AI/ML in 5G Spectrum Sharing Security
Rose Qingyang Hu, PhD, IEEE Fellow
Professor, Electrical and Computer Engineering Department
Associate Dean for Research, College of Engineering
5G spectrum sharing paradigms
• Cognitive radio network (CRN)
  • Sensing before access by exploring the ‘spectrum hole’
  • Opportunistic spectrum access
• Licensed shared access (LSA) system/spectrum access system (SAS)
  • Database assisted spectrum sharing
  • Licensed band (3.5 GHz).
• LTE in unlicensed band (LTE-U)/LTE license assisted access (LTE-LAA)
  • Duty cycle based/listen before talk
  • Coexist with the WiFi system
• Ambient backscatter communication (AmBC)
  • Use surrounding signals broadcast from ambient RF sources to communicate with each other.
  • Symbiotic with the existing system by modulating and reflecting the surrounding ambient signal.
Key Steps in Spectrum Sharing
• Spectrum awareness
  • Sensing: Detect the unused spectrum and find the possible opportunities for SUs.
  • Database and policy:
• Spectrum allocation:
  • Help SU to choose the best available channel.
• Spectrum access:
  • Provide the fair spectrum scheduling and resource allocation method among coexisting.
• Spectrum mobility:
  • When PU reappears, SU must perform the handoff via spectrum mobility function to switch to another available channel or to wait until the channel becomes idle again.
Challenges in Spectrum Sharing
• Lack of ownership of the spectrum for SUs
• Sensitive information of PUs
• The dynamic spectrum availability and distributed network structures.
• Wireless broadcast nature
• Complexity of the sharing environment
Spectrum sharing adds functionality and complexity that raises
additional security concerns.
Security and Privacy Issues in Spectrum Sharing
• Spectrum sensing attacks
  • Primary User Emulation (PUE) Attack.
  • Spectrum Sensing Data Falsification (SSDF) Attack.
• Spectrum information database inference attack (DIA)
• Spectrum access denial-of-service (DoS) attacks
  • Jamming
  • Eavesdropping
Primary User Emulation (PUE) Attack
• An attacker sends PU-like signals during the spectrum sensing period, which excludes legitimate SUs from accessing the channels.
• It causes service degradation, denial of service (DoS), connection unreliability, and wasted bandwidth.
• It harms security requirements such as availability, authentication, non-repudiation, compliance, and access control.
• The main defense method is to detect the malicious attacker and then exclude its signal.
Yang Li and Q. Peng, "Achieving secure spectrum sensing in presence of malicious attacks utilizing unsupervised machine learning," 2016 IEEE Military Communications Conference, Baltimore, MD, 2016
Spectrum Sensing Data Falsification (SSDF) Attack
• SSDF is the most common attack in cooperative spectrum sensing (CSS). By sending falsified sensing data to the fusion center (FC), the attacker misleads the FC into a wrong fusion result and causes interference to the PU or DoS to SUs. SSDF attackers can be classified into three types:
  • Selfish SSDF (SSU): aims to gain exclusive access to the target spectrum. It falsely reports a relatively high PU energy while the PU does not exist, so that other SUs will not use the spectrum.
  • Interference SSDF (ISU): falsely reports a low PU energy, which leads other SUs to wrongly conclude that no PU is present and to use the spectrum. This type of attack aims to either cause interference to the PU or inhibit the communication of the other SUs.
  • Confusing SSDF (CSU): disturbs the SUs to prevent them from reaching consensus by randomly reporting the true or a false value of the PU energy.
• To defend against SSDF, the most important thing is to differentiate the attackers from legitimate SUs.
  • Outlier method: make the judgment based on the current spectrum sensing data.
  • Reputation based method: use the historical spectrum sensing data to update the sensors' reputation.
“A Survey on Security Threats and Detection Techniques in Cognitive Radio Networks”, A. G. Fragkiadakis, E. Z. Tragos, I. G. Askoxylakis, IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 1, 2013
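
A small fusion-center simulation of the outlier and reputation defenses listed above, added here as an illustration and not taken from the slides or the cited survey. The energy levels, the tolerance, the reputation threshold, the PU activity pattern and the three attacker models are constructed assumptions.

```python
import random
from statistics import median

THRESHOLD = 6.0       # energy level above which the FC declares "PU present"
TOLERANCE = 3.0       # max distance from the round median before a report is an outlier
MIN_REPUTATION = 0.8  # sensors below this are ignored by the fusion rule

def honest(pu_on, rng):
    # Constructed sensing model: about 10 when the PU transmits, about 2 when idle.
    return (10.0 if pu_on else 2.0) + rng.uniform(-1, 1)

def selfish(pu_on, rng):       # SSU: always reports a high PU energy
    return 50.0

def interference(pu_on, rng):  # ISU: always reports a low PU energy
    return 1.0

def confusing(pu_on, rng):     # CSU: randomly reports the true or the false value
    return honest(pu_on if rng.random() < 0.5 else not pu_on, rng)

def simulate(sensors, rounds=60, seed=1):
    rng = random.Random(seed)
    clean = {s: 1 for s in sensors}  # rounds in which the report was not an outlier
    seen = {s: 1 for s in sensors}   # rounds observed (1/1 = full trust at start)
    naive_errors = robust_errors = 0
    for t in range(rounds):
        pu_on = (t // 3) % 2 == 0    # constructed PU activity: 3 frames on, 3 off
        reports = {s: model(pu_on, rng) for s, model in sensors.items()}

        # Baseline: plain average of all reports.
        naive = sum(reports.values()) / len(reports) > THRESHOLD

        # Outlier method: judge each report against the current round only.
        med = median(reports.values())
        flagged = {s for s, v in reports.items() if abs(v - med) > TOLERANCE}

        # Reputation method: history decides who is allowed into the fusion.
        kept = [v for s, v in reports.items()
                if s not in flagged and clean[s] / seen[s] >= MIN_REPUTATION]
        robust = sum(kept) / len(kept) > THRESHOLD

        naive_errors += naive != pu_on
        robust_errors += robust != pu_on
        for s in sensors:
            seen[s] += 1
            clean[s] += s not in flagged
    reputation = {s: clean[s] / seen[s] for s in sensors}
    return naive_errors, robust_errors, reputation

# Five honest SUs plus one attacker of each SSDF type (constructed population).
SENSORS = {f"su{i}": honest for i in range(5)}
SENSORS.update(ssu=selfish, isu=interference, csu=confusing)

if __name__ == "__main__":
    naive, robust, reputation = simulate(SENSORS)
    print("naive errors:", naive, "robust errors:", robust)
    for name, rep in sorted(reputation.items()):
        print(f"{name}: {rep:.2f}")
```

The median test only works while honest sensors are the majority; the ISU is indistinguishable from an honest sensor whenever the PU is really idle, which is why its reputation settles near one half rather than zero.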
Spectrum information database inference attack (DIA)
• In a database inference attack, malicious SUs can obtain knowledge beyond that revealed directly by the database’s query replies by using sophisticated inference techniques.
• DIA harms users’ privacy, especially in database-driven spectrum sharing systems, where malicious attackers can collect sensitive operational data of both incumbent users (IUs) and SUs. This makes privacy protection critical in this paradigm.
• DIA can also be used to attack distributed machine learning methods.
• To defend against the inference attack, one viable approach is to obfuscate the information revealed by the database; different privacy-preserving strategies have been proposed.
Spectrum access denial-of-service (DoS) attack
• Jamming
  • The attackers transmit signals to interfere with the victims' communications, intending to cause a denial of service and compromise the availability of the communication links. Traditional anti-jamming methods with fixed patterns are unable to deal with dynamic jamming attacks and lead to low spectrum efficiency. SS techniques enable flexible access to different channels, which allows the users to avoid the attackers by exploiting that flexibility.
  • ML techniques give the system a more adaptive channel selection ability to avoid the jamming attack, and also the ability to learn and predict the actions of the jammer, which increases the efficiency of anti-jamming channel selection.
• Eavesdropping
  • Eavesdropping is the other common attack in wireless communications. Due to the broadcast nature of radio propagation, any active transmissions operated over the shared spectrum by different wireless networks are extremely vulnerable to eavesdropping. It is therefore important to investigate the confidentiality protection of SS communications against eavesdropping attacks.
  • Cryptographic techniques: require encryption and decryption of the information at the transmitter and receiver sides.
  • Physical layer security: the secrecy rate can be achieved by the mutual information difference between the legitimate user and the eavesdropper.
AI/ML in spectrum sharing
Xiangwei Zhou, Mingxuan Sun, Geoffrey Ye Li, Biing-Hwang Juang, “Intelligent Wireless Communications Enabled by Cognitive Radio and Machine Learning”, China Communications Vol. 15 Issue (12): 16-48, 2018.
AI/ML in Spectrum Sharing
- Model-Free Reinforcement Learning
Y. Zhou, F. Zhou, Y. Wu, R. Q. Hu and Y. Wang, "Subcarrier Assignment Schemes Based on Q-Learning in Wideband Cognitive Radio Networks," in IEEE Transactions on Vehicular Technology, vol. 69, no. 1, pp. 1168-1172, Jan. 2020.
[Figure: Independent Q-learning-based scheme and collaborative Q-learning-based scheme. Each panel shows the PN with its PBS and the CRN with its CBS. Legend, independent scheme: transmission of a feedback bit; an attempt to transmit a data packet. Legend, collaborative scheme: broadcasting of the channel state vector; an attempt to transmit a data packet.]
Q-learning
❖ Agent
Secondary users (SU)
❖ State
The channel that the SU attempted to occupy in the previous frame
❖ Action
The channel that the SU decides to occupy in this frame
❖ Policy
❖ Reward
[Figure: agent-environment loop. The agent sends an action to the environment and receives a reward and an observation (state).]
Independent scheme
❖ Initialization
Q-values are set to zero
Each SU randomly selects an action
❖ Updating
Getting a one-bit feedback message from CBS
Updating the Q-values by
❖ Making decision
SU selects an action by
[Figure: Q-value vectors of the SUs over the M subchannels in the 1st, 2nd and 3rd frames. All entries are 0 in the 1st frame; entries of -0.1 and 0.1 appear in the 2nd and 3rd frames after feedback from the CBS. Legend: transmission success, transmission failure, transmission attempt.]
Collaborative scheme
❖ Initialization
Q-values are set to zero
Each SU randomly selects an action
❖ Updating
The current frame is an information exchange frame
Getting an M-bit feedback message from CBS
Updating the Q-values by
❖ Making decision
SU selects an action by
[Figure: Q-value vectors of the SUs over the M subchannels in the 1st, 2nd and 3rd frames. All entries are 0 in the 1st and 2nd frames; entries of -0.1 and 0.1 appear in the 3rd frame after the CBS broadcast. Legend: transmission success, transmission failure, transmission attempt, broadcasting.]
AI/ML in Spectrum Sharing
- Model-Free Reinforcement Learning
❖ Independent Q-learning-based scheme: SUs cannot exchange information.
❖ Collaborative Q-learning-based scheme: Information can be exchanged among SUs.
❖ Δ is the information exchange interval.
[Figure: Normalized throughput versus the number of SUs]
[Figure: Number of accessing SUs versus the number of SUs]
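
A runnable sketch of the independent scheme described on the slides above, added here as an example and not taken from the slides or the cited paper. The update rule, the +1/-1 rewards, the learning rate 0.1 (chosen so the first update gives the ±0.1 shown in the figure), the discount factor 0.5 and the greedy tie-breaking policy are assumptions, because the slide's formulas did not survive.

```python
import random

ALPHA, GAMMA = 0.1, 0.5  # assumed learning rate and discount factor (not on the slide)

class SecondaryUser:
    def __init__(self, n_channels, rng):
        self.rng = rng
        # Q[state][action], all zero at initialization as on the slide.
        self.q = [[0.0] * n_channels for _ in range(n_channels)]
        self.state = rng.randrange(n_channels)  # no previous frame yet: random state

    def choose(self):
        """Greedy decision; ties (such as the all-zero first frame) are broken at random."""
        row = self.q[self.state]
        best = max(row)
        return self.rng.choice([a for a, v in enumerate(row) if v == best])

    def update(self, action, success):
        """Apply the one-bit CBS feedback: +1 for success, -1 for failure (assumed rewards)."""
        reward = 1.0 if success else -1.0
        target = reward + GAMMA * max(self.q[action])
        self.q[self.state][action] += ALPHA * (target - self.q[self.state][action])
        self.state = action  # next state = channel attempted in this frame

def run_frames(n_su, n_channels, pu_busy, frames, seed=0):
    """A transmission succeeds on a PU-free subchannel picked by exactly one SU."""
    rng = random.Random(seed)
    sus = [SecondaryUser(n_channels, rng) for _ in range(n_su)]
    successes = []
    for _ in range(frames):
        picks = [su.choose() for su in sus]
        ok = [ch not in pu_busy and picks.count(ch) == 1 for ch in picks]
        for su, ch, good in zip(sus, picks, ok):
            su.update(ch, good)  # SUs learn only from their own feedback bit
        successes.append(sum(ok))
    return sus, successes

if __name__ == "__main__":
    # Constructed scenario: 4 SUs, 6 subchannels, the PU occupies subchannel 0.
    sus, ok = run_frames(n_su=4, n_channels=6, pu_busy={0}, frames=500)
    print("mean successes, first 50 frames:", sum(ok[:50]) / 50)
    print("mean successes, last 50 frames: ", sum(ok[-50:]) / 50)
```

With a discount factor of at most 0.5 and rewards of ±1, every failed attempt has a negative target and every success a positive one, so a subchannel held by the PU can never look attractive to a greedy SU.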
AI/ML in Spectrum Sharing Security and Privacy
• AI/ML in defending security and privacy
• AI/ML in attacking security and privacy
• Distributed AI/ML in protecting privacy
Defending security and privacy
• Defense methods mainly consist of attacker detection and defense strategy selection.
• Detection for different attacks:
  • PUE: differentiate the emulated PU from the real PU.
  • SSDF: detect the attackers among SUs.
  • Jamming: detect and differentiate the interference signal.
  • Detecting the attackers’ signal is basically a classification problem.
• Defense for different attacks:
  • PUE: omit the attacker’s signal.
  • SSDF: omit the sensing results of malicious users or lower the reputation degree of those users.
  • Jamming: avoid the attacker by channel selection.
  • Eavesdropping: increase the difference between the legal receivers and eavesdroppers.
  • Defending against the attack is a strategy selection problem based on the states of the network environment.
Machine learning Based Detection
An ensemble ML (EML) based robust CSS framework in full-duplex CRNs (FD-CRNs) is considered in [1].
Self-interference and co-channel interference in the FD-CRNs, as well as the presence of malicious attacks such as PUE and SSDF attacks, complicate the sensing environment.
An EML framework is developed to provide robust and accurate fusion performance against malicious attacks and interference.
[1] Y. Zhang, Q. Wu and M. R. Shikh-Bahaei, "On Ensemble Learning-Based Secure Fusion Strategy for Robust Cooperative Sensing in Full-Duplex Cognitive Radio Networks," in IEEE Transactions on Communications, vol. 68, no. 10, pp. 6086-6100, Oct. 2020.
EML Framework
The base learner level consists of multiple different machine learning methods, which aim at extracting latent representations from different aspects.
Temporal Convolutional Recurrent Neural Network (TCRNN) learns the temporal correlation between previous and current slots, since the proposed problem includes multiple temporal aspects.
SVM (Support Vector Machine) extracts high dimensional nonlinear representations between SUs’ local results and has been proven to outperform other conventional machine learning methods for solving the cooperative sensing result fusion problem.
Reputation based Weighted Majority Vote (RWMV) is a commonly used efficient fusion method that directly learns the explicit linear relationships based on their reputations.
Then a Logistic Regression (LR) meta learner is trained to assign weights to each base learner’s prediction.
A Bayesian hyperparameter tuning method is adopted with cross-validation to efficiently search for the best hyperparameters.
Results
[Figure: Detection probability, false-alarm probability and inference time comparison for different fusion methods]
Machine Learning Based Defense: System Model
[1] N. Van Huynh, D. N. Nguyen, D. T. Hoang and E. Dutkiewicz, "Jam Me If You Can: Defeating Jammer With Deep Dueling Neural Network Architecture and Ambient Backscattering Augmented Communications," in IEEE Journal on Selected Areas in Communications, vol. 37, no. 11, pp. 2603-2620, Nov. 2019.
The transmitter is equipped with a data buffer, an energy harvesting circuit (EHC), and energy storage.
The EHC harvests energy from surrounding signals and stores it in the energy storage for future use.
An ambient RF source is located near the system, and thus the transmitter can harvest energy from the RF energy source when the source is active.
The transmitter has a backscatter that can modulate and reflect the ambient RF signals or the jamming signals by using the load modulator.
The jammer is smart and reactive, with self-interference suppression (SiS) capability, so it can “listen” to the channel while jamming.
[Figure: Machine learning based jamming defense model [1].]
System Operations
State space (S)
Action space (A)
Reward
DQN vs. DDN
The convergence rate of the DQN is limited. Deep dueling network (DDN) divides the DNN into two sequences to separately estimate the values of states and advantages of actions. The values and advantages are then combined at the output layer.
Machine Learning Based Defense
Machine Learning Based Attack Methods
Understanding the optimal attacking strategies helps to quantify the severity or impact of an attacker on the system and sheds light on the design of defending strategies.
Attack the user: ML can be exploited to find the best strategies to block the spectrum access or transmission.
❖ Game theory: attack-defense game with users.
❖ Reinforcement learning: choose the channel to attack based on users’ behaviors.
❖ Deep learning: predict the activity of users.
❖ Deep reinforcement learning: choose the best attack strategies.
Attack the machine learning model: Attackers can launch attacks based on the workflow of machine learning, e.g., by poisoning the training data. There are three types of such attacks.
❖ Exploratory/inference attack: understand how the underlying ML works for an application (e.g., inferring sensitive and/or proprietary information).
❖ Evasion attack: fool the ML algorithm into making a wrong decision (e.g., fooling a security algorithm into accepting an adversary as legitimate).
❖ Poisoning/causative attack: provide incorrect information such as training data to ML.
[Figure: ML workflow stages: data, training, evaluation.]
Spectrum data poisoning with ADL
The application of adversarial deep learning (ADL) to launch an exploratory attack on CRN [1].
❖ SU builds a DNN model to predict the busy and idle states of the channel. The training data includes time-series of spectrum sensing results as features, and channel idle/busy status based on PU’s state.
❖ Then the model is used by SU to make transmit decisions. If a transmission is successful, the receiver sends an acknowledgment (ACK) to SU, which can also be overheard by the adversary user (AU).
❖ AU also builds a DNN classifier that can predict the outcome of transmissions, i.e., whether there will be an ACK or not if there is no attack.
❖ AU then predicts when the transmitter will have a successful transmission (if there is no attack) and transmits to change the channel status in order to falsify SU’s input (spectrum sensing data) to the ML algorithm.
[1] Y. Shi, T. Erpek, Y. E. Sagduyu and J. H. Li, "Spectrum Data Poisoning with Adversarial Deep Learning," MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM), Los Angeles, CA, 2018, pp. 407-412.
Spectrum data poisoning with ADL
               Normalized throughput   Success ratio   All transmission ratio
no attack      98.96%                  96.94%          19.60%
with attack    3.13%                   75.00%          0.80%
• A new type of attack motivated by adversarial machine learning.
• Its purpose is not to degrade the data transmission received (as typically assumed in denial-of-service attacks) but it aims to manipulate the spectrum sensing data collected so that wrong transmit decisions are made by using the unreliable spectrum sensing results.
• This attack differs from the SSDF attack, since the adversary does not participate in cooperative spectrum sensing and does not try to change channel labels directly as in the SSDF attack. Instead, the adversary injects adversarial perturbation to the channel in order to fool the transmitter into making wrong transmit decisions.
• This type of attack is hard to detect since it does not directly jam the transmitter’s signal but it changes the input data to the decision mechanism so that the transmitter chooses not to transmit when the channel is indeed idle. Moreover, this attack is energy efficient since the adversary makes a very short transmission in the sensing period.
• It raises the need for new defense mechanisms to protect wireless communications against intelligent attacks based on adversarial machine learning.
Federated Machine Learning
• The hybrid spectrum access needs collaborative and more autonomous spectrum sharing strategies that are adapted to the environment and applications in 5G networks.
• The high-resolution spectrum utilization data of all radios may be required, which may not be easy to share because of privacy and bandwidth concerns.
• Making inference on such huge amounts of data requires enormous processing power and large scale optimization that would be computationally prohibitive.
• Centralized strategies, where spectrum usage information is gathered in a spectrum access database, may not always be appropriate.
• Therefore, the future of spectrum autonomy likely depends on crowd-sourced and decentralized intelligent radio networks where spectrum sharing is performed collaboratively.
• Federated ML, where each radio transfers its local spectrum utilization model, can be leveraged to address these issues. The aggregator utilizes the local spectrum utilization model parameters to update a global model which is eventually fed back to the individual radios for spectrum access decision.
• PUs have sensitive data, different types of users coexist, and the spectrum sharing network has a distributed structure. ML requires a lot of data to train the model.
S. Niknam; H. S. Dhillon; J. H. Reed, “Federated Learning for Wireless Communications: Motivation, Opportunities and Challenges”, IEEE Communications Magazine, Volume: 58, Issue: 6, June 2020.
System Model
Haijian Sun, Xiang Ma, Rose Q. Hu, “Adaptive Federated Learning with Gradient Compression in Uplink NOMA”, IEEE Transactions on Vehicular Technology, 2020.
Xiang Ma, Haijian Sun, Rose Q. Hu, “Scheduling Policy and Power Allocation for Federated Learning in NOMA Based MEC”, In Proc. IEEE Globecom 2020.
NOMA for uplink model update
Adaptive model compression
Problem formulation
FL model update scheduling
Power Control
Simulation results
Privacy in Federated Learning
FL enables a multitude of participants to construct a joint ML model without exposing their private training data. FL protocol designs may contain vulnerabilities for
Insider attacks:
• A malicious server can observe individual updates over time, tamper with the training process and control the view of the participants on the global parameters;
• A malicious participant can observe the global parameters and control its parameter uploads.
Outsider attacks:
• Eavesdroppers on the communication channel between participants and the FL server
• Malicious users can obtain the final FL model when it is deployed as a service.
Lyu, Lingjuan, Han Yu, and Qiang Yang. "Threats to federated learning: A survey." arXiv preprint arXiv:2003.02133 (2020).
Privacy issues meet federated learning
The three main strategies in privacy-preserving ML:
❖ Differential privacy: A randomized mechanism is differentially private if the change of one input element will not result in too much difference in the output distribution; this means that one cannot draw any conclusions about whether or not a specific sample is used in the learning process.
❖ Homomorphic encryption: Operates on encrypted data; it can be used to secure the learning process by computing on encrypted data.
❖ Secure function evaluation (SFE)/ secure multiparty computation (SMC): When the user-generated data are distributed across different data owners, SFE can enable multiple parties to collaboratively compute an agreed-upon function without leaking input information from any party except for what can be inferred from the output.
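
Added example (not from the slides or the cited papers): a simplified additive-masking form of secure multiparty aggregation, in which the FL server learns only the sum of the radios' model updates and never an individual update. The radio ids, pairwise seeds and update values are constructed, the seeds are assumed to have been agreed pairwise beforehand, and dropouts or colluding parties are not handled.

```python
import hashlib

MOD = 2 ** 32    # masks and updates live in the integers modulo 2^32
SCALE = 10_000   # fixed-point scale applied to model weights

def prg(seed, length):
    """Expand a shared seed into `length` mask words (SHA-256 in counter mode)."""
    words, counter = [], 0
    while len(words) < length:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        words += [int.from_bytes(block[i:i + 4], "big") for i in range(0, 32, 4)]
        counter += 1
    return words[:length]

def encode(update):
    """Fixed-point encoding of a weight vector into residues modulo MOD."""
    return [round(w * SCALE) % MOD for w in update]

def mask_update(me, update, seeds):
    """Radio `me` adds the mask shared with each higher-id peer and subtracts
    the one shared with each lower-id peer, so all masks cancel in the sum."""
    masked = encode(update)
    for pair, seed in seeds.items():
        if me not in pair:
            continue
        sign = 1 if me == min(pair) else -1
        for i, m in enumerate(prg(seed, len(masked))):
            masked[i] = (masked[i] + sign * m) % MOD
    return masked

def aggregate(masked_updates):
    """Server side: sum the masked vectors and return the average update."""
    n = len(masked_updates)
    totals = [sum(col) % MOD for col in zip(*masked_updates)]
    signed = [t - MOD if t >= MOD // 2 else t for t in totals]
    return [s / SCALE / n for s in signed]

# Constructed local model updates from three radios.
UPDATES = {1: [0.12, -0.40, 0.33], 2: [0.10, -0.35, 0.30], 3: [0.20, -0.45, 0.27]}
# Constructed pairwise secrets; assumed to come from a prior key agreement.
SEEDS = {(1, 2): b"seed-1-2", (1, 3): b"seed-1-3", (2, 3): b"seed-2-3"}

def run():
    masked = {r: mask_update(r, u, SEEDS) for r, u in UPDATES.items()}
    return masked, aggregate(list(masked.values()))

if __name__ == "__main__":
    masked, mean = run()
    print("what the server sees from radio 1:", masked[1])
    print("average update:", mean)
```

The aggregate itself can still leak information about the participants, which is where differential privacy would be applied to the summed update.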
A compressed sensing (CS)-based federated learning framework to achieve IU detection for improving communication efficiency while protecting the privacy of training samples.
Local learning models transmit the updating parameters instead of the raw spectrum data to the central server.
These parameters are aggregated based on a multiple measurement vector (MMV) CS model.
The central server can gain a global learning model based on the aggregation of the parameters and get the updating of global parameters back to the local learning models to achieve federated learning.
Based on this framework, the detection performance is as good as the scheme under the raw training samples, and the communication and training efficiency can be significantly improved.
Privacy preserved spectrum sensing method
[1] Wang, Ning, et al. "Privacy Protection and Efficient Incumbent Detection in Spectrum Sharing Based on Federated Learning." 2020 IEEE Conference on Communications and Network Security (CNS). IEEE, 2020.
[Figure: Spectrum sharing using the ESC scheme (the central server has been compromised) [1].]
Conclusions
• Spectrum sharing adds functionality and complexity that raises additional security concerns.
• AI/ML can be used effectively to defend security and privacy in spectrum sharing.
• AI/ML can also be used in attacking security and privacy - new defense mechanisms are needed.
• Federated learning can be further used to protect privacy in spectrum sharing although new privacy/security mechanisms are still needed.
Thanks!
Q&A