Mitigating Primary User Emulation Attacks in Dynamic
Spectrum Access Networks using Hypothesis Testing
∗
Z. Jin S. Anand K. P. Subbalakshmi
zjin@stevens.edu asanthan@stevens.edu ksubbala@stevens.edu
Department of Electrical and Computer Engineering
Stevens Institute of Technology, Hoboken, New Jersey, USA
We present a Neyman-Pearson composite hypothesis test (NPCHT) and a Wald’s sequential
probability ratio test (WSPRT) to detect primary user emulation attacks (PUEA) in cogni-
tive radio networks. Most approaches in the literature on PUEA assume the presence of
underlying sensor networks for localization of the malicious nodes. There are no analyti-
cal studies available in the literature to study PUEA in the presence of multiple malicious
users in fading wireless environments. We present an NPCHT and WSPRT based analysis
to detect PUEA in fading wireless channels in the presence of multiple randomly located
malicious users. We show that there is a range of network radii in which PUEA are most
successful. Results also show that for the same desired threshold on the probability of miss-
ing the primary, WSPRT can achieve a probability of successful PUEA 50% less than that
obtained by NPCHT.
I. Introduction
Traditionally, radio spectrum bands have been as-
signed to license holders or services on a long term ba-
sis for large geographical regions. This fixed spectrum
assignment policy has led to under-utilization of the
available spectrum. The inefficiency in spectrum us-
age and the limited availability of spectrum have given
rise to cognitive radio enabled dynamic spectrum ac-
cess (DSA) as a new communication paradigm [1],
[2], [3]. “Secondary” nodes in a DSA networks can
use the licensed spectrum bands when it is idle, under
the condition that they vacate it upon the return of the
“primary” licensed users (incumbent, primary users).
In the rest of the paper, we use the term primary or
incumbent to refer to the licensed, high priority user
and the term secondary to denote the unlicensed users.
One example of cognitive radio networks (CRN) is the
usage of unused spectrum in the TV band. The TV
transmitter and receivers are primary users who are li-
censed to use these bands. Other users who access the
white spaces in the TV band on an ad-hoc basis are
termed secondary users. The IEEE 802.22 working
group on wireless regional area networks [4] provides
the physical layer and medium access control specifi-
cations for usage of the TV white spaces.
The FCC’s mandated spectrum policy reform [5]
has resulted in a great deal of research activities
on various aspects of CRN including spectrum sens-
∗
This work was supported in part by NSF Cyber Trust Grant
No. 0627688.
ing and management, network architectures, capac-
ity, codes, transmission techniques, spectrum etiquette
and evacuation protocols as well as test-bed develop-
ment. Standardization efforts for DSA networks in-
clude the IEEE Standards Coordinating Committee 41
(IEEE SCC41)’s sponsored projects as well as IEEE
802.22 [6].
Spectrum sensing in DSA is essential both for iden-
tification of empty spectral bands (white spaces) as
well as for prompt evacuation upon the return of in-
cumbent. Protocols for sensing primary transmission
and spectrum evacuation can be found in [7], [8].
Primary transmitter detection techniques include en-
ergy detection, cyclostationary feature detection and
matched filter detection [3]. Among these, energy
based detection is generally more popular due to ease
of implementation.
Despite the body of work on other aspects of CRN,
research on security issues is still in its nascence [9]-
[17]. In the particular case of DSA networks, it can be
argued that in order to stage a denial-of-service (DoS)
attack at the sensing level, it is necessary to affect the
decision on primary activity during the sensing phase.
This can be done in one of the following ways: (a)
some malicious nodes can transmit spurious signals
that emulate the primary user – primary user emu-
lation attacks (PUEA) [11], [12], [16], [17]; (b) the
spectrum sensing nodes can lie about the spectrum
data (Byzantine attack) [13]; (c) by making use of the
weaknesses of existing protocols for evacuation [9] or
(d) by modifying messages passed between the sens-
ing nodes and the centralized decision maker [10].
In this paper we study DoS attacks via primary user
emulation. In this type of attacks, a set of “malicious”
secondary users could forge the essential characteris-
tics of the primary signal transmission to make other
“good” secondary users believe that the primary user
is present when it is not. The secondary users fol-
lowing normal spectrum evacuation process (the good
users) will vacate the spectrum unnecessarily, result-
ing in what are known as the primary user emulation
attacks (PUEA). PUEA become easier when energy
detection based mechanisms are used for identifica-
tion of primary activity, since the detector only checks
received energy against a threshold rather than look
for particular signal characteristics.
Chen et al [11] propose two mechanisms to detect
PUEA: distance ratio test and distance difference test
based on the correlation between the length of wire-
less link and the received signal strength. They con-
sider a single malicious user in a non-fading wireless
environment and detect PUEA using the ratio and the
difference, respectively, of the distances from primary
transmitter and the malicious user, to the secondary
users equipped with global positioning system (GPS).
In [12], Chen et al discuss defense against PUEA by
localization of the suspect transmission via an under-
lying sensor network and comparing it with the known
location of the primary transmitter. A mitigation tech-
nique for DoS attacks arising from fraudulent report-
ing of sensing results by malicious nodes is studied
in [13]. The PUEA methods described thus far do
not take into account, the fading characteristics of the
wireless environment and require estimation of the lo-
cation of the malicious users via either a dedicated
sensor network or via significant enhancement of the
secondary nodes themselves.
The first analytical expression for the probability of
successful PUEA based on energy detection was de-
rived in [16], where we modeled the received power
at a secondary user as a log-normally distributed ran-
dom variable and used Fenton’s approximation to de-
termine the mean and the variance of this distribu-
tion. This was then used to determine, a lower bound
on the probability of successful PUEA using Markov
inequality. In this paper, we propose a Neyman-
Pearson composite hypothesis test (NPCHT) and a
Wald’s sequential probability ratio test (WSPRT) to
detect PUEA in fading wireless environments, without
assuming additional features to the secondary nodes
or the presence of dedicated sensor nodes to assist in
gathering information about the direction of received
signal. Fenton’s approximation is used to model the
received power at the secondary user from the trans-
mission of the malicious users. Simulations con-
firm the theoretical result that NPCHT allows the sec-
ondary user to keep the probability of missing the pri-
mary around a desired threshold while trying to min-
imize the probability of successful PUEA. Since the
NPCHT cannot simultaneously provide a cap on the
probability of missing the primary as well as the prob-
ability of a successful PUEA, we develop the WSPRT,
which will allow us this flexibility in return for some
added time complexity, in terms of number of obser-
vations needed to arrive at a decision. We show that
with modest increase in computation, it is possible to
mitigate PUEA significantly even when using only the
energy based detection.
The rest of the paper is organized as follows. Sec-
tion II presents the system model and the assumptions
made to formulate the problem. The NPCHT as well
as the WSPRT are formulated and solved in Section
III. In Section IV, we provide the simulation results
and discussion. Section V presents the conclusion.
II. System Model
In our model all secondary and malicious users are
distributed in a circular grid of radius R as shown
in Fig. 1. A primary user is located at a distance
of at least d
p
from all other users. We consider en-
ergy based mechanisms to detect the presence of the
primary. Typical energy based detection methods as-
sume that the primary is present if the received sig-
nal strength is -93dBm [4]. Such a sensing technique
will cause serious security issues if malicious users
exist in the network. As described earlier, this de-
tection method is susceptible to PUEA. In order to
mitigate this threat, we devise two hypothesis based
testing mechanisms to decide if the primary is trans-
mitting or if an attack is in progress. The assumptions
and mathematical terminologies needed to derive the
hypothesis tests are listed below.
1. There is no communication or co-operation be-
tween the secondary users. The PUEA on each
secondary user can be analyzed independent of
each other.
2. There are M malicious users in the system. M is
a geometrically distributed random variable with
the mean E[M] known to the secondary users.
3. The primary transmitter is at a minimum distance
of d
p
from all the users.
4. The positions of the secondary and the malicious
users are uniformly distributed in the circular
gird of radius R, and their positions are statis-
tically independent of each other.
5. For the secondary user fixed at polar co-ordinates
(r
0
, θ
0
), no malicious users are present within
a circle of radius R
0
centered at (r
0
, θ
0
). We
call R
0
the “exclusive distance from the sec-
ondary user”. Without this restriction, the power
received due to transmission from any subset
of malicious users present within this grid will
be much larger than that due to a transmission
from a primary transmitter thus resulting in failed
PUEA all the time [16]. We use the polar co-
ordinate system for the rest of the paper.
6. The co-ordinates of the primary transmitter are
known to all the users in the system.
d
p
R
0
R
Good Secondary User
Malicious Secondary User
Primary
Transmitter
Figure 1: A typical cognitive radio network in a cir-
cular grid of radius R consisting of good secondary
users and malicious secondary users. No malicious
users are present within a radius R
0
about each good
secondary user. A primary transmitter is located at a
distance of at least d
p
from all other users.
7. The primary transmits at a power P
t
and the ma-
licious at a power P
m
. Malicious nodes do not
use power control.
8. The RF signals from the primary transmitter and
the malicious users undergo path loss and log-
normal shadowing. The Rayleigh fading is as-
sumed to be averaged out and can hence be ig-
nored. This is because, the probabilities scale
linearly with the mean of the Rayleigh fading,
∆, (as shown in [16]) and ∆ = 1 in most cases
[18].
9. The shadowing loss (expressed in dB) at any
secondary user both from the primary transmit-
ter and from any malicious user is normally dis-
tributed with mean 0 and variance σ
2
p
and σ
2
m
,
respectively.
10. We consider a free space propagation model for
the signal from the primary transmitter and a
two-ray ground model for the signal from the
malicious users thus resulting in a path loss ex-
ponent of 2 for the propagation from the primary
transmitter and a path loss exponent of 4 for the
propagation from the malicious users. This is be-
cause, the primary transmitter is so far away from
the secondary and malicious users that the sig-
nal due to multi-path can be neglected. However,
the distances from malicious users are not large
enough to ignore the effects of multi-path [16].
III. Analytical Model
Since there is no co-operation between the secondary
users, the probability of PUEA on any user is the
same as that on any other user. Hence, without loss
of generality, we analyze the probability density func-
tion (pdf) of the received signal at one secondary user.
We transform the co-ordinates of all malicious users
such that the secondary user of interest lies at the ori-
gin (i.e., at (0, 0)). The transformed co-ordinates of
the primary will then be (d
p
, θ
p
). Note that the trans-
formed co-ordinates of the primary will depend on the
actual location of the secondary user of interest and
will not be (d
p
, θ
p
) for all the secondary users. How-
ever, typically, d
p
>> R and hence it is justified to
approximate the co-ordinates of the primary user to
be (d
p
, θ
p
) irrespective of which secondary user we
consider for the analysis. The scenario with the trans-
formed co-ordinates is shown in Fig. 2. By assump-
tions 4. and 5. in Section II, all malicious nodes are
uniformly distributed in the annular region with radii
R
0
and R.
In order to obtain a hypothesis test using NPCHT
and WSPRT, it is essential to obtain the pdf of the re-
ceived signal at the secondary user due to transmission
by the primary and the malicious users. We first de-
scribe the analysis to obtain the pdf in Section III.A.
d
p
R
0
R
Good Secondary User
Malicious Secondary User
Primary
Transmitter
Figure 2: Scenario with transformed co-ordinates.
The secondary user of interest is at (0,0). Malicious
users are uniformly distributed in the annular region
(R
0
, R). The primary is at (d
p
, θ
p
).
III.A. Probability Density Function of
the Received Signal
Consider M malicious users located at co-ordinates
(r
j
, θ
j
) 1 ≤ j ≤ M, where M is a geometrically dis-
tributed random variable. The probability mass func-
tion (pmf) of M, P r{M = k} is therefore given by
P r{M = k} = (1 − p)
k−1
p k = 1, 2, ..., (1)
where p =
1
E[M ]
. From assumptions 4. and 5. in
Section II, the position of the j
th
malicious user is
uniformly distributed in the annular region between
R
0
and R. Also, r
j
and θ
j
are statistically independent
∀ j. The pdf of r
j
, p(r
j
) is therefore given by
p(r
j
) =
(
2r
j
R
2
−R
2
0
r
j
∈ [R
0
, R]
0 otherwise,
(2)
while θ
j
is uniformly distributed in (−π, π) ∀ j.
The received power at the secondary user from the
primary transmitter, P
(p)
r
, is given by
P
(p)
r
= P
t
d
−2
p
G
2
p
, (3)
where G
2
p
= 10
ξ
p
10
and ξ
p
∼N (0, σ
2
p
) as mentioned in
Section II. Since P
t
and d
p
are fixed, the pdf of P
(p)
r
,
p
(P r)
(γ), follows a log-normal distribution and can be
written as
p
(P r)
(γ) =
1
Aσ
p
√
2πγ
exp
−
(10 log
10
γ −µ
p
)
2
2σ
2
p
, (4)
where A =
ln 10
10
and
µ
p
= 10 log
10
P
t
− 20 log
10
d
p
. (5)
The total received power at the secondary node
from all M malicious users is given by
P
(m)
r
=
M
X
j=1
P
m
d
−4
j
G
2
j
, (6)
where d
j
is the distance between the j
th
malicious
user and the secondary user and G
2
j
is the shadow-
ing between the j
th
malicious user and the secondary
user. As mentioned in Section II, G
2
j
= 10
ξ
j
10
, where
ξ
j
∼N (0, σ
2
m
). Conditioned on the positions of all
the malicious users, each term in the summation in
the right hand side of Eqn. (6) is a log-normally dis-
tributed random variable of the form 10
ω
j
10
, where
ω
j
∼N (µ
j
, σ
2
m
), where
µ
j
= 10 log
10
P
m
− 40 log
10
d
j
. (7)
As we had explained in [16], conditioned on the posi-
tions of all the malicious users, P
(m)
r
can be approx-
imated as a log-normally distributed random variable
whose mean and variance can be obtained by using
Fenton’s method [19].
The pdf of P
(m)
r
conditioned on the positions of all
M malicious users, p
(m)
χ|r
(χ|r), can be written as
p
(m)
χ|r
(χ|r) =
1
Aˆσ
M
√
2πχ
exp
−
(10 log
10
χ − ˆµ
M
)
2
2ˆσ
2
M
, (8)
where r is the vector with elements r
1
· · · r
M
and ˆσ
2
M
and ˆµ
M
are given by
1
ˆσ
2
M
=
1
A
2
ln
1 +
(e
A
2
σ
2
m
− 1)
P
M
j=1
e
2Aµ
j
(
P
M
j=1
e
Aµ
j
)
2
(9)
and
ˆµ
M
=
1
A
ln
M
X
j=1
e
Aµ
j
−
A
2
(ˆσ
2
M
− σ
2
m
), (10)
respectively. The pdf of the received power from all
M malicious users, p
(m)
(χ), can then be obtained by
averaging Eqn. (8) over r
1
, r
2
, · · · r
M
and can be
written as
2
p
(m)
(χ) =
∞
X
k=1
"
Z
[R
0
,R]
M
p
(m)
χ|r
(χ|r)p(r|M)dr
#
P {M = k}, (11)
where p(r|M) =
M
Y
j=1
p(r
j
), and p(r
j
) can be obtained
from Eqn. (2).
Evaluating Eqn. (11) is very complex. However,
Eqn. (11) is an integral which can be looked upon as
a weighted sum of conditional pdf’s, each of which is
log-normal. Therefore, applying Fenton’s approxima-
tion for the weighted sum, the expression for the pdf
p
(m)
(χ) in Eqn. (11) can be approximated as a log-
normal distribution with parameters µ
χ
and σ
2
χ
of the
form
p
(m)
(χ) =
1
Aσ
χ
√
2πχ
exp
−
(10 log
10
χ − µ
χ
)
2
2σ
2
χ
. (12)
If P
(m)
r
is a log-normally distributed random vari-
able with pdf given in Eqn. (12), σ
2
χ
and µ
χ
can be
1
The expressions in Eqns. (9) and (10) can be obtained by
following the steps specified in the Appendix in [16].
2
The expressions in Eqns. (8) and (11) should also be con-
ditioned and averaged over the co-ordinates (and hence have in-
tegrations over) θ
1
, θ
2
, ···, θ
M
. However, from Eqns. (7), (9)
and (10), it is observed that the expressions are independent of
θ
1
, θ
2
, ···, θ
M
. Therefore, it is sufficient if the averaging (and
integrations) are performed over r
1
, r
2
, ···, r
M
.
obtained as in [20]
σ
2
χ
=
1
A
2
ln
V ar
³
P
(m)
r
´
+ E
2
h
P
(m)
r
i
E
2
h
P
(m)
r
i
(13)
and
µ
χ
=
1
A
ln
2
6
4
E
2
h
P
(m)
r
i
V ar
P
(m)
r
+ E
2
h
P
(m)
r
i
1
2
3
7
5
. (14)
From Eqn. (8), the expectation of P
(m)
r
condi-
tioned on M , E
h
P
(m)
r
|M
i
, and the variance of
P
(m)
r
, V ar
³
P
(m)
r
|M
´
, can be obtained by averaging
E
h
P
(m)
r
|r
i
and V ar
³
P
(m)
r
|r
´
over r
1
, r
2
, · · · , r
M
and can be obtained in closed-form as
E
h
P
(m)
r
|M
i
=
MP
m
R
2
0
R
2
e
1
2
A
2
σ
2
m
, (15)
and
V ar
P
(m)
r
|M
=
MP
2
m
e
A
2
σ
2
m
3R
6
0
R
6
"
R
6
− R
6
0
R
2
− R
2
0
!
e
A
2
σ
2
m
− 3R
2
0
R
2
#
. (16)
Therefore, E
h
P
(m)
r
i
and V ar
³
P
(m)
r
´
can be cal-
culated as
E
h
P
(m)
r
i
= E
h
E
h
P
(m)
r
|M
ii
, (17)
and
V ar
P
(m)
r
= E
h
V ar
P
(m)
r
|M
i
+ V ar
E
h
P
(m)
r
|M
i
. (18)
Substituting the above expressions in Eqns. (13) and
(14), we evaluate σ
2
χ
and µ
χ
, which, in turn, can be
substituted in Eqn. (12) to evaluate the pdf p
(m)
(χ).
III.B. Neyman-Pearson Composite Hy-
pothesis Test to detect PUEA
The Neyman-Pearson composite hypothesis test can
be used to distinguish between two hypotheses, given
some constraints on the miss probability. In our case,
the two hypotheses are:
H
1
: Primary transmission in progress
H
2
: Emulation attack in progress.
(19)
The observation space is the sample space of received
power measured at the secondary user. It is observed
that there are two kinds of risks incurred by a sec-
ondary user in this hypothesis test.
• False Alarm: When the actual transmission is
made by malicious users but the secondary de-
cides that the transmission is due to the primary.
In our case, this is also the probability of a suc-
cessful PUEA.
• Miss: When the actual transmission is made by
the primary transmitter but the secondary de-
cides that the transmission is due to the malicious
users. This is a serious concern if the good sec-
ondary does not wish to violate the spectrum eti-
quette.
The Neyman-Pearson criterion allows the sec-
ondary to minimize the probability of successful
PUEA while fixing the probability of missing the pri-
mary user at a desired threshold, α. The decision vari-
able, Λ, is given by
Λ =
p
(m)
(x)
p
(P r)
(x)
, (20)
where x is the measured power of the received signal.
In the above, p
(P r)
(x) and p
(m)
(x) are given by Eqns.
(4) and (12), respectively. The decision is then made
based on the following criterion:
Λ ≤ λ D
1
: Primary transmission
Λ ≥ λ D
2
: PUEA in progress,
(21)
where λ satisfies the constraint that miss probability,
P r{D
2
|H
1
}, is fixed at α, i.e.,
P r{D
2
|H
1
} =
Z
Λ≥λ
p
(P r)
(x)dx = α. (22)
The probability of successful PUEA can be written as
P r{D
1
|H
2
} =
Z
Λ≤λ
p
(m)
(x)dx. (23)
We can also represent the above detection statistic in
shorthand notation as
Λ
D
2
≷
D
1
λ. (24)
Let the received power in dB be denoted by y and
let
a =
1
2σ
2
p
−
1
2σ
2
χ
b =
µ
χ
σ
2
χ
−
µ
p
σ
2
p
(25)
c =
µ
2
p
2σ
2
p
−
µ
2
χ
2σ
2
χ
+ ln σ
p
− ln σ
χ
− ln λ,
