking temporal domain information.

IV-A RNN-based PUE Attack Detector

The recurrent neural network (RNN), a feed-forward neural network (FNN) with decoupling temporal relationships and information, is a promising technique for PUE attack detection. Similar to FNNs, the RNN benefits from an adaptive structure that is able to model some complex nonlinear functions. In addition, the RNN not only learns the network structure to fit the series model, but also preserves its cell states, which are comparable to the “memory” of the series while detecting. The current “memory” is used along with the input series to predict the next step states.

Figures 4 and 5 show the different architectures of the basic FNN and RNN. In an FNN, the network only uses the current time series to generate the output. The actual information used by the network only depends on the length of the input. This is problematic in series prediction, specifically in PUE attack detection, because such a network structure creates uncertainty about which portion of the input information is more important and which portion is relatively trivial. It also requires a large data set for training, since the input length is required to be sufficiently long. The RNN, on the other hand, not only uses the current input series information, but also uses its memory of earlier time series in a recurrent way. Given an input series , the RNN computes the hidden state sequence , as well as the output sequence iteratively using the following set of equations, where with length , , and with length :

Fig. 4: A simple feedforward neural network.
Fig. 5: A simple recurrent neural network unfolded across time steps. At each time step, the network uses both the current input series and its cell states to generate the output.

In Eq. 5 and Eq. 6, is the matrix of conventional weights between the input and the hidden layer, is the matrix of recurrent weights between the hidden layer and itself at adjacent time steps, and is the hidden-output weight matrix. and are bias of the hidden layer and the output layer, respectively [18]. is the activation function used in the hidden layer, and is the activation function used in the output layer.

In CRNs, during the initial spectrum sensing stage, the normal PU activity series can be used to train the RNN model at either SUs side or at a fusion center if a non-distributed CRN is adopted. While sharing the spectrum channel with PUs, the SUs can constantly inspect the signal activity behaviors, by applying the trained RNN as the PUE attack detector.

However, while training the RNN to learn PU activity patterns, we actually do not use any series with PUE attacks. The RNN can only learn the normal features. Thus, it is not able to classify the incoming activity series as either PU activity or attacker activity. We need to transform the trained RNN into an efficient RNN based detector . Since the RNN is modeling the features of the series composed of and , the detector is designed to detect the difference between the predicted and the real received series with length , given some input series with length and previous historical series. Actually, we do not expect the trained RNN to predict the exact output series. Instead, the series with length is mapped to a “label” domain with elements. For example, a series with length can be mapped to the “label” domain with elements, . The RNN is trained to predict the likelihood of each label, so that we are able to map the actually received series to the element in the “label” domain. We then compute the mean square error (MSE) as the loss, by comparing the predicted likelihoods of each label and the real received series:


where denotes the label corresponding to the received series, denotes the output likelihood of label .
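The four detection steps of Section III and the label-domain MSE loss described above, put together as an added example (not the authors' code). The Hyper-Erlang parameters, sensing interval, attack probability, n = 8, m = 2 and the one-hot form of the loss are constructed assumptions, since the paper's values do not appear on this page, and a count-based context model stands in for the trained RNN.

```python
import random
from bisect import bisect_left, bisect_right
from collections import Counter, defaultdict

# Constructed Hyper-Erlang branches (NOT the paper's Table I values):
# (mixing weight, Erlang shape, scale in seconds).
ON_BRANCHES = [(0.6, 4, 0.5), (0.4, 6, 1.0)]
OFF_BRANCHES = [(0.7, 3, 1.0), (0.3, 5, 2.0)]


def hyper_erlang(rng, branches):
    """Draw one sojourn time: pick a branch by weight, sum `shape` exponentials."""
    u, acc = rng.random(), 0.0
    for weight, shape, scale in branches:
        acc += weight
        if u <= acc:
            break
    return sum(rng.expovariate(1.0 / scale) for _ in range(shape))


def sense(rng, slots, interval, attack_prob=0.0):
    """Intermittent sensing: one busy(1)/idle(0) sample every `interval` seconds.

    With attack_prob > 0, an idle slot is reported busy because of a short
    emulated-PU impulse with that probability. Returns (sensed, impulse_flags).
    """
    sensed, flags = [], []
    state, t_end = 0, hyper_erlang(rng, OFF_BRANCHES)    # channel starts idle
    for i in range(slots):
        while i * interval >= t_end:                     # advance ON/OFF process
            state ^= 1
            t_end += hyper_erlang(rng, ON_BRANCHES if state else OFF_BRANCHES)
        hit = state == 0 and rng.random() < attack_prob
        sensed.append(1 if hit else state)
        flags.append(hit)
    return sensed, flags


def label(bits):
    """Map a 0/1 series of length m to its index in the 2**m label domain."""
    return int("".join(map(str, bits)), 2)


def mse_loss(likelihoods, received_label):
    """MSE between predicted label likelihoods and the one-hot received label
    (the one-hot target is this example's reading of the loss)."""
    return sum((p - (k == received_label)) ** 2
               for k, p in enumerate(likelihoods)) / len(likelihoods)


class ContextModel:
    """Stand-in for the RNN detector: estimates P(label of next m states |
    previous n states) from counts on the clean training series."""

    def __init__(self, n, m):
        self.n, self.m = n, m
        self.counts = defaultdict(Counter)

    def fit(self, seq):
        for i in range(self.n, len(seq) - self.m + 1):
            self.counts[tuple(seq[i - self.n:i])][label(seq[i:i + self.m])] += 1
        return self

    def likelihoods(self, context):
        seen = self.counts.get(tuple(context), Counter())
        total = sum(seen.values()) + 2 ** self.m         # add-one smoothing
        return [(seen[k] + 1) / total for k in range(2 ** self.m)]

    def losses(self, seq):
        """Loss at every step: predict from n past states, compare with next m."""
        return [mse_loss(self.likelihoods(seq[i - self.n:i]),
                         label(seq[i:i + self.m]))
                for i in range(self.n, len(seq) - self.m + 1)]


def auc(negatives, positives):
    """Area under the ROC of the loss score: P(pos > neg), ties counted half."""
    neg = sorted(negatives)
    wins = sum((bisect_left(neg, x) + bisect_right(neg, x)) / 2 for x in positives)
    return wins / (len(neg) * len(positives))


def run_demo(seed=7, n=8, m=2, interval=0.5, attack_prob=0.2):
    train, _ = sense(random.Random(seed), 20000, interval)        # step 1
    model = ContextModel(n, m).fit(train)                         # step 2
    clean, _ = sense(random.Random(seed + 1), 4000, interval)     # step 3
    dirty, flags = sense(random.Random(seed + 2), 4000, interval, attack_prob)
    l_clean, l_dirty = model.losses(clean), model.losses(dirty)   # step 4
    return {"impulses": sum(flags),
            "clean_loss": sum(l_clean) / len(l_clean),
            "contaminated_loss": sum(l_dirty) / len(l_dirty),
            "auc": auc(l_clean, l_dirty)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:.4f}")
```

Because the model is fitted on clean series only, it never sees an attack label; detection comes entirely from thresholding the per-step loss, which is what the ROC area summarizes.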

IV-B LSTM based detector architecture

The basic RNN is not efficient at processing series with long temporal dependency, due to the well known gradient vanishing problem [5]. The gradient vanishing problem makes the RNN prone to forget long term information, which means that if some pattern happens long before the current input series, the RNN will not be able to use such a pattern. In order to overcome this shortcoming, several other recurrent network structures were introduced. Long short-term memory (LSTM) is one of the important developments of the RNN, in which the ordinary node in the hidden layer is replaced by a memory cell and several gates, shown in Fig. 6. Each LSTM cell has two internal states: hidden state and cell state. In our case, given an input series , and previous hidden state , the forget gate is computed as:

Fig. 6: Structure of a Long Short-Term Memory cell.

The output of Eq. 8 is a matrix with elements between and . It is used to decide what “memory” (cell state) is forgotten and what is kept, where means the memory is completely kept, and means the memory is totally forgotten. Further, the input gate in Fig. 6 is computed as:


The output of Eq. 9 is another matrix with elements between and . It is used to decide what input information should be used to update the “memory” (cell state), where stands for using the entire input information, and stands for not using the input information. The LSTM will process the input information as:


With computed , and , the new “memory” (cell state) is updated as:


where means element-wise multiplication, and means element-wise addition. Another gate called output gate is used to decide what information should be used in new cell state as the output of this LSTM cell. The output gate is computed as:


The new hidden state as well as the output of this LSTM is computed as:


The hidden state of this LSTM cell, or the hidden state of the last LSTM cell for multi-layer LSTM, is fed into another activation function for final classification:


where is the activation function for classification. In Eq. 8 to 14, are weight matrices, and are bias vectors.

By applying the above techniques in the LSTM cell, the LSTM based PUE attack detector is theoretically more adaptive to both long term and short term PU activity patterns than the RNN based PUE attack detector.

In addition, the single layer LSTM can be extended with deeper structures, such as multi-layer LSTM. Theoretically, a multi-layer LSTM is able to learn more comprehensive PU activity patterns.

V Experimental Study

In this section, we will compare the performances of the basic RNN based detector, the LSTM based detector and the multi-layer LSTM based detector on PUE attack detections.

V-A Evaluation using a simple PU activity model

We first evaluate the detectors’ performance using a relatively simple Hyper-Erlang distribution to model the PU activity. The parameters defined in Eq. 1 and Eq. 2 are shown in Table I.

Hyper-Erlang (ON) Hyper-Erlang (OFF)
TABLE I: Parameters for simple PU activity model

The expectation of and can be computed as second and seconds respectively. We tentatively used an intermittent spectrum sensing interval second and observation time second for spectrum sensing. In the contaminated PU activity, the attacker will deploy short impulse PUE attack with probability of at any particular time slot .

Table II shows the loss of using different RNN on predicting both normal series and abnormal series. The loss function is defined in Eq. 7. The statistic shows that the average loss on the attack series is much higher than the average loss on normal series.

Method Average loss for normal series Average loss for contaminated series
Basic RNN
Single layer LSTM
Three layer LSTM
TABLE II: Average loss for different detector in simple PU activity model

Figures 7, 8, and 9 provide a closer look at how the loss is distributed, showing the loss distribution along a short period of time steps. All three figures show that the prediction loss on the PUE attack contaminated series is almost always greater than the prediction loss on the normal series. When the contaminated series is used for prediction, on one hand, the output is highly unpredictable because the input series pattern may never have been trained by the network; on the other hand, the correlation between the input series and the real received series is obscure to the trained network. These two reasons cause the high loss of the contaminated series.

Further, we use the output loss to plot the receiver operating characteristic (ROC) curve for detection, shown in Fig. 10. It shows that the three layer LSTM based PUE attack detector has the best detection performance, while the single layer LSTM based detector has the worst performance. This might be because our single layer LSTM is not able to learn the complex features with adequate capability, due to its shallow structure, while the basic RNN only learns the short term features, with better performance. The three layer LSTM detector achieves the optimal performance because it is able to learn complex features as well as to preserve long term historical behaviors.

Fig. 7: Sample of prediction loss using basic RNN in simple PU activity case.
Fig. 8: Sample of prediction loss using single layer LSTM in simple PU activity case.
Fig. 9: Sample of prediction loss using three layer LSTM in simple PU activity case.
Fig. 10: ROC curve of PUE attack detection in simple PU activity case.

V-B Evaluation using a complex PU activity model

In this subsection, we model the PU activity with a more complex form. The parameters are shown in Table III. In this case, the expectation of and can be computed as second and seconds respectively. We tentatively used an intermittent spectrum sensing interval second and observation time second for spectrum sensing. In the contaminated PU activity, we also set the attacker to deploy short impulse PUE attack with probability of .

Hyper-Erlang (ON) Hyper-Erlang (OFF)
TABLE III: Parameters for complex PU activity model
Method Average loss for normal series Average loss for contaminated series
Basic RNN
Single layer LSTM
Three layer LSTM
TABLE IV: Average loss for different detector in complex PU activity model

Figures 11, 12, and 13 show the loss distribution along a period of time steps, and Fig. 14 shows the ROC curves of the different PUE attack detectors. Similar to the performance on the simple PU activity model, the 3 layer LSTM based PUE attack detector has the best detection performance, while the single layer LSTM based detector has the worst performance.

If we compare the performance of the trained networks in the two different PU activity models, we notice that both the basic RNN based approach and the single layer LSTM perform worse in the complex PU activity model case (larger loss for normal series and smaller loss for contaminated series), while the three layer LSTM performs almost equally well in both cases. It proves that the multi-layer LSTM can learn the complex PU activity features and utilize historical behaviors, and thus performs better detection of PUE attacks.

Fig. 11: Sample of prediction loss using basic RNN in complex PU activity case.
Fig. 12: Sample of prediction loss using single layer LSTM in complex PU activity case.
Fig. 13: Sample of prediction loss using three layer LSTM in complex PU activity case.
Fig. 14: ROC curve of PUE attack detection in simple PU activity case.
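Both evaluations above turn the per-step prediction loss into an ROC curve by sweeping a detection threshold over it. The following is an added example of that step, not code from the paper: the loss values are constructed for illustration (they are not the paper's results), and the names `roc_points`, `auc` and `operating_point` are hypothetical.

```python
import math

# Constructed per-step prediction losses (NOT results from the paper):
# "normal" = steps with only PU activity, "attack" = steps under PUE attack.
WELL_SEPARATED = {"normal": [0.1, 0.2, 0.3, 0.4], "attack": [0.35, 0.5, 0.6, 0.7]}
OVERLAPPING = {"normal": [0.1, 0.3, 0.5, 0.6], "attack": [0.2, 0.4, 0.55, 0.7]}

def roc_points(normal, attack):
    """Sweep a threshold over the losses; a step is flagged when loss >= threshold.

    Returns (threshold, false-alarm rate, detection rate) tuples, strictest first.
    """
    scored = sorted([(l, 0) for l in normal] + [(l, 1) for l in attack],
                    key=lambda s: -s[0])
    points, fp, tp, i = [(math.inf, 0.0, 0.0)], 0, 0, 0
    while i < len(scored):
        thr = scored[i][0]
        # Consume every sample tied at this loss so a tie yields one ROC point.
        while i < len(scored) and scored[i][0] == thr:
            tp += scored[i][1]
            fp += 1 - scored[i][1]
            i += 1
        points.append((thr, fp / len(normal), tp / len(attack)))
    return points

def auc(points):
    """Trapezoidal area under the ROC curve (1.0 = perfect, 0.5 = chance)."""
    return sum((f1 - f0) * (t0 + t1) / 2
               for (_, f0, t0), (_, f1, t1) in zip(points, points[1:]))

def operating_point(points, max_fpr):
    """Point with the highest detection rate within a false-alarm budget."""
    return max((p for p in points if p[1] <= max_fpr), key=lambda p: p[2])

if __name__ == "__main__":
    for name, d in (("well separated", WELL_SEPARATED), ("overlapping", OVERLAPPING)):
        pts = roc_points(d["normal"], d["attack"])
        thr, fpr, tpr = operating_point(pts, max_fpr=0.25)
        print(f"{name}: AUC={auc(pts):.4f} thr={thr} FPR={fpr} TPR={tpr}")
```

A detector whose normal and contaminated losses overlap more, as the text reports for the single layer LSTM, yields a curve closer to the diagonal and a lower detection rate at the same false-alarm budget.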

VI Conclusion and Future Work

This work aims at an effective PUE attack detection scheme. We first discussed the problem of PUE attack detection following a practical intermittent spectrum sensing approach. In order to achieve a better PUE attack detection rate on top of the partial information of the sensing series, an RNN based detection method is proposed, which is able to exploit the temporal dependency of the series for better series prediction and abnormal activity detection. Further, to overcome the gradient vanishing problem existing in basic RNNs, we proposed an LSTM based detection method that can use longer terms of the series pattern for better performance. Our experimental results show that a multi-layer LSTM based PUE attack detector has achieved a superior performance.

In our experimental study, we tentatively chose some spectrum sensing intervals based on the expectation of and . Although there are reported studies that discussed how to select an optimal interval to maximize the SUs' benefits, it is advantageous to discuss the optimal sensing interval considering both SUs propagation as well as anomaly detection. Our experimental results showed that the single layer LSTM based detector does not perform as well as the multi-layer LSTM based detector or even the basic RNN. It is worth a trial to develop more advanced LSTM based detectors. Newer LSTM variants, such as peephole LSTM and Gated Recurrent Units (GRU), might gain more efficiency in learning and show better performance in detection. Furthermore, we hope our work can be extended for use in real CRNs. Part of our on-going efforts also includes identifying more real-world scenarios in which to deploy our proposed RNN based PUE attack detectors.


Q. Dong, Y. Chen and X. Li are supported by the NSF via grant CNS-1443885. K. Zeng is partially supported by the NSF under grant No. CNS-1502584 and CNS-1464487.


  • [1] Federal Communications Commission. Facilitating opportunities for flexible, efficient, and reliable spectrum use employing spectrum agile radio technologies, Et et docket (03-108) ed., December 2003.
  • [2] F. Adelantado and C. Verikoukis, “Detection of malicious users in cognitive radio ad hoc networks: A non-parametric statistical approach,” Ad Hoc Networks, 2013.
  • [3] F. Akhtar, M. H. Rehmani, and M. Reisslein, “White space: Definitional perspectives and their role in exploiting spectrum opportunities,” Telecommunications Policy, vol. 40, no. 4, pp. 319–331 2016.
  • [4] A. Ali and W. Hamouda, “Advances on spectrum sensing for cognitive radio networks: Theory and applications,” IEEE Communications Surveys & Tutorials, vol. 19, no. 2, pp. 1277–1304
  • [5] Y. Bengio, P. Simard, and P. Frasconi, “Learning long-term dependencies with gradient descent is difficult,” IEEE transactions on neural networks, vol. 5, no. 2, pp. 157–166
  • [6] R. Chen, J.-M. Park, and J. H. Reed, “Defense against primary user emulation attacks in cognitive radio networks,” Selected Areas in Communications, IEEE Journal on, vol. 26, no. 1, pp. 25–37 2008.
  • [7] Y. Chen and H.-S. Oh, “A survey of measurement-based spectrum occupancy modeling for cognitive radios,” IEEE Communications Surveys & Tutorials, vol. 18, no. 1, pp. 848–859
  • [8] Z. Chen, T. Cooklev, C. Chen, and C. Pomalaza-Ráez, “Modeling primary user emulation attacks and defenses in cognitive radio networks,” in Performance Computing and Communications Conference (IPCCC), 2009 IEEE 28th International.    IEEE, 2009, pp. 208–215
  • [9] J.-K. Choi and S.-J. Yoo, “Optimal sensing interval considering per-primary transmission protection in cognitive radio networks,” Wireless personal communications, vol. 78, no. 4, pp. 1891–1903
  • [10] K. Cichoń, A. Kliks, and H. Bogucka, “Energy-efficient cooperative spectrum sensing: A survey,” IEEE Communications Surveys & Tutorials, vol. 18, no. 3, pp. 1861–1886
  • [11] Q. Dong, Z. Yang, Y. Chen, X. Li, and K. Zeng, Anomaly Detection in Cognitive Radio Networks Exploiting Singular Spectrum Analysis.    Springer, 2017.
  • [12] ——, “Exploration of singular spectrum analysis for online anomaly detection in crns,” EAI Endorsed Transactions on Security and Safety, vol. 4, no. 12, p. e3, 2017.
  • [13] Y. Fang, “Hyper-erlang distribution model and its application in wireless mobile networks,” Wireless Networks, vol. 7, no. 3, pp. 211–219 1022–0038, 2001.
  • [14] M. Höyhtyä, A. Mämmelä, M. Eskola, M. Matinmikko, J. Kalliovaara, J. Ojaniemi, J. Suutala, R. Ekman, R. Bacchus, and D. Roberson, “Spectrum occupancy measurements: A survey and use of interference maps,” IEEE Communications Surveys & Tutorials, vol. 18, no. 4, pp. 2386–2414
  • [15] L. Huang, L. Xie, H. Yu, W. Wang, and Y. Yao, Anti-PUE attack based on joint position verification in cognitive radio networks.    IEEE, 2010, vol. 2.
  • [16] A. Kawalec and R. Owczarek, “Specific emitter identification using intrapulse data,” in Radar Conference, 2004. EURAD. First European.    IEEE, 2004, pp. 249–252
  • [17] H. Kim and K. G. Shin, “In-band spectrum sensing in cognitive radio networks: energy detection or feature detection?” in Proceedings of the 14th ACM international conference on Mobile computing and networking.    ACM, 2008, pp. 14–25
  • [18] Z. C. Lipton, J. Berkowitz, and C. Elkan, “A critical review of recurrent neural networks for sequence learning,” arXiv preprint arXiv:1506.00019, 2015.
  • [19] M. Lopez-Benitez and F. Casadevall, “Empirical time-dimension model of spectrum use based on a discrete-time markov chain with deterministic and stochastic duty cycle models,” IEEE Transactions on Vehicular Technology, vol. 60, no. 6, pp. 2519–2533
  • [20] K. B. Rasmussen and S. Capkun, “Implications of radio fingerprinting on the security of sensor networks,” in Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. Third International Conference on.    IEEE, 2007, pp. 331–340
  • [21] M. H. Rehmani, A. C. Viana, H. Khalife, and S. Fdida, “Surf: A distributed channel selection strategy for data dissemination in multi-hop cognitive radio networks,” Computer Communications, vol. 36, no. 10, pp. 1172–1185
  • [22] Y. Saleem and M. H. Rehmani, “Primary radio user activity models for cognitive radio networks: A survey,” Journal of Network and Computer Applications, vol. 43, pp. 1–16
  • [23] W. Shan-Shan, L. Xing-Guo, and L. Bai-Nan, “Primary user emulation attacks analysis for cognitive radio networks communication,” Indonesian Journal of Electrical Engineering and Computer Science, vol. 11, no. 7, pp. 3905–3914
  • [24] A. A. Sharifi, M. Sharifi, and M. J. M. Niya, “Secure cooperative spectrum sensing under primary user emulation attack in cognitive radio networks: Attack-aware threshold selection approach,” AEU-International Journal of Electronics and Communications, vol. 70, no. 1, pp. 95–104 1434–8411, 2016.
  • [25] Z.-l. Tang and S.-m. Li, “Deep recurrent neural network for multiple time slot frequency spectrum predictions of cognitive radio,” KSII Transactions on Internet and Information Systems (TIIS), vol. 11, no. 6, pp. 3029–3045
  • [26] V. K. Tumuluru, P. Wang, and D. Niyato, A neural network based spectrum prediction scheme for cognitive radio.    IEEE, 2010.
  • [27] C. Xin and M. Song, “Detection of pue attacks in cognitive radio networks based on signal activity pattern,” IEEE transactions on mobile computing, vol. 13, no. 5, pp. 1022–1034
  • [28] X. Xing, T. Jing, H. Li, Y. Huo, X. Cheng, and T. Znati, “Optimal spectrum sensing interval in cognitive radio networks,” IEEE Transactions on parallel and Distributed Systems, vol. 25, no. 9, pp. 2408–2417 1045–9219, 2014.
  • [29] R. Yu, Y. Zhang, Y. Liu, S. Gjessing, and M. Guizani, “Securing cognitive radio networks against primary user emulation attacks,” IEEE Network, vol. 29, no. 4, pp. 68–74
  • [30] J. Zheng, C. Xu, Z. Zhang, and X. Li, Electric load forecasting in smart grids using long-short-term-memory based recurrent neural network.    IEEE, 2017.