Research on SSDF attack detection algorithm in cognitive Internet of Things

The Internet of Things (IoT) is a new paradigm for connecting various heterogeneous networks.cognitive radio (CR) adopts cooperative spectrum sensing (CSS) to realize the secondary utilization of idle spectrum by unauthorized IoT devices,so that IoT objects can eﬀectively use spectrum resources.However, the abnormal IoT devices in the cognitive Internet of Things will disrupt the CSS process. For this attack, we propose a spectrum sensing strategy based on the weighted combining of the Hidden Markov Model. In this method, Hidden Markov Model is used to detect the probability of malicious attack of each node and report it to the fusion center (FC). FC allocates a reasonable weight value according to the evaluation of the submitted observation results to improve the accuracy of the sensing results.Simulation results show that the detection performance of spectrum sensing data forgery(SSDF) attack in cognitive Internet of Things is better than that of K rank criterion in hard combining.


Introduction
The IoT can be defined as a network composed of interconnected objects and people who provide services. They share data to complete tasks in various applications [1].The IoT realizes the interconnection between various devices, including computers, sensors, household appliances, phones, personal devices, business devices, and any device that can connect to the network and communicate with other devices.With the develop-ment of technology and the increase in market demand, the number of IoT connected devices has achieved explosive growth. It is expected that sensors will be attached to all objects around us in the future.In order to manage a large number of devices in the IoT, contextaware methods are used to analyze the incoming data from sensors, and context-awareness plays a key role in data processing [2].However, the context-awareness method in the IoT only processes the incoming data, reduces unnecessary data entering the network, and does not really solve the network congestion problem caused by a large number of devices in the IoT.At present, our IoT devices have a high usage rate in unlicensed frequency bands, but the licensed frequency bands are not fully utilized. Therefore, the static allocation and management of spectrum resources cannot effectively meet the needs of these IoT devices and applications.The dynamic spectrum allocation method in cognitive radio can effectively overcome the shortcomings of the traditional static spectrum allocation method and alleviate the current situation of spectrum resource shortage [3,4]. Through collaborative spectrum sharing, unlicensed IoT devices can access the licensed spectrum band without interfering with the primary user (PU), which effectively improves the spectrum utilization of the IoT network [5].
Literature [6] proposed a new concept of cognitive Internet of Things (CIoT). CIoT is an IoT with cognitive and cooperative mechanisms. Integrating these mechanisms can improve performance and complete intelligent services. CIoT gives the current high-level intelligent "brain" of the current IoT, thinking and understanding the material and social world, so that it can analyze the current network conditions that it perceives, and make intelligent decisions to maximize network performance [7].While proposing the concept of the cognitive Internet of Things, a CIoT architecture was developed, combining the scalability of IoT with cognitive computing tools, and integrating knowledge models and self-learning information into the platform. The proposed architecture solves the problem of the lack of large-scale applications of CIoT [8].On this basis, we combine cognitive radio with the IoT based on the cognitive function of the IoT, and use CRN to establish an IoT intelligent network to solve the problem of scarcity of the IoT spectrum.The CR technology merges with the IoT and is called the cognitive radio Internet of Things (CRIoT) [9]. The combination of cognitive radio and the IoT enables IoT devices to perceive the spectrum resources that are not fully utilized by the primary user.
The first consideration in integrating CR technology into the IoT is the security issues in the IoT. The heterogeneity and complexity of the IoT make it more difficult to deal with the security of the IoT [10].There is usually a three-tier architecture in the IoT, and we implement different security principles in each layer to ensure the security of the IoT.Only by solving the security issues related to it, can the future of the IoT framework be ensured [11].In the IoT, threats such as sensitive information leakage, denial of service attacks, and unauthorized network access are all attack methods that undermine the security of the IoT [12].These common attacks have been studied. Zhen Li, Tao Jing and others used physical layer methods to solve the security problems in CIoT networks based on dynamic spectrum allocation, and proposed the use of cooperative interference to achieve secure transmission [13].Pin-Yu Chen et al. adopted a security availability and qualityaware channel allocation method for channel allocation under interference attacks in IoT-based cognitive radio networks with time-sensitive services [14].Xiaofan He et al. proposed a synchronous Q learning algorithm based on wideband spectrum sensing and greedy strategy to actively avoid channel interference [15].Khaled Mohammed Saifuddin et al. proposed a fusion-based defense mechanism for the damage caused by intention-al attacks on the IoT infrastructure under the complex network structure, and introduced a game method between the opponent and the defender, using the game equilibrium the results to evaluate the effectiveness of defense mechanism [16].
Although the security of the IoT has been extensively discussed and resolved, some problems in the security of spectrum sensing still need further research.One of the main requirements of CRIoT security is to ensure that the PU is not interfered by cognitive users and can obtain data at any time.In CRIoT, due to the path shadow and fading in the spectrum sensing process, the local spectrum sensing performed by a single IoT device is usually inaccurate.Compared with the traditional single-node spectrum sensing method, CSS can reduce the influence of channel fading and shadow on the accuracy of data fusion to a certain extent. After the IoT device senses the data, it can make the judgment whether the PU occupies the current frequency band by itself and also can share information with other IoT devices to complete the judgment together or FC collects the perception data of each IoT device and uses certain data fusion rules to complete the final decision.However, the CSS mechanism provides an opportunity for malicious IoT Devices (MIDs) to launch attacks. primary user emulation(PUE) attacks and SS-DF attacks are two common types of attacks. PUE attacks are mainly MIDs by acquiring PU-related characteristics and disguising them as PU, destroying the system environment [17].SSDF attack is also called Byzantine attack. This attack is MIDs tampering with local sensing data and affecting FC's final decision [18].There are two main purposes for MIDs to launch Byzantine attacks. One is to monopolize the entire channel and maximize benefits. When the PU does not occupy the authorized spectrum, the MIDs will signal the PU occupancy of the authorized spectrum to other IoT devices, so that other devices cannot intervene in the authorized spectrum. The second is to interfere with the transmission of the PU and destroy the performance of the entire network. When the PU occupies the authorized spectrum, MIDs signal that the authorized spectrum is idle to other IoT devices, causing a large number of devices to intervene in the authorized spectrum, leading to system chaos. Therefore, in either case, the damage to the normal operation of the network is serious.
On this basis, we propose a weighted combining attack detection method based on Hidden Markov Model. This method can use the channel state sensed by previous IoT devices as a data set to calculate normal IoT devices (NIDs) and probabilistic models of various attackers, and the FC evaluates the submitted observa-tion results and assigns reasonable weight values, and finally makes a global decision.
The following are the major contributions of this paper: • This article describes a method for discovering and detecting malicious IoT devices in the cognitive IoT.
• Proposed a weighted combining scheme based on Hidden Markov Model to discover malicious attack devices in CRIoT, so that the final decision made by FC has high accuracy.
• Use Hidden Markov Model to determine the size of the weight, and it has a higher detection rate when there are more malicious devices.
• The weighted combining scheme greatly reduces the inaccuracy of a single node's perception.
• The improvement of the detection rate of MIDs improves the overall spectrum utilization efficiency.
Rest of the paper is organized as follows: Section 2 introduces related work. Section 3 describes the system model. Section 4 describes the model of resisting SSDF attacks based on the hidden Markov model. In Section 5, experimental simulations are carried out and the results are analyzed. Section 6 concludes the paper.

Related works
At present, a lot of research work has been done on SS-DF attack. The common ways of SSDF attack are collusive attack and independent attack. In collusive attacks, malicious users conspire together to attack and degrade CSS performance [19]. For collusive attacks, Fan Jin et al. proposed a detection strategy based on Eclat algorithm to detect collusive malicious nodes [20] . Suchmita Bhattacharjee et al. studied the design of collusive nodes in cooperative spectrum sensing and found that the performance degradation of collusive attacks is more severe than that of independent attacks [21]. Jingyu Feng et al. propose a two-level defense called FeedGuard to defend against such attacks, which can be used to improve cognitive trust assessments and reduce the perceived trust of CFF attackers [22].
In the independent attack, the malicious user will launch the attack independently without collusion with other users, this kind of attack is quite common, this paper studies the independent attack in the SSDF attack. At present, many schemes based on reputation mechanism are used to detect independent attacks. Tao Qin and his colleagues propose a trust-aware hybrid spectrum sensing scheme, which can detect the behavior of secondary users and filter their reported spectrum sensing results from the decision-making process [23]. Fang Ye and others put forward a comprehensive reputationbased security mechanism. According to SU's current and historical perception behavior, the reliability of SU in cooperative perception is measured by comprehensive reputation value, and a penalty strategy is proposed to modify reputation [24].Ming Zhou and others proposed a cooperative spectrum sensing scheme based on CRN Bayesian Reputation Model. The key idea is to treat cooperation as a service evaluation process, and SU's reputation reflects their quality of service [25]. M. Yul. Morozov et al. used combinatorial methods to mitigate the SSDF attacks, first using a reputation method to isolate the initially untrusted nodes, and then using a special q-out-of-m fusion rule to mitigate the residual attacks [26]. In addition to reputationbased schemes, a number of other algorithms have been incorporated into some countermeasures against SSD-F attacks. Muhammad Sajjad Khan et al proposed a soft decision fusion scheme based on genetic algorithm to determine the optimal coefficient vector of multiple secondary user sensor reports [27]. Wangjam Niranjan Singh et al. proposed a distance-based outlier detection method to detect and isolate such malicious users on FC [28]. Zhixu Cheng et al have studied the detection of interactive M-ary quantization data against SSDF attacks in CSS networks, and proposed an interactive detection algorithm [29]. Amrapali Shivajirao Chavan et al. designed a situational awareness framework for distributed systems and mobile cognitive radio ad hoc networks to help prevent persistent SSDF attack [30]. Based on the Markov model, Xiaofan He et al have developed a new malicious user detection method using two proposed conditional frequency check statistics to improve the cooperative spectrum sensing performance [31]. Roshni Rajkumari et al proposed a method to detect SSDF attacks based on dissimilarity scores. SU calculates the dissimilarity scores of his neighbors based on the messages he receives from his h-hop neighbors [32]. Zeng Kun et al. proposed a simple robust secure cooperative SS scheme to counter SSDF attacks in the case of hard decision combination. In this approach, only binary decisions from the report OSA node are required to significantly reduce the overhead of the control channel [33]. In order to resist SSDF attacks, Yuanhua Fu, Zhiming He and others proposed a low complexity confidence weighted CSS scheme based on entropy, the scheme evaluates the weight of each sensor node according to the inconsistent characteristics of the data received by the FC in two continuous sensing slots [34]. Ye Fang and others proposed an algorithm based on evidence theory and fuzzy entropy to resist the attack of SSDF. In this algorithm, the membership function and the basic probability distribution function are obtained for the secondary users based on the local energy detection results. According to the distance of evidence and the classical conflict coefficient, the new conflict coefficient is calculated, and the conflict weight of evidence is obtained. The fuzzy weight is calculated by fuzzy entropy, and the weight of credibility is obtained by updating credibility [35]. Our scheme also uses a weighted fusion approach, the difference is that we use Hidden Markov Model to determine the weight of nodes. Changlong Chen, Min Song et al used a decentralized scheme to detect malicious users in cooperative spectrum sensing, and used the spatial correlation of received signal intensity between closely adjacent secondary users, and based on Robustness's outlier detection technique [36].
Machine learning methods such as SVM, neural network, Naive Bayes and Ensemble classifier are also widely used to detect SSDF attacks in CRN [37]. Sarmah R et al developed a sliding window trust model based on Bayesian inference to identify and eliminate independent cooperative SSDF attackers [38]. Muhammad Sajjad Khan and others proposed a support vector machine machine learning algorithm to classify normal users and malicious users in the network [39].
However, the above work does not solve the situation where there are many malicious devices in the cognitive Internet of Things. The weight value obtained by our proposed method using the Hidden Markov Model is more accurate and can well find a large number of malicious attacks in CRIoT. Equipment, the final decision made by FC has a high accuracy rate.

Spectrum-aware model
CRIoT is divided into four levels, namely the application layer, the transmission layer, the perception layer, and the sensing layer. The upper three layers constitute a basic IoT architecture. Combined with CR technology, a sensing layer is added to the three-layer architecture of the IoT, and the sensing layer provides an empty spectrum bandwidth for data transmission [40]. The focus of this paper is to solve the security problem of spectrum sensing in the sensing layer. In the cooperative spectrum sensing scenario, the CRIoT is composed of PU, FC, and N IoT devices. Among all IoT devices, there are MIDs, and the number is M. In the process of spectrum sensing, the number of NIDs is N-M. It senses the usage status of a specific spectrum channel in the sensing time slot, and sends the sensing report to the FC faithfully. The FC makes a global decision on the channel status based on all received reports, and then sends the decision result to the IoT device. And MIDs will choose to forge the perceived data, affecting FC to make incorrect decisions. The signal received by one of the IoT devices can be expressed as follows The k th sensing time slot, the signal received by the is the additive white Gaussian noise of the i th IoT device, and Z i [k] and S[k] are independent of each other.h i is the channel gain of the communication between the i th IoT device and the PU. H 0 is the current frequency band is free, and H 1 is the current frequency band is occupied [41].
The test statistic T i of L samples of the i th sensor node can be given by The local perception result G[i] made by each sensor node can be expressed as λ is the threshold of each sensor node. After obtaining the perception results of all N IoT devices, FC will use a certain integration strategy to make a global decision. If FC finds the result of PU existence, one of the IoT devices may start to transmit data on this channel. When the FC finds that the PU does not exist, the IoT device continues to perceive whether the next channel is occupied.

SSDF attack model
In Figure1, the sensing layer of CIoT may be subject to malicious attacks from different IoT devices. These MIDs may tamper with local sensing results, affect FC's global decision making, cause conflicts in the accessed spectrum, and disrupt the normal network communication, causing system chaos. Therefore, in cooperative spectrum sensing, identifying MIDs is very important for FC to make correct decisions. Two indicators are used in the SSDF attack to measure the performance of local perception. p f , it represents the probability of false alarm, that is, detecting the presence of the PU when the PU does not actually exist; p d , it represents the probability of detection, and correctly detecting the existence of the PU. There are three main types of SSDF attacks launched on the cognitive Internet of Things.
• "random yes" attack: When sensing that the PU does not exist, MIDs send the local perception report as 1, and the probability of conversion is ρ 01 . When ρ 01 = 1, it is called an "always yes" attack.
• "random no" attack: When the presence of a PU is sensed, MIDs send a local perception report as 0, and the probability of conversion is ρ 10 . When ρ 10 = 1, it is called a "always no" attack.
• "random false" attack: MIDs reverse the local perception report with a conversion probability of ρ 01 or ρ 10 [42].
For three different attackers, because the behavior and conversion probability of each attack are different, the final detection probability and false alarm probability are also different. Not all attackers will definitely launch an attack, and MIDs are not always aware of the existence of the PU.With reference to three different attack types, the detection probability and false alarm probability of NIDs and three SSDF attackers can be obtained.
For normal IoT devices, p H d represents the detection probability, p H f represents the false alarm probability, and the two probabilities are respectively given by For "random yes" attackers, use p RY d and p RY f to represent the probability of detection and the probability of false alarms, which are given by 1 − p d indicates the probability that the PU does not exist when the PU is falsely detected, but the PU actually exists. Assuming that the PU does not exist by mistake is detected, the "random yes" attacker will send a perception report as the PU exists, and the conversion probability is ρ 01 , so the probability that the PU is finally detected correctly is (1−p d )·ρ 01 .p d represents the probability of correctly detecting the existence of the PU, and finally the detection probability of a "random yes" attacker is (6). 1 − p f represents the probability of correctly detecting that the PU does not exist. Assuming that the PU does not exist correctly is detected, the "random yes" attacker will send a perception report that the PU exists, with a conversion probability of ρ 01 , so the final result is that the PU does not exist, but the probability of incorrectly detecting that the PU exists is (1 − p f ) · ρ 01 . p f represents the probability that the PU does not exist, but the existence of the false detection is detected, and the false alarm probability of the "random yes" attacker is finally obtained as (7) [43].
Similarly, for a "random no" attacker, p RN d and p RN f are given by Similarly, for a "random false" attacker, p RF d and p RF f are given by Note that at least one of formula ρ 01 and ρ 10 is nonzero, otherwise, the behavior of MIDs will be exactly the same as NIDs in a statistical sense.
In the cognitive network of the sensor layer, if these NIDs only exist in individual malicious devices, they can be easily identified through FC's decision fusion standard. However, if the number of MIDs is too large, the fusion strategy adopted by FC will fail, so other methods must be combined to improve the detection accuracy of the Fusion Center.

Attack detection based on Hidden Markov Model
Hidden Markov Model is a time-related probability model. Its process is to randomly generate an unobservable sequence of states from the Hidden Markov Model, and then randomly generate observations from each state to form an observation sequence [44].
In local spectrum sensing, Q = {q 1 , q 2 } is the hidden state set of the channel, q 1 = 1 and q 2 = 0 represent channel occupancy and idle respectively;V = {v 1 , v 2 } is B = {b j (k)} means the hidden channel state is q j and the channel state detected by the cognitive user is a conditional probability matrix of v k , where The initial channel state probability matrix π = {π 0 , π 1 }, where π i = P (i 1 = q i ), 1 ≤ i, j ≤ N , represents the probability of being in state q i at the initial moment.
Hidden Markov Model is determined by π, A and B, so HMM can be expressed as λ = (π, A, B). The H-MM models of honest users and three SSDF attackers are λ H ,λ RY ,λ RN and λ RF , respectively.The abnormal perception behavior of users will cause the difference between B in each model, but the parameters π and A of these four HMMs are the same because all users are perceiving the same frequency spectrum. Therefore, the four HMM models can be expressed as Figure 2 and Figure 3 show the HMM model of NIDs and "random yes" attackers, respectively.
The MIDs in the CRIoT will tamper with the spectrum sensing data, so the data obtained by the final FC may have been tampered with by the MIDs. These data are quite different from the data sensed by NIDs.A priori data can be obtained through spectrum sensing, and the result of spectrum sensing is used as the observation sequence O = (o 1 , o 2 , ..., o T ) of the HMM. Based on these known observation sequences, FC uses the forward algorithm to calculate the different probabilities of each IoT device P (O|λ H ), p(O|λ RY ), P (O|λ RN ) and P (O|λ H ).If FC calculates that the device's P (O|λ H ) is higher than other probabilities, the device is more likely to be NID. Conversely, if the probability of p(O|λ RY ) is the highest, then the device is likely to be an "random yes" attacker. The forward algorithm is expressed as follows.
Define the forward variable as Among them,α t (i) is the probability that the model observation sequence is o 1 , o 2 , ..., o t and the state of time slot t is q i under the premise that the model parameter λ is determined.
The recursive process of the forward algorithm is as follows.
• Initialize the parameters.

Detection algorithm based on Weighted Combining in FC
In FC, we can get the perception report of each IoT device and use the above Hidden Markov Mmodel to calculate that a certain IoT device may be NID or MID.The FC can make the following judgments. The device reports to the FC that the PU exists. If it detects that the device may be NID, it may correctly detect the presence of the PU. The probability is p H d . It may also be detected incorrectly. The actual PU does not exist. The probability is p H f . If it is detected that the device may be a "random yes" attacker, it may correctly detect the presence of the PU, with a probability of p RY d , or may incorrectly detect the presence of the PU, but the actual PU does not exist, with the probability p RY f . Conversely, if the device reports to the FC that the PU does not exist, if it detects that the device may be NID, it may correctly detect that the PU does not exist, the probability is 1 − p H f , or it may incorrectly detect that the PU does not exist, and the PU actually exists, the probability is 1 − p H f . If it is detected that the device may be a "random yes" attacker, it may correctly detect that the PU does not exist, with a probability of 1 − p RY d , or it may incorrectly detect that the PU does not exist, and the PU actually exists, with a probability of 1 − p RY f . We can use the different detection probabilities to determine the different weights of each device to distinguish MIDs and NIDs in the Internet of Things.
w H t and w H f respectively represent the weights of the NID perceiving the existence of the PU and perceiving the absence of the PU.
If you calculate that an Iot device might be a"random yes"attacker, you can determine the weights in the same way.
w N t and w N f respectively represent the weights of perceiving the existence of the PU and perceiving the non-existence of the PU in the case of "random yes" the attacker.
The "random no" attacker and the "random false" attacker are the same as the above situation, and will not be explained again. We will get different weights for each IoT device, and add these weights, and the result is positive means that the PU exists, and negative means that the PU does not exist. The final decision F (ω) can be expressed as follows

Experimental simulation and analysis
In this section, we performed simulations to illustrate the effectiveness of the method. In this simulation experiment, we mainly use the MATLAB platform to set the total number of IoT devices N=100, the number of time slots T=1000, and set different p d to simulate different noise interference in the channel, and all cooperative sensor nodes transmit their sensing data to FC through ideal control channel. Initialize the four modelsλ H , λ RY ,λ RN , and λ RF , initialize and A, set p d = 0.9, p f = 0.1 to get B H , B RY , B RN , and B RF . The detection rate can be expressed as the rate at which the channel state is correctly detected in a certain time slot. Figure 4 and Figure 5 show the changes in the detection rate as the number of MIDs continues to increase in the case of "random yes" and "random no" attacks. We compare our proposed method with the K rank criterion. The K rank criterion is the fusion strategy The relationship between detection rate and MIDs under "random false" attacks adopted by most papers at present, that is, the system can work normally when no less than K of the N devices work normally. It can be seen from the detection results that our detection method can distinguish between attackers and normal devices in IoT devices, and the weighted combining algorithm we proposed is better than the K rank criterion. The detection method is effective when MIDs account for less than 80% of the total, but as the number of MIDs continues to increase, the detection rate drops rapidly, because when the number of MIDs is too large, the result of spectrum sensing is unreliable. Figure 6 shows that the detection rate varies with the number of MIDs under the "random false" attack. It can be seen that the detection method is effective when MIDs account for less than 50% of the total. However, as the number of MIDs continues to increase, the detection rate drops rapidly. The experimental results show that the opposite sensor data will cause greater harm to the fusion process. This is because when there are more than half of the attackers in the IoT device, the "random false" attacker will get the data flipped, which affects the judgment of FC.
Change the attack frequency of the attacker. Under the "random yes", "random no" and "random false" attacks, we set three different attack frequencies for comparison. Figure 7, Figure 8 and Figure 9 respectively show the changes in the detection rate of different attack frequencies under the "random yes", "random no" and "random false" attacks as the number of MIDs continues to increase. It can be seen that as the frequency of attacks increases, the detection performance decreases. The increase in the frequency of attacks means that the MIDs will have a greater possibility of launching an at-  Fig. 9 The relationship between the detection rate of different attack frequencies and MIDs under "random false" attacks  Fig. 11 The relationship between different p d detection rates and MIDs under "random no" attacks tack, so the probability of an attack will increase, which will affect the detection rate. Figure 10, Figure 11 and Figure 12 respectively show the changes in the detection rate of different p d as the number of MIDs continues to increase under the "random yes", "random no" and "random false" attacks. It can be seen that as p d increases, the detection rate is also increasing. p d is the probability of correctly detecting the existence of the PU. Because of the interference of the noise in the channel, we may not be completely accurate in the detection of the existence of the PU, because different signal-to-noise ratios in the channel will lead to different p d , which further leads to a detection rate low when there is no noise.

conclusion
This paper proposes a cooperative spectrum sensing strategy based on the weighted combining of Hidden  Fig. 12 The relationship between different p d detection rates and MIDs under "random false" attacks Markov Model to defend SSDF attacks from malicious devices in the IoT. This method uses the Hidden Markov Model to detect the probability of malicious attacks on each device node and reports it to FC. FC assigns a reasonable weight value based on the evaluation of the submitted observation results, so as to avoid FC from making wrong decisions and correctly judging the channel status. This paper studies the performance parameters of the detection rate under three different attacks with the increase of malicious devices, and compare our algorithm with the traditional K rank criterion. Our algorithm can use Hidden Markov Model to determine the weight, so that the final decision made by FC is closer to the accurate value. In the future, we will further optimize our detection model to improve the detection rate in the case of more malicious devices. In addition, the combination of cognitive radio and IoT will be further studied to solve more security problems in CIoT.

Declarations
Funding This work was supported by the Excellent Middle-aged and Young Research and Innovation Team of Northeast Petroleum University Research on Performance Optimization of Oil and Gas Pipeline Internet of Things, China, No. KYCXTDQ201901. And, the work also is supported by National Natural Science Foundation of China, No. 61601111. The authors also gratefully acknowledge the helpful comments and suggestions of the reviewers, which have improved the presentation.
Data Availability Data can be shared and is available on request. Data can be requested by sending an email to the main author.