Security and Enforcement in Spectrum Sharing

Jung-Min (Jerry) Park, Jeffrey H. Reed, A. A. (Louis) Beex, T. Charles Clancy, Vireshwar Kumar, Behnam Bahrak

Bradley Department of Electrical and Computer Engineering, Virginia Tech

Abstract—When different stakeholders share a common resource, such as the case in spectrum sharing, security and enforcement become critical considerations that affect the welfare of all stakeholders. Recent advances in radio spectrum access technologies, such as cognitive radios, have made spectrum sharing a viable option for significantly improving spectrum utilization efficiency. However, those technologies have also contributed to exacerbating the difficult problems of security and enforcement. In this paper, we review some of the critical security and privacy threats that impact spectrum sharing. We propose a taxonomy for classifying the various threats, and describe representative examples for each threat category. We also discuss threat countermeasures and enforcement techniques, which are discussed in the context of two different approaches: ex ante (preventive) and ex post (punitive) enforcement.

I. INTRODUCTION

The role of spectrum as an important economic growth engine in the United States was brought forth in the National Broadband Plan (NBP) [1] and in the recent President’s Council of Advisors on Science and Technology (PCAST) report entitled “Realizing the Full Potential of Government-Held Spectrum to Spur Economic Growth” [2]. Recommendations in the PCAST report include sharing underutilized Federal government spectrum and identifying 1,000 MHz of Federal spectrum as part of an ambitious endeavor to create “the first shared-use spectrum superhighways”.

Regulatory bodies in other countries are also conducting studies, and, in some cases, have established regulations with the aim of improving spectrum utilization efficiency through shared spectrum access. These efforts include the studies and initiatives undertaken by the Office of Communications (Ofcom, a regulatory authority in the United Kingdom) [3], [4], Industry Canada [5], Infocomm Development Authority of Singapore (IDA) [6], Radio Spectrum Policy Group in Europe [7], [8], and the European Communications Office [9].

To realize this vision and meet the spectrum demands of future applications, we need to develop and employ innovative spectrum access technologies as well as adopt new regulatory rules and institutional frameworks that can maximize the efficacy of those technologies. Realizing the foresight described in the PCAST report will require the adoption of fundamentally new spectrum access paradigms, including dynamic spectrum access and spectrum sharing between heterogeneous wireless systems. In the spectrum sharing paradigm, a heterogeneous mix of wireless systems of differing access priorities, QoS requirements, and transmission characteristics need to coexist without causing harmful interference to each other. When different stakeholders share a common resource (such as the case in spectrum sharing), security, privacy, and enforcement become critical considerations that are essential to the welfare of all stakeholders. Security and enforcement are especially paramount considerations related to the recent calls in the United States for sharing of federal government (including military) spectrum with non-government systems.

In this paper, we review the critical security and privacy threats in dynamic spectrum access and spectrum sharing. First, we describe a taxonomy for classifying the threats that have been discussed in the literature. The taxonomy considers the fundamental mechanism for enabling coexistence (i.e., spectrum sensing-driven vs. database-driven) as well as the point of attack with respect to the five-layer protocol stack. For each threat category, we describe representative security and privacy threats and their relation to other types of threats. We also discuss threat countermeasures and spectrum rule enforcement. The enforcement techniques are discussed in the context of two distinct approaches—ex ante and ex post enforcement. The former represents actions that are designed to “prevent” or reduce the likelihood of a potentially harmful interference event, while the latter denotes “punitive” measures designed to punish malicious or selfish behavior after a potentially harmful interference event has occurred. We conclude the paper by discussing the open problems and research challenges that need to be addressed to ensure security and privacy in spectrum sharing.

The rest of the paper is organized as follows. We discuss the spectrum sharing models and security requirements relevant to spectrum sharing in Section II. In Section III, we propose a taxonomy of security and privacy threats, and describe representative threats in each category. Threat countermeasures and spectrum enforcement techniques are discussed in Section IV. We discuss open research problems and challenges in Section V, and conclude the paper in Section VI.

II. TECHNICAL BACKGROUND

A. Models of Shared Spectrum Access

Most of the security and privacy threats discussed in the literature are intrinsically linked to one of the two fundamental attributes of a spectrum sharing model: (1) spectrum access user model, and (2) mechanism for enabling the harmonious coexistence of wireless devices/systems. In Section III, we use these attributes to create a taxonomy of threats to spectrum sharing. Here, we briefly review these topics before discussing the threats in the next section.

In spectrum sharing, users of different access priorities share a common resource, viz spectrum, within a clearly-defined hierarchy. Licensed Shared Access (LSA) is a two-tier spectrum sharing structure proposed by the European Commission to support the use of idle spectrum in Europe using cognitive radio technology [7]. In the two-tier user model, users are classified into two categories: incumbent/primary users (PUs) and secondary users (SUs). The PUs have access priority over the SUs, and may consist of federal government users, state/local government users, and licensed users. The SUs have secondary (i.e., subordinate) rights to spectrum, and typically consist of unlicensed opportunistic users. As described in the PCAST report [2] and the Federal Communications Commission’s (FCC) Notice of Proposal Making (NPRM) for the 3.5 GHz band [10], a richer hierarchy of rights is possible with a three-tier user model. In the NPRM, three tiers of users are proposed: Incumbent Access users, Protected Access users, and General Authorized Access users.

Instead of access rights, SUs can be classified based on their capabilities—such as maximum transmit power, geo-location capability, ability to access a database, sensing ability, etc. For example, FCC has defined four classes of TV white space devices: Fixed, Portable mode II, Portable mode I, and Sensing only [11]. For details, the reader is referred to [11].

There are two different mechanisms for enabling the harmonious coexistence of heterogeneous wireless systems in a shared spectrum environment: geo-location databases and spectrum sensing. In a database-driven spectrum sharing scenario, the database provides spectrum availability information and may also prescribe rules for SUs to access the shared spectrum (e.g., transmit spectral mask) [12], [13]. SUs are required to access the database before accessing the spectrum. On the other hand, in a sensing-driven spectrum sharing application, SUs’ transmission behavior is dictated by spectrum sensing results, obtained through either stand-alone sensing or cooperative sensing [14], [15]. In sensing-driven spectrum sharing, the radios need to be cognizant of the surrounding radio frequency (RF) environment (through sensing), and need to have sufficient intelligence to use transmission parameters that are compliant with regulatory spectrum rules. Radios with such capabilities are often referred to as cognitive radios [16]. In most situations, both mechanisms are used to realize spectrum sharing.

B. Security and Enforcement Requirements

To protect all stakeholders and ensure the viability of spectrum sharing, certain security and enforcement requirements must be met. Different spectrum sharing scenarios may have different requirements. Here, we briefly review some of the requirements common to most spectrum sharing scenarios [17], [18].

● Confidentiality: Along with the data stored in the database, the data communicated between the registered users and the database, and among users in the network should not get disclosed to unauthorized users.
● Integrity: The data stored in the database and communicated among users should be protected from malicious alteration, insertion, deletion or replay.
● Availability: The users should have access to the database and/or the spectrum when it is required.
● Authentication: The network components, including the database, and the mobile terminals should be able to establish and verify their identity.
● Non-repudiation: The users should not be able to deny either having received or sent a message. Also, they should not be able to deny having accessed the spectrum at a specified location and time.
● Compliance: The network should be able to detect non-compliant behavior causing harmful interference.
● Access control: No user should be able to access either the database or the spectrum without proper credentials.
● Privacy: Sensitive or private information of the users, both primary and secondary users, should be properly protected.

III. SECURITY AND PRIVACY THREATS

A. Taxonomy of Threats

In this section, we review some of the security and privacy issues that pose the greatest threats to spectrum sharing. To provide a more systematic discussion of the topic, we first propose a taxonomy that classifies the known threats into a number of categories. Through this taxonomy, our aim is to offer a clear picture of the known security and privacy issues and the related technical challenges. The taxonomy is illustrated in Figure 1.

All of the known threats (to spectrum sharing) exploit either one of the two mechanisms which enable different wireless systems to coexist—viz, spectrum sensing or geo-location databases. Therefore, all threats can first be classified into two broad categories: threats to sensing-driven spectrum sharing (denoted as class TS) and threats to database-driven spectrum sharing (denoted as class TD). Threats under class TS can be further classified into three subclasses based on which layer of the protocol stack a given threat affects: PHY-layer (class TS-1), MAC-layer (class TS-2), and cross-layer threats (class TS-3). On the other hand, threats in class TD can be further classified into two subclasses: Database inference attacks (class TD-1) and threats to database access protocols (class TD-2).

B. Threats to Sensing-Driven Spectrum Sharing

1) PHY-Layer Threats: Threats in class TS-1 directly impact the PHY-layer mechanisms in spectrum sharing, most notably spectrum sensing. Spectrum sensing by the SUs can be manipulated by a rogue transmitter in order to either hijack their spectrum or affect their spectrum sharing decisions, e.g., primary user emulation (PUE) attack [19], [20]. In a PUE attack, a malicious user emulates the PU’s signals and illegally forces the other SUs to vacate the spectrum. PUE attacks can also be used as a tool to carry out more sophisticated attacks [21].

[Fig. 1: Taxonomy of threats to spectrum sharing. Tree diagram: Threats to Spectrum Sharing divide into Threats to Sensing-Driven Spectrum Sharing (TS), with PHY-Layer Threats (TS-1), MAC-Layer Threats (TS-2) and Cross-Layer Threats (TS-3), and Threats to Database-Driven Spectrum Sharing (TD), with Database Inference Attacks (TD-1), comprising Threats to Privacy of Primary Users (TD-1-1) and Threats to Privacy of Secondary Users (TD-1-2), and Threats to Database Access Protocols (TD-2).]

If SUs fail to sense the presence of PUs’ signals in the spectrum of interest, they can cause harmful interference to the PUs. One approach for improving the accuracy of spectrum sensing is to employ cooperative spectrum sensing and centralized decision making. In this approach, multiple users sense their RF environment and send their observations to a fusion center. The fusion center then intelligently combines the reported information to make the final decision regarding the presence or absence of incumbent transmissions. An alternative approach is to employ cooperative spectrum sensing and distributed decision making. This approach avoids the problems that may arise when a fusion center makes erroneous decisions. In this approach, no fusion center is used, and instead each SU makes its decision based on its own observations and also on observations shared by other SUs. Both sensing approaches described above are vulnerable to spectrum sensing data falsification (SSDF) attacks in which one or more malicious SUs send false observations about the radio environment [22], [23]. An SSDF attack can cause an SU to acquire an incorrect perception of the radio environment leading to transmission decisions that cause harm to others.
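The centralized fusion step described above, as an added example that is not code from the paper or its references: it compares how four common fusion rules react when some of the reports are falsified, and adds a median-based screen for outlying reporters. The readings, the 3 dB threshold, the function names and the screening heuristic are all assumptions made for illustration.

```python
from statistics import mean, median

# Constructed sample: energy-detector readings (dB above the noise floor)
# reported by seven SUs while no incumbent is transmitting.
HONEST_IDLE = [0.4, 0.9, 0.2, 1.1, 0.7, 0.5, 0.8]
THRESHOLD_DB = 3.0  # assumed detection threshold


def fuse_hard(reports, k, threshold=THRESHOLD_DB):
    """k-out-of-n rule on local decisions: 'incumbent present' if at least
    k SUs report energy at or above the threshold (k=1 is the OR rule)."""
    return sum(r >= threshold for r in reports) >= k


def fuse_soft(reports, combiner, threshold=THRESHOLD_DB):
    """Soft fusion: combine the raw readings, then apply the threshold."""
    return combiner(reports) >= threshold


def fusion_decisions(reports):
    """Decision of each fusion rule for one round of reports."""
    n = len(reports)
    return {
        "or": fuse_hard(reports, 1),
        "majority": fuse_hard(reports, n // 2 + 1),
        "mean": fuse_soft(reports, mean),
        "median": fuse_soft(reports, median),
    }


def suspect_reporters(reports, scale=5.0):
    """Indices whose reading lies more than scale * MAD from the median.
    A screening heuristic for the fusion center, assumed for this example."""
    if not reports:
        return []
    med = median(reports)
    # Floor the MAD so identical readings do not produce a zero tolerance.
    mad = max(median(abs(r - med) for r in reports), 1e-9)
    return [i for i, r in enumerate(reports) if abs(r - med) > scale * mad]


def with_falsified(reports, n_bad, value=20.0):
    """Test fixture: the first n_bad SUs all report the same false reading."""
    return [value] * n_bad + list(reports[n_bad:])
```

The OR rule and the mean follow a falsified minority, while majority voting and the median hold until the falsified reports outnumber the honest ones, at which point the screen flags the honest reporters instead.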

2) MAC-Layer and Cross-Layer Threats: There are a number of known attacks that disrupt the MAC-layer mechanisms of spectrum sharing. In a multi-hop cognitive radio network, a pre-defined frequency channel—called the cognitive control channel (CCC)—is used by SUs to exchange control information, e.g., channel negotiation, spectrum hand-off, etc. [24]. A rogue transmitter may corrupt the CCC leading to a denial of service (DoS) attack [25], [26]. Another method to enable coexistence of SUs and coordinate the use of channels among SUs is to use beacons. In this case, a malicious user can carry out a beacon falsification (BF) attack to disrupt vital network functions, such as inter-cell spectrum contention and inter-cell synchronization [27]. The cognitive radios may also utilize a carrier sense multiple access with collision avoidance (CSMA/CA) protocol for spectrum access. In this protocol, after sensing, users back-off by a random time before transmission. If there is a collision of transmitted packets by any two users, the users double the back-off window and retransmit. However, a malicious user can use a small back-off window and gain priority over other users [28], [29]. This is called the small-back-off-window (SBW) attack.

A number of attacks can be conducted concurrently to exploit vulnerabilities in two or more layers of the protocol stack. These attacks are often referred to as cross-layer attacks. In a cognitive network utilizing the CSMA/CA protocol, a malicious user can conduct an SSDF (PHY-layer) attack and an SBW (MAC-layer) attack in a coordinated fashion [30]. Because of the coordination, it becomes difficult to detect either of the two attacks and hence this cross-layer attack is more effective than a single-layer attack in reducing the overall SUs’ channel utilization. The Lion attack is another example of a cross-layer attack that targets the PHY and transport layers of a cognitive radio network [31]. In a Lion attack, a malicious user launches a PUE attack to force the target nodes to carry out frequency hand-offs. Since the transmission control protocol (TCP) is sensitive to variations in delay and bandwidth, the transmission interruptions caused by the frequency hand-offs can lead to very poor throughput at the transport layer.

C. Threats to Database-Driven Spectrum Sharing

The threats discussed in this section exploit the security or privacy vulnerabilities inherent to employing geolocation databases for spectrum sharing.

TABLE I: Mapping of threats to the security and privacy requirements.

Threat | Class | Confidentiality | Integrity | Availability | Authentication | Non-repudiation | Compliance | Access Control | Privacy
PUE [19], [20] | TS-1 | A A A A A
SSDF [22], [23] | TS-1 | A A
CCC [25], [26] | TS-2 | A A A A
BF [27] | TS-2 | A A A A A A
SBW [28], [29] | TS-3 | A A
SULI [32] | TD-1-2 | A
DAP [33] | TD-2 | A A A A A A

1) Threats to the Privacy of Primary Users: The FCC ruling on TV white spaces proposes relying on a database of the incumbents’ spectrum usage information as the primary means of determining white space availability at any white space device (WSD) [34]. The database is required to house an up-to-date repository of incumbents including television stations, and in certain cases, wireless microphones, and use this information to determine white space availability at a white space device’s location. It has been shown that sensing-only devices do not generally utilize spectrum as efficiently as geolocation enabled devices, due to the large margins in incumbent detection thresholds that must be built into sensing-only devices [12]. Geolocation enabled devices have knowledge of the specific interference protection requirements of each licensed incumbent, which allows varying levels of protection to be applied, and thus maximize utilization of the spectrum.

Although using geolocation databases for spectrum sharing has many advantages, it poses a potentially serious privacy problem. For instance, SUs, through seemingly innocuous queries to the database, can determine the types and locations of incumbent systems operating in a given region of interest—we refer to this as the operational privacy of the incumbents. In other words, operational privacy of PUs is the confidentiality of information regarding the primary users’ operational characteristics. When the incumbent systems are commercial systems, such as the case in TV spectrum, this is not an issue. However, when the incumbents are federal government, possibly military, systems, then the information revealed by the databases may result in a serious breach of operational privacy. Moreover, there is the possibility that SUs can obtain knowledge beyond that revealed directly by the database’s query replies by using sophisticated inference techniques—we refer to this as a database inference attack.

The operational privacy of primary users is an especially critical concern related to the recent calls in the United States for sharing of federal government (including military) spectrum in the 3.5 GHz band with non-government systems.

Below, we list some of the operational attributes of incumbent transmitters that may need to be protected if those transmitters are being used in military or intelligence gathering applications.

● Transmitter identity (e.g., the Call Sign of the transmitter in an FCC Consolidated Database System (CDBS))
● Geolocation (i.e., latitude and longitude)
● Antenna parameters (HAAT, etc.)
● Power (Max EIRP, average operation power, etc.)
● Transmit protection contours (co-channel, adjacent channel, etc.)
● Times of operation

The problem of operational privacy of PUs cannot be addressed by tightly controlling access to the database, since all SUs need access to it to enable spectrum sharing. A more viable approach is to “obfuscate” the information revealed by the database in an intelligent manner such that a certain level of privacy is assured while supporting efficient use of the spectrum.

2) Threats to the Privacy of Secondary Users: Another privacy issue that arises as a result of using geolocation databases for spectrum sharing is the problem of location privacy of the secondary users. Since the secondary users need to send their location information to the database to receive information on the set of available channels in their region, their location privacy may be threatened by an untrustworthy database. In [32], the authors present a new kind of location privacy attack, named the Spectrum Utilization based Location Inferring (SULI) attack, which allows an attacker to infer the location of an SU from the channels s/he has used.

3) Threats to the Database Access Protocol (DAP): In addition to the aforementioned privacy issues, there are other security concerns related to using a geolocation database for spectrum sharing. The latest Internet Engineering Task Force (IETF) draft of the protocol to access white space database (PAWS) contains a section that focuses on security issues [33]. Some of those security issues are listed below:

● Modifying a device to masquerade as another certified device. Without suitable protection mechanisms, devices can listen to registration exchanges, and later register with the database by claiming the identity of another device.
● Spoofed database. Spoofing a database in order to provide malicious responses to a WSD (master device) is another type of attack that can be used to cause interference to the primary user of the spectrum.
● Modifying or jamming a query. If an attacker is able to change some of the information in the WSD’s query (e.g. the location of the device or its capabilities), the database responds with incorrect information about available spectrum or maximum transmit power allowed which can result in interference to the primary user of the spectrum. Also, jamming the queries may cause a denial of service to the master device if the attacker can prevent the query from reaching the database.
● Modifying or jamming a database response. An attacker may modify the available spectrum or power level information carried in the database response which can result in interference to the primary users.
● Malicious individual acts as a database to terminate or unfairly limit spectrum access of devices. If a database includes a mechanism by which spectrum allocated to a master device can be revoked by sending a revoke message, malicious users can pretend to be the database and send a revoke message to that device and cause a denial of service attack.
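The device-side checks that catch the modified-response, modified-query, spoofed-database and forged-revoke cases listed above, as an added example rather than anything taken from the PAWS draft or the paper. It assumes a key shared between device and database and an HMAC tag on every database message; the message fields, the type names AVAIL_REQ, AVAIL_RESP and REVOKE, and all function names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def tag_for(key, msg):
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class WhiteSpaceDevice:
    def __init__(self, device_id, key, max_age_s=30):
        self.device_id = device_id
        self.key = key
        self.max_age_s = max_age_s
        self.pending = {}          # nonce -> query still awaiting a reply
        self.last_revoke_seq = 0   # highest revoke sequence number accepted

    def make_query(self, lat, lon):
        """Build a query with a fresh nonce and remember what was asked."""
        query = {"type": "AVAIL_REQ", "device": self.device_id,
                 "nonce": secrets.token_hex(16), "lat": lat, "lon": lon}
        self.pending[query["nonce"]] = query
        return query

    def accept(self, msg, tag, now):
        """Return 'ok' or the reason the database message is rejected."""
        expected = tag_for(self.key, msg).encode()
        if not hmac.compare_digest(expected, str(tag).encode()):
            return "bad tag"                  # modified or not from the database
        if msg.get("device") != self.device_id:
            return "wrong device"
        if abs(now - msg.get("ts", 0)) > self.max_age_s:
            return "stale"
        if msg.get("type") == "REVOKE":
            if msg.get("seq", 0) <= self.last_revoke_seq:
                return "replayed revoke"
            self.last_revoke_seq = msg["seq"]
            return "ok"
        if msg.get("type") != "AVAIL_RESP":
            return "unknown type"
        query = self.pending.get(msg.get("nonce"))
        if query is None:
            return "unknown or reused nonce"  # replay or unsolicited reply
        if (msg.get("lat"), msg.get("lon")) != (query["lat"], query["lon"]):
            return "query was altered in transit"
        del self.pending[msg["nonce"]]        # each nonce is accepted once
        return "ok"


def database_reply(key, query, channels, max_eirp_dbm, now):
    """Database side: answer the query as received, echo it, sign the answer."""
    resp = {"type": "AVAIL_RESP", "device": query["device"],
            "nonce": query["nonce"], "lat": query["lat"], "lon": query["lon"],
            "channels": channels, "max_eirp_dbm": max_eirp_dbm, "ts": now}
    return resp, tag_for(key, resp)
```

Jamming is outside what these checks can address: a query or reply that never arrives leaves the nonce pending, and the device has to treat the missing answer as no spectrum being available.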

In Table I, we summarize the threats discussed in this section, and also map them to the security and enforcement requirements that they infringe.

IV. THREAT COUNTERMEASURES AND ENFORCEMENT

We classify attack countermeasures and spectrum rule enforcement into two broad categories: ex ante (preventive) and ex post (punitive) enforcement. The objective of ex ante enforcement is to prevent or reduce the probability of harmful interference events. On the other hand, the objective of ex post enforcement is to identify and/or punish malicious or selfish users after an interference event has occurred.

A. Ex Ante (Preventive) Approaches

1) Preventive Measures for Rogue Transmissions: Enforcing spectrum access control in legacy radios (e.g., cellular phones) is relatively straightforward since the spectrum access policies are an inseparable part of the radio’s firmware and platform. Making controlled changes to a legacy radio’s transmission behavior would require an adversary to have very specialized expertise in the radio’s firmware and hardware, and would also require specialized equipment. Unfortunately, manipulating the transmission behavior of software defined radios (SDRs) and cognitive radios (CRs) is easier. The reconfigurability of an SDR/CR makes it vulnerable to unauthorized modification. Such modifications can result in harmful interference. Illegally modified radios can even be used to launch very sophisticated jamming attacks, as shown in [35].

One approach for enforcing spectrum access control in spectrum sharing is to employ policy-based CRs. Policy-based cognitive radios cope with evolving spectrum access policies and constantly changing application requirements by decoupling the policies from device-specific implementations and optimizations. These radios can invoke situation-appropriate adaptive actions based on policy specifications and the current spectrum environment [36]. Enforcing spectrum access policies by mandating the use of policy-based CRs is one effective approach for mitigating rogue transmissions.

In order to regulate and enforce proper transmission behavior, policy-based CRs need mechanisms to enforce spectrum access policies. Most of these mechanisms are carried out by specialized software modules called policy conformance components (PCCs) [37]. To enforce spectrum policies, the policies themselves first need to be interpreted, and then a CR’s transmission strategies need to be evaluated against those policies to determine the legality of the transmission strategies. Within a policy-based CR, the aforementioned tasks are carried out in real time by a software module called the policy reasoner.

Fig. 2: Ontology space. Ontology-based spectrum policies offer a number of significant advantages, including facilitating the specification and management of complex spectrum policies, flexible knowledge representation, support for interoperability, flexible querying and self-awareness [43].

Our previous work [38], [39] as well as that of others [37], [40], [41] has shown that rule-based policy reasoners can be used to enforce policy conformance in CRs. Rule-based policies use logic programming techniques to encode the axioms and rules in a straightforward way [42]. Using rule-based spectrum policies simplifies the design of the policy reasoner because the reasoning complexity is sufficiently low in most applications to meet the real-time processing requirements of the radio. However, rule-based policies have a number of critical drawbacks. The most serious drawbacks are policy management overhead and limited interoperability. With rule-based policies, complex spectrum policies are difficult to specify and manage. Moreover, rule-based policies do not support the sharing of the policy structure among different policy authors (i.e., regulation authorities), and thus limit interoperability of the policy-based radios across different regulatory policy domains.

To overcome the limitations of rule-based spectrum policies, there is growing interest in using ontology-based policies for prescribing spectrum access rules [44]. In fact, the IEEE 1900.5 Standard, Standard for Policy Language Requirements and System Architectures for Dynamic Spectrum Access Systems, published in 2012, prescribes the use of an ontology-based policy language for managing the functionality and behavior of dynamic spectrum access networks [45]. Using ontologies to support the formal representation of spectrum policies and its usage in dynamic spectrum access networks is expected to benefit all stakeholders in this ever changing environment. In [43], we introduced an ontology-based policy reasoner to enforce ontology-based spectrum access policies in a policy-based cognitive radio. Figure 2 illustrates an ontology space for spectrum access policies.

In [46], the authors propose an ex ante enforcement technique that is based on a Secure Radio Middleware (SRM) layer. This layer is implemented in software and resides between the operating system and the hardware. The SRM layer checks all software transmission requests that are sent to the hardware layer to make sure that configurations such as transmission power, frequency, type of modulation, etc. conform with policies in a policy database. Unlike a policy reasoner that provides feedback to the radio’s software, the SRM layer simply discards non-conforming requests.

Another ex ante approach is to use tamper resistance techniques to protect a radio’s software against unauthorized modifications. Such a technique for protecting SDR/CR software is proposed in [47]. The proposed scheme is designed to thwart static attacks (i.e., static information extracted by examining the software code) and to protect partially against dynamic attacks (i.e., dynamic information extracted while the software code executes).

In [48], the authors proposed an ex ante approach that employs power fingerprinting to perform integrity assessment of an SDR. This mechanism is able to detect the execution of a tampered routine by closely monitoring the power consumption of the radio platform.

In [49], a hardware-based method is proposed to control the maximum transmission power of an SDR through a module implemented at the hardware of the SDR transceiver. This independent self-check module is designed to prevent transmissions that cause harmful interference to primary users even if the radio’s software is compromised.

In terms of regulatory approaches, a simple ex ante approach is to employ exclusion zones [50]. An exclusion zone is a spatial region in which no in-band emissions from SUs would be permitted in its interior. To prevent interference to PUs, the PUs and SUs would agree on a spatial database that defines these exclusion zones.
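A conformance gate in the style of the SRM layer and the exclusion zones described above, as an added example that is not the code of [46] or [50]. The policy-database layout, the circular zone shape, the sample band and coordinates, and every class and function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, isfinite, radians, sin, sqrt


@dataclass(frozen=True)
class BandPolicy:            # one entry of the (hypothetical) policy database
    f_low_mhz: float
    f_high_mhz: float
    max_eirp_dbm: float
    modulations: frozenset


@dataclass(frozen=True)
class ExclusionZone:         # circular zone; the shape is an assumption
    lat: float
    lon: float
    radius_km: float
    f_low_mhz: float
    f_high_mhz: float


@dataclass(frozen=True)
class TxRequest:             # what the radio software asks the hardware to do
    center_mhz: float
    bandwidth_mhz: float
    eirp_dbm: float
    modulation: str
    lat: float
    lon: float


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance on a 6371 km sphere."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def check_request(req, policies, zones):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    numbers = (req.center_mhz, req.bandwidth_mhz, req.eirp_dbm, req.lat, req.lon)
    if not all(isinstance(v, (int, float)) and isfinite(v) for v in numbers):
        return False, "non-finite parameter"   # NaN would pass every '>' test
    if req.bandwidth_mhz <= 0:
        return False, "invalid bandwidth"
    lo = req.center_mhz - req.bandwidth_mhz / 2
    hi = req.center_mhz + req.bandwidth_mhz / 2
    for z in zones:
        in_band = lo < z.f_high_mhz and hi > z.f_low_mhz
        if in_band and distance_km(req.lat, req.lon, z.lat, z.lon) <= z.radius_km:
            return False, "inside exclusion zone"
    for p in policies:
        if p.f_low_mhz <= lo and hi <= p.f_high_mhz:   # whole emission in band
            if req.eirp_dbm > p.max_eirp_dbm:
                return False, "EIRP above limit"
            if req.modulation not in p.modulations:
                return False, "modulation not permitted"
            return True, "ok"
    return False, "no policy covers the occupied band"


class SecureRadioMiddleware:
    """Sits between radio software and hardware; drops what fails the check."""

    def __init__(self, policies, zones, hardware):
        self.policies, self.zones, self.hardware = policies, zones, hardware
        self.dropped = []                       # kept for later audit

    def submit(self, req):
        allowed, reason = check_request(req, self.policies, self.zones)
        if allowed:
            self.hardware(req)                  # forwarded unchanged
        else:
            self.dropped.append((req, reason))  # discarded, no feedback given
        return allowed


# Constructed sample data: one permitted band and one exclusion zone.
POLICIES = [BandPolicy(3550.0, 3650.0, 30.0, frozenset({"QPSK", "16QAM"}))]
ZONES = [ExclusionZone(36.85, -76.00, 50.0, 3550.0, 3650.0)]
```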

2) Preventive Measures for Privacy Violations: As we mentioned in Section III-C1, obfuscating the contents of the query replies from the geolocation database is one approach for preserving the privacy of primary users in spectrum sharing. Because privacy is an important concern in many database applications, privacy-preserving data management techniques [51] are an area of active research. Although there is very little, if any, existing work on privacy-preserving databases for spectrum sharing, there is an abundance of existing work on the topic in the context of other applications. In this subsection, we review some of the existing work on privacy-preserving databases, focusing on techniques that may have applications to database-driven spectrum sharing with some modifications.

Probably the most widely-used method for privacy-preserving databases is perturbation [52]. The perturbative masking method (a.k.a. randomization method) is a technique for privacy-preserving databases that uses data distortion in order to mask the attribute values of records. In this method, sufficiently large noise is added to individual record values to prevent recovery of those values by an adversary. One key advantage of the randomization method is that it is relatively simple, and does not require knowledge of the distribution of other records in the data.

k-anonymity [53], l-diversity [54], and t-closeness [55] are other well-known privacy protection techniques that use methods such as generalization and suppression to reduce the granularity of data representation in order to keep the sensitive data private. The concept of k-anonymity was originally introduced in the context of relational data privacy [56] to address the following problem: “How can a data holder release its private data with guarantees that the individual subjects of the data cannot be identified while the data remain practically useful?” [53]. The l-diversity model was designed to address the weaknesses in the k-anonymity model when there is homogeneity of sensitive values within a group [54]. The t-closeness model is a further enhancement on the concept of l-diversity [55].
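Generalization and suppression as described above, applied to a constructed table of incumbent transmitter records, with an l-diversity measurement that exposes the homogeneity weakness. This is an added example, not code from the paper or the cited works; the record layout (latitude, longitude, system type), the grid sizes and the function names are assumptions.

```python
from collections import defaultdict
from math import floor

# Constructed sample: (latitude, longitude, system type) of incumbents.
# Location is the quasi-identifier, system type the sensitive attribute.
RECORDS = [
    (36.82, -76.03, "radar"), (36.88, -76.08, "radar"), (36.95, -76.21, "radar"),
    (38.85, -77.04, "radar"), (38.91, -77.12, "satcom"), (38.72, -77.31, "telemetry"),
    (34.10, -79.50, "radar"),
]


def group_by_cell(records, cell_deg):
    """Generalize each location to the index of its cell_deg x cell_deg grid
    cell and collect the sensitive values that fall in each cell."""
    groups = defaultdict(list)
    for lat, lon, kind in records:
        groups[(floor(lat / cell_deg), floor(lon / cell_deg))].append(kind)
    return dict(groups)


def k_anonymize(records, k, levels=(0.1, 0.5, 1.0)):
    """Coarsen the grid until every cell holds at least k records. If even the
    coarsest level fails, suppress the records in cells that are too small.
    Returns (cell size used, released groups, number of suppressed records)."""
    cell, groups = levels[0], {}
    for cell in levels:
        groups = group_by_cell(records, cell)
        if all(len(v) >= k for v in groups.values()):
            return cell, groups, 0
    kept = {c: v for c, v in groups.items() if len(v) >= k}
    suppressed = sum(len(v) for v in groups.values() if len(v) < k)
    return cell, kept, suppressed


def l_diversity(groups):
    """Smallest number of distinct sensitive values found in any group."""
    return min((len(set(v)) for v in groups.values()), default=0)
```

With k = 3 the release keeps two one-degree cells and suppresses the isolated record, yet one cell contains only radar entries, so the table is 3-anonymous but only 1-diverse.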

Differential privacy [57] is another emerging privacy- preserving paradigm that has recently gained considerable attention. Unlike the aforementioned privacy-preserving tech- niques that use generalization (i.e., k-anonymity, l-diversity, and t-closeness) to provide a syntactic model, differential privacy provides a semantic privacy model with strong pro- tection guarantees. In other words, differential privacy is able to capture the amount of disclosure that occurs due to the publication of sensitive data in addition to mandating how the published data should look.

The vast majority of the existing literature on location privacy focuses on preserving the privacy of the users’ location from an untrusted database (or service provider) in location- based services. The location-based services rely on accurate, continuous, and real-time streams of the users’ location data. However, if such information is mishandled by the database, location-based services pose a significant privacy risk to the users. Techniques for mitigating such a risk include sending a space- or time-obfuscated version of the users’ actual locations [58], hiding some of the users’ locations by using mix zones [59], sending fake queries, indistinguishable from real queries, issued from fake locations to the database [60], and applying k-anonymity to location privacy [61].

In [32], a scheme called PriSpectrum is proposed that protects the secondary users’ location information in database-driven spectrum sharing. However, to the best of our knowledge, there is no existing work that addresses the problem of the primary users’ operational privacy in the context of database-driven spectrum sharing.

B. Ex Post (Punitive) Approaches

We define ex post enforcement as measures designed to remediate malicious or selfish behavior, after a potentially harmful interference event has occurred, by enacting punitive actions. We divide the ex post enforcement process into three stages: identification, localization, and punishment.

1) Identification of Non-Compliant Transmitters: The logical first step in ex post enforcement is for a regulator (e.g., FCC’s Enforcement Bureau) to uniquely identify or authenticate malfunctioning or “rogue” transmitters. Ideally, the regulator would want to carry out the identification using some sort of a PHY-layer authentication procedure because it enables a receiver to quickly distinguish between compliant and rogue transmitters without having to complete unnecessary higher-layer processing. For this approach to be viable, all SU radios must be required to incorporate a mechanism for authenticating their waveforms and employ tamper-resistant mechanisms to prevent hackers from circumventing the mechanism.

PHY-layer authentication schemes can be broadly divided into two categories: intrinsic and extrinsic approaches. Schemes in the first category utilize the “intrinsic” characteristics of the waveform or communication medium (e.g., transmitter-unique RF signal characteristics) as unique signatures to authenticate/identify transmitters. They include RF fingerprinting and electromagnetic signature identification [62]–[67]. Although these intrinsic approaches have been shown to work in controlled lab environments, their sensitivity to environmental factors—such as temperature changes, channel conditions, and interference—limits their efficacy in real-world scenarios. Moreover, they have been shown to be vulnerable to impersonation attacks [68].

Schemes in the second category enable a transmitter to “extrinsically” embed an authentication signal (e.g., message authentication code (MAC) or digital signature) in the message signal and enable a receiver to extract it. Such schemes include PHY-layer watermarking [69]–[72] and transmitter authentication [73]–[81].

Although extrinsic PHY-layer authentication looks promising, some of its drawbacks need to be addressed before it can be considered a viable technique for ex post enforcement. Most of the schemes proposed in the literature for extrinsic PHY-layer authentication add the authentication signal to the message signal in such a way that the former is treated as noise by the latter and vice versa—this is referred to as “signal superposition” [71]. Hence, there is a fundamental, unavoidable tradeoff between the message signal’s signal to noise ratio (SNR) and the authentication signal’s SNR. More importantly, this implies that signal superposition requires the transmitter to significantly increase its transmission power to achieve acceptable performance; however, this is a serious impediment to deployment in spectrum sharing environments because such an environment is severely interference constrained.
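A numerical sketch of the superposition tradeoff described above, added here as an example and not taken from the paper or the cited schemes. It assumes a simple power model in which each signal sees the other's power plus receiver noise as its noise floor; the function names and SINR targets are constructed for illustration.

```python
import math


def db_to_lin(db):
    return 10 ** (db / 10)


def lin_to_db(x):
    return 10 * math.log10(x)


def superposed_sinrs_db(total_snr_db, rho):
    """SINR in dB of the message and of the authentication signal when a
    fraction rho (0 < rho < 1) of the transmit power carries the
    authentication signal and each signal treats the other as noise."""
    if not 0 < rho < 1:
        raise ValueError("rho must be strictly between 0 and 1")
    snr = db_to_lin(total_snr_db)              # total received power / noise power
    msg = (1 - rho) * snr / (rho * snr + 1)    # auth power adds to the message's noise
    auth = rho * snr / ((1 - rho) * snr + 1)   # message power adds to the auth noise
    return lin_to_db(msg), lin_to_db(auth)


def power_budget(msg_sinr_db, auth_sinr_db):
    """Power needed to meet both SINR targets at the same time.

    Solves Pm = gm * (Pa + N) and Pa = ga * (Pm + N) for the two powers.
    Returns (total_snr_db, rho, boost_db), where boost_db is the extra power
    relative to sending the message alone at the same message SINR, or None
    when the targets cannot both be met (gm * ga >= 1)."""
    gm, ga = db_to_lin(msg_sinr_db), db_to_lin(auth_sinr_db)
    if gm * ga >= 1:
        return None                            # no finite power satisfies both targets
    pm = gm * (1 + ga) / (1 - gm * ga)         # message power / noise power
    pa = ga * (1 + gm) / (1 - gm * ga)         # authentication power / noise power
    total = pm + pa
    return lin_to_db(total), pa / total, lin_to_db(total / gm)


if __name__ == "__main__":
    # Constructed targets: 10 dB message SINR, increasingly strong auth signal.
    for auth_target_db in (-20, -16, -13, -11, -5):
        budget = power_budget(10, auth_target_db)
        if budget is None:
            print(f"auth {auth_target_db:>4} dB: infeasible at any power")
        else:
            total_db, rho, boost_db = budget
            print(f"auth {auth_target_db:>4} dB: rho={rho:.3f}, "
                  f"total SNR={total_db:.2f} dB, boost={boost_db:.2f} dB")
```

The required boost grows without bound as the product of the two linear SINR targets approaches 1, which is the interference-budget problem the paragraph points to.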

Another drawback of extrinsic PHY-layer authentication is that it requires the SNR at the receiver to be sufficiently high for correct demodulation and decoding of the authentication signal. In ex post enforcement scenarios, the regulator that is attempting to identify the non-compliant transmitter is not the intended receiver. This means that the regulator may be at a location where the SNR is very low with significant multipath fading. Moreover, the regulator may not even know precisely the PHY-layer parameters needed to properly demodulate and decode the detected signal. Because of these distinguishing challenges associated with ex post enforcement, we coin the term blind transmitter identification to denote the identification of non-compliant transmitters. Ideally, a scheme for blind transmitter identification should enable a regulator to uniquely identify (or authenticate) a transmitter under low SNR and high multipath fading conditions while not requiring the regulator to have complete knowledge of the PHY-layer transmission parameters.

2) Localization of Non-Compliant Transmitters: After the identification of the malfunctioning or rogue transmitter (by analyzing its signal), the logical next step in ex post enforcement is to localize the non-compliant transmitter. The location of an authorized user, who may be required to report its location, can be verified by the regulatory framework once its identity is established. On the other hand, a rogue transmitter may fake its location information. Hence, location verification could be used to differentiate between compliant and non-compliant transmitters. However, it is unlikely that the rogue transmitter would provide any cooperation for its location estimation. Thus, the localization in cognitive radio networks has to be achieved via a non-interactive technique, e.g., by measuring the received signal strength (RSS) [19], [82], [83]. The RSS is an indicator of the link distance between a transmitter and a receiver. Hence, the information about the distances measured between the rogue transmitter and a set of receivers through RSS measurements can be merged at the regulator to localize the rogue transmitter.
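The RSS merging and location-verification steps described above, as an added example that is not the paper's or the cited works' method. It assumes a log-distance path-loss model with known transmit power and path-loss exponent and monitoring receivers at known positions; all names, parameters and sample values are constructed.

```python
import math

# Assumed log-distance path-loss model (constructed parameters, not from the paper):
#   rss_dbm = TX_POWER_DBM - PL_D0_DB - 10 * PATH_LOSS_EXP * log10(d / D0_M)
TX_POWER_DBM = 30.0
PL_D0_DB = 40.0
D0_M = 1.0
PATH_LOSS_EXP = 3.0

# Constructed scenario: four monitoring receivers at known positions (metres).
SENSORS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]
TRUE_POS = (300.0, 700.0)


def rss_from_distance(d_m):
    return TX_POWER_DBM - PL_D0_DB - 10 * PATH_LOSS_EXP * math.log10(d_m / D0_M)


def distance_from_rss(rss_dbm):
    return D0_M * 10 ** ((TX_POWER_DBM - PL_D0_DB - rss_dbm) / (10 * PATH_LOSS_EXP))


def simulate_rss(tx_xy, sensors, offsets_db=None):
    """RSS each sensor would report, plus optional per-sensor error in dB."""
    offsets_db = offsets_db or [0.0] * len(sensors)
    return [rss_from_distance(math.hypot(tx_xy[0] - x, tx_xy[1] - y)) + off
            for (x, y), off in zip(sensors, offsets_db)]


def localize(sensors, rss_dbm):
    """Merge per-sensor RSS readings into one (x, y) estimate.

    Each reading gives a range circle (x - xi)^2 + (y - yi)^2 = di^2.
    Subtracting the last sensor's circle from the others removes the
    quadratic terms; the resulting linear system is solved by least squares."""
    if len(sensors) < 3 or len(sensors) != len(rss_dbm):
        raise ValueError("need RSS from at least three sensors")
    d = [distance_from_rss(r) for r in rss_dbm]
    (xn, yn), dn = sensors[-1], d[-1]
    s_aa = s_ab = s_bb = s_ac = s_bc = 0.0
    for (xi, yi), di in zip(sensors[:-1], d[:-1]):
        a = 2 * (xn - xi)
        b = 2 * (yn - yi)
        c = di ** 2 - dn ** 2 - xi ** 2 - yi ** 2 + xn ** 2 + yn ** 2
        s_aa += a * a
        s_ab += a * b
        s_bb += b * b
        s_ac += a * c
        s_bc += b * c
    det = s_aa * s_bb - s_ab ** 2
    if abs(det) <= 1e-12 * max(s_aa * s_bb, 1.0):
        raise ValueError("sensor geometry is degenerate (collinear sensors)")
    return (s_ac * s_bb - s_ab * s_bc) / det, (s_aa * s_bc - s_ab * s_ac) / det


def position_error(a_xy, b_xy):
    return math.hypot(a_xy[0] - b_xy[0], a_xy[1] - b_xy[1])


def claim_is_consistent(claimed_xy, estimate_xy, tolerance_m):
    """Location verification: does the reported position match the RSS estimate?"""
    return position_error(claimed_xy, estimate_xy) <= tolerance_m


if __name__ == "__main__":
    # Constructed measurement errors of +1 dB and -1 dB on the first two sensors.
    noisy = simulate_rss(TRUE_POS, SENSORS, [1.0, -1.0, 0.0, 0.0])
    est = localize(SENSORS, noisy)
    print("estimate:", tuple(round(v, 1) for v in est))
    print("error (m):", round(position_error(est, TRUE_POS), 1))
    print("honest claim accepted:", claim_is_consistent(TRUE_POS, est, 150.0))
    print("false claim accepted:", claim_is_consistent((900.0, 100.0), est, 150.0))
```

Because a rogue transmitter's power is not actually known to the regulator, the fixed `TX_POWER_DBM` is the weakest assumption here; a 1 dB RSS error already shifts the estimate by tens of metres in this geometry.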

3) Punishment of Non-Compliant Transmitters: The aim of punishment/penalty is to impose a cost for the non-compliant behavior [84], [85]. Therefore, the efficacy of deterrence against rogue transmissions not only depends on the probability of a bad actor getting caught, but also on the severity of punishment when the perpetrator is caught. To be effective, the penalty has to be sufficiently large to offset the benefits from non-compliance. We also need to ensure a proportional penalty for a harm caused due to non-compliance by measuring the cost of the harm. Additionally, we need to take into account the implications of imperfect enforcement as the risk of punishing compliant users may deter the prospects of spectrum sharing.

According to the literature, there are two methods for punishing non-compliant transmitters [84], [86].

● No access to spectrum: The rogue transmitter is not allowed to access the spectrum for an amount of time that is commensurate with the severity of the infraction. This can be achieved by revoking the license/permit of the rogue transmitter or modifying its operating rights.

● Economic penalties: The other way is to economically handle the punishment. Those causing the harm are charged commensurately with the severity of the harm. The collected amount can be paid to those who suffered due to the rogue transmitter. In this way, it can be observed as one of the benefits for compliant behavior by legitimate SUs.

In Table II, we summarize the countermeasures discussed in this section, and also map them to the security and enforcement threats that they counter.

V. OPEN PROBLEMS AND RESEARCH CHALLENGES

Traditional ex ante enforcement techniques for wireless systems relied on transmitter/receiver specifications and white spaces to prevent harmful interference. Transmission specifications include transmission power and antenna parameters, while receiver specifications include parameters like bandwidth and sensitivity. Also, most of these traditional approaches assume that transmitters are fixed, which makes punitive enforcement easier. For mobile systems, ex ante measures that are based on transmitter specifications are less effective [85]. Mobility also hinders ex post techniques such as detection and reputation-based enforcement.

The intelligence, efficiency, and programmability of software-defined and cognitive radios enable us to employ spectrum sharing to fundamentally improve the efficiency of spectrum utilization. However, these advantages also exacerbate the enforcement problem. For example, dynamic spectrum access enhances the dynamic flexibility of radios, allowing them to have greater mobility. This increased mobility, however, makes spectrum enforcement more challenging.

Another important open problem in spectrum enforcement is the development of a flexible and descriptive policy language, which can be used to specify spectrum access policies for dynamic spectrum access systems. Such a language can be used to not only prescribe the transmission behavior of an individual radio (which is a form of ex ante enforcement), but can also be used to manage the functionality and behavior of a dynamic spectrum access network.

There are a number of other challenges related to spectrum policies, including the development of advanced algorithms for executing policy inference and reasoning tasks carried out by policy-based cognitive radios. Despite the great potential of ontology-based spectrum policies, there is slow progress in integrating this concept into policy-based cognitive radios because of the complexity of policy inference and reasoning when the policies are ontology-based. The primary challenge in using ontology-based policies is meeting the real-time processing requirements of the radio. To date, ontology-based policies have been successfully applied to interactive, non-real-time applications, but not to real-time applications. Most of the policy inference and reasoning tasks carried out by a policy-based cognitive radio need to be executed within a very tight time window.

In ex post enforcement, locus of adjudication is another critical problem that remains unaddressed [50]. The adjudicating entity must have jurisdiction to adjudicate interference events. At present, there is no clearly defined process for resolving certain types of interference events. For example, for an event that occurs in the 1695-1710 MHz band in the United States, a civil court may refer the matter to the FCC for resolution, but the FCC has no jurisdiction over federal bands and the National Telecommunications and Information Administration (NTIA) is ill-equipped to deal with civil disputes.

Metrics can be an effective tool to discern the effectiveness of various components of a security system. Metrics can also help to identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions. However, defining meaningful metrics is very challenging. Some of the important metrics that need to be defined to quantify security/privacy in spectrum sharing include a metric for quantifying harmful interference, metrics for quantifying the operational privacy of PUs and SUs, and metrics for measuring spectrum utilization efficiency.

There is an interesting tradeoff between enforcement and privacy that exists in the context of shared spectrum access. The collaboration of wireless nodes to monitor and “tattle” about neighboring nodes can help detect regulation-violating transmitters as well as locate and punish those violators. However, privacy considerations need to be addressed before such solutions can be adopted.

There is a fundamental tradeoff between spectrum regulations and enforcement. Tighter regulations can reduce the need for enforcement, but such an approach incurs a significant cost—tighter regulations can create a regulatory environment that discourages investment in research and deployment of wireless innovation. Finding an optimal tradeoff between regulations and enforcement is a challenge that the regulatory community will need to struggle with over the coming years.

VI. CONCLUSION

In this paper, we focused on the engineering aspects of spectrum enforcement and security. However, as emphasized in [85], building an optimal enforcement framework will require a combination of ex ante and ex post, centralized and decentralized, and general and application-specific enforcement components that co-evolve with markets and regulatory policy frameworks within a complex ecosystem. Building such a complex enforcement framework will require a greater understanding of not only the engineering challenges, but also of the ramifications of the enforcement solutions in terms of legal, economic, and regulatory policy aspects.

VII. ACKNOWLEDGMENTS

This work was partially sponsored by the National Science Foundation through grants 0746925, 1314598, 1265886, and 1247928; by Motorola Solutions; and by the industry affiliates of the Broadband Wireless Access & Applications Center and the Wireless @ Virginia Tech group.

REFERENCES

[1] FCC, “National broadband plan: Connecting America,” available at http://www.broadband.gov/plan/, 2010.

[2] PCAST, “Report to the president realizing the full potential of government-held spectrum to spur economic growth,” available at http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast spectrum report final july 20 2012.pdf, July 2012.

[3] Ofcom, “Geolocation for cognitive access: A discussion on using geolocation to enable license-exempt access to the interleaved spectrum,” July 2009.

TABLE II: Threat countermeasures and enforcement strategies.

Countermeasure Class PUE SSDF BF SBW SULI DAP
Policy Reasoner [37]–[41] Ex ante ⊘ ⊘
Tamper Resistance [47] Ex ante ⊘ ⊘ ⊘ ⊘
Data Obfuscation [32], [51] Ex ante ⊘
Cryptographic Primitives [87] Ex ante ⊘
PHY-layer Authentication [69]–[81] Ex post ⊘ ⊘
Localization [19], [82], [83] Ex post ⊘ ⊘
Punishment [84] Ex post ⊘ ⊘ ⊘ ⊘

[4] ——, “Implementing geolocation, summary of consultation responses and next steps,” Sept. 2011.

[5] Industry Canada, “SMSE-012-11: Consultation on a policy and technical framework for the use of non-broadcasting applications in the television broadcasting bands below 698 MHz,” Aug. 2011.

[6] IDA, “Trial of white space technology accessing VHF and UHF bands in Singapore,” July 2010.

[7] European Parliament and Council, “Decision No 243/2012/EU of the European Parliament and of the Council of 14 March 2012 establishing a multiannual radio spectrum policy programme,” available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32012D0243:EN:NOT.

[8] European Commission, “2013/195/EU: Commission implementing Decision of 23 April 2013 defining the practical arrangements, uniform formats and a methodology in relation to the radio spectrum inventory established by Decision No 243/2012/EU of the European Parliament and of the Council establishing a multiannual radio spectrum policy programme,” available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32013D0195:EN:NOT.

[9] ECC, “Technical and operational requirements for the possible operation of cognitive radio systems in the white spaces of the frequency band 470-790 MHz,” Jan. 2011.

[10] FCC, “Enabling innovative small cell use in 3.5 GHZ band NPRM & order (FCC 12-148),” Dec. 2012.

[11] T. Baykas et al., “Developing a standard for TV white space coexistence: Technical challenges and solution approaches,” IEEE Wireless Commun., vol. 19, no. 1, pp. 10–22, Feb. 2012.

[12] D. Gurney, G. Buchwald, L. Ecklund, S. Kuffner, and J. Grosspietsch, “Geo-location database techniques for incumbent protection in the TV white space,” in IEEE DySPAN, 2008, pp. 1–9.

[13] R. Murty, R. Chandra, T. Moscibroda, and P. Bahl, “Senseless: A database-driven white spaces network,” IEEE Trans. on Mobile Computing, vol. 11, no. 2, pp. 189–203, 2012.

[14] D. Cabric, S. Mishra, and R. Brodersen, “Implementation issues in spectrum sensing for cognitive radios,” in Asilomar Conference on Signals, Systems and Computers, vol. 1, 2004, pp. 772–776.

[15] T. Yucek and H. Arslan, “A survey of spectrum sensing algorithms for cognitive radio applications,” IEEE Commun. Surveys Tutorials, vol. 11, no. 1, pp. 116–130, 2009.

[16] J. Mitola and J. Maguire, G.Q., “Cognitive radio: making software radios more personal,” IEEE Personal Commun., vol. 6, no. 4, pp. 13–18, 1999.

[17] G. Baldini, T. Sturman, A. Biswas, R. Leschhorn, G. Godor, and M. Street, “Security aspects in software defined radio and cognitive radio networks: A survey and a way ahead,” IEEE Commun. Surveys Tutorials, vol. 14, no. 2, pp. 355–379, 2012.

[18] S. Parvin, F. K. Hussain, O. K. Hussain, S. Han, B. Tian, and E. Chang, “Cognitive radio network security: A survey,” Journal of Network and Computer Applications, vol. 35, no. 6, pp. 1691–1708, 2012.

[19] R. Chen, J.-M. Park, and J. Reed, “Defense against primary user emulation attacks in cognitive radio networks,” IEEE J. Sel. Areas Commun., vol. 26, no. 1, pp. 25–37, Jan. 2008.

[20] T. Clancy and N. Goergen, “Security in cognitive radio networks: Threats and mitigation,” in CrownCom, May 2008, pp. 1–8.

[21] T. Newman, T. Clancy, M. McHenry, and J. Reed, “Case study: Security analysis of a dynamic spectrum access radio system,” in IEEE GLOBECOM, 2010, pp. 1–6.

[22] R. Chen, J.-M. Park, and K. Bian, “Robust distributed spectrum sensing in cognitive radio networks,” in IEEE INFOCOM, 2008, pp. 1876–1884.

[23] A. Rawat, P. Anand, H. Chen, and P. Varshney, “Collaborative spectrum sensing in the presence of byzantine attacks in cognitive radio networks,” IEEE Trans. on Signal Processing, vol. 59, no. 2, pp. 774–786, 2011.

[24] C. Cormio and K. R. Chowdhury, “A survey on MAC protocols for cognitive radio networks,” Ad Hoc Networks, vol. 7, no. 7, pp. 1315–1329, 2009.

[25] K. Bian and J.-M. Park, “MAC-layer misbehaviors in multi-hop cognitive radio networks,” in US-Korea Conference on Science, Technology, and Entrepreneurship, 2006.

[26] L. Zhu and H. Zhou, “Two types of attacks against cognitive radio network MAC protocols,” in Int. Conf. Computer Science and Software Engineering, vol. 4, 2008, pp. 1110–1113.

[27] K. Bian and J.-M. Park, “Security vulnerabilities in IEEE 802.22,” in WICON, 2008, pp. 1–9.

[28] A. Toledo and X. Wang, “Robust detection of selfish misbehavior in wireless networks,” IEEE J. Sel. Areas Commun., vol. 25, no. 6, pp. 1124–1134, 2007.

[29] M. Raya, I. Aad, J.-P. Hubaux, and A. El Fawal, “DOMINO: Detecting MAC layer greedy behavior in IEEE 802.11 hotspots,” IEEE Trans. on Mobile Computing, vol. 5, no. 12, pp. 1691–1705, 2006.

[30] W. Wang, Y. Sun, H. Li, and Z. Han, “Cross-layer attack and defense in cognitive radio networks,” in IEEE GLOBECOM, 2010, pp. 1–6.

[31] J. Hernandez-Serrano, O. León, and M. Soriano, “Modeling the lion attack in cognitive radio networks,” EURASIP J. Wirel. Commun. Netw., pp. 1–10, Jan. 2011.

[32] Z. Gao, H. Zhu, Y. Liu, M. Li, and Z. Cao, “Location privacy in database-driven cognitive radio networks: Attacks and countermeasures,” in IEEE INFOCOM, 2013.

[33] B. Patil, “Protocol to access white space database: Problem statement, use cases and requirements,” available at http://tools.ietf.org/html/draft-ietf-paws-problem-stmt-usecases-rqmts-06, July 2012.

[34] FCC, “Third order and memorandum opinion and order, in the matter of unlicensed operation in the TV broadcast bands, additional spectrum for unlicensed devices below 900 MHz and in the 3 GHz band,” Apr. 2012.

[35] N. O. Tippenhauer, K. B. Rasmussen, C. Popper, and S. Capkun, “Attacks on public WLAN-based positioning,” in ACM MobiSys, 2009.

[36] A. Ginsberg, W. D. Horne, and J. D. Poston, “Community-based cognitive radio architecture: Policy-compliant innovation via the semantic web,” in IEEE DySPAN, 2007, pp. 191–201.

[37] F. Perich and M. McHenry, “Policy-based spectrum access control for dynamic spectrum access network radios,” Web Semantics: Science, Services and Agents on the World Wide Web, vol. 7, pp. 21–27, 2009.

[38] B. Bahrak, A. Deshpande, M. Whitaker, and J. Park, “Bresap: A policy reasoner for processing spectrum access policies represented by binary decision diagrams,” in IEEE DySPAN, 2010.

[39] B. Bahrak, A. Deshpande, and J. Park, “Spectrum access policy reasoning for policy-based cognitive radios,” Computer Networks, vol. 56, no. 11, pp. 2649–2663, July 2012.

[40] G. Denker, D. Elenius, R. Senanayake, M. O. Stehr, and D. Wilkins, “A policy engine for spectrum sharing,” in IEEE DySPAN, 2007, pp. 55–65.

[41] F. Perich, R. Foster, P. Tenhula, and M. McHenry, “Experimental field test results on feasibility of declarative spectrum management,” in IEEE DySPAN, 2008, pp. 1–10.

[42] A. Toninelli, J. Bradshaw, L. Kagal, and R. Montanari, “Rule-based and ontology-based policies: Toward a hybrid approach to control agents in pervasive environments,” in Semantic Web and Policy Workshop, Sept. 2005, pp. 42–54.

[43] B. Bahrak, J. Park, and H. Wu, “Ontology-based spectrum access policies for policy-based cognitive radios,” in IEEE DySPAN, 2012.

[44] M. Kokar and L. Lechowicz, “Language issues for cognitive radio,” Proc. IEEE, 2009.

[45] “IEEE standard for policy language requirements and system architectures for dynamic spectrum access systems,” IEEE Std 1900.5, January 2012.

[46] C. Li, A. Raghunathan, and N. Jha, “An architecture for secure software defined radio,” in Design, Automation and Test in Europe (DATE), 2009, pp. 448–453.

[47] S. Xiao, J. Park, and Y. Ye, “Tamper resistance for software defined radio software,” in COMPSAC, 2009, pp. 383–391.

[48] C. R. Aguayo González and J. H. Reed, “Power fingerprinting in SDR integrity assessment for security and regulatory compliance,” Analog Integr. Circuits Signal Process., vol. 69, no. 2-3, pp. 307–327, Dec. 2011.

[49] X. Li, J. Chen, and F. Ng, “Secure transmission power of cognitive radios for dynamic spectrum access applications,” in Conference on Information Sciences and Systems (CISS), 2008, pp. 213–218.

[50] M. Weiss, M. Altamimi, and M. McHenry, “Enforcement and spectrum sharing: A case study of the 1695-1710 MHz band,” in CrownCom, 2013.

[51] E. Bertino and S. Ravi, “Database security-concepts, approaches, and challenges,” IEEE Trans. on Dependable and Secure Computing, vol. 2, no. 1, pp. 2–19, 2005.

[52] L. Li, M. Kantarcioglu, and B. Thuraisingham, “The applicability of the perturbation based privacy preserving data mining for real-world data,” Data & Knowledge Engineering, vol. 65, no. 1, pp. 5–21, 2008.

[53] L. Sweeney, “k-anonymity: A model for protecting privacy,” Int. J. Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, pp. 557–570, 2002.

[54] A. Machanavajjhala, J. Gehrke, D. Kifer, and M. Venkitasubramaniam, “l-diversity: Privacy beyond k-anonymity,” in Int. Conf. on Data Engineering (ICDE), 2006.

[55] N. Li, T. Li, and S. Venkatasubramanian, “t-closeness: Privacy beyond k-anonymity and l-diversity,” in Int. Conf. on Data Engineering (ICDE), 2007.

[56] P. Samarati and L. Sweeney, “Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression,” in IEEE Symp. Research in Security and Privacy, 1998.

[57] C. Dwork, “Differential privacy,” in International Conference on Automata, Languages and Programming, 2006, pp. 1–12.

[58] M. Gruteser and D. Grunwald, “Anonymous usage of location-based services through spatial and temporal cloaking,” in ACM MobiSys, 2003.

[59] J. Freudiger, R. Shokri, and J. Hubaux, “On the optimal placement of mix zones,” in Int. Symp. on Privacy Enhancing Technologies, 2009.

[60] R. Chow and P. Golle, “Faking contextual data for fun, profit, and privacy,” in Proc. ACM WPES, 2009.

[61] B. Gedik and L. Liu, “Protecting location privacy with personalized k-anonymity: Architecture and algorithms,” IEEE Trans. Mobile Computing, vol. 7, no. 1, pp. 1–18, 2008.

[62] J. Hall, M. Barbeau, and E. Kranakis, “Detecting rogue devices in Bluetooth networks using radio frequency fingerprinting,” in Commun. Comput. Netw., Oct. 2006.

[63] O. Ureten and N. Serinken, “Wireless security through RF fingerprinting,” Canadian J. Electr. Comput. Eng., vol. 32, no. 1, pp. 27–33, 2007.

[64] K. Kim, C. Spooner, I. Akbar, and J. Reed, “Specific emitter identification for cognitive radio with application to IEEE 802.11,” in IEEE GLOBECOM, 2008, pp. 1–5.

[65] V. Brik, S. Banerjee, M. Gruteser, and S. Oh, “Wireless device identification with radiometric signatures,” in Proc. ACM MobiCom, 2008, pp. 116–127.

[66] B. Danev and S. Capkun, “Transient-based identification of wireless sensor nodes,” in Int. Conf. Inform. Process. Sensor Netw., Apr. 2009, pp. 25–36.

[67] K. Remley et al., “Electromagnetic signatures of WLAN cards and network security,” in Proc. IEEE Int. Symp. Signal Process. Inform. Technol., Dec. 2005, pp. 484–488.

[68] B. Danev, H. Luecken, S. Čapkun, and K. Defrawy, “Attacks on physical-layer identification,” in ACM WiSec, 2010, pp. 89–98.

[69] I. Cox, M. Miller, and A. McKellips, “Watermarking as communication with side information,” Proc. IEEE, vol. 87, no. 7, pp. 1127–1141, July 1999.

[70] C. Fei, D. Kundur, and R. Kwong, “Analysis and design of secure watermark-based authentication systems,” IEEE Trans. Inform. Forensics Security, vol. 1, no. 1, pp. 43–55, Mar. 2006.

[71] N. Goergen, T. Clancy, and T. Newman, “Physical layer authentication watermarks through synthetic channel emulation,” in IEEE Symp. New Frontiers Dynamic Spectrum, Apr. 2010, pp. 1–7.

[72] J. Kleider, S. Gifford, S. Chuprun, and B. Fette, “Radio frequency watermarking for OFDM wireless networks,” in Proc. IEEE Int. Conf. Acoustics, Speech, and Signal Process., vol. 5, May 2004, pp. 397–400.

[73] X. Wang, Y. Wu, and B. Caron, “Transmitter identification using embedded pseudo random sequences,” IEEE Trans. Broadcast., vol. 50, pp. 244–252, Sept. 2004.

[74] L. Xiao, L. Greenstein, N. Mandayam, and W. Trappe, “Using the physical layer for wireless authentication in time-variant channels,” IEEE Trans. Wireless Commun., vol. 7, no. 7, pp. 2571–2579, July 2008.

[75] P. Yu, J. Baras, and B. Sadler, “Physical-layer authentication,” IEEE Trans. Inf. Forensics Security, vol. 3, no. 1, pp. 38–51, Mar. 2008.

[76] ——, “Multicarrier authentication at the physical layer,” in Int. Symp. on World of Wireless, Mobile and Multimedia Networks, June 2008, pp. 1–6.

[77] X. Tan, K. Borle, W. Du, and B. Chen, “Cryptographic link signatures for spectrum usage authentication in cognitive radio,” in Proc. ACM WiSec, June 2011, pp. 79–90.

[78] R. Miller and W. Trappe, “Short paper: ACE: authenticating the channel estimation process in wireless communication systems,” in Proc. ACM WiSec, 2011, pp. 91–96.

[79] Y. Liu, P. Ning, and H. Dai, “Authenticating primary users’ signals in cognitive radio networks via integrated cryptographic and wireless link signatures,” in IEEE Symp. Security and Privacy, May 2010, pp. 286–301.

[80] L. Yang, Z. Zhang, B. Y. Zhao, C. Kruegel, and H. Zheng, “Enforcing dynamic spectrum access with spectrum permits,” in Proc. ACM MobiHoc, 2012, pp. 195–204.

[81] V. Kumar, J.-M. Park, T. C. Clancy, and K. Bian, “PHY-layer authentication by introducing controlled inter symbol interference,” in IEEE CNS, Oct. 2013, pp. 27–35.

[82] S. Liu, Y. Chen, W. Trappe, and L. J. Greenstein, “Non-interactive localization of cognitive radios based on dynamic signal strength mapping,” in Proc. Sixth Int. Conf. on Wireless On-Demand Network Systems and Services, 2009, pp. 77–84.

[83] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. Abdelzaher, “Range-free localization schemes for large scale sensor networks,” in Proc. ACM MobiCom, 2003, pp. 81–95.

[84] K. Woyach, A. Sahai, G. Atia, and V. Saligrama, “Crime and punishment for cognitive radios,” in 46th Annual Allerton Conference on Communication, Control, and Computing, 2008, pp. 236–243.

[85] M. B. Weiss, W. H. Lehr, L. Cui, and M. Altamimi, “Enforcement in dynamic spectrum access systems,” in Telecommunications Policy Research Conference, Sept. 2012.

[86] K. Ren, X. Liu, W. Liang, M. Xu, X. Jia, and K. Xing, “Enforcing spectrum access rules in cognitive radio networks through cooperative jamming,” in Wireless Algorithms, Systems, and Applications. Springer Berlin Heidelberg, 2013, vol. 7992, pp. 440–453.

[87] A. Menezes, P. V. Oorschot, and S. Vanstone, Handbook of applied cryptography. CRC press, 2010.
