Policy-based Privacy-preserving Dynamic Spectrum Access


Divya Ramanujachari
The Bradley Department of Electrical and Computer Engineering
Virginia Polytechnic Institute and State University
Blacksburg, United States of America
[email protected]

Abstract— Cognitive radios have received a lot of attention as next-generation dynamic spectrum sharing radios that possess the intelligence to learn from their environment and past experiences to adapt their configuration to deliver a high quality of experience. With architecture and protocol standardization in progress, it has become essential to consider security risks arising out of these functionalities and adapt security mechanisms to take advantage of the radio’s cognitive features. This study describes the privacy aspects of cognitive radio network operation and proposes a policy-based privacy-preserving approach to dynamic spectrum access. Two different formulations of this approach, first as a rule-based policy and then as an ontology-based policy, are presented.

Keywords—cognitive radio security; policy-based privacy; rule-based policy; ontology-based policy


I. INTRODUCTION

The cumulative effect of the diversification in wireless applications, data-intensive consumer demands, and exponential increase in the number of wireless devices has created a spectrum crisis. But while this is true of the spatial spectral allocation, a study of the temporal aspect has shown that portions of the licensed spectrum are severely underutilized, even in urban device-dense regions. In order to take advantage of these “spectrum-holes,” dynamic spectrum access schemes were formulated. These schemes implement spectrum sensing methods to determine the current state of the band of interest, and if the licensed or primary user is not using the spectrum, the unlicensed or secondary users are allowed to transmit over it.

Simultaneous developments in the radio architecture domain have marked a transition from traditional hardware-based radios to software-defined radios. Software-defined radios implement most of their functionality in software. This allows the transceiver to adapt for operation in different spectrum bands, thus providing a way of implementing dynamic spectrum access technologies. The next innovation in radio technology is cognitive radios, which are envisioned as intelligent radios, capable of learning from their environment and past experiences to adapt their configuration to deliver a high quality of experience. Current research indicates that cognitive radios will be key enablers for dynamic spectrum sharing and the basis for next-generation wireless devices.

The unique nature of cognitive radios in terms of reconfigurability, adaptability, and intelligence has necessitated a new set of standards to define the network architecture and related protocols. The most well-known among these is the IEEE 802.22 Cognitive Wireless RAN standard [4]. This standard sets out the Medium Access Control (MAC) and Physical Layer (PHY) specifications, policies, and procedures for operation in the TV bands. One of the aspects addressed in this is the security mechanism. According to the specification, privacy of the participating entities is guaranteed by two protocols: an encapsulation protocol for securing packet data over the air, and a secure key distribution and management protocol. While these protocols are undoubtedly essential for securing transmissions, privacy is not necessarily guaranteed by implementing them. This is because the concept of privacy is intrinsically contradictory to other security facets like authentication. While the notion of privacy stresses user control over the disclosure of personal information, authentication demands that users identify themselves by disclosing their identity. Also, all the security mechanisms proposed in the standard are based on existing cryptographic techniques, and no attempt has been made to utilize the reasoning and adaptable nature of the cognitive radios to secure communications [3] [10].

Cognitive radios have an advantage over traditional radios in that they implement a cognitive engine. This engine, implemented using artificial intelligence and machine learning, can be taught to identify fellow nodes in terms of the role they play in a network and their trustworthiness using knowledge from other nodes and past experiences. The objective of this work is to analyze the privacy concerns that arise out of interactions in a cognitive radio network and explore the possibility of implementing privacy-preserving functions with the help of the policy interpreter and reasoner in the cognitive engine. I will focus on identifying the scenarios in which entity attributes are directly communicated and on proposing preventive, or ex-ante, solutions. The adversary is assumed to be a passive listener.

The rest of the report is organized as follows. Part II describes the components of a cognitive radio and the most common configurations and operation of cognitive radio networks. The implications of interactions between the participants for the privacy of each entity are examined. The next section describes a policy-based radio and explains how policies can be applied to ensure privacy in dynamic spectrum access. A rule-based as well as an ontology-based representation of the proposed policy is provided.

II. BACKGROUND

A. Components of a cognitive radio

A cognitive radio can be thought of as having a software-defined radio architecture that operates in close collaboration with two other entities: a cognitive engine and a policy engine. The cognitive engine is the “brains” of the cognitive radio operation and it is responsible for coming up with the most appropriate response to an environmental stimulus. This functionality is implemented by using artificial intelligence to look up similar instances from past experiences stored in a knowledge base and by selecting the most appropriate response. This response is then verified to be a permitted action by checking it against the rules about legal and regulatory policies stored in the policy engine. The cognitive engine also tailors the response to deliver optimal user-desired operation.

B. Cognitive radio network architecture

The basic infrastructure of a cognitive radio network is similar to that of a cellular network setup. There is a primary licensed user which is serviced by a base station associated with a specific service provider. The primary user can either be a cognitive or a non-cognitive radio. In addition to that, there are several secondary unlicensed cognitive users, which sense the spectrum and transmit when the licensed primary user is inactive. The objective in dynamic spectrum access is that secondary nodes should be able to utilize spectrum white spaces to the maximum potential while making sure that the primary nodes are not affected by any interference. The primary nodes must be oblivious to the presence of secondary nodes and no communication takes place between them. This is known as opportunistic access.

Depending upon the mechanism by which spectrum utilization is determined, cognitive radio networks are classified as being centralized or distributed. In the former case, information repositories like a geo-location database or a radio environment map are maintained by the base station and store information about a primary user’s characteristics like traffic pattern, location, and transmitter power. In distributed ad-hoc cognitive radio networks, each secondary node senses the spectrum by itself and arrives at a decision about the spectrum availability in a collaborative or non-collaborative manner. The operation of each of these network types is described in detail.

1) Centralized cognitive radio network operation

Before starting transmission, the secondary user sends a query to the database with its location information to get a list of available whitespace channels based on geo-location. This query includes parameters like the secondary’s location, secondary’s locational accuracy, antenna information, and device identifier [1]. The database responds with information about the set of available whitespace channels, duration of allowed use of channels and the associated maximum power level [1]. This method takes a conservative approach to dynamic spectrum access and while it does ensure that the primary nodes are not affected, the efficiency of white space utilization is not as high as with distributed access.

2) Distributed cognitive radio network operation

Cooperative distributed spectrum sensing involves combining the sensing decision from nodes spread out over a region in order to improve sensing efficiency. This is performed by using a data fusion center that collects the sensing reports from the participating nodes and applies some algorithm to aggregate information and arrive at a decision about the spectrum state. The cooperative nature of operation provides a more accurate sensing decision as opposed to a single node’s sensing that is easily affected by hidden nodes, short sensing time, and hardware limitations. However, this approach introduces cooperation overhead delay and might not perform optimally if the participating nodes are not spatially diverse.

C. Privacy concerns in cognitive radio networks

From the discussion in the previous section, we can identify the various privacy attributes revealed during the operation of cognitive radio networks. In the centralized architecture, the secondary cognitive radio reveals its location information in order to query the database. In turn, the reply from the database reveals information about the primary user’s location and expected spectrum utilization. This information is publicly available in case the primary user is a well-known service, like a TV transmitter. However, if the primary users are federal agencies, this information is classified and should not be shared with all secondary nodes. Similarly, in the distributed spectrum sensing scenario, sensing results from participating nodes are correlated to location and can be found by accessing the sensing reports.

While the above-mentioned information is accessible by passively observing the data traffic, a lot more information can be gathered by launching sophisticated attacks. These attacks typically require dedicated hardware like GPS and sensors, or use signal processing analysis techniques like the use of cyclostationary detection to find out the modulation schemes used by the primary. This information can help an adversary pretend to be the primary node, leading to primary user emulation attacks and communication disruption. Such active attacks are beyond the scope of this discussion.

There have been several techniques proposed for privacy preservation [9], with most of them aiming to obscure the revealed information in some manner so as to confuse the adversary.

a) Random perturbation: The original value is randomly modified to yield a transformed data value within some range.
b) Differential privacy: The database record is modified by the addition or deletion of records.
c) Anonymization: This refers to a decoupling between an entity’s identity and the information associated with it.
d) Cryptographic methods: Cryptographic methods like zero-knowledge protocols are used to prove possession instead of revealing identifying attributes.

While all of the above-described methods aim to minimize the amount of private data that is revealed, none of them provides the means to completely eliminate the need to reveal personal information.

III. METHODOLOGY

Cognitive radios are almost always coupled with policy-based radios. The idea behind restricting radio operations to only those allowed by the policies is to ensure that the cognitive radio does not implement undesirable adaptations, which while optimal, would harm the operation of other nodes in the vicinity. These policies are formulated as rules, coded in machine language, and interpreted by the cognitive engine [2]. One of the advantages of policy-based implementation is that the rules need not be static and can be reconfigured as and when needed. They can be defined and implemented by device manufacturers, device users, and even by over-the-air control. Policies also provide a clear mapping between the requirement and radio operation and it is possible to trace the policy back to the entity enforcing this rule [7]. All of these features make a policy-based approach ideal for ensuring that privacy is preserved over a cognitive radio network operation [8].

In this section, I will first describe a policy-based privacy-preserving mechanism to allocate frequencies to secondary nodes interested in accessing spectrum holes. Then I will demonstrate how this policy can be implemented by using two different representations. The first is a representation using Boolean statements that can be parsed and processed as a multi terminal binary decision diagram similar to the approach taken in [1]. The second is a representation of the policy using an ontology-based approach as presented in [5][6].

A. Policy-based privacy-preserving spectrum access

Any secondary cognitive radio desiring to participate in the contention for spectrum space sends an initialization request to its nearest base station. The base station queries the database to retrieve information about spectrum availability. With this information, the base station frames a policy for that device containing the transmission permissions. This includes a subset of retrieved frequency information along with the times of availability, maximum transmit power, and the range over which this applies. The policy is also associated with an expiration time after which the device must contact the base station to obtain a new set of frequencies. The efficiency of spectrum utilization with this procedure depends on a well-designed scheduling mechanism.

Implementing spectrum access using a policy-based approach provides the following advantages:

1) Location privacy-preservation: The secondary does not have to query the geo-location database by revealing its location nor does the database have to share primary user location. The region information simply delineates geographical limits and helps avoid primary location and exclusion zones.
2) Contextual privacy-preservation: No information about the primary user’s spectrum utilization or type of service is directly revealed.
3) Restricted spectrum access: Providing access to a restricted amount of spectrum hole obfuscates the direct inferences possible from knowing the free spectrum frequencies and timings. It also provides a way to track and limit the number of secondary nodes contending for each frequency.
4) Traceability: Because each secondary node is limited to transmission over a set of frequencies and this is also time bound, the base station would be able to keep track of secondary users to a certain extent.
5) Authentication: Policies can be authenticated by using cryptographic mechanisms like digital signatures.

B. Rule-based policy representation

Rule-based policies are framed as logical statements using the Boolean operations ∨ (OR operator) and ∧ (AND operator), which can be simplified to get a TRUE or FALSE result. These outcomes correspond to ‘transmission allowed’ and ‘transmission prohibited’ respectively. Such a representation has low complexity and meets the real-time requirements of cognitive radio operations. The Boolean expression can be visualized using a multi terminal binary decision diagram. A policy reasoner is used to perform this conversion, which is followed by operations using graph theoretic algorithms to check consistency across several applicable policies, aggregate policies, and check the validity of a transmission over this.

The proposed spectrum access policy is framed as a permissive policy that lays down the conditions under which a device is allowed to transmit. This is a more conservative approach as opposed to prohibitive policies that define conditions under which a device cannot transmit and any other configuration is considered to be allowed. In Figure 1, a sample policy imposed on a secondary user is given in words followed by the Boolean expression, and Figure 2 has the equivalent binary decision diagram. The solid line represents a ‘True’ state while the dashed line indicates ‘False.’ By parsing the expression or the tree, a policy engine is able to arrive at a decision about the validity of transmission.

Fig. 1. Boolean representation of rule-policy

Fig. 2. Binary tree representation of rule-policy
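As an added illustration (example code written for this page, not taken from the paper), the following Python sketch evaluates a permissive policy of the kind described in Sections III-A and III-B on the device side: each grant is an AND of band, time, power and region conditions, grants are combined with OR, and everything else, including an expired policy, is denied. The class names, field names and sample values are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One conjunctive clause of the policy: every condition must hold."""
    f_low_mhz: float
    f_high_mhz: float
    t_start: int          # seconds since epoch
    t_end: int
    max_eirp_dbm: float
    region: tuple         # (lat_min, lat_max, lon_min, lon_max)

@dataclass(frozen=True)
class Policy:
    grants: tuple         # clauses combined with OR
    expires_at: int       # after this the device must re-register

@dataclass(frozen=True)
class TxRequest:
    freq_mhz: float       # centre frequency
    bandwidth_mhz: float
    eirp_dbm: float
    lat: float            # used locally only; never sent to a database
    lon: float
    now: int

def clause_checks(g, tx):
    """Ordered (name, result) tests for one clause, like nodes along a BDD path."""
    lo = tx.freq_mhz - tx.bandwidth_mhz / 2
    hi = tx.freq_mhz + tx.bandwidth_mhz / 2
    lat_min, lat_max, lon_min, lon_max = g.region
    return [
        ("band", g.f_low_mhz <= lo and hi <= g.f_high_mhz),
        ("time", g.t_start <= tx.now < g.t_end),
        ("power", tx.eirp_dbm <= g.max_eirp_dbm),
        ("region", lat_min <= tx.lat <= lat_max and lon_min <= tx.lon <= lon_max),
    ]

def evaluate(policy, tx):
    """Permissive policy: allow only if some clause is fully true, else deny."""
    if tx.now >= policy.expires_at:
        return False, ["policy_expired"]
    reasons = []
    for i, g in enumerate(policy.grants):
        failed = [name for name, ok in clause_checks(g, tx) if not ok]
        if not failed:
            return True, []
        reasons.append(f"grant{i}:" + ",".join(failed))
    return False, reasons or ["no_grants"]

# Constructed sample policy: two grants inside one coverage box.
T0 = 1_700_000_000
BOX = (37.20, 37.26, -80.45, -80.38)
POLICY = Policy(
    grants=(Grant(470.0, 476.0, T0, T0 + 3600, 20.0, BOX),
            Grant(512.0, 518.0, T0 + 1800, T0 + 7200, 16.0, BOX)),
    expires_at=T0 + 5400,
)

if __name__ == "__main__":
    print(evaluate(POLICY, TxRequest(473.0, 6.0, 18.0, 37.23, -80.41, T0 + 60)))
    print(evaluate(POLICY, TxRequest(515.0, 6.0, 18.0, 37.23, -80.41, T0 + 60)))
```

The returned reason list shows which conditions of each grant were false, which is what an operator needs when a denied transmission has to be traced back to the policy that caused it.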

Fig. 3. Ontology of entities participating in dynamic spectrum access

C. Ontology-based policy representation

From the above rule-based policy, some idea about the drawbacks associated with the approach can be obtained. The number and type of attributes that contribute to the decision are dependent on the base station implementation, which might not be consistent across the network. There might be other entities imposing policies that have a different naming scheme which the reasoner is not able to infer and incorporate in its operation. Some of the constraints placed on transmission might not seem intuitive and it might be difficult to understand where and why they are being introduced.

Ontology-based policies have been introduced as an alternative in the IEEE 802.5 Standard for Policy Language Requirements and System Architecture for DSA Systems for managing the functionality and behavior of dynamic spectrum access networks [1]. Ontology-based policies are formulated using descriptive logic languages, such as OWL. This representation is extremely intuitive as it mimics a real-world knowledge description. An ontology of a particular domain is organized into objects of interest called individuals. These individuals are associated with a set of properties and are organized into classes based on commonalities in attributes. There are also provisions to define relationships between individuals and formulate rules according to what is allowed and what is forbidden.

An ontology of the entities involved in the proposed policy implementation is shown in Figure 3. The attributes and relationships shown here are minimalistic and correspond only to the scope of policy implementation. Knowledge bases like the geo-location database and the device registers are themselves treated as objects and entries are generated dynamically by instantiating as many times as required.

The policies are framed in a conditional if-then OWL format. In the initialization phase, the ‘Base Station’ implements a policy called ‘registerDevice’. In this, the base station receives a registration request from a valid ‘Device,’ retrieves spectrum information from the ‘Location Table,’ and logs the device along with its permitted spectrum access in the ‘Device Register.’ If all of these attributes are true and the sub-rules are able to execute correctly, the ‘Base Station’ transmits this information to the ‘Device.’ This sequence of steps is encoded as a policy shown in Figure 4.

Fig. 4. Device registration policy defined using ontology
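The registration sequence described above can be followed step by step in a procedural sketch. This is an added Python example, not the paper's OWL policy and not BaseVisor rules; the class, its attributes, the least-contended channel selection and the sample table entries are assumptions chosen to show which fields leave the base station and which stay behind.

```python
from collections import Counter

PERMISSION_FIELDS = ("channel", "f_low_mhz", "f_high_mhz", "max_eirp_dbm")

class BaseStation:
    """Hypothetical base station; attribute names mirror the entities in the text."""

    def __init__(self, region, location_table, valid_devices, ttl_s=1800, per_device=1):
        self.region = region                  # coverage limits, never a device position
        self.location_table = location_table  # region -> free-channel records
        self.valid_devices = set(valid_devices)
        self.device_register = {}             # device_id -> (channels, expires_at)
        self.ttl_s = ttl_s
        self.per_device = per_device

    def _load(self, now, skip):
        """Count unexpired grants per channel, ignoring the device being renewed."""
        load = Counter()
        for dev, (channels, expires_at) in self.device_register.items():
            if dev != skip and expires_at > now:
                load.update(channels)
        return load

    def register_device(self, device_id, now):
        # Sub-rule 1: the request must come from a valid Device.
        if device_id not in self.valid_devices:
            return None
        # Sub-rule 2: retrieve spectrum information from the Location Table.
        records = self.location_table.get(self.region, [])
        if not records:
            return None
        # Restricted access: grant only the least-contended subset of channels.
        load = self._load(now, device_id)
        ranked = sorted(records, key=lambda r: (load[r["channel"]], r["channel"]))
        chosen = ranked[: self.per_device]
        expires_at = now + self.ttl_s
        # Sub-rule 3: log the device with its permitted spectrum (traceability).
        self.device_register[device_id] = (tuple(r["channel"] for r in chosen), expires_at)
        # Only transmission permissions are sent; primary-user fields are dropped.
        return {
            "region": self.region,
            "expires_at": expires_at,
            "grants": [{k: r[k] for k in PERMISSION_FIELDS} for r in chosen],
        }

# Constructed sample data: a coverage box and two free channels with primary details.
REGION = (37.20, 37.26, -80.45, -80.38)
LOCATION_TABLE = {REGION: [
    {"channel": 14, "f_low_mhz": 470.0, "f_high_mhz": 476.0, "max_eirp_dbm": 20.0,
     "primary": "constructed-licensee-A", "primary_site": (37.10, -80.60)},
    {"channel": 21, "f_low_mhz": 512.0, "f_high_mhz": 518.0, "max_eirp_dbm": 16.0,
     "primary": "constructed-licensee-B", "primary_site": (37.31, -80.20)},
]}

if __name__ == "__main__":
    bs = BaseStation(REGION, LOCATION_TABLE, {"dev-1", "dev-2"})
    print(bs.register_device("dev-1", now=1000))
    print(bs.register_device("dev-2", now=1000))
    print(bs.register_device("unknown", now=1000))
```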

Such policies can be parsed and processed by using a Java-based reasoner like BaseVisor that is capable of directly operating on OWL ontologies [6]. This approach to policy formulation provides a real-world design of the participating entities and leads to intuitive policy cases. However, due to requirements of consistency-checking across policies and the unification of several policies, this approach might not be able to meet the processing time limits in real applications. Still, ontology-based formulation appears to be the way forward and a standardization of the cognitive radio ontology will bring about a simple but powerful and robust policy development model.

IV. CONCLUSION

A policy-based privacy-preserving approach to dynamic spectrum access is proposed that provides location and contextual privacy to both the primary and secondary users. The policy is represented using two different approaches – one as a Boolean expression along with its equivalent binary decision tree, and the other as an OWL policy defined on a cognitive radio ontology.

REFERENCES

[1] Bahrak, Behnam. 2013. “Ex Ante Approaches for Security, Privacy, and Enforcement in Spectrum Sharing.”
[2] Brown, Timothy X., and Jon M. Peha. 2013. “Policy-Based Radios.”
[3] Hlavacek, Deanna, and J. Morris Chang. 2014. “A Layered Approach to Cognitive Radio Network Security: A Survey.” Computer Networks 75 (December): 414–36. doi:10.1016/j.comnet.2014.10.001.
[4] Institute of Electrical and Electronics Engineers, and IEEE-SA Standards Board. 2011. IEEE Standard for Information Technology-Telecommunications and Information Exchange between Systems-Wireless Regional Area Networks (WRAN)--Specific Requirements. Policies and Procedures for Operation in the TV Bands, Part 22. New York: Institute of Electrical and Electronics Engineers.
[5] Li, Shujun, Mieczyslaw M. Kokar, and David Brady. 2009. “Developing an Ontology for the Cognitive Radio: Issues and Decisions.” In PSDR Forum Technical Conference.
[6] Li, Shujun, Mieczyslaw M. Kokar, and Jakub Moskal. 2008. “Policy-Driven Ontology-Based Radio: A Public Safety Use Case.” In Software Defined Radio Technical Conference SDR. Vol. 8.
[7] Perich, Filip. 2007. “Policy-Based Network Management for next Generation Spectrum Access Control.” In New Frontiers in Dynamic Spectrum Access Networks, 2007. DySPAN 2007. 2nd IEEE International Symposium on, 496–506. IEEE.
[8] Squicciarini, Anna C., Elisa Bertino, Elena Ferrari, and Indrakshi Ray. 2006. “Achieving Privacy in Trust Negotiations with an Ontology-Based Approach.” Dependable and Secure Computing, IEEE Transactions on 3 (1): 13–30.
[9] Wang, Wei, and Qian Zhang. 2014. Location Privacy Preservation in Cognitive Radio Networks. SpringerBriefs in Computer Science. Cham: Springer International Publishing.
[10] Yan, Qiben. 2014. “Security Enhanced Communications in Cognitive Networks.”
